News of data breaches in the healthcare sector can easily become viral. Recently, a serious data breach concerning highly sensitive information affecting over six hundred patients has attracted the attention of public opinion in Ireland. The case in question demonstrates the importance for organisations to further develop their data governance programmes in order to prevent and detect such incidents.
The leaked patient data included information such as names, dates of birth and dispensed medicines relating to patients who attended the Emergency Department of the hospital in question between April 18th and April 22nd. The data was intentionally extracted from an automated system used in the Emergency Department to dispense medication safely. The former contracted systems administrator, who was entrusted with access to the patient data went on to publish the data in the form of a .SQL file from a Twitter account.
According to a spokesperson from the hospital, there was both “a data processing agreement” and “a data sharing agreement” in place between the Health Service Executive of Ireland (HSE) and the company providing the system, as well as “a confidentiality agreement”. Upon becoming aware of the breach on May 29th, the incident was not only referred to the Data Protection Commission (DPC) but also An Garda Síochána as a criminal matter. Shortly after, the HSE obtained a High Court Order on June 5th restraining the suspected individual from communicating confidential information and obliging him to return all documents and records containing confidential information.
Due to the potential impacts of the breach, the organisation shall notify all affected data subjects, contacting parents or guardians of the 95 concerned children. Although the residual risk of future unauthorised disclosure persists, the hospital does not believe that the data has been widely shared, due to the degree of technical knowledge required to read and access the file.
The need for robust audit trails
Hospitals can work to both prevent and detect the exploitation of sensitive data by its employees and contractors. In 2017, the Special Investigation Unit of the DPC examined the Irish Hospitals Sector to review the adequacy of data protection safeguards to protect patient data. The report identified key issues and outlined recommendations to further develop current practices. As threats develop and organisations build up a greater database of previous breaches, such guidance can be valuable to re-examine and redeploy.
Systems which contain electronic patient records are tracked and monitored using an audit trail (or audit log). As hospitals handle sensitive personal data, it is imperative that all such systems provide adequate audit trails. These audit trails should demonstrate who has accessed the system and what operation he or she performed in a given period of time. In order to maintain the security, integrity and confidentiality of an electronic database system, a robust audit trail function should be able to record both ‘read-only’ accesses (where users simply view or download the record) and ‘write’ accesses (where users amend or add information to the record). In its report, the DPC noted that while all inspected hospitals had activated the auditing functionality, only very few monitored ‘read-only’ accesses. Additionally, in some cases, hospital staff did not have local access to the auditing functionality, nor the ability to generate auditing reports.
According to the DPC, the absence of fully functioning audit trails increases the risks of undetected, unauthorised accesses, and organisations in the healthcare sector are recommended to implement robust audit trail components on all electronic patient record databases. Additionally:
- the audit trail output should be monitored on a regular basis, in order to detect if any unauthorised access or failed attempt to log in has occurred;
- rigid procedures should be put in place to ensure that access rights are confined to staff who require access on a ‘need to know basis’, in line with their job role and the care and treatment of the patient;
- no clinical, medical or nursing staff should be given unrestricted access to all electronic patient record irrespective of their business need to have such access;
- to deter staff from accessing patient records indiscriminately, internal policies treating unauthorised accesses as disciplinary matters should be put in place.
The bottom line
Organisations in the healthcare sector must be able to guarantee that their environment is protected against unauthorised accesses and misconfigurations. Additional attention must be paid due to the recent rise in cyber-threats targeting hospitals. Minimum safeguards should not be deemed sufficient since, as demonstrated by the described breach, data processing agreements alone will not be able to protect your organisation if the overall environment is lacking fundamental security measures. Organisations should, therefore ‘go the extra mile’ to ensure they rely on solutions and vendors that protect the privacy of their data subject both in transit and at rest. Our Data Protection and Cyber-Risk team can support your organisation both in the procurement phase and in the identification of the most appropriate technical and organisational measures.
Further reading: Ransomware attacks in healthcare on the rise