[ISN] Tests find medical files open to hackers

From: InfoSec News (isnat_private)
Date: Tue Dec 11 2001 - 21:53:27 PST

    Monday, December 10, 2001
    Page A1 
    The private medical files of thousands of Ontario patients have been
    stored on-line where they're vulnerable to hackers and the prying eyes
    of government-hired technicians, according to documents obtained by
    The Globe and Mail.
    Less than a month after the Health Ministry set up a much-vaunted
    patient-information database for doctors, Ontario's privacy
    commissioner is investigating the system for breaching one of the most
    sacred tenets of medicine: doctor-patient confidentiality.
    The commissioner is looking into a wide range of allegations, from
    whether private companies have been given access to patient
    information to whether some of the information has already been lost.
    Ken Anderson, director of legal and corporate services for the
    commissioner's office, said the probe could take weeks and the office
    won't comment in the interim.
    But in the meantime, privacy advocates such as Richard Rosenberg,
    vice-president of Electronic Frontier Canada, say such mismanagement
    of information could undermine the health system.
    "If I can't trust the security or privacy of that system, then as a
    patient I might withhold information which could affect my treatment,"  
    Dr. Rosenberg said. "The whole system collapses if you don't have that
    The Ontario government set up the computer system last month as part
    of its five-year struggle to revolutionize family medicine.
    Health Minister Tony Clement has said he plans to have 80 per cent of
    family doctors working in teams, or primary-care networks, by 2004.  
    Doctors will share information with each other over the Internet to
    improve efficiency and provide better service.
    The so-called ePhysician Project received approval from Privacy
    Commissioner Ann Cavoukian one day before the first team of four
    doctors, in the Chatham, Ont., area, started using the system on Nov.  
    The project has since expanded to include nine Chatham-area doctors
    with 1,500 to 2,000 patients each.
    But the privacy commissioner wasn't told several details about how the
    information is handled. Government contracts, meeting minutes and
    internal correspondence about the Chatham project reveal a long list
    of items now under investigation by the commissioner's office,
    Vulnerability tests showing that the system can be "hacked into by
    anyone with skill" over the Internet, an e-mail by a Ministry of
    Health official says. These security problems became apparent on the
    first day the system was up and running, although the privacy
    commissioner was not informed.
    Patients were not fully informed about what happens to their data.  
    Although they were told that other doctors could see their files, most
    patients don't know that their information is stored on a server in a
    Ministry of Health building in Toronto.
    A computer technician took unencrypted backup tapes, containing
    thousands of medical records, to his home for several nights. Three of
    the tapes were lost, according to a source, although the Health
    Ministry denies any tapes were misplaced.
    Three private companies have been granted access to patient
    information. Two of the companies, software developers that helped
    build the system, can look at raw data files including patients' names
    and medical histories. The ministry denies this.
    A company hired to store backup tapes containing all the medical files
    has only agreed to $1 liability if a tape is lost or stolen.
    The Health Ministry says patient records have been handled properly.
    "As far as I've been able to check, there have been no tapes lost,"  
    said ministry spokesman John Letherby. "Patient-doctor confidence is
    of the utmost importance. The three [companies] do not have access to
    patient data or information.
    "As many safeguards as humanly and technologically possible are put in
    place to ensure that the only people who have access are doctors and
    patients involved."
    But internal documents indicate that the number of people who can see
    patients' information isn't so strictly limited. A contract with
    Markham-based software company York-Med Systems Inc. explicitly gives
    the technicians access to pieces of "raw data" so they can perform
    "system maintenance, backup or data recovery."
    An e-mail from a ministry official to one of the Chatham doctors says
    that the government will also give Edmonton-based iW Technologies
    Inc., maker of the Vividesk software used by the project, full access
    to the doctors' and patients' information.