By Stan Shaw, Founder, CTS
The recent PharmaNet breach in BC, where it appears that several incidents allowed unauthorized access to personal health records over the past five months and affected 7,500 residents, provides a number of useful lessons that physicians and clinic managers should consider when safeguarding clinic health data.
First, it underscores a statistic cited in one of our recent blogs: 80% of breaches go undetected for months. If this can happen with a province-wide service such as PharmaNet, is it possible that some clinics with electronic medical record (EMR) systems are already compromised and don’t know it?
Second, and this is not unusual when data breaches are discovered, there were warnings and even earlier incidents long before the most recent one.
Third, unauthorized access appears to have occurred through a physician’s login userid and password.
Fourth, the impact of the breach was significant. As the Ministry of Health warned on February 6th, breaches of this nature are a ‘starting point’ for identity theft.
So what does this mean for private medical and dental clinics, where thousands of confidential medical records may be stored in an EMR and are accessed on a daily basis, employing userids and passwords not unlike the ones used to access PharmaNet, on computers and servers that are completely managed by the clinic or their contracted providers?
Are there any other lessons that might be learned from the most recent PharmaNet breach?
4. Use stronger methods to authenticate your accounts than just passwords. This is part of the best practices noted above, but because the PharmaNet breach is on everyone’s mind in BC right now, it merits special attention. There are so many ways that accounts with even very strong passwords can be quickly compromised that experts in the healthcare data security industry say passwords alone are not enough. In fact, the BC Office of the Information & Privacy Commissioner (OIPC) states that, as a minimum security requirement, 2-factor authentication should be used whenever handling sensitive personal information, including financial information (see section 13.23 of the OIPC Self-Assessment Tool mentioned in Part 4 of our series on Best Practices). If your EMR vendor and service providers do not offer 2-factor authentication as an option your clinic can implement, ask why not. While doing this, ask about convenient technologies such as Yubikeys, adaptive authentication and other methods that could make this way of securing your accounts easy to use in a clinical practice.
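To show concretely why a second factor protects an account even after its password has leaked, here is an added Python example (not from CTS or the original post) that checks a salted PBKDF2 password hash and then an RFC 6238 time-based one-time code; the user record, password and secret are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: store a salted hash, never the password."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def verify_login(user: dict, password: str, code: str, now: int, step: int = 30) -> bool:
    """Both factors must pass; a correct password with no valid code is rejected."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(pw_hash, user["pw_hash"])
    # Accept the adjacent 30-second windows to tolerate small clock drift.
    counter = now // step
    code_ok = any(
        hmac.compare_digest(hotp(user["totp_secret"], counter + d), str(code))
        for d in (-1, 0, 1)
    )
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo: RFC 6238 reference secret, so the codes are well known.
    secret = b"12345678901234567890"
    user = make_user("correct horse battery", secret)
    print("password only:", verify_login(user, "correct horse battery", "", 59))
    print("password + code:", verify_login(user, "correct horse battery", totp(secret, 59), 59))
```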