Information Security News mailing list archives

Tests find medical files open to hackers


From: InfoSec News <isn () c4i org>
Date: Tue, 11 Dec 2001 23:53:27 -0600 (CST)

http://www.theglobeandmail.com/servlet/GIS.Servlets.HTMLTemplate?tf=tgam/common/FullStory.html&cf=tgam/common/FullStory.cfg&date=20011210&cache_key=national&current_row=1&start_row=1&num_rows=1

By GRAEME SMITH
         
Monday, December 10, 2001
Page A1 

The private medical files of thousands of Ontario patients have been
stored on-line where they're vulnerable to hackers and the prying eyes
of government-hired technicians, according to documents obtained by
The Globe and Mail.

Less than a month after the Health Ministry set up a much-vaunted
patient-information database for doctors, Ontario's privacy
commissioner is investigating the system for breaching one of the most
sacred tenets of medicine: doctor-patient confidentiality.

The commissioner is looking into a wide range of allegations, from
whether private companies have been given access to patient
information to whether some of the information has already been lost.

Ken Anderson, director of legal and corporate services for the
commissioner's office, said the probe could take weeks and the office
won't comment in the interim.

But in the meantime, privacy advocates such as Richard Rosenberg,
vice-president of Electronic Frontier Canada, say such mismanagement
of information could undermine the health system.

"If I can't trust the security or privacy of that system, then as a
patient I might withhold information which could affect my treatment,"  
Dr. Rosenberg said. "The whole system collapses if you don't have that
assurance."

The Ontario government set up the computer system last month as part
of its five-year struggle to revolutionize family medicine.

Health Minister Tony Clement has said he plans to have 80 per cent of
family doctors working in teams, or primary-care networks, by 2004.  
Doctors will share information with each other over the Internet to
improve efficiency and provide better service.

The so-called ePhysician Project received approval from Privacy
Commissioner Ann Cavoukian one day before the first team of four
doctors, in the Chatham, Ont., area, started using the system on Nov.  
1.

The project has since expanded to include nine Chatham-area doctors
with 1,500 to 2,000 patients each.

But the privacy commissioner wasn't told several details about how the
information is handled. Government contracts, meeting minutes and
internal correspondence about the Chatham project reveal a long list
of items now under investigation by the commissioner's office,
including:

Vulnerability tests showing that the system can be "hacked into by
anyone with skill" over the Internet, an e-mail by a Ministry of
Health official says. These security problems became apparent on the
first day the system was up and running, although the privacy
commissioner was not informed.

Patients were not fully informed about what happens to their data.  
Although they were told that other doctors could see their files, most
patients don't know that their information is stored on a server in a
Ministry of Health building in Toronto.

A computer technician took unencrypted backup tapes, containing
thousands of medical records, to his home for several nights. Three of
the tapes were lost, according to a source, although the Health
Ministry denies any tapes were misplaced.

Three private companies have been granted access to patient
information. Two of the companies, software developers that helped
build the system, can look at raw data files including patients' names
and medical histories. The ministry denies this.

A company hired to store backup tapes containing all the medical files
has only agreed to $1 liability if a tape is lost or stolen.

The Health Ministry says patient records have been handled properly.

"As far as I've been able to check, there have been no tapes lost,"  
said ministry spokesman John Letherby. "Patient-doctor confidence is
of the utmost importance. The three [companies] do not have access to
patient data or information.

"As many safeguards as humanly and technologically possible are put in
place to ensure that the only people who have access are doctors and
patients involved."

But internal documents indicate that the number of people who can see
patients' information isn't so strictly limited. A contract with
Markham-based software company York-Med Systems Inc. explicitly gives
the technicians access to pieces of "raw data" so they can perform
"system maintenance, backup or data recovery."

An e-mail from a ministry official to one of the Chatham doctors says
that the government will also give Edmonton-based iW Technologies
Inc., maker of the Vividesk software used by the project, full access
to the doctors' and patients' information.



-
ISN is currently hosted by Attrition.org
