Private health information held in P.E.I.’s embattled e-health records program is not being properly protected, says Auditor General Colin Younker.

Younker outlines his security concerns in his 2010 report made public earlier this week. That report also highlighted serious concerns about delays in implementing the program and significant cost overruns.

The program wasn’t supposed to cost taxpayers a dime. But costs have ballooned to more than $15 million for taxpayers.

Total costs for the program are now at $33 million, yet the program is still not fully functional and there are no plans to fully implement it.

Younker specifically points to one aspect of e-health, the Drug Information System or DIS.

DIS is a provincewide system where information on all prescription drugs dispensed to residents is processed and stored.

He said the information contained in the DIS is considered personal information, which means information within the system should be secure and only available to those who have authorized access.

But the auditor general found that there is “... not a comprehensive set of formal security policies, standards, and procedures in place to govern and maintain the confidentiality, integrity and availability of patient information within the DIS.”

Younker’s security assessment found little in the way of security checks for external users including pharmacists. That is left to the individual pharmacy.

“The result is that external systems accessing the DIS may have weak security controls or user access management processes which increases the risk of unauthorized/inappropriate access,” he writes in his report.

There are also no formal procedures for removing access when a user leaves their job. That could also mean inappropriate or unauthorized use.

There are also no controls in place to enforce minimum password length or password complexity, and passwords do not expire.

Service providers, or those who work on the computer systems, have full access to the computer system and their access is not tracked.

There is also no disaster recovery plan in place and the business continuity plan hasn’t been updated since 2007.

Younker is also critical of information technology staff for not reviewing security and audit logs on an ongoing basis.

“Failure to review logs regularly increases the risk of inappropriate activity not being identified in a timely manner.”

---

Author(s): Wayne Thibodeau

Source: The Guardian, 09.04.2010
