Protecting patient data
An American information security firm is reporting a dramatic rise in attacks on electronic patient records and Canadian health-care security experts believe the threat is just as real north of the border.
By Neil Sutton
SecureWorks, based in Atlanta, GA, says it has seen an 85 per cent
increase in the number of attempted attacks directed toward its
health-care clients by Internet hackers in the last year. Other sectors
saw only a modest rise of around 15 per cent.
There are a number of reasons why health-care institutions are
being singled out by hackers, says Hunter King, a researcher at
SecureWorks’ counter threat unit, the main one being that hospitals
just aren’t as prepared for cyber attack as other industries, such as
Financial institutions and credit card companies were
typically the main targets, says King, but they’ve responded by
tightening up their security and educating their clients about safe
banking procedures. Hospitals are sometimes more lax about security
maintenance and IT policies for staff.
“A large portion of it is that their IT staff isn’t really
familiar with what attacks are going on or even if they are being
attacked in the first place,” he says.
“A lot of them don’t have policies about what staff are allowed to view
on the web. Banks may have already looked at social networking sites or
sites that exist just for entertainment purposes and have those
blocked. But health care really doesn’t have that.”
Hackers are exploiting this fact and attacking client PCs rather than harder-to-reach targets such as servers.
Power, vice-president of privacy and security for the Smart Systems for
Health Agency, an Ontario government-funded institution that has
created a technology infrastructure for hosting e-health records, says
that there “may be an unevenness in the practice by health care
professionals, because in a lot of instances their priority is not the
security of the information but providing the best health outcomes for
The reason American health records make a tantalizing target
for hackers is the potential for insurance fraud — a potentially
lucrative source of criminal income. Canada’s socialized medical system
may help make it less of a target, says King.
Power says that Canadian health records are less damaging in
terms of their potential for identity theft, but the threat is still
“There are some people who believe — and I’m not averse to
the assumption — that the biggest kind of identity theft in this
country will probably come through the health-care system.”
There have been several recent cases of Canadian health records going
missing. So far, the high-profile cases have been the result of someone
misplacing a laptop or computer.
Last November, a consultant working for the Provincial Public Health
Laboratory in Newfoundland and Labrador unplugged a computer and took
it home with him. An anonymous tipster claiming to be a security
consultant called after the computer was removed and said they were
able to access patient health data over the Internet.
In January 2007, a laptop containing 2,900 patient records from the
Hospital for Sick Children in Toronto was stolen from the van of a
physician who was doing data analysis. The incident resulted in an
investigation from the Ontario Privacy Commissioner Ann Cavoukian.
Jim Forbes, the CTO at SIMS, the shared information management services
provider for Toronto-based University Health Network (UHN) and seven
other institutions, says he hasn’t seen any increase in the number of
hacker attacks on patient records “but I don’t see any reason why it
would differ (from the U.S.). We certainly use the same technology from
the same providers. I don’t think we would be any better off.”
Following the Sick Kids incident, Cavoukian ordered the hospital to
encrypt its data to protect the safety of patients. SIMS, which doesn’t
serve Sick Kids, has also opted to evaluate its security practices, and
issued an RFP for technology to safeguard records by doing encryption
at the desktop level. Encrypting individual hard drives would be one
way of protecting patient information even if it happens to fall into
the hands of a criminal.
“I don’t think we’re any less vulnerable than MasterCard or Visa or any of those companies anymore,” Forbes says.
“I’m not totally surprised to hear that hackers may be looking at new
domains, new opportunities. But the health-care system is doing all
that it can to protect (people), just as private sector industry does.”
Cost is an issue when it comes to upgrading security. Larger hospitals
should be able to stay ahead of the game, he says, but smaller
facilities may have a harder time keeping up.
“I think at smaller organizations . . . you may find varying degrees of
risk. Larger organizations, I think, have the resources, people and
dollars typically to deal with those things.”