Open Privacy Research Society discovered that the sensitive medical information of patients being admitted to certain hospitals across the Greater Vancouver Area was being broadcast, unencrypted, by hospital paging systems, and that these broadcasts are easily interceptable. The society discovered the vulnerability and notified Vancouver Coastal Health (VCH) immediately almost a year ago, but the vulnerability was not immediately acted upon, according to the Open Privacy Research Society.
Some of the patient data (PHI) being broadcast included the following data:
Name,
Age,
Gender marker,
Diagnosis,
Attending doctor and room number.
To understand more, Eve Maler, vice president of innovation & emerging technology of ForgeRock provides Digital Journal with some insight.
Maler focuses on the importance of patient data and healthcare: “Healthcare organizations can’t afford to be negligent about security when threat actors have proven their relentlessness in gaining access to and misusing patients’ personal health information (PHI).”
She goes on to place the specific issue in the context of risk to patient data: “By broadcasting unencrypted PHI through radio waves, Vancouver Coastal Health opened a window of opportunity for cybercriminals to exploit patient data for their own personal gain. Despite Open Privacy’s initial alert over the security issue in late 2018, VCH continued to ignore and downplay the vulnerability for almost a year, which is even more alarming.”
Maler then draws out some general issues, in relation to companies that are not focusing sufficiently on patient health: “In general, there seems to be a lack of awareness of data protection requirements and technologies. In order for VCH and other healthcare entities to solve issues surrounding privacy, identity, consent, and all elements of processing personal data, these organizations must deploy and use proven security applications that are built from existing well-tested libraries and best practices.”
In terms of what the healthcare organization involved needs to do, Maler recommends: “VCH needs to transition to a more secure messaging system immediately to prevent further and future access to PHI.”
She notes that the technology is available to achieve these aims: “It’s now easier than ever to leverage security strategies and tools that prescribe real-time, contextual and continuous security, detecting irregular behavior and prompting further action, such as strong and adaptive identity authentication and authorization.”
And such measures, she niotes, will deliver better security over peronal data: “Healthcare organizations that use these strategies and tools are in a better position to prevent malicious actors that seek unauthorized access to PHI.”
