Absolutely, you should. Especially if you can't answer this question: do you know exactly how your personal health information is being protected by the medical facilities, hospitals, and other health providers that you have shared it with?
In January, eHealth Saskatchewan suffered a data breach. At the time, ransomware had encrypted their data, but it was believed that no personal data was stolen. A recent article by CBC News confirms that the malware entered eHealth’s systems on December 20th, where it copied sensitive health data from their internal systems. eHealth admits it still doesn't know exactly what information was taken, who took it, where it went or what it's being used for. The copied files were encrypted and sent to a series of IP addresses, 4 of which were confirmed to be in Europe.
Toronto cybersecurity expert Claudiu Popa spoke with the CBC and told them, “Best practices in our industry, in the security industry, dictate that if we don't know what was taken, we have to assume that everything was taken.” Popa also told CBC that this type of information could be used to blackmail individuals by threatening to reveal sensitive test results, or the hackers could use the health care and social insurance numbers for identity theft.
Two days ago, the Saskatoon Star Phoenix reported that the province is allocating “an ‘unprecedented’ $13.6 million in capital funding and $7.4 million in operational funding that eHealth says will help it continue to upgrade data storage and security features, including work on a disaster recovery plan, as recommended by the provincial auditor’s office in 2017.” While it’s too late to prevent last winter’s attack, it could be seen as a step in the right direction. A statement from Ministry of Health spokeswoman Colleen Book said the new funding is “not directly related to the malware incident” but will ensure “eHealth has capacity and funding in place to plan, mitigate and respond to risks and incidents in the future.”
Raheel Qureshi, a partner at Toronto cybersecurity firm iSecurity, told the Star Phoenix that these types of attacks, like the one on eHealth, should be a wake-up call to the healthcare sector. Indeed, it’s not just Saskatchewan or LifeLabs that need to take note. A recent Security Boulevard article called out the Canadian healthcare sector for being way behind in its approach to cyber security. All healthcare providers need to take note.
Qureshi believes that healthcare organizations would be best served by investing in 24/7 security monitoring to catch threats early. Testing of the network's security needs to happen on a regular, ongoing basis. Segmenting the system so that a hack in one part doesn’t spread as quickly to another part of the network is also a cyber security best practice.
Is your company storing Personally Identifiable Information (PII) or Personal Health Information (PHI)? If so, here are 3 areas we recommend you review immediately:
1) Review your internal policies and compliance to confirm there are no gaps
2) Confirm that cyber security awareness training is ongoing and evaluated, to reduce user base compromises
3) Confirm that security solutions are patched, up to date and being monitored
If you have any questions regarding protecting your data, please contact us today!