Privacy commissioner investigating security of patient health records at Alberta Health Services.

Assessment by external security firm found several major security risks.

Alberta’s privacy commissioner is investigating the security of patient health records to see whether Alberta Health Services properly safeguards the public’s personal health information, after CBC News revealed the electronic system housing it was vulnerable to outside security threats.

A 2018 assessment by an external security firm found several “significant risks” with the health authority’s administration of the Alberta Netcare Portal. The system gives health-care providers access to key information from a patient’s medical file, such as laboratory test results and hospital visits.

A spokesperson confirmed commissioner Jill Clayton launched her investigation on Aug. 8, one week after CBC News reported on a leaked AHS summary detailing the firm’s findings.

“The investigation is examining safeguards of patient health records at AHS,” Scott Sibbald said Thursday. He declined to provide any further details because the investigation, conducted under the Health Information Act, is ongoing.

In its May 2018 summary, AHS said Procyon Security Group found 108 security risks in the Alberta Netcare Portal and its associated infrastructure: 11 critical, 34 high, and 63 medium.

“While it is difficult to quantify the risk, we might be considered to be in breach of the Health Information Act and the duties it outlines relative to our role in protecting health information,” the AHS summary stated.

The Health Information Act states that a custodian of private health information has a duty to protect against any reasonably anticipated threat to the security or loss of that information.

On July 31, AHS told CBC News there was no breach of the Health Information Act and no breaches of the Alberta Netcare Portal by outside sources.

The health authority said it had already acted on most of the issues identified in the vulnerability assessment and it insisted patient information remained secure.

‘Highly insecure’ database access

Of particular concern to Procyon was the Alberta Netcare Portal’s “highly insecure” database access.

The security firm discovered AHS last applied security updates to its system in July 2014 — three and a half years before the company conducted its review — and the health authority did not securely store users’ passwords.

The portal protects users’ passwords through a common method called hashing, a process that replaces an entered password with a unique string of different numbers and letters.

Password “hashes” are then stored, and each time a user enters a password, its hash is compared against the stored one.

But Procyon was able to obtain the password hashes of database users and crack nearly 40 per cent of their actual passwords.

From there, the firm would have been able to “exfiltrate all data in the database,” including the password hashes of Alberta Netcare Portal users, the AHS summary said, and to also access “personally identifiable medical records.”

As a condition of its operating agreement with Alberta Health, AHS must conduct vulnerability assessments every two years and meet certain service-level targets.

Procyon’s review concluded the health authority is “in breach” of its targets.

In a statement to CBC News last year, AHS said it takes the proper steps to secure patient information.

“We are constantly reviewing all of our IT systems, so as to protect them from ongoing and ever-changing security risks, in turn protecting the information of our patients,” AHS said.

“To not do this would be irresponsible, and would put our systems at risk of breach.”

