Provincial health officials did not do enough to protect British Columbians’ personal health information from misuse and hacking despite knowing about the vulnerabilities for years, a new investigation by the Office of the Information and Privacy Commissioner has found.
A 2019 internal risk assessment found that the province’s Public Health Information System, managed by the Provincial Health Services Authority, lacked key safeguards such as two-factor authentication to prevent external breaches and potential abuse by more than 4,000 authorized users.
But little action has been taken to close the gaps that put sensitive health information at risk, including diagnoses of communicable diseases, vaccinations, pregnancy care, sexually transmitted infections and substance use, says Commissioner Michael McEvoy.
“We’ve gone from a paper-based file system where, in the past, when violations happened and they were serious, they were often a folder of files in a drawer in a doctor’s office,” McEvoy said in an interview.
“And now all of that data is in massive amounts in one place. It creates a kind of honeypot for people who are infringers and bad actors who want to access it for identity theft or extortion.”
If released, this highly personal information could damage relationships, threaten someone’s job or housing and lead to embarrassment or loss of reputation because of the stigma attached to very sensitive health issues, McEvoy said, and some people fleeing abuse or domestic violence may also be at risk if their abuser has access to their address.
But PHSA’s data security measures are inadequate and only reactive, according to the 20-page report, titled Left Untreated, which was published Thursday.
These include some of the most basic precautions used elsewhere. Two-factor authentication has become standard for many online banking and social media platforms, but is not mandatory for everyone with access to the PHSA database.
In addition, there were no ongoing auditing practices to look for signs of suspicious activity until the investigation began, and the authority had no guiding data security strategy.
Such auditing could take the form of software that alerts when someone’s name is searched multiple times within a short period, McEvoy said, or when a staff member searches for people who share their last name or live on the same block, a pattern that suggests they are looking up family members, current or former partners, or neighbours.
“Given the sensitivity of the data in question and the number of people who have access to the system, I think it’s surprising that this isn’t in place now,” McEvoy said.
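The audit-alerting patterns McEvoy describes above can be run directly over an access log. The following Python is an added example and is not code from the report, the OIPC or PHSA; the log format, the staff directory, the thresholds and the sample records are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed staff directory (hypothetical): user id -> (surname, home block).
STAFF = {
    "u100": ("Nguyen", "1200 Main St"),
    "u200": ("Smith", "4500 Oak Ave"),
}

# Constructed audit log lines: "timestamp|user|subject name|subject block".
AUDIT_LOG = """\
2022-12-01T09:00:00|u100|Ann Lee|800 Elm St
2022-12-01T09:02:00|u200|Ann Lee|800 Elm St
2022-12-01T09:05:00|u100|Ann Lee|800 Elm St
2022-12-01T10:00:00|u100|Bao Nguyen|300 Pine St
2022-12-01T11:00:00|u200|Eva Garcia|4500 Oak Ave
2022-12-01T12:00:00|u200|Cal Brown|900 Birch St
"""


def parse_log(text):
    """Parse the pipe-separated log into (timestamp, user, subject, block) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, subject, block = line.split("|")
        events.append((datetime.fromisoformat(ts), user, subject, block))
    return events


def detect(events, staff, max_lookups=3, window=timedelta(minutes=10)):
    """Return (rule, user, subject) alerts for the three misuse patterns."""
    alerts = []
    recent_by_subject = defaultdict(list)  # subject -> lookup times inside the window
    for ts, user, subject, block in sorted(events):
        if user not in staff:  # lookups by an unknown account are themselves suspicious
            alerts.append(("unknown_user", user, subject))
            continue
        surname, home_block = staff[user]
        if subject.split()[-1] == surname:  # staff member searching their own surname
            alerts.append(("same_surname", user, subject))
        if block == home_block:  # subject lives on the staff member's own block
            alerts.append(("same_block", user, subject))
        # Sliding window: keep only lookups of this subject within the last `window`.
        recent = [t for t in recent_by_subject[subject] if ts - t <= window] + [ts]
        recent_by_subject[subject] = recent
        if len(recent) >= max_lookups:  # same person looked up repeatedly in a short span
            alerts.append(("repeated_lookup", user, subject))
    return alerts
```

Running `detect(parse_log(AUDIT_LOG), STAFF)` on the constructed log yields one alert per rule; in practice the thresholds would be tuned against legitimate clinical workflows before alerts are acted on.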
Sensitive data also remains unencrypted inside the system, readable by anyone who gains access, he explained. Other kinds of stored data, such as a credit card saved on a website for future payments, are usually encrypted at rest.
“It’s like walking into a house, the door is obviously locked. But if you can get through the door and into the house, basically everything is there for the taking,” McEvoy said.
Just like locking jewelry in a safe, encrypting your most sensitive information stores is a best practice.
The investigation, which included interviews with PHSA staff and reviews of key documents, found there were also many shared computers with desktop access to the database.
And until the investigation began, the authority did not conduct regular testing to see whether hired white-hat hackers could gain access to the system, and how quickly staff would notice and respond if one did. The same kind of exercise can test how quickly staff would detect a colleague using their access privileges inappropriately.
McEvoy’s office issued seven recommendations for protecting sensitive personal information, including implementing software to monitor suspicious activity, developing a comprehensive data security strategy, encrypting sensitive data and conducting penetration testing at least annually.
He said Vancouver Island health authorities have taken a more proactive approach that has helped prevent attacks and that other authorities can learn from it.
In a statement Thursday, PHSA President and CEO David Burns did not commit to implementing all seven recommendations and said the body would carefully review the findings.
“PHSA takes privacy very seriously, and on behalf of patients, clients and families in British Columbia, we are constantly taking steps to ensure that people’s sensitive and personal information is secure and protected,” the statement read.
The authority has already updated the outdated software identified in the 2022 review, he said, and is looking at its auditing and capacity systems.
“They’re going to have to do more than just look at it,” McEvoy said, noting that PHSA has been very cooperative throughout the process.
Canada’s health systems have faced cyberattacks and hacking in recent years, including a massive leak of about 5.5 million files containing personal health information in Saskatchewan, caused by a phishing link opened by a single employee.
But it’s hard to know how widespread it is in British Columbia, McEvoy said, because health authorities are not currently required to report potential and confirmed violations to the OIPC or to affected individuals.
That will change on February 1, 2023, when amendments to British Columbia’s privacy legislation come into effect and require public bodies to report breaches.
“I think through these reporting mechanisms and proper auditing systems we will get a better handle on the extent of the problem,” McEvoy said.
Like other organizations, the healthcare sector is still working to catch up with decades of rapidly changing technology as it grapples with the pandemic and staffing pressures, he noted.
“This is a fundamentally important database for public health delivery in the province,” McEvoy said. “And that’s why the stakes are so high and why there have to be protections that are up to the task for this kind of sensitive information.”