Blog / Is that the Doctor on the Line? – Part 2: Province of Saskatchewan Moves to Online Patient Records
A few weeks ago, I wrote about a disturbing call we received at our house, that professed to be from a medical clinic in BC wanting our input on a survey, in exchange for a gift. It was a hoax from start to finish.
But shortly after the article was published, I was contacted by a reader in Saskatchewan who pointed me to an interesting article from Global News. They were reporting that the Government of Saskatchewan are introducing a new website: MySaskHealthRecord. The intent of the site is to allow Saskatchewan residents access to some of their medical records online. The reader was interested in my thoughts on this development. I had a few things to say.
But first a brief synopsis of the article and the intent of the website. Naturally, the provincial government is very proud of this new site, as you can see from this quote:
“This is a game-changer, giving patients information they need to play an active role in their Healthcare. We are putting your own Health information in your hands. You have a right to access it anywhere, anytime,” said Warren Kaeding, Rural & Remote Health Minister, SK.
The article explained briefly the services that will be offered:
The program also allows residents to add personal information to track and generate reports, set medication and appointment reminders and upload information from health devices like wearable activity trackers.
Finally, the article described the access and Security Protocols:
MySaskHealthRecord available to those 18 years of age and older. Residents need a Saskatchewan Health-card, an SGI Driver’s Licence or ID card to register. After online verification, a unique pin # will be mailed to the address associated with their Health-card number. The pin generation is to support further Security and to assure that people are who they are.
It’s the last part that caught my Cyber Security attention. If the protocols sound familiar, it’s because they are very similar to the systems used by the banks and the federal government, when accessing services online. If access is granted as described, I have a problem with it. It doesn’t use Two-Factor Authentication.
Two-Factor Authentication is a system that requires users to identify themselves from two different Technology sources. That’s different than having two identity “tags” entered into the same system interface. For example, if I have the Health-card number and the unique PIN suggested above, I enter them into the same web page in the MySaskHealthRecord website. If they match, I’m in. But if I have a virus BOT on my computer that captures keystroke and website URLs (a very common attack vector), then the hacker has all the information they need to access my Health Records.
Two-Factor Authentication would add another Technology source to the equation. In our example, it might be that a unique verification code is also sent to my Smartphone via TEXT message and I have to enter the code into the website before I have access. Thus, two (Technology) factors are required – the PIN and Heath-card combination entered on the website from my computer AND the verification code sent to the Smartphone. The hacker might have the first, but they don’t have the phone to get the unique code sent at each login attempt. Google and many other secure-access systems routinely use Two-Factor Authentication; the technique has been around for years and can employ many different devices. We use it for many of our clients, when they access their sensitive information remotely. We’re also starting to require it when we host Client Systems on our Cloud Data Centre, in Stony Plain.
I went on to describe a few more concerns about online health records:
– Does the sight have an Education section alerting people to Security dangers and how to protect themselves, if accounts are hacked?
– Banks use a similar system for secure access to individual accounts over the web. But dealing with a bank is a commercial transaction and individuals have financial recourse with the bank, if something goes wrong. If someone hacks your account for $10,000 – and the bank’s at fault, then they owe you $10,000. What recourse does someone have if their Medical Records are hacked?
– As access to Medical Records over the web is a new frontier, it’s hard to guess how the hackers will monetize it. Ransom, malicious manipulation, spoofing, identity theft, and profile-building come to mind – but who knows. Someone is going to be the unfortunate poster child for the first-ever hack.
– Finally, there was no mention of allowing people to opt out – and have their records removed from this system. Are everyone’s records there for the asking? For example, if the system was in Alberta, my wife has a 90+ year-old mother who will NEVER access the system. Why would we allow the risk of having her records online that will never be accessed? Perhaps a better way is to have people OPT IN. You apply to have the system activated, and only once approved, are your records available online. Otherwise, they stay off the “web server”.
As I grow older, I’m all for having better and more accurate Health information available, making it inevitable for more systems to move online. I just hope the Security Protocols keep up!
If you would like more information on Two-Factor Authentication and how to keep your sensitive information secure, please contact me or your TRINUS Account Manager for some stress-free IT.