Privacy breach notification – is it mandatory?


We have been receiving a number of questions about the new federal privacy Breach Notification requirements coming on November 1st, and whether it applies to medical clinics in British Columbia.

The reason is that, as of this date, notification will be mandatory for those private sector businesses that must comply with PIPEDA, the Personal Information Protection and Electronic Documents Act. Businesses that must comply with PIPEDA, and knowingly violate its new breach notification requirements, may be fined up to CA$100,000 per violation.

What are the implications for private medical clinics in British Columbia? 

In general, if your medical clinic is located in BC, and operates internally within this province, you must comply with BC’s Personal Information Protection Act (PIPA). Assuming this is exclusively the case for your clinic, compliance with PIPEDA, including its new mandatory breach reporting requirements, is not required. However, this does not mean that PIPEDA is not relevant in British Columbia. There are cases where some businesses must, in fact, comply with PIPEDA’s mandatory breach requirements. If you are wondering whether this applies to you, seek legal advice.

If I know that my clinic only has to be compliant with PIPA, do I need to report a breach?

Essentially, it is your judgement call. But consider the risks of failing to report very carefully.  When you make this decision, consider the potential impact to your patients and any other affected individuals. For example,

  • How sensitive was the personal information disclosed or lost to the breach?
  • Was the information fully recovered, without further disclosure?
  • How many people were affected?
  • Could the personal information be used to commit fraud or identity theft? Consider that even partial information is helpful for these purposes, as information from other sources can be merged by the attacker to build a convincing identity profile.
  • Is there a reasonable risk of physical, psychological or financial harm?
  • Is there a risk of harm to the relationship your clinic has with your patients, or to the public?

Consider also the potential for litigation through failure to comply with PIPA, contractual obligations, or other applicable legislation.

Regardless of whether breach notification is mandatory or not, it is important to know what you should do, to protect your patients, and your clinic.

Fortunately there are lots of resources available that can help.

Here is a new resource that has been designed especially for medical clinics in British Columbia:  Guidelines for Responding to a Privacy Breach, from the Doctors of BC Privacy Toolkit.

Some key advice from this document is that:

  • Individuals who are affected by a privacy breach should be notified immediately if it is necessary to avoid or mitigate harms that they could experience as a result of the breach.
  • The determination of whether or not to report the breach to BC’s Office of the Information and Privacy Commissioner (OIPC) should generally be made within two days of the breach.

While PIPA does not currently include an explicit requirement for organizations to report breaches to the OIPC, doing so will help the practice demonstrate that it has taken reasonable steps to respond to the privacy breach. It may also be helpful towards resolving a complaint made to the OIPC by someone who may have been affected.

Additional help can be found in an excellent toolkit called Privacy Breaches Tools and Resources, written by the OIPC. It has helpful details on how to respond to a breach, including a breach policy template you can adapt for your clinic, and a procedure checklist that can be printed out and placed in a “policy and procedures binder”, ready to use, in case you need it.

The Doctors Technology Office, at Doctors of BC, is constantly adding new resources, and conducts workshops and webinars to help clinicians protect their offices. We will be writing about some of them in future posts. In the meantime, check their website, or contact them for specific help.

See also our previous post on how to respond to a Privacy Breach, posted last year.

Legal note to all of the above: This is intended for general information only.  It is not intended to provide legal or other advice.  The key message here is: make sure you have policies and procedures in place, before a privacy breach occurs, that will help you to appropriately notify those who need to be informed.

If you need more information, contact us.


