OTNhub to the Cloud PIA Summary

Date of PIA Report: February 12, 2020 (PIA reflective of information received up until this date) 

Date PIA Summary Last Reviewed and Updated: May 9, 2025

The following is a summary of the above-referenced privacy impact assessment (PIA), including a brief background on the OTNhub to the Cloud project, key findings, risk and recommendations as applicable, target dates for completion.  The PIA for the OTNhub to the Cloud migration was originally conducted by an external consultant in February 2020. In October 2020, the PIA was updated to reflect the transfer of the Ontario Telemedicine Network (OTN) to Ontario Health. No additional risks were identified in relation to the transfer. See our Privacy Contact page to find information on how to contact the Ontario Health Privacy Office should you have any questions.

Background

Ontario Health manages one of the busiest and most comprehensive virtual visit programs in the world. Using advanced information and communication technologies, Ontario Health supports the delivery of clinical care, professional education and health-related administrative services across Ontario. Ontario Health’s services include real-time video-based clinical and educational consulting, and asynchronous store/forward programs. 

Ontario Health brings virtual care innovation to the health care system so that the people of Ontario can get the care they need when and where they need it most: at home, in their community, or in hospital. For more than a decade, Ontario Health has increased access to health care and education across the province with one of the world’s most extensive virtual visit networks. Working with its many partners and leveraging its unique knowledge of health care and digital technology, Ontario Health addresses challenges by introducing and spreading new ways of delivering care that benefit patients, care providers and the health care system. 

The OTNhub is the foundation on which many Ontario Health virtual care services are built. The OTNhub provides a private and secure community that uses virtual care solutions to communicate with and care for patients and connect with peers and specialists. OTNhub users log in to the OTNhub to gain access to the specific Ontario Health services they have subscribed to, including eConsult, Secure Messaging, eVisit and the Directory. Currently the OTNhub infrastructure is hosted on premises, but the infrastructure is aging, resulting in unexpected long outages. Also, deployments require long overnight sessions, adding to the downtime issue and resulting in less frequent product releases than desired. Ontario Health has decided to move the on-premises OTNhub infrastructure to Canadian data centres hosted by Amazon Web Services (AWS). 

In addition, the video conferencing infrastructure, which previously used Vidyo technology, has recently been changed to Pexip technology. The eVisit videoconferencing infrastructure is used by videoconferencing hardware in client meeting rooms and is also used to host personal videoconferencing sessions using personal devices such as laptops and mobile devices. The control servers used by Ontario Health video conferencing services will remain on Ontario Health premises, but the Pexip servers used in hosting the actual video-conferencing streams, together with the scheduling applications Telemedicine Service Manager (TSM) and Ncompass, will be hosted in AWS. 

This PIA has identified six (6) risks and/or areas for privacy enhancement: three (3) high and three (3) medium risks. Any findings, observations and recommendations in this report are based on a review of project documentation at the time of the assessment.

Key Findings

The privacy analysis of the initiative identified six risks. Ontario Health’s PIA policy recommends that all high and medium risks be mitigated to an acceptable level prior to a project going live. As such, the following recommendations should be implemented prior to or in concert with this project’s launch. The recommendations should reduce the risk ratings from high to medium and from medium to low. The identified low risks should be mitigated within a reasonable time as determined by the Privacy Team. 

Risk rating definitions used to assess the risk of each identified gap are available upon demand. 

Risks and Recommendations

The PIA makes the following risks and recommendations:

Risk 1: The detailed architecture of either the Amazon Web Services (AWS)-hosted Ontario Health’s architecture or of interfaces to Ontario Health or other systems is not known and may not have been fully developed as of this assessment. While AWS does provide many security controls and additional controls, without detailed knowledge of the architecture nor how AWS resources have been configured and will be maintained, it is possible that unknown security vulnerabilities may exist in the migrated infrastructure that could provide unauthorized access to Ontario Health data. 

Risk Level: High

Recommendations: Once the post-migration AWS architecture has been finalized (and before going live), complete a comprehensive Threat and Risk Assessment (TRA). 

Status: Completed

Risk 2: Existing log consolidation and monitoring procedures do not include handling of AWS-generated logs. It is not known exactly what AWS logs will be generated nor what level of detail will be in them. It also is not known how Ontario Health staff will monitor existing and new AWS logs – i.e., whether they will utilize AWS provided log monitoring capabilities or add the new AWS logs to existing log consolidation and monitoring infrastructure. If Ontario Health monitoring infrastructure and procedures do not properly collect and monitor audit logs, it is possible that a 

Security incidents will go undetected for a period, thereby increasing the magnitude of the impact of such breaches. 

