By Brennen Schmidt
ALEUS Technology Group
and Allan Bonner
Personal information is personal. Period.
Other than professional athletes and most presidential candidates, few people want the world to know what medical procedures they’ve had.
People who’ve had abortions, psychiatric counselling, sexually transmitted diseases (STDs) or sex reassignment surgery have done so thinking it would be a private matter. They also don’t want the trouble that some employers or interest groups might cause.
As long ago as the 1960 American election, the office of candidate John F. Kennedy’s physician was broken into and all the files beginning with K were ransacked. Luckily for Kennedy and his doctor, a security system was in place. The candidate’s records were filed under another letter. It wasn’t sophisticated but it worked.
You don’t need to be famous to be vulnerable. You only need to work for one of the many institutions that require a statement of faith from staff, or assume certain behaviours of them.
With so much hospital technology going digital – including diagnostic imaging, X-rays and MRIs – a security breach isn’t just an inconvenience, it can be a matter of life or death. If a patient needs a diagnosis, and the machinery that can detect a stroke, blood clot, aneurysm or other emergency is hacked, disabled or held to ransom, the data might not be accessible in time.
Yet many real breaches involve no hackers, high technology or ransom at all. It’s not uncommon for hospitals to find that electronic medical records have been opened by a staff member whose job gave them no reason to look – someone with a valid login, but no treatment relationship with the patient.
Why? Was it research on a previous spouse? Was it holding patient files for ransom?
Sometimes we don’t know. The alleged perpetrator might be under no obligation to speak to an outside consultant, the hospital or the police.
But there may be clues. In one case, an alleged perpetrator who didn’t have clearance to access these files was of the same demographic group as the patients.
For discussion purposes, think of the Republic of ABC. The alleged perpetrator may be part of this group and married to a person of this group. The spouse of the alleged perpetrator may run a business that caters to citizens and former citizens of the republic. Think of a settlement agency, travel agency or immigration service – lots of organizations that would benefit from a database of like-minded people.
The circumstantial evidence in cases like this is fairly clear. This is a true story, and it is only one of many in which a hospital employee wanted contact information for a group that might buy certain services.
In many jurisdictions, legislation requires hospitals to tell patients and former patients when their information may have been compromised. This is where the hard work begins. How are notifications issued to the affected individual or individuals?
Imagine the conversation on the street in a small community: “Did you get that letter from the hospital? If you did, was it about your former psychiatric services, AIDS, spouse’s STDs or an old abortion?”
The intent of the legislation may be great but the effect may not be so great.
Then there’s the letter and spirit of the legislation. How far back do you go to find out and to notify? What if this perpetrator had a recent spree of collecting confidential data, was inactive for some years and had a spree a few years even farther back – farther back than you’re required to look?
Sure, the investigators assigned will complete their required work collecting and analyzing information, possibly even compiling a report with recommendations. But that investigation might not be helpful in preventing a future event.
One solution may be a requirement to publicly report and post the names of individual(s) found guilty of this crime. Perhaps this would serve as a disincentive to snoop.
Another option is to use machine learning, or even simple rules, to review access to health information systems electronically. Most record systems already log who opened which chart and when; the gap is that nobody reads those logs until a complaint arrives. An access that matches neither the user’s role nor a current treatment relationship with the patient, or a sudden burst of chart lookups by one user, should trigger an alert to that individual’s employer for review.
The risk is clear. We can’t just look for genius hackers, North Koreans, the Chinese, Iranians or Russians. The threat can range from someone down the street running a small business to a curious former spouse.
Dr. Allan Bonner, MSc, DBA, is a crisis manager based in Toronto. His forthcoming book is Cyber City Safe. Brennen Schmidt (BEd, Certified PR, CUA) is principal of the ALEUS Technology Group, a boutique digital communications firm in Regina.
The views, opinions and positions expressed by columnists and contributors are the author’s alone. They do not inherently or expressly reflect the views, opinions and/or positions of our publication.