Provincial health officials haven’t done enough to protect British Columbians’ personal health information from abuse and hacking despite knowing about vulnerabilities for years, a new investigation from the Office of the Information and Privacy Commissioner has found.
A 2019 internal risk assessment found the Provincial Public Health Information System, run by the Provincial Health Services Authority, lacked key safeguards like two-factor authentication to prevent outside breaches and potential abuse by more than 4,000 authorized users.
But little action was taken to address the gaps that leave sensitive health information, including communicable disease diagnoses, vaccinations, pregnancy care, sexually transmitted infections and substance use, at risk, says commissioner Michael McEvoy.
“We’ve gone from a paper records-based system where, when breaches happened in the past, and they were serious, they would often be a file folder in a drawer in a doctor’s office,” said McEvoy in an interview.
“And now all of this data resides in massive amounts in one place. It creates kind of a honeypot for the people who are wrongdoers and are bad actors who want to get access to it for identity theft or blackmail.”
If released, this very personal information can harm relationships, threaten someone’s employment or housing, and lead to embarrassment or loss of reputation due to the stigma associated with many sensitive health issues, McEvoy said, and some people fleeing abuse or domestic violence may also be at risk if their abuser were able to access their address.
But the PHSA’s data security measures fall short of what is needed and are only reactive, found the 20-page report, called “Left Untreated: Security Gaps in sa¹ú¼Ê´«Ã½’s Public Health Database,” released Thursday.
These include some of the most basic safeguards employed elsewhere. Two-factor identification has become standard for many online banking and social media platforms, but is not required for everyone with access to the PHSA database.
There were also no ongoing auditing practices to look for signs of suspicious activity until the investigation began, and the authority had no guiding data security strategy.
That can look like a software that flags if someone’s name is searched repeatedly within a small amount of time, McEvoy said, or if a staff member is looking up people with the same last name or someone on the same block as them to find information on family, a current or past partner or neighbours.
“Given the sensitivity of the data at issue and the number of people accessing the system, I think we found it surprising that that wasn’t in place now,” said McEvoy.
Sensitive data is also left unencrypted inside the system for anyone who gains access to peruse, he explained. In other stored data, like when a credit card is saved on a website for future payment, that information is usually encrypted.
“It’s like gaining entry into a house, the door is obviously locked. But if you manage to get through the door and enter the house, everything is there for the taking, basically,” said McEvoy.
Just like locking jewelry in a safe, encrypting the most sensitive information stores is best practice.
The investigation, which included interviews with PHSA staff and reviews of key documents, found there are also many shared computers with access to the database straight from their desktop.
And the authority did not conduct regular testing to see if hired “white hat” hackers can gain access to the system and how quickly staff would notice and react if one did until the investigation was underway. The same can be done for a staff member using their privileges inappropriately.
McEvoy’s office issued seven recommendations to protect sensitive personal information, ranging from implementing software to monitor for suspicious activity, to developing an overarching data security strategy to encryption and annual penetration testing at minimum.
He said Vancouver Island Health authority has a more proactive approach that has helped prevent attacks, and that other authorities could learn from it.
In a Thursday statement, PHSA president and CEO David Byrnes did not commit to implementing all seven recommendations and said the authority would carefully review the findings.
“PHSA takes privacy very seriously and on behalf of patients, clients and families throughout British Columbia, we are continually taking steps to ensure that people’s sensitive and private information is secure and protected,” read the statement.
The authority has already updated outdated software in a 2022 review, he said, and is looking at its auditing system and capacity.
“They will need to do more than look at it,” said McEvoy, noting PHSA had been very collaborative during the process.
Health systems across sa¹ú¼Ê´«Ã½ have faced cyberattacks and hacking in recent years, including a massive leak of around 5.5 million files containing personal health information in Saskatchewan caused by a phishing link opened by a single employee.
But it is difficult to know how prevalent it is in sa¹ú¼Ê´«Ã½, McEvoy said, because health authorities aren’t currently required to report potential and confirmed breaches to the OIPC or to individuals affected.
That will change on Feb. 1, 2023 when amendments to sa¹ú¼Ê´«Ã½’s privacy legislation take effect and require public bodies to report breaches.
“I think through those reporting mechanisms and proper auditing systems, we will get more of a handle on the extent to the problem,” said McEvoy.
Like other organizations, the health-care sector is still working to catch up with decades of quickly changing technology as it contends with pandemic and staffing pressures as well, he noted.
“It’s a fundamentally important database for the delivery of public health care in the province,” said McEvoy. “And that’s why the stakes are so high and why protections need to be in place that are up to the task of this kind of sensitive information.”