Provincial health officials haven’t done enough to protect British Columbians’ personal health information from abuse and  hacking despite knowing about vulnerabilities for years, a new investigation from the Office of the Information and Privacy Commissioner has found.

A 2019 internal risk  assessment found the Provincial Public Health Information System, run by  the Provincial Health Services Authority, lacked key safeguards like  two-factor authentication to prevent outside breaches and potential  abuse by more than 4,000 authorized users.

But little action was taken to address the  gaps that leave sensitive health information, including communicable  disease diagnoses, vaccinations, pregnancy care, sexually transmitted  infections and substance use, at risk, says commissioner Michael McEvoy.

“We’ve gone from a paper records-based  system where, when breaches happened in the past, and they were serious,  they would often be a file folder in a drawer in a doctor’s office,”  said McEvoy in an interview. 

“And now all of this data  resides in massive amounts in one place. It creates kind of a honeypot  for the people who are wrongdoers and are bad actors who want to get  access to it for identity theft or blackmail.”

If released, this very  personal information can harm relationships, threaten someone’s  employment or housing, and lead to embarrassment or loss of reputation  due to the stigma associated with many sensitive health issues, McEvoy  said, and some people fleeing abuse or domestic violence may also be at  risk if their abuser were able to access their address.

But the PHSA’s data security measures fall short of what is needed and are only reactive, found the 20-page report, called “Left Untreated: Security Gaps in B.C.’s Public Health Database,” released Thursday.

These include some of the most basic  safeguards employed elsewhere. Two-factor identification has become  standard for many online banking and social media platforms, but is not  required for everyone with access to the PHSA database.

There were also no ongoing auditing  practices to look for signs of suspicious activity until the  investigation began, and the authority had no guiding data security  strategy. 

That can look like a software that flags if  someone’s name is searched repeatedly within a small amount of time,  McEvoy said, or if a staff member is looking up people with the same  last name or someone on the same block as them to find information on  family, a current or past partner or neighbours.

“Given the sensitivity of the data at issue  and the number of people accessing the system, I think we found it  surprising that that wasn’t in place now,” said McEvoy.

Sensitive data is also left unencrypted  inside the system for anyone who gains access to peruse, he explained.  In other stored data, like when a credit card is saved on a website for  future payment, that information is usually encrypted.

“It’s like gaining entry into a house, the  door is obviously locked. But if you manage to get through the door and  enter the house, everything is there for the taking, basically,” said  McEvoy.

Just like locking jewelry in a safe, encrypting the most sensitive information stores is best practice.

The investigation, which included  interviews with PHSA staff and reviews of key documents, found there are  also many shared computers with access to the database straight from  their desktop. 

And the authority did not conduct regular  testing to see if hired “white hat” hackers can gain access to the  system and how quickly staff would notice and react if one did until the  investigation was underway. The same can be done for a staff member  using their privileges inappropriately.

McEvoy’s office issued seven  recommendations to protect sensitive personal information, ranging from  implementing software to monitor for suspicious activity, to developing  an overarching data security strategy to encryption and annual  penetration testing at minimum.

He said Vancouver Island  Health authority has a more proactive approach that has helped prevent  attacks, and that other authorities could learn from it.

In a Thursday statement,  PHSA president and CEO David Byrnes did not commit to implementing all  seven recommendations and said the authority would carefully review the  findings.

“PHSA takes privacy very seriously and on  behalf of patients, clients and families throughout British Columbia, we  are continually taking steps to ensure that people’s sensitive and  private information is secure and protected,” read the statement.

The authority has already updated outdated  software in a 2022 review, he said, and is looking at its auditing  system and capacity.

“They will need to do more than look at it,” said McEvoy, noting PHSA had been very collaborative during the process.

Health systems across Canada have faced cyberattacks and hacking in recent years, including a massive leak  of around 5.5 million files containing personal health information in  Saskatchewan caused by a phishing link opened by a single employee.

But it is difficult to know how prevalent  it is in B.C., McEvoy said, because health authorities aren’t currently  required to report potential and confirmed breaches to the OIPC or to  individuals affected.

That will change on Feb. 1, 2023 when  amendments to B.C.’s privacy legislation take effect and require public  bodies to report breaches.

“I think through those reporting mechanisms  and proper auditing systems, we will get more of a handle on the extent  to the problem,” said McEvoy.

Like other organizations, the health-care  sector is still working to catch up with decades of quickly changing  technology as it contends with pandemic and staffing pressures as well,  he noted.

“It’s a fundamentally important database  for the delivery of public health care in the province,” said McEvoy.  “And that’s why the stakes are so high and why protections need to be in  place that are up to the task of this kind of sensitive information.”

By Moira Wyton, Local Journalism Initiative Reporter

Original Published on Dec 19, 2022 at 00:44

This item reprinted with permission from   The Tyee   Vancouver, British Columbia

Comments are Welcome - Leave a reply below - Posts are moderated