Here we go again (serious PHI breach)

A Calgary doctor uses his personal Gmail account to communicate sensitive personal health information, does not protect his account, and whammo: 7,000 of his patients now have their private information circulating on the Intertubes.

What are the takeaways?

First, never use your personal email to communicate business sensitive information. In this case, the doctor had been provided with a secure email service by the Alberta Health Service. With many companies, the corporate email system is protected (at least to some degree) against compromise and breach, defences that your personal email probably does not have.

Secondly, protect your personal email like the crown jewels it represents. Think about it: how many other services do you use online that are tied to your personal email account, such that all that is required to reset the password is to click a button and respond to an email? An attacker who takes over your email can take over all of those accounts too!

Which raises the question: how do you protect your email?

  1. Use a killer password generated and stored in a password manager.
  2. Enable multi-factor authentication such as Google Authenticator, Microsoft Authenticator, or Authy. Do not use SMS (text messages) as your second factor unless there is absolutely no other option. It’s better than nothing, but much weaker than a proper second factor.

George Pajari (https://fractionalci.so/)
George Pajari is a “CISO-for-hire”, providing cybersecurity leadership to SaaS cloud startups. He was previously the Chief Information Security Officer (CISO) of Hootsuite, the most widely used social media management platform with over 15 million users including more than 800 of the Fortune 1000 companies. He was responsible for information security, IS risk management, and IT general controls. Prior to that he was the Security Architect at Hootsuite, and before that, Manager of Network Operations for Glentel's national digital radio service. He is a member of the BC Government's Provincial Security Advisory Council, a member of the Vancouver (ISC)² Chapter executive, and one of the organisers of the Vancouver BSides and BC AWARE Day security conferences. He was invited by the (ISC)² to write the Security Architecture and Engineering section for the next edition of the Official (ISC)² Guide to the CISSP CBK (Common Body of Knowledge), to be published by John Wiley in 2019. George's professional certifications include the CISSP-ISSAP, CISM, and CIPP/E. He is learning to play the bagpipes and his paper on a new device for improving piping skills will appear in a forthcoming issue of Piping Times.
