Security, Privacy and Risk Management (SPRM) at CCIM

The Security, Privacy and Risk Management (SPRM) team at Community Care Information Management (CCIM) is positioned within the Solutions Group. The team works to protect the privacy of client information and the access to it. It ensures that security controls are integrated into all project solutions by providing Security Architecture Solutions and conducting Threat/Risk Assessments (TRAs) and Privacy Impact Assessments (PIA) to mitigate the risk to CCIM and its projects.

In Ontario, Personal Health Information (PHI) is collected by health care providers every time a client uses the health care system. PHI is used to identify the person and to provide care providers with information about personal and family health history and about previous visits to physicians.

Ontario introduced the Personal Health Information Protection Act, 2004 (PHIPA) to protect a client’s right to privacy and their personal data against unauthorized disclosure and use. CCIM’s clients are custodians of PHI and must abide by PHIPA.

SPRM ensures that security and privacy standards are embedded in all projects and intellectual property to protect PHI and Personal Information (PI). The team also builds safeguards to protect the personal and confidential information of contractors and business partners.

The team ensures that safeguards and controls only allow authorized users to access client information. This guarantees that PHI and/or PI are private and accessible only by those who have permission to view it for the purpose of providing approved services.

Privacy and Information Security Protection

This is a core requirement for any CCIM project or initiative. CCIM has implemented an Information Security and Privacy Policy Framework and governance structure to ensure compliance with applicable laws and regulations.

The framework is influenced by standards, including the ISO 2700 series of standards for information security (http://www.27000.org) and the Canadian privacy principles, (“fair information principles”), as contained in the Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA).

The Information Security and Privacy Management Program (ISPMP)

To adhere to the Information Security and Privacy Policy framework and to meet CCIM privacy and security objectives, SPRM developed and implemented the Information Security and Privacy Management Program (ISPMP).

The ISPMP provides:

Security and privacy advisory services to projects
Assurance of compliance with applicable laws and regulations
Development and maintenance of information security and privacy policies, processes and procedures
Design and development of security architecture
Threat/Risk Assessments (TRA) and Privacy Impact Assessments (PIA)
Vulnerability Assessments (VA) and audits
Incident management
Security and privacy awareness for CCIM members and clients.