Leaked report reveals lax cybersecurity over Alberta patient health records

Alberta Health Services failed to properly safeguard the electronic system that holds the personal health information of hundreds of thousands of Albertans, leaving the system vulnerable to outside security threats, according to a leaked report.

CBC News has obtained a May 2018 internal Alberta Health Services (AHS) summary of a vulnerability assessment conducted for the health authority earlier this year.

Procyon Security Group, an external firm, examined how AHS protects information in the Alberta Netcare Portal, the electronic system that gives health-care providers access to key information from a patient's medical history such as laboratory test results and hospital visits.

"The vulnerability assessment identifies a number of significant risks that need to be addressed and/or properly mitigated and/or accepted in a timely fashion," the AHS summary states. "While it is difficult to quantify the risk, we might be considered to be in breach of the Health Information Act and the duties it outlines relative to our role in protecting health information."

The Health Information Act states that a "custodian" of private health information has a duty to protect against any reasonably anticipated threat to the security or loss of that information.

Most security issues addressed: AHS

Alberta Health Services declined an interview request. In emailed statements, it said there wasno breach of the Health Information Actand neither had there been any breaches of the Alberta Netcare Portal from outside sources. The health authority stressed that the company only reviewed the Alberta Netcare Portal application, not the broader AHS network.

"Patient information continues to be protected," an AHS statement said.

AHS also said it had already acted on most of the issues identified in the report, "including steps to add an additional layer of security (firewall) around Netcare, to enact a more sophisticated password system, and to protect us from developing threats. These are in progress or already complete."

• Alberta nurse fined for snooping in patients' health information
• AHS failed to train,oversee hospital staff who snooped on private health info, investigation finds

But when CBC News showed the leaked report to John Zabiuk, a NAIT instructor with more than 20 yearsexperience in computer security, he said he remains concerned about security risks.

"For the average Albertan, is their information at risk? Absolutely it is," Zabiuk said. "And should they be concerned? I certainly would be concerned. I am quite concerned myself."

While Alberta Health is considered the manager of Netcare's information, AHS runs the system under an operating agreement.

The health authority must conduct vulnerability assessments every two years and must meet certain service level targets. Procyon's review, completed in February, found AHS is "in breach" of the targets detailed in its operating agreement with Alberta Health.

Procyon identified 108 security risks in the Alberta Netcare Portal and its associated infrastructure: 11 critical, 34 high, and 63 medium.

"Highly insecure" database access

Of particular concern was the portal's "highly insecure" database access. Procyon found AHS last applied security updates to its system in July 2014 three and a half years before the company conducted its review and the health authority did not securely store users' passwords.

The Alberta Netcare Portal protects users' passwords through a common method called hashing, a process that replaces an entered password with a unique string of different numbers and letters. These password "hashes" are then stored and compared against a user's actual password each time it is entered.

But Procyon was able to obtain the password hashes of database users and crack nearly 40 per cent of the users' actual passwords.

"The bigger part of this vulnerability would also have allowed [Procyon] to exfiltrate all data in the database, including the password hashes of Alberta Netcare Portal users," the AHS summary states, and also access "personally identifiable medical records."

In its summary, AHS recommends internal experts review each security vulnerability and recommend whether to fix it in the way Procyon suggested, find a workaround for the problem, or accept the risk it poses.

Alberta Health Services' ability to secure patient information will only become more relevant as the health authority moves to create a single medical record.

Last year, AHS signed a $459-million deal with a Wisconsin-based company for a new clinical information system called Connect Care, which will consolidate most of the more than 1,300 information systems. Under the new system, patients will be able to access their own medical files.

If you have any information about this story, or information for another story, please contact us in confidence at cbcinvestigates@cbc.ca

@jennierussell_ @charlesrusnell