Canadian health data security is critical in changing political climate

With a rapidly changing political landscape in the United States, Canada must move quickly to safeguard valuable Canadian health data, argue the authors of a commentary published in the Canadian Medical Association Journal.

“The value of Canada’s health data is immense,” write Dr. Kumanan Wilson, CEO, Bruyère Health Research Institute and an internal medicine specialist at The Ottawa Hospital and the University of Ottawa, Ottawa, Ontario, and co-authors. “The sovereignty risks associated with these data are real. If Canada is to lead in the health AI space, it must move quickly to establish long-overdue privacy and technology safeguards.”

The rise of artificial intelligence (AI) and its reliance on massive amounts of data has increased the value of these data and created new risks on top of pre-existing concerns about health data being used by other countries for national security purposes.

“Serious privacy, security, and economic risks arise when companies in other countries hold and use Canadian data. Given the rapidly changing political climate in the United States, preserving the sovereignty of Canada’s health data—notably, ensuring that the data are subject to Canadian laws and legal systems—requires renewed focus,” writes co-author Dr. Michael Geist, a Canada Research Chair in Internet and e-Commerce Law, and professor at the Center for Law, Technology and Society, University of Ottawa.

Canada’s health system is largely reliant on US providers that manage electronic medical record systems for hospitals and store encrypted data on servers or cloud servers. Although these servers are located in Canada, they are owned by the US companies Microsoft Azure, Amazon Web Services, and Google Cloud.

Europe has expressed similar concerns for their region. For example, the recent Clarifying Lawful Overseas Use of Data (CLOUD) Act in the US that potentially allows US law enforcement to access data held by US companies in other countries could be a threat.

To protect health data in Canada, the authors suggest a multipronged approach:

Ensure data security by requiring encryption by default
Include requirements in federal and provincial privacy laws to keep data in the originating location
Implement rules in Canadian privacy laws against disclosure of data to foreign jurisdictions
Invest in creating Canadian cloud servers to ensure data resides in Canada with Canadian providers

“Canada should consider mechanisms by which our data could be used safely, securely, and in a privacy-compliant manner by Canadian private-sector entities to support the development of domestic health AI algorithms,” the authors write.

“Implementing such measures will ensure that health care decisions are based on data representative of Canada’s population, and will support the growth of domestic companies, supporting a better health system and growing tax base.”