Tuesday, December 20, 2022

BC's Privacy Commissioner raises a number of concerns over protection of Health Data

A 20 page report released last week by the Office of Information Protection in BC has raised a number of concerns and delivered seven recommendations for the Province's Health Care Data System.

In the report, which was released on December 15th by the Oipc, Michael McEvoy, the Information and Privacy Commissioner for the province outlines a number of areas where security features are lacking and the risk of abuse is possible if medical records are accessed by the wrong people.

The System is indispensable when it is used for its intended purposes, which are the delivery of healthcare and managing threats like communicable disease outbreaks. However, the System is subject to abuse if wrongly accessed by any bad actor, ranging from cyber criminals to a jilted lover looking for information about an ex to someone simply curious about their neighbour. 

Given its high level of sensitivity and the risk of its unauthorized access, one would expect the highest degree of privacy and security would be in place to protect our personal information from such intrusions. 

But as we learned during our investigation, this is not so. There are many areas where the System is vulnerable. Its “entry gate” is weak. Very disturbingly, there exists no proactive audit program that would alert authorities to those who try to use the System for nefarious purposes. Neither a malicious attack nor an authorized employee abusing their credentials is likely to be caught in the act. 

It is troubling that the Provincial Health Services Authority (the PHSA), charged with responsibility for managing the System, has known about these risks since at least 2019, and has made little progress to address them.

The Commissioner's Message  as a prelude to the Report, provides for some background on the importance of the health data system and the need to improve on safeguards for it.

click to enlarge

The Executive summary of the document  outlines how the study of the Health Data system was taken on, as well as to some of the troubling areas that stood out for investigators. 

To conduct the investigation, the OIPC reviewed documents related to the technological controls PHSA has in place to protect personal information, and interviewed PHSA staff to determine whether the PHSA is properly protecting the personal information in the System Database. 

This report finds that given the volume and sensitivity of personal information in the System, those protections fall far short of what is necessary to protect the public. 

The investigation revealed that the PHSA’s audit procedure for detecting malicious attacks and inappropriate use of the System is reactive only, generating reports for manual review after events occur. Investigators found the PHSA has no comprehensive security architecture documentation that would effectively guide its mitigation of security and privacy risks. 

While the PHSA undertook a major system upgrade to address outdated and unsupported software during the investigation, the OIPC learned the PHSA does not conduct regular penetration testing on the System that would disclose security vulnerabilities. Investigators discovered that the PHSA does not check to see that all desktop environments that are required to protect themselves from attack actually do so, leaving the entire System vulnerable. 

Every British Columbian should be troubled by these findings, because it means personal information in the System is vulnerable to misuse and attack.

The Report which is titled Left Untreated: Security Gaps in BC's Public Health database, has Four sections focused  on Background, Legislation, Overview of the system and Findings, as well as the Conclusion/Recommendations.

Those recommendations from the Privacy Commissioner can be reviewed below:

click to enlarge

More notes on Health care in the Northwest can be explored here.

Further items of interest from the provincial capital are available through our Legislature Archives.

No comments:

Post a Comment