A new series on Clinic Security Best Practices


It has been a busy year since our last series of journal posts on clinic security.  Thanks to work we have been doing with our healthcare clients in BC, we would like to update you on new developments and emerging best practice standards.  Here is a list of some of our upcoming posts:

  • Breach Notification – Is it mandatory?  When should you do it? Who should you notify, and what should you say?
  • Mobile Devices – How can I make sure my smartphone is protecting my patient’s health information?
  • Self-managed staff training – what can you do to create the ‘human side’ culture in your clinic that safeguards personal information? And what resources are available to help you?
  • Clinic security guidelines – recently published for BC medical clinics, that you can use right away
  • Privacy and Security – are they the same?
  • Timely topics – are there issues that you are concerned about?  We are constantly reviewing issues from a clinician’s perspective, and will include ones here that may help to both alert you, and provide inexpensive, and fast ways of better protecting your sensitive data.

We are looking forward to sharing these, and other topics with you. Let us know what might be of particular interest to you. We will make sure they are given a high priority.

In the meantime, check out our other blogs on clinic security Best Practices.

If you need help, contact us.


A recent ransomware presentation… while the Petya attack was underway

I was recently invited to present two talks on ransomware at EMR-related seminars attended by physicians, clinical staff and service providers, held last week in British Columbia.

Interestingly, the last seminar took place just as news was emerging that morning that Petya, described as a new, massive ransomware attack, was spreading across the Ukraine, Europe, and the US. We are now learning that, because it encrypts entire hard disks but does not appear to have the capability to decrypt them, Petya may not have been ransomware at all. Instead, some analysts believe it may have been designed to be a weapon to cripple systems, possibly targeting infrastructure in the Ukraine. This gives little comfort to organizations around the world that have been hit with it, including shipping companies, a multinational law firm, and the giant pharmaceutical firm, Merck.

What was immediately apparent during the morning of the attack, however, is that it won’t be the last.  The need to protect information systems in health care clinics is more important than ever.

My presentation summarizes some of the information that is described in more detail here:


Update 20170630: More information is emerging concerning the Petya attack. For further information, here is the latest update from the US National Health Information Sharing and Analysis Center (NH-ISAC).

Cybersecurity and Patient Safety

With the WannaCry ransomware attack fresh on our minds, a new report has just been published by the US Department of Health and Human Services (HHS) Cyber Security Task Force on improving cybersecurity across the health care industry.

Although it presents recommendations that are well worth reading, what is particularly striking about this report is the focus it has on cyber security and patient safety.  The task force producing the report writes that it reflects “a shared understanding that for the health care industry, cyber security issues are, at their heart, patient safety issues.” Further to this, they write, “As health care becomes increasingly dependent on information technology, our ability to protect our systems will have an ever greater impact on the health of the patients we serve”.

An editorial in the BMJ (formerly the British Medical Journal)  last month contained essentially the same message when it highlighted “the poor state of cybersecurity in the NHS and the failure to recognize it as a fundamental matter for patient safety.”

The BMJ editorial cites risks incurred through “the extremely fragmented governance of cybersecurity in the NHS”, and that this was a core issue “underpinning the recent attack, and affects healthcare more profoundly than other critical sectors such as financial services, energy or central government”. If this sounds familiar, it is because these issues can be found across many countries, including Canada.  And while a considerable amount of effort is being undertaken to support privacy and cybersecurity best practices across Health Authority hospitals and health care institutions here in British Columbia, there is much to be done to provide the same level of support in physician offices and dental clinics.

Cybersecurity risks to networked medical devices and connected IT networks cited in the HHS report which can impact patient safety include:

  • Failure to provide timely security software updates and patches to medical devices and networks to address related vulnerabilities
  • Malware which alters data on a diagnostic device
  • Device reprogramming which alters device function by unauthorized users, malware, etc
  • Denial of service attacks which make a device unavailable
  • Unauthorized access to the health care network
  • Uncontrolled distribution of passwords, disabled passwords, or hard-coded passwords in software intended for privileged device access
  • Security vulnerabilities in off-the-shelf software due to poorly designed security features
  • Misconfigured networks or poor network security practices
  • Open, unused communication ports on a device which allows for unauthorized, remote firmware downloads.

