Stored in Canada, owned in the U.S.: Sovereignty concerns grow over health data

A new report urges measures to protect Canadian health data. (Credit: Pexels)

Canada’s population-based health data is a valuable national asset, not just for improving care, but also for advancing the global health AI race. But experts are sounding the alarm that this data may be at risk from foreign surveillance, monetization and a lack of adequate domestic protections.

A new report, published in the Canadian Medical Association Journal, outlines both the opportunities and vulnerabilities tied to Canada’s health information. The report urges immediate and multipronged action to protect the data’s security and sovereignty.

“The good news is our health data is valuable,” said Dr. Kumanan Wilson, University of Ottawa professor and both the CEO and chief scientific officer of the Bruyère Health Research Institute, in an interview with CTVNews.ca.

Wilson says Canada’s health data also has monetary value because we are in the age of artificial intelligence and Canada has a lot of what AI needs.

“We have population-based data because we have a public health system,” he said. “The U.S. doesn’t have that. Our data is more valuable than their data.”

This, Wilson says, creates a significant economic opportunity for Canada to lead in health AI, but only if the country can ensure the data stays secure and is used appropriately.

“I would rather have a situation where Canadian companies are building AI algorithms based on our data (rather) than U.S. companies, and that Canada can benefit from it,” he said.

‘Backdoor access’

At the centre of the concern is where and how health data is stored. Electronic medical records from hospitals and clinics are often stored on cloud servers and their management is dominated by three U.S. providers: Epic, Cerner, and MEDITECH.

While many of these servers are physically located in Canada, they are typically owned and operated by U.S. tech giants, such as Amazon Web Services, Google Cloud and Microsoft Azure.

This setup, experts warn, creates a backdoor for U.S. authorities to demand access.

“Just because it’s on Canadian soil doesn’t necessarily provide the protection, because it is still held by a U.S. company,” said Wilson.

The risk isn’t theoretical. Following the 2001 Patriot Act and the 2018 Clarifying Lawful Overseas Use of Data Act (CLOUD Act), U.S. law enforcement agencies can legally compel American companies to hand over data, even if it’s stored in another country.

“The U.S. government could still mandate transfer because these are U.S. companies and they will be required to do what the U.S. government asked them to do,” Wilson said.

“We know that this administration can cause companies to do what it wants through offering contracts or access to government contracts and government money.”

In an email to CTVNews.ca, Epic said most Canadian customers have their own database and control over it. The company said it is not subject to the U.S. CLOUD Act, as it “does not meet the definitions for the type of companies to which it applies.”

Epic added that the health data of its Canadian customers is stored in Canada, and that “most customers manage the servers and encryption keys for their data.”

For clients who use Epic to host their systems, the company said the data still resides in Canada, with Epic managing the servers and keys.

When asked about potential Canadian data localization laws, the company responded that Epic staff have “years of extensive training and deep expertise” and warned that having another company manage its software could “significantly increase the risk of data corruption, cyber security breaches, and patient safety errors.”

‘Canada could lead the world in health AI’

To counter these risks, the report recommends a combination of technological and legislative fixes:

  • Encryption by design to make any intercepted data unreadable without a secure decryption key
  • A blocking statute to prevent companies from complying with foreign data requests
  • Data localization laws to ensure health data remains within Canada
  • Investment in sovereign Canadian cloud infrastructure

“If you’re a vendor that wants to operate within Canada, you’re going to have to adhere to some rules,” said cybersecurity expert Ritesh Kotak in a video interview with CTVNews.ca. “Those rules could be the fact that there’s data localization requirements, meaning health data, which is highly sensitive, must reside within a particular geographical boundary.”

Kotak also emphasized the importance of encrypting data so that even if it ends up in foreign hands, it cannot be read.

“The easiest way to think about this is when you go on a website and you put in a password … if a hacker was to get the data, they wouldn’t get the plain text of what you’re putting in, they would get mumbo jumbo,” he said.

When it comes to security controls, sovereign data storage infrastructure is a key component.

“We need to move in the direction of sovereign Canadian data servers controlled by Canadian companies,” Wilson said. “Though the U.S. companies are dominant in the market because they are good at what they do… we have to make sure we can match that.”

Still, both Wilson and Kotak agree that digitized systems are crucial for modern care.

“We cannot go back to pen and paper,” Kotak said. “We got to leverage the advancements in technology that are occurring … but we have to think these things through before just hitting ‘I agree’ and allowing any vendor to come in and introduce a piece of software that may possess additional risks.”

Wilson echoed the sentiment, framing the issue not just as one of risk, but of missed opportunity.

“Canada could lead the world in health AI because of our public health system and our population health data,” he said. “What I would hate to see is the country that is south of our border… use our own data to grow their economy and have a competitive advantage against us.”