“Neither a malicious attack nor an authorized employee abusing their credentials is likely to be caught in the act.”
B.C.’s provincial public health information system and the citizens’ information it contains are vulnerable to malicious attacks or employee abuses, the province’s information and privacy commissioner says.
In a report released Dec. 15, commissioner Michael McEvoy said there are many areas where the system is vulnerable.
“The system contains some of our most sensitive health information — matters relating to our mental and sexual health, infectious diseases and more,” McEvoy said. “It is imperative that the (Provincial Health Services Authority — PHSA) put in place commensurate security measures to protect British Columbians from potential harms.”
In a response to Glacier Media, PHSA said it’s reviewing the report and working to ensure its databases are secure.
The commissioner said the system ‘entry gate’ is weak and the industry standard, multi-factor authentication for securing personal information is not universally required for system access.
“Very disturbingly, there exists no proactive audit program that would alert authorities to those who try to use the system for nefarious purposes,” McEvoy said. “Neither a malicious attack nor an authorized employee abusing their credentials is likely to be caught in the act.”
And that creates perils for British Columbians, he said.
“The system is subject to abuse if wrongly accessed by any bad actor, ranging from cyber criminals to a jilted lover looking for information about an ex to someone simply curious about their neighbour,” McEvoy said in the report. “Given its high level of sensitivity and the risk of its unauthorized access, one would expect the highest degree of privacy.”
Glacier Media has reached out to PHSA for comment and is awaiting a reply.
The system is a provincewide information service shared with the Yukon that supports public health programs such as immunization, communicable disease and outbreak management and family health programs such as maternal child health, early child health and family sexual health.
The system operates under PHSA and is accessed by hundreds of health-care providers who deliver these services, conduct surveillance activities and perform program evaluation.
McEvoy said PHSA has known about the problems since 2019 and has done little about them.
“The consequences of failing to invest in privacy and security can be catastrophic. That is precisely how the New York Times described a recent breach of a database in Newfoundland and Labrador that effectively paralyzed the province’s entire health-care system,” McEvoy said. “These impacts are serious, and we need to treat them seriously.”
The commissioner said the investigation revealed that PHSA’s audit procedure for detecting malicious attacks and inappropriate use of the system is reactive only, generating reports for manual review after events occur.
The report said investigators found PHSA has no comprehensive security architecture documentation to guide mitigation of security and privacy risks.
“While the PHSA undertook a major system upgrade to address outdated and unsupported software during the investigation, the (Office of the Information and Privacy Commissioner) learned the PHSA does not conduct regular penetration testing on the system that would disclose security vulnerabilities,” McEvoy said.
“Investigators discovered that the PHSA does not check to see that all desktop environments that are required to protect themselves from attack actually do so, leaving the entire system vulnerable,” he added.
McEvoy said the public has a right to expect robust security practices, including proactive monitoring of suspicious activity, securing all desktops with access to the system, and strong authentication processes.
“The PHSA has begun to address matters we have identified, and much critical work remains,” McEvoy said. “What is at stake is the very trust British Columbians place in our health-care system to protect the sensitive personal information it holds.”
PHSA president David Byres said the authority actively deploys strategies to mitigate cybersecurity threats and has a dedicated team supporting that activity.
“PHSA takes privacy very seriously and on behalf of patients, clients and families throughout British Columbia, we are continually taking steps to ensure that people’s sensitive and private information is secure and protected,” Byres said.
He said PHSA regularly completes security enhancements.
“We completed an upgrade of the Panorama system in July 2022, which involved upgrading security of this important public health tool that helps to support frontline health-care workers with management of communicable diseases, outbreaks, immunizations and vaccine inventory,” he said.
He added PHSA has a user access auditing system and work is ongoing to enhance auditing solutions and processes.
“Security assessments have consistently indicated PHSA sufficiently protects patient data and we will continue to review how additional data encryption may better protect information,” he said.
Earlier calls for safeguards
In September, Canada’s federal, provincial, and territorial information and privacy commissioners and ombudspersons called on governments for a concerted effort across the health-care sector to modernize and strengthen privacy protections for sharing personal health information.
The commissioners said that, despite rapid health-care sector digital advancements, using outdated and vulnerable technologies, such as faxes and unencrypted email, threatens to erode public confidence that personal health information is secure.
“New technologies are so important to improving health-care delivery in British Columbia and Canada. But if these new tools are going to be effective and accepted, they need to be trusted by citizens,” McEvoy said at the time.
He noted the issue became especially acute with the COVID-19 pandemic accelerating health-care technologies beyond anybody’s imagination.
“Virtual health care has become a norm and tools to fight the pandemic, like the digital vaccine QR code, being just a few examples — all involve the collection and use of sensitive personal information,” McEvoy said. “It’s therefore more important than ever that we can trust how our information is maintained within the health system, and that it is properly protected and secured.”
Editor’s note: This story has been updated to include comment from PHSA.