Risk Level: High

Recommendations: Once the post-migration AWS architecture has been finalized (and before going live), complete a comprehensive Threat and Risk Assessment. 

Status: Completed

Risk 3: The migration is being done over four phases, meaning many changes between phases such as new components, changes to sessions between components, etc. These changes between phases may have unknown vulnerabilities that could expose PHI.

Risk Level: High

Recommendations: Ensure that all changes related to each migration phase have a Threat and Risk Assessment prior to that phase going live. Whether such assessments were included with the previously recommended TRA or performed as delta assessments prior to each phase would depend on the level of detail known about all migration phases at the time of the initial assessment, and other factors relevant to Ontario Health. 

Status: Completed

Risk 4: The OTNhub User Agreement, June 2018 does not explicitly acknowledge that Ontario Health’s client’s data including PHI may be subject to services provided by Ontario Health’s third-party service providers. Without acknowledging Ontario Health’s use of third-party service providers, there is a lack of transparency and openness and a risk of future complaints regarding Ontario Health’s use of third-party service providers. OTNhub’s Terms of Service for Member Organizations, June 2018, acknowledges the use of third-party service providers but does not acknowledge the fact that the third-party service provider may be located in a foreign jurisdiction. Without acknowledgement, there is a lack of transparency and openness and a risk of future complaints regarding Ontario Health’s use of third-party service providers. 

Risk Level: Medium

Recommendations: As a matter of best practice and to be transparent with Ontario Health clients, Ontario Health should amend the OTNhub User Agreement, June 2018 and make it clear that the user’s data including PHI may be processed and stored by a third-party service provider that is subject to laws in a foreign jurisdiction on behalf of Ontario Health. In doing so, Ontario Health should consider including language pertaining to AWS’ commitment to privacy and security protection (i.e. compliance with ISO standards) and any additional mitigating factors. 

To be completely transparent and mitigate potential complaints, Ontario Health should amend OTNhub’s Terms of Service for Member Organizations, June 2018 to include language around the use of a third-party service provider that is subject to laws in a foreign jurisdiction. 

As an additional consideration, the Privacy Notice on the Protection of Personal Information should also be updated to make it clear that data including PHI may be processed and stored by AWS, a third-party service provider that is subject to foreign jurisdiction. 

Status: Completed

Risk 5: Ontario Health is using the AWS managed Key Management Service (KMS) to handle its encryption keys. There is a potential risk that AWS administrators, through a deliberate abuse of privilege, could circumvent the mitigating controls AWS has in place to control access to Ontario Health master keys and decrypt Ontario Health data stored in AWS databases. The degree of vulnerability cannot be determined in a PIA, as this requires a detailed technical evaluation, and Ontario Health needs to determine its risk tolerance for detailed PHI that will be stored at AWS. 

Risk Level: Medium

Recommendations: Ontario Health should ensure that the previously recommended TRA include a technical evaluation of the two key management services AWS offers - KMS (AWS managed) vs. CloudHSM (Ontario Health - managed). The assessment should rate the relative risks associated with AWS access vs. Ontario Health key management and recommend actions Ontario Health can take to best safeguard Ontario Health data stored at AWS. 

Status: Completed

Risk 6: While Ontario Health has amended the Enterprise Agreement with AWS such that the agreement is governed by the laws of Ontario, AWS as a corporation is still subject to US laws and jurisdiction and may receive requests for data from various sources including law enforcement in the United States (U.S.).

Risk Level: Medium

Recommendations: Ontario Health should develop a documented procedure to address the possible scenario where a request for Ontario Health-hosted data has been received by AWS. The procedure should consider options that are available to Ontario Health in order to prevent AWS from disclosing Ontario Health data and key stakeholders involved including their roles and responsibilities. 

Ontario Health should ensure that this issue be included in the risk assessment recommended by Risk #5. 

If Ontario Health should decide to implement Ontario Health-managed encryption keys, this would make it difficult for AWS to comply with such US subpoenas and warrants. 

Ontario Health should develop internal guidelines regarding Ontario Health use of new AWS resources, including reviewing all new AWS resources utilized to ensure that Ontario Health data remains under Ontario Health control in Canada. 

Status: Completed