These risks impact the confidentiality, integrity, and availability of health care information in varying degrees, and in different ways. So, the HHS report notes, do risks arising from the complex mix of applications, programs and interfaces from a variety of vendors supporting Electronic Health Records (EHRs). But, according to the HHS report, they all have a direct effect on patient safety.

This raises some important questions.

When it comes to managing health care information, are clinics doing enough to protect patient safety? And if more must be done, how can clinicians be better supported, so that their patients are not put at risk?

We will be writing more about recommended privacy and cybersecurity best practices for health care clinics here in western Canada. In the meantime, there is much you can do already. When you have a moment, check out our growing collection of posts on Best Practices.

If you need help, contact us.

No “pwn” intended: how do I know if someone has hacked a site where I have an on-line account?


Part 7 of our series on Privacy and Data Security Best Practices.

“Pwned accounts”, you might be interested to know, is a term that went viral across the Internet thanks to a simple typo. Someone reporting that a hacker had ‘owned’, i.e., illegally ‘taken ownership’ of a web account, typed the word “owned” a bit too quickly and hit the adjacent keyboard letter “p” instead of “o”. Voila, a brand new geeky word was born. Today, tens of millions of accounts from companies around the world have been “pwned”, i.e., “owned” by hackers. And you can find them being actively distributed as part of a lucrative underground business on “the dark Net”, places on the Internet where most law-abiding folks don’t ever want to visit.

Pwned accounts are important for clinicians to be aware of because if they are not carefully handled, they can become an ‘Achilles heel’, allowing attackers to gain access to even more confidential data.

So, other than the affected company emailing you directly with a warning, how can you find out if one of your accounts might have been compromised?

The website ‘;--have i been pwned?, created by Troy Hunt, a well-known web security analyst, keeps track of over 3.7 billion accounts that have been hacked, exposing user IDs, passwords, and frequently other personal information. The site will look up any email address you enter to see if accounts associated with it have been reported to be “pwned”.

Keep in mind though, that the information on this database exists only because website breaches listed there are now widely available on the Internet.  If your email address is not listed in the database, this doesn’t necessarily mean that all of your accounts associated with it are safe. Sometimes it can take years before a company knows it has been breached.

So here are five steps to help protect yourself before you find yourself on the list, and especially if you find your account has been pwned:

  1. Change the password on any pwned accounts immediately, if you have not done so already.  Consider the incident to be a potential breach, and investigate accordingly.
  2. Even if a particular web service is of relatively little importance to you, these accounts, if compromised, may be used to gain access to much more sensitive information. Called “credential stuffing”, this hacking technique relies on the fact that many individuals use the same or very similar passwords elsewhere. Therefore protect yourself by NEVER using the same password twice for any account. If you use the same or similar passwords for any other account, you are just asking for trouble. How do you keep your sanity while maintaining all of these unique, complicated passwords? Use a password manager.
  3. If you use a password manager, let it generate very strong, unique passwords for you. Wherever possible, we use passwords with 16 or more complex characters for pretty much every account we have.  However, we never need to remember them because the password manager will automatically pop the user id and password into the login field on your browser or smartphone.  All you need to remember is the master password for all of your accounts.
  4. Use 2-step verification for Gmail, Facebook, LinkedIn, Office 365, your clinic EMR (if it doesn’t allow this as an option, it should), and any other web service that allows it. And, of course, use a password manager that is designed to support 2-step authentication for its own master password. “2-step” codes, sent via your smartphone or generated by simple-to-use devices such as a YubiKey at the moment you start to log in, change every minute. This goes a long way towards protecting yourself from hackers collecting passwords through breached websites or malware.
  5. Check your web accounts, especially old ones, to make sure you have not configured the ‘password reset’ feature with what is now a little-used email address.  If hacked, that ancient email account could become a ‘back door’ to gain access to any other account that uses it for a ‘password reset’.  Use an email address that is very unlikely to change over time… a personal Gmail account, for example. And please make sure you have set that email account up with 2-step verification so that it doesn’t become the weak link, allowing hackers to change the password to all web accounts configured to send the ‘password reset’ message to this email address, locking you out, and giving them access.

