The recent PharmaNet breach in BC, where it appears that several incidents allowed for unauthorized access to personal health records over the past five months and affected 7,500 residents, provides a number of useful lessons that physicians and clinic managers should think about with respect to safeguarding clinic health data.
First, it underscores statistics cited in one of our recent blogs that 80% of breaches are undetected for months. If this can happen with a province-wide service such as PharmaNet, is it possible that some clinics with electronic medical record (EMR) systems are already compromised and don’t know it?
Second, and this is not unusual when data breaches are discovered, there were warnings and even incidents that had occurred long before the most recent one.
Third, unauthorized access appears to have occurred through a physician’s login userid and password.
Fourth, the impact of the breach was significant. As the Ministry of Health warned on February 6th, breaches of this nature are a ‘starting point’ for identity theft.
So what does this mean for private medical and dental clinics, where thousands of confidential medical records may be stored in an EMR and are accessed on a daily basis, employing userids and passwords not unlike the ones used to access PharmaNet, on computers and servers that are completely managed by the clinic or their contracted providers?
1. Don’t wait, especially if you have nagging concerns over how health care data is being managed in your clinic. If you have not done so within the past few months, take the time to conduct a thorough review of your clinic privacy and data security practices. With ransomware threats now targeting health care, the urgency to conduct a review of this nature cannot be overstated. This is as important as having an earthquake kit in your home, and probably more urgent to your business.
2. Use best practices. When it comes to protecting your clinic, the value of doing things right will more than pay for itself if it avoids a catastrophic breach or clinic disruption. There is lots of excellent advice available to help you. Our own blogs on this topic are a good starting point.
3. Be vigilant. To safeguard your patients and your clinic’s daily operations, all staff must be engaged in creating a culture of privacy and security that is consciously maintained, and always alert to risks that could endanger it.
Are there any other lessons that might be learned from the most recent PharmaNet breach?
4. Use stronger methods to authenticate your accounts than just passwords. This is part of the best practices noted above, but because the PharmaNet breach is on everyone’s mind in BC right now, it merits special attention. There are so many ways that accounts with even very strong passwords can be quickly compromised that experts in the healthcare data security industry are saying that using just passwords is not enough. In fact, the BC Office of the Information & Privacy Commissioner (OIPC) states that, as a minimum security requirement, 2-factor authentication should be used whenever handling sensitive personal information, including financial information (see section 13.23 of the OIPC Self-Assessment Tool that is mentioned in Part 4 of our series on Best Practices). If your EMR vendor and service providers are not providing 2-factor authentication as an option that your clinic can implement, ask why they are not doing so. While doing this, ask about convenient technologies such as YubiKeys, adaptive authentication and other methods that could make this method of securing your accounts easy to use in a clinical practice.