BreachExchange mailing list archives

Alleged data breach a body blow to health research expansion


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 13 Sep 2012 03:05:07 -0400

http://www.vancouversun.com/health/Alleged+data+breach+body+blow+health+research+expansion/7233053/story.html

The health data privacy breach bombshell that exploded in Victoria
last week landed on what had been a concerted effort by the government
to encourage data-based research.

For almost a decade, Colin Hansen watched what he saw as a gold mine
of health care information collected by the provincial government go
largely untapped. This spring, the MLA and former health minister was
leading a push to spark a gold rush by making access to sensitive
health information easier to obtain.

The computerized data, which has been collected by successive
governments, includes visits to physicians, hospital admissions and
the use of prescription drugs. As health minister in 2002, Hansen
enthused about the millions of dollars in funding researchers already
lined up to make use of the data for studies that could lead to
advances in treatment and billions in savings for the publicly funded
system.

Much of that promise was unfulfilled. Potential research was stalled
by what Hansen, now an ordinary Liberal MLA who has yet to declare
whether he intends to run again, characterized in an interview as
misguided privacy concerns and a culture of resistance in the
ministry.

In a column Hansen penned for The Vancouver Sun in March, he argued
that health information would be stripped of anything that would
identify individuals and be protected by existing safeguards that
ensure no one’s privacy would be put at risk.

“Not only would a more open-door policy bring in millions of new
research dollars and human talent, it would lead to discoveries that
will save more lives, improve quality of life and cement British
Columbia as a centre of excellence for bringing efficient/effective
health care solutions to Canada and the world,” Hansen wrote.

This spring, the province brought in Bill 35, which was described as a
tool to knock down the price of generic drugs, but also made it easier
for researchers to access that data by clarifying the right of the
minister to release it.

B.C.’s Information and Privacy Commissioner Elizabeth Denham issued a
warning that the bill went too far, allowing broad and unfocused
access to the data by the minister without sufficient safeguards. The
bill passed anyway.

Not part of the discussion at the time was the investigation already
quietly underway that led to the dismissal or suspension of seven
health ministry employees last week.

Details about the alleged data breach and subsequent firings have been
scant so far. All we have been told by the government is that
information was wrongly shared with researchers. The only fired
employees who have spoken so far have denied all allegations.

Regardless of what the truth turns out to be, the whole affair has landed
as a massive roadblock to the open-door policy Hansen has been
pushing for.

Privacy advocates say the alleged breach is evidence that centralized
data can never really be considered secure.

Vincent Gogolek, executive director of the B.C. Freedom of Information
and Privacy Association, talks about the “big rock candy mountain” of
centralized data. Before computers, there were breaches of privacy,
such as patient records found in dumpsters or left in hallways, but
always small scale.

“When you have everybody in the province’s cross-referenced, linked
data, that is a huge target for actual criminals, for hackers.”

In an interview this week, Hansen concedes that his cause has been set
back, but hopes it won’t be for long. He also argues that
computerization has made personal information safer, not less so, by
taking from view individual paper records that used to be easily
accessible in health care institutions.

The safeguards that can be built in with digitization also mean that
if there is a breach it can be identified and traced afterwards, which
should act as a deterrent to abuse.

Hansen said the fact that individuals were identified in this case
“signifies the system works in finding out if there is a problem.”

This case only came to light, however, as the result of an
investigation that started with a tip.

While that undermines the safety argument, Hansen also makes what to
me is a more compelling argument, which is that while no one can
eliminate all risk, it has to be weighed against the value of what can
be achieved by mining the data.

For now, all that is on hold.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