What password manager should you use? It’s best to check the latest reviews, and carefully select it based on your clinic security policies.  There are free applications out there that can generate and store passwords, but because we value our accounts, we have elected to purchase yearly subscriptions to a robust commercial product that supports smartphones, 2-step verified master passwords, etc.

For more information on protecting your clinic’s accounts, see our Best Practices post entitled How can I protect access to my confidential accounts? Lessons learned from the PharmaNet breach.

If you need help, contact us.

Ransomware revisited


A few months ago, we wrote an article on Ransomware: ten ways you can help protect your clinic. Since then, the Doctors Technology Office (DTO), at Doctors of BC, has published a brief indicating there has been an increase in reports from doctors about attacks by ransomware.

We agree with the DTO’s statement in their accompanying technical bulletin called “Ransomware – What should I do?”: “It’s spreading like the plague. Healthcare organizations must know that they ARE a target and will be attacked”.

Furthermore, the DTO indicated, quite rightly, that antivirus software does not provide sufficient protection from ransomware. The best practices we’ve published above, and the DTO’s technical bulletin, provide some helpful measures to assist in preventing some of the most common ways clinics may be hit with ransomware.

What we have been observing since our first report is that ransomware and malware tools are rapidly evolving to trick users into installing it onto their computers.  And attacks are becoming increasingly sophisticated. For example,

  • If you are scanning your email for possible “phishing” attempts to get you to download malware, be aware that no matter how carefully you examine the embedded link, it can be almost impossible to identify malware websites based on the URL.
  • It used to be thought that PDF documents were safe. No longer. A new ransomware variant has emerged that will embed itself inside a PDF document.
  • Some variants that are emerging will also leak your data if you don’t pay the ransom.  Will keeping your patient files on a server outside the clinic help prevent this? Perhaps, but remember that for network efficiency reasons temporary files are frequently generated on local computers every time files are downloaded and reports are printed, all of which may contain confidential data.

Since our last “best practices” post was published, we have noticed it seems a number of clinicians and even some IT technical support staff have mistaken ideas about the threat of ransomware in medical and dental clinics.  Here are some examples.

“I don’t keep my electronic medical records (EMR) data on my Windows laptop. It is stored on a Linux server, so if ransomware hits my computer, it won’t be affected”.  Simple answer, no, that’s not correct.

  • Linux systems are not immune to ransomware, and more and more cross-platform threats are appearing, thanks to the multi-platform frameworks now available under Linux, such as Adobe Flash and Reader, Java, JavaScript, Perl, PHP, Python and Ruby.
  • In addition to mapped network drives which are always at risk, Microsoft Active Directory is now being used by some ransomware for reconnaissance and to spread across an entire network, encrypting files on every server and computer.
  • There is nothing to prevent other malware from being installed along with ransomware that could exploit vulnerabilities on any system.

“If ransomware hits my computer, I have other computers that I can use until I get my laptop back”.  Don’t depend on this. Some types of ransomware can propagate across a network. And besides, if your clinic is unfortunate enough to experience it, you will be immediately affected, without warning. Do you really want to have to deal with this problem when you have a waiting room full of patients?

“If I am hit with ransomware, I’ll simply recover my data from backups.” We agree, backups are essential to recover from an attack. But only if backups are done right.

  • Any information you have entered that has been encrypted by ransomware since the last backup may not be recoverable.
  • We have seen cases where perfectly good backups have been overwritten with later scheduled backups where dormant malware will simply reinfect the computer when it is restored.
  • If the backup is located on a shared drive that a user can access with a network-connected computer, ransomware can encrypt those backups, too.

