Privacy commissioner investigating security of patient health records at Alberta Health Services.
Assessment by external security firm found several major security risks.
Alberta’s Privacy commissioner investigating security of patient health records to see whether Alberta Health Services properly safeguards the public’s personal health information after CBC News revealed the electronic system housing it was vulnerable to outside security threats.
A 2018 assessment by an external security firm found several “significant risks” with the health authority’s administration of the Alberta Netcare Portal. The system gives health-care providers access to key information from a patient’s medical file, such as laboratory test results and hospital visits.
A spokesperson confirmed commissioner Jill Clayton launched her investigation on Aug. 8, one week after CBC News reported on a leaked AHS summary detailing the firm’s findings.
“The investigation is examining safeguards of patient health records at AHS,” Scott Sibbald said Thursday. He declined to provide any further details because the investigation, conducted under the Health Information Act, is ongoing.
In its May 2018 summary, AHS said Procyon Security Group found 108 security risks in the Alberta Netcare Portal and its associated infrastructure: 11 critical, 34 high, and 63 medium.
“While it is difficult to quantify the risk, we might be considered to be in breach of the Health Information Act and the duties it outlines relative to our role in protecting health information,” the AHS summary stated.
The Health Information Act states that a custodian of private health information has a duty to protect against any reasonably anticipated threat to the security or loss of that information.
On July 31, AHS told CBC News there was no breach of the Health Information Act and no breaches of the Alberta Netcare Portal by outside sources.
The health authority said it had already acted on most of the issues identified in the vulnerability assessment and it insisted patient information remained secure.
‘Highly insecure’ database access
Of particular concern to Procyon was the Alberta Netcare Portal’s “highly insecure” database access.
The security firm discovered AHS last applied security updates to its system in July 2014 — three and a half years before the company conducted its review — and the health authority did not securely store users’ passwords.
The portal protects users’ passwords through a common method called hashing, a process that replaces an entered password with a unique string of different numbers and letters.
Password “hashes” are then stored and compared against a user’s actual password each time it is entered.
But Procyon was able to obtain the password hashes of database users and crack nearly 40 per cent of their actual passwords.
From there, the firm would have been able to “exfiltrate all data in the database,” including the password hashes of Alberta Netcare Portal users, the AHS summary said, and to also access “personally identifiable medical records.”
As a condition of its operating agreement with Alberta Health, AHS must conduct vulnerability assessments every two years and meet certain service-level targets.
Procyon’s review concluded the health authority is “in breach” of its targets.
In a statement to CBC News last year, AHS said it takes the proper steps to secure patient information.
“We are constantly reviewing all of our IT systems, so as to protect them from ongoing and ever-changing security risks, in turn protecting the information of our patients,” AHS said.
“To not do this would be irresponsible, and would put our systems at risk of breach.”