In Ontario, three hospitals in the north-east region, North Bay Regional Health Centre (NBRHC), Sault Area Hospital (SAH), and West Parry Sound Health Centre (WPSHC), are using a health information system (HIS) based on MEDITECH Expanse, to make personal health information (PHI) including patient records that reside in the HIS system available to health providers in the participating hospitals. Under Ontario’s healthcare privacy law and other applicable policies, these hospitals are referred to as Health Information Custodians (HICs) and, as such, are responsible for ensuring PHI is held securely and confidentially in the HIS. Secure network connections between the HICs and IBM are provided by eHealth Ontario under an agreement directly between eHealth Ontario and the HICs. For information about the HIS and the safeguards implemented by the HICs in relation to the security and confidentiality of the PHI (including to protect against unauthorized use and disclosure, and to protect the integrity of the PHI) collected by and/or in the custody and control of each HIC, including safeguards in the HIS and network connections, refer to: http://www.nelhin.on.ca/digitalhealth/one.aspx.

MEDITECH Expanse is an electronic health record (EHR) system that provides clinical charting for health care professionals. Health care providers can view patient vitals, lab results, medication information, health history, patient notes and diagnostic imaging from this secure system. End-user support and licensing for MEDITECH Expanse is provided by MEDITECH to the HICs under an agreement directly between MEDITECH and the HICs. For more information on the MEDITECH system, refer to https://ehr.meditech.com.

IBM’s role is to provide Infrastructure-as-a-Service (IaaS) to the HICs. IBM implements and provides managed services for the IT infrastructure on which the HICs run the MEDITECH Expanse system. This includes hosting the MEDITECH workloads at the IBM Cloud data centres in Toronto and Montreal and delivering ongoing related services to connect, load balance, support and secure the computing and storage infrastructure. The infrastructure is scalable depending on the processing and storage needs of the HICs.

The scope of IBM’s services and required safeguards are defined in an agreement between IBM and the HICs. Under its agreement, IBM is responsible to provide safeguards with respect to the IBM Cloud infrastructure that help protect against unauthorized use and disclosure, and to protect the integrity of PHI in the HIS.

Physical Safeguards

  • The IBM Cloud data centres have 24x7 on-site security with access limited to certified employees and rigorous security controls that are vetted by third party auditors.
  • Physical and environmental controls defend the data centres against risks from power loss, flooding and fire.  
  • To protect against theft, IBM maintains physical entry controls (limited by job role and subject to authorized approval), card-controlled entry points, and surveillance cameras at its Cloud data centres. Auxiliary entry points into the data centers, such as delivery areas and loading docks, are controlled and isolated from computing resources.

Technical Safeguards

  • Methods to secure the IBM Cloud network include firewalls, intrusion detection and prevention devices, as well as anti-virus and anti-malware tools. 
  • Access to the IBM Cloud infrastructure is carefully defined, controlled, logged, and managed to prevent unauthorized entry.

Administrative Safeguards

  • IBM personnel are trained on the IBM practices and policies related to the security and privacy of client information.
  • IBM’s security measures are regularly reviewed for adherence to industry standards and applicable privacy regulations. 

In addition, the IBM directives, guidelines and policies at the following links apply to the services provided by IBM to the HICs: