Recent data thefts by outside attackers at several U.S. hospitals have grabbed headlines in the past year for stealing millions of patient records. But serious breaches by two clerical workers at a Toronto-area hospital show the importance of the Canadian health care sector looking out for insider threats.
That was one of the messages Tuesday at a conference on cybersecurity in critical infrastructure industries — which includes hospitals.
“Several years ago you might be able to get away with an audit committee or a board meeting and not necessarily have the topic (of breaches) come up,” Jeff Curtis, chief privacy officer at Toronto’s Sunnybrook Health Sciences hospital, told a panel. “My experience is it’s the first, if not the last topic that always comes up (now) at a board review of IT.”
One of the most recently publicized Canadian hospital breaches was at the Toronto-area Rouge Valley Health System, where in 2013 a clerk used data from its electronic patient system to sell Registered Education Savings Plans to new mothers, while last year another clerical staffer was found selling data on mothers to a firm that sold RESPs.
Both staffers had authorized access to Rouge Valley’s Meditech health records system; both violated hospital policy. Unfortunately, because of the way the system was configured it couldn’t tell how many patient records were compromised, so Rouge Valley ended up having to notify 14,000 people their records might have been misused.
As a result, last December the provincial information and privacy commissioner concluded the hospital failed to comply with the Ontario Personal Health Information Protection Act and ordered Rouge Valley to ensure it can audit all instances where staff access personal health information on its electronic information systems.
It also had to review and revise its privacy training tools and materials, immediately conduct privacy training for clerical staff, and conduct privacy training for the rest of the hospital’s staff over the next six months.
(UPDATE: In August, 2016 a former maternity ward nurse and a former broker with the RESP firm were sentenced to three months’ house arrest, part of six-month conditional sentences, as well as two years’ probation and 340 hours of community service.)
While the commissioner’s order has been appealed, it could impact all of Ontario’s health institutions, Curtis said. So he mandated new data controls at Sunnybrook including mandatory privacy impact and security threat risk assessment reviews of the more than 100 IT systems with personal patient records and pulling random access audits.
(On the subject of random audits, he advised that doesn’t mean randomly checking who accessed any patients’ records but logically figuring out where there might be suspicious access — although, he admitted, who would have thought personal information on new mothers might be at risk? Curtis didn’t mention that well-known patients could be targets — last year staffers at two Toronto health facilities leaked information to the media about then Toronto Mayor Rob Ford’s cancer treatments.)
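The two audit points above, that the records system must be able to say which patient records each staffer accessed (the gap that forced Rouge Valley to notify 14,000 people) and that audits should be aimed at where suspicious access is plausible rather than picked at random, can be illustrated with a small review script. This is an added example, not Sunnybrook’s or Rouge Valley’s tooling; it assumes a hypothetical per-access audit log format (one line per patient-record access with the user’s home unit and the patient’s unit) and the log lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample audit log: one line per patient-record access. Logging at
# this granularity is what lets the hospital later list the affected patients.
AUDIT_LOG = """\
2016-03-01T09:02:11 user=clerk01 role=clerk unit=admitting patient=P1001 patient_unit=maternity
2016-03-01T09:04:40 user=clerk01 role=clerk unit=admitting patient=P1002 patient_unit=maternity
2016-03-01T09:05:02 user=nurse02 role=nurse unit=maternity patient=P1001 patient_unit=maternity
2016-03-01T09:07:19 user=clerk01 role=clerk unit=admitting patient=P1003 patient_unit=maternity
2016-03-01T09:08:55 user=clerk03 role=clerk unit=admitting patient=P2001 patient_unit=oncology
2016-03-01T09:10:03 user=clerk01 role=clerk unit=admitting patient=P1001 patient_unit=maternity
2016-03-01T09:12:47 user=clerk01 role=clerk unit=admitting patient=P1004 patient_unit=maternity
2016-03-01T09:15:30 user=nurse02 role=nurse unit=maternity patient=P1002 patient_unit=maternity
2016-03-01T09:20:12 user=clerk03 role=clerk unit=admitting patient=P1005 patient_unit=maternity
"""


def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict (hypothetical log format)."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review_access(log_text, focus_units, threshold=3):
    """Targeted audit: flag users whose home unit is outside focus_units but who
    touched at least `threshold` distinct patients in those units.

    Returns {user: {"unit": home_unit, "patients": sorted patient ids}} so the
    reviewer gets the exact set of records to investigate, not just a count."""
    touched = defaultdict(set)   # user -> distinct patient ids in focus units
    home_unit = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        home_unit[ev["user"]] = ev["unit"]
        if ev["patient_unit"] in focus_units and ev["unit"] not in focus_units:
            touched[ev["user"]].add(ev["patient"])
    return {user: {"unit": home_unit[user], "patients": sorted(ids)}
            for user, ids in touched.items() if len(ids) >= threshold}
```

Run against the sample, `review_access(AUDIT_LOG, {"maternity"})` flags only clerk01 with four distinct maternity patients; the repeat access to P1001 counts once, and clerk03’s single maternity access stays below the threshold.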
As a result of the Rouge Valley and the highly publicized U.S. breaches, Sunnybrook is keeping a closer eye on how staff use IT, Curtis said, including warning them on the use of social media about their work and being aware of phishing attempts.
“So we’re moving into an audit and compliance type of discussion that arguably hasn’t been looked at by health care … We’re starting to change our posture in terms of the need for proactive monitoring of what’s going on within and outside our walls.”
In an email he explained that Sunnybrook’s communications department monitors social media for mentions of the hospital.
He also told the conference that Ontario has promised legislation making it mandatory for health providers in the province to disclose data breaches to the privacy commissioner. “We open and close every presentation (on privacy to staff) with a slide that effectively tells them if they are found to engage in certain activities they may lose their job.”
[Another security tip to hospital CISOs: Because of medicare, few think that Canadian hospitals are a repository of credit card data compared to U.S. facilities. Perhaps that’s why some think hospitals here aren’t targets for attackers. But Curtis noted there is one spot that does handle credit cards and could be an attack vector: Hospital gift shops.]
The panel also got advice from Bob Carver, manager of network security at U.S. carrier Verizon, who warned attendees not to take short-cuts. “Insider threat is about people first, next about business and process and finally how you integrate people, business process and technology. If you try to go first to the shiny blinking light thing, you’ve missed the point.”
Organizations should be watching for signs that employees, partners or contractors could be going rogue, including: unexpectedly failing a background check; knowing information they shouldn’t; being disgruntled to the point of wanting to take action against the employer; being vulnerable to blackmail because of committing fraud, having an affair or gambling; showing signs of greed or financial need; having excessive debt or expenses; believing they are above the rules; exhibiting compulsive or destructive behaviour or signs of drug or alcohol abuse; and having serious family problems.
He also offered five simple things an organization in critical infrastructure can do to protect against insider threats:
* conduct background checks on all new employees and contractors
* monitor employee behaviour
* restrict accounts that have remote access
* restrict the scope of remote access
* enforce the principle of least user privilege
The critical infrastructure conference, organized by the Canadian Institute, ends today.