A nonprofit privacy advocacy group, the Open Privacy Research Society, discovered that the sensitive medical information of patients being admitted to certain hospitals across the Greater Vancouver Area is being broadcast, unencrypted, by hospital paging systems, and that these broadcasts are easily intercepted. The society notified Vancouver Coastal Health (VCH) immediately after discovering the vulnerability almost a year ago, but VCH ignored and downplayed it for months.
Some of the patient data (PHI) being broadcast includes the following:
- Gender marker
- Attending doctor and room number
Healthcare organizations can’t afford to be negligent about security when threat actors have proven their relentlessness in gaining access to and misusing patients’ personal health information (PHI). By broadcasting unencrypted PHI through radio waves, Vancouver Coastal Health opened a window of opportunity for cybercriminals to exploit patient data for their own personal gain. Despite Open Privacy’s initial alert over the security issue in late 2018, VCH continued to ignore and downplay the vulnerability for almost a year, which is even more alarming.
In general, there seems to be a lack of awareness of data protection requirements and technologies. For VCH and other healthcare entities to solve issues surrounding privacy, identity, consent, and all elements of processing personal data, these organizations must deploy and use proven security applications that are built from existing, well-tested libraries and best practices. VCH needs to transition to a more secure messaging system immediately to prevent further and future access to PHI. It’s now easier than ever to leverage security strategies and tools that prescribe real-time, contextual and continuous security, detecting irregular behavior and prompting further action, such as strong and adaptive identity authentication and authorization. Healthcare organizations that use these strategies and tools are in a better position to stop malicious actors who seek unauthorized access to PHI.