BreachExchange mailing list archives
Alleged data breach a body blow to health research expansion
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 13 Sep 2012 03:05:07 -0400
http://www.vancouversun.com/health/Alleged+data+breach+body+blow+health+research+expansion/7233053/story.html

The health data privacy breach bombshell that exploded in Victoria last week landed on what had been a concerted effort by the government to encourage data-based research.

For almost a decade, Colin Hansen watched what he saw as a gold mine of health care information collected by the provincial government go largely untapped. This spring, the MLA and former health minister was leading a push to spark a gold rush by making access to sensitive health information easier to obtain.

The computerized data, which has been collected by successive governments, includes visits to physicians, hospital admissions and the use of prescription drugs.

As health minister in 2002, Hansen enthused about the millions of dollars in funding researchers already lined up to make use of the data for studies that could lead to advances in treatment and billions in savings for the publicly funded system.

Much of that promise was unfulfilled. Potential research was stalled by what Hansen, now an ordinary Liberal MLA who has yet to declare whether he intends to run again, characterized in an interview as misguided privacy concerns and a culture of resistance in the ministry.

In a column Hansen penned for The Vancouver Sun in March, he argued that health information would be stripped of anything that would identify individuals and be protected by existing safeguards that ensure no one’s privacy would be put at risk.

“Not only would a more open-door policy bring in millions of new research dollars and human talent, it would lead to discoveries that will save more lives, improve quality of life and cement British Columbia as a centre of excellence for bringing efficient/effective health care solutions to Canada and the world,” Hansen wrote.
This spring, the province brought in Bill 35, which was described as a tool to knock down the price of generic drugs, but also made it easier for researchers to access that data by clarifying the right of the minister to release it.

B.C.’s Information and Privacy Commissioner Elizabeth Denham issued a warning that the bill went too far, allowing broad and unfocused access to the data by the minister without sufficient safeguards. The bill passed anyway.

Not part of the discussion at the time was the investigation already quietly underway that led to the dismissal or suspension of seven health ministry employees last week.

Details about the alleged data breach and subsequent firings have been scant so far. All we have been told by the government is that information was wrongly shared with researchers. The only fired employees who have spoken so far have denied all allegations.

Regardless of what the truth turns out to be, the whole affair has landed as a massive road block to the open-door policy Hansen has been pushing for.

Privacy advocates say the alleged breach is evidence that centralized data can never really be considered secure. Vincent Gogolek, executive director of the B.C. Freedom of Information and Privacy Association, talks about the “big rock candy mountain” of centralized data. Before computers, there were breaches of privacy, such as patient records found in dumpsters or left in hallways, but always small scale.

“When you have everybody in the province’s cross-referenced, linked data, that is a huge target for actual criminals, for hackers.”

In an interview this week, Hansen concedes that his cause has been set back, but hopes it won’t be for long. He also argues that computerization has made personal information safer, not less so, by taking from view individual paper records that used to be easily accessible in health care institutions.
The safeguards that can be built in with digitization also mean that if there is a breach it can be identified and traced afterwards, which should act as a deterrent to abuse. Hansen said the fact that individuals were identified in this case “signifies the system works in finding out if there is a problem.” This case only came to light, however, as the result of an investigation that started with a tip. While that undermines the safety argument, Hansen also makes what to me is a more compelling argument, which is that while no one can eliminate all risk, it has to be weighed against the value of what can be achieved by mining the data. For now, all that is on hold.