The Health Law Group is pleased to welcome back Ira Parghi, who returns to BLG as counsel after significant roles as the first-ever corporate privacy officer for the largest non-profit hospital system in the United States, and counsel in a global law firm based in San Francisco, California.
Ira brings vast international experience advising on privacy and cybersecurity matters in the health-care industry. She has advised clients on all aspects and stages of information privacy and cybersecurity incidents — from incident prevention to breach analysis, risk containment, incident reporting, and regulatory investigations. In addition to advising health-care clients, Ira provides counsel to public and private entities across diverse industry sectors, including medical technology companies, pharmaceutical firms, universities, start-ups, and non-profits.
We asked Ira a few questions about her practice and international experience and are pleased to share her responses with you this month. If you would like to speak to Ira about any issues your organization is currently facing, she is available to assist at IParghi@blg.com or 416.367.6458.
1. What drew you toward a specialty in privacy and cybersecurity?
Partly sheer luck—privacy was becoming a growing issue right when I was an associate lawyer looking for something interesting to develop an expertise in. From the beginning, I was interested in the way it affects people's lives: patients and consumers, all types of institutions and businesses, researchers, everybody. It involves science, technology, patient and customer care, and ethics. It requires real-time decision-making about complicated issues that the laws sometimes have not kept up-to-date on. I also appreciate that this work calls on you to be practical and operations-friendly: to understand how your client's business works, how its leaders make decisions, what is and isn't going to work on the ground. Off-the-shelf advice isn't really very helpful to clients. And, on top of it all, the issues are always changing so you don't ever feel like you are standing still.
2. What do you think is the most significant privacy/cybersecurity issue affecting Canadian hospitals in 2019?
It's hard to pick one. I think one of the most significant issues is cybersecurity generally. Initially, a lot of the focus was on the privacy side of the equation, and that's where clients devoted their time and energy. Now, clients and regulators are turning more to the cybersecurity piece. And it can seem daunting. A lot of the guidance out there is a bit blunt: it will list 45 cybersecurity measures that hospitals should implement immediately, but it won't give a sense of the relative costs and benefits of those measures, or how to select from among them. It's challenging for hospitals to prioritize among those objectives, and it's even harder for them to try to execute, especially when they have limited time and resources. Unfortunately, the health-care sector is perceived as a relatively easy target for cyber crime, compared to other industries that have had the capacity to focus on (and fund) cybersecurity efforts for years, like the finance sector. And thanks to the widespread uptake of electronic health records and the growth of hospital IT networks, the information "payoff" of a cybercrime can be very large. So hospitals are in a tough situation: they know that the issue is important, the stakes are high, and the regulators are increasingly attentive, but they have limited information, time, and money to devote to it.
[Please see some of Ira's practical suggestions for institutions facing cybersecurity challenges in her article "Preventing and Managing Cyber Breaches: Where to Begin?", also featured in this month's Health Law Monitor.]
3. What has been the most important change in the privacy space since you began your career?
I think it's the push towards big data. It really is a game-changer. There is an interest in pooling patient care data into larger and larger data sets, for all kinds of reasons. There's an interest in pooling medical research data into larger and larger data sets. Predictably, there is also an interest in pooling those kinds of data with other kinds of data altogether. It all ties into the push towards machine learning and predictive analytics and artificial intelligence. To some degree, privacy law can address these issues: the ideas of transparency and consent, and understanding clearly what data is being collected and why, all figure prominently in the law, and they are essential in the age of big data. But at the same time, privacy law was formulated in an era in which we never would have contemplated the volumes of data being gathered today, or the uses being made of them. This issue is going to keep exploding in the next few years.
4. You recently practiced in the United States; what would you say is the most notable difference between the privacy environment there and in Canada? What about the greatest similarity?
To begin, information privacy in the U.S. is more heavily, and more aggressively, regulated. In general, regulators do not strike the type of constructive tone that they often try to strike here in Canada. And their mindset is often, "Once I have the hood of the car open, I'm going to look at everything under the hood." The other thing I've noticed is that many of the U.S. regulators at both the federal and state level are trying to "fill" what they perceive as regulatory gaps by legislating in arenas in which they think no one else has. For instance, a state attorney general has issued enforcement decisions against app developers, relying on consumer protection legislation, because they think the other regulators have failed to step in. It's very interesting to watch.
At the same time, the similarities are clear to me. Most of the privacy laws, here and in the U.S., regulate the same core activities: collection, use, access, disclosure and disposal. And they articulate many of the same principles: transparency, consent, permitted and mandatory uses and disclosures in the absence of consent. So a lot of the ideas apply equally on both sides of the border.
5. And just for fun: what is your favourite book you've read in the past year?
Great question. I just reread Barney's Version by Mordecai Richler and, before that, Bossypants by Tina Fey. Both are brilliant, and brilliantly funny. On a more serious note, I also read The Immortal Life of Henrietta Lacks by Rebecca Skloot, which is a terrific non-fiction book about privacy and consent and the use of health information.