“If ransomware strikes, I’ll pay the ransom to get my files back.”  That, of course, is your decision, and with respect to some forms of ransomware, the FBI has actually recommended this. But just know that:

  • There are known variants of ransomware that will encrypt your data, but the ‘unlock’ key you receive after paying the ransom may not actually unlock it.  In the case cited, involving a hospital, the extortionist tried asking for more money.
  • Attendees at an RSA cybersecurity conference in February learned that 31% of victims have been hit multiple times, and 25% did not get their data back, even after they paid the ransom.
  • Even if you pay the ransom, this doesn’t necessarily resolve the risk of personal health information having been disclosed.  It should be treated as a potentially serious privacy breach.

The impact:  Ransomware may do more than just lock you out from using your laptop or desktop computer. Once it gets a foothold in your clinic, it can be difficult and costly to eradicate. The threat to clinic business continuity and protecting patient personal health information is considerable. Understanding the specific risks your clinic may have at this time is a vital first step towards taking proactive measures to mitigate them and ensuring you have well-tested procedures to quickly recover if needed.

The bottom line:  Please take the threat of ransomware in your clinic seriously.  Make sure you have tested, proactive measures in place to mitigate risks before ransomware hits.

If you need help, contact us.


How can I protect access to my confidential accounts? Lessons learned from the PharmaNet breach.

The recent PharmaNet breach in BC, where it appears that several incidents allowed for unauthorized access to personal health records over the past five months and affected 7,500 residents, provides a number of useful lessons that physicians and clinic managers should think about with respect to safeguarding clinic health data.

First, it underscores statistics cited in one of our recent blogs that 80% of breaches are undetected for months.  If this can happen with a province-wide service such as PharmaNet, is it possible that some clinics with electronic medical record (EMR) systems are already compromised and don’t know it?

Second, and this is not unusual when data breaches are discovered, there were warnings and even incidents that had occurred long before the most recent one.

Third, unauthorized access appears to have occurred through a physician’s login userid and password.

Fourth, the impact of the breach was significant. As the Ministry of Health warned on February 6th, breaches of this nature are a ‘starting point’ for identity theft.

So what does this mean for private medical and dental clinics, where thousands of confidential medical records may be stored in an EMR and are accessed on a daily basis, employing userids and passwords not unlike the ones used to access PharmaNet,  on computers and servers that are completely managed by the clinic or their contracted providers?

  1. Don’t wait, especially if you have nagging concerns over how health care data is being managed in your clinic.  If you have not done so within the past few months, take the time to conduct a thorough review of your clinic privacy and data security practices. With ransomware threats now targeting health care, the urgency to conduct a review of this nature cannot be overstated. This is as important as having an earthquake kit in your home, and probably more urgent to your business.
  2. Use best practices.  When it comes to protecting your clinic, the value of doing things right will more than pay for itself if it avoids a catastrophic breach or clinic disruption. There is lots of excellent advice available to help you. Our own blogs on this topic are a good starting point.
  3. Be vigilant.  To safeguard your patients and your clinic’s daily operations, all staff must be engaged in creating a culture of privacy and security that is consciously maintained, and always alert to risks that could endanger it.

Are there any other lessons that might be learned from the most recent PharmaNet breach?

4. Use stronger methods to authenticate your accounts than just passwords. This is part of the best practices noted above, but because the PharmaNet breach is on everyone’s mind in BC right now, it merits special attention. There are so many ways that accounts with even very strong passwords can be quickly compromised that experts in the healthcare data security industry are saying passwords alone are not enough. In fact, the BC Office of the Information & Privacy Commissioner (OIPC) states that, as a minimum security requirement, 2-factor authentication should be used whenever handling sensitive personal information, including financial information (see section 13.23 of the OIPC Self-Assessment Tool that is mentioned in Part 4 of our series on Best Practices). If your EMR vendor and service providers are not providing 2-factor authentication as an option that your clinic can implement, ask why they are not doing so. While doing this, ask about convenient technologies such as YubiKeys, adaptive authentication and other methods that could make this way of securing your accounts easy to use in a clinical practice.

If you need assistance, contact us.