British Columbians’ medical information is at an unnecessary risk of being accessed by unauthorized intruders, a new investigation from the Information and Privacy Commissioner has found.
Commissioner Michael McEvoy said the Provincial Health Services Authority (PHSA) is failing to protect residents’ records and has known about security and privacy vulnerabilities within its system since at least 2019.
Sexual, mental health records at risk
B.C.’s health records database, known as the Provincial Public Health Information System, is used to store people’s health information from their vaccination status to possible sexually-transmitted or infectious diseases, as well as their mental health and any history of pregnancies. If a patient ever discussed their use of alcohol or tobacco, education level or income, that information would also exist in the database.
It can also store even more specific details, such as if someone is a sex worker, what kinds of drugs a person uses and how they ingest them, where they work and what their contact information is.
Used correctly, McEvoy said the database is vital in coordinating care for people and responding to communicable disease outbreaks, such as with COVID-19.
“However, the system is subject to abuse if wrongly accessed by any bad actor, ranging from cyber criminals to a jilted lover looking for information about an ex to someone simply curious about their neighbour,” he said in his report released Thursday (Dec. 15).
“Our findings were concerning. Because there are no proactive processes in place to monitor for suspicious activity, a major breach of the database could occur today, and no one would know.”
The investigation identified a number of vulnerabilities that it says need to be addressed immediately.
PHSA not addressing risks proactively
Firstly, McEvoy found the information system lacks a proactive audit program that would alert authorities if someone tried to access private data for a nefarious purpose. As it stands now, PHSA only has a reactive system, in which they review breaches after they occur.
“Neither a malicious attack nor an authorized employee abusing their credentials is likely to be caught in the act,” McEvoy said.
McEvoy recommended PHSA starts using Security Information and Event Management technology. This, he said, could be configured to trigger alerts when suspicious activity occurs. For instance, an alert could go off if an employee tried to access information about someone living on their block or someone with the same last name as them. It could also be triggered by someone trying to export a large amount of data at once.
Beyond protecting patients, McEvoy said using the security technology could also protect PHSA from civil liability in the case of a data breach.
McEvoy found PHSA is also failing to test its system regularly for vulnerabilities. He said it should be continuously reviewing the computer code behind its system to check for errors or hacks, and hiring an outside expert to run penetration tests.
“If the hired expert manages to access the system, the security experts can study how they got in, how long they were able to stay in, and what they were able to see and do when they were inside.”
McEvoy said another problem exists in how the system encrypts patient information. He found the physical disks that information is stored on are encrypted, but the data on them is not.
The investigation further recommends that PHSA implement an universal requirement for multi-factor authentication to use the system, and that it ensure all desktops with access to the system are properly secured.
“Every British Columbian should be troubled by these findings, because it means personal information in the System is vulnerable to misuse and attack,” McEvoy said.
He acknowledged the recommendations he made would require a serious financial investment, but said he believes they are worth it.
PHSA says it will review report
In response, PHSA president and CEO David Byres said in a statement that they are committed to reviewing the report’s findings.
“PHSA takes privacy very seriously and on behalf of patients, clients and families throughout British Columbia, we are continually taking steps to ensure that people’s sensitive and private information is secure and protected.”
Byres added they regularly make security upgrades, that they’re working to enhance their auditing system, that they’re actively mitigates cybersecurity threats, and that past security assessments have indicated PHSA does sufficiently protect patient data.
The Provincial Public Health Information System was created in 2006, alongside a move by many provinces in response to a global outbreak of Severe Acute Respiratory Syndrome. The same system is also used in the Yukon.