Security of health information like 'Fort Knox': doctor
Last Updated: Thursday, July 9, 2009 | 11:40 AM MT
CBC News
The security of Albertans' health information is as good as Fort Knox, according to a senior Edmonton doctor, despite the fact that a virus infected 150 Alberta Health Services computers in May.
The personal health information of 11,582 people was skimmed from the AHS Edmonton network between May 14 and May 29. Notification to those people has been sent by mail by AHS and should be received within the next seven business days.
The virus, Coreflood, captured lab results, diagnostic imaging reports and whatever else was on a computer screen and then transmitted the information to an external website.
Dr. Nigel Flook, chief of family medicine at the University of Alberta hospital, says health information is as secure as "Fort Knox." (CBC)
Despite this breach, the system is highly secure, with multiple security steps involving passwords, a special key fob, and security identification that changes every six months, Dr. Nigel Flook, chief of family medicine at the University of Alberta hospital, said Wednesday.
"The security is like Fort Knox, but if you're a criminal you can still get into Fort Knox if you want to," Flook said. "And if you're some kind of a crook, you can get into the health system, too, if you want to."
Fort Knox is a U.S. Army base south of Louisville, Ky., where the Department of the Treasury has maintained a gold bullion depository since 1937. It is commonly known for its high security, given the value of the gold held there.
The value of having health information stored electronically far outweighs the downside, Flook said.
"The risks of that, and the downside of that, [are] much smaller than the tremendous health benefits to individuals of having all of their health information in one place," Flook said.
It's "unforgivable" that it took 14 days for antivirus software within AHS computers to detect the Coreflood virus, Anthony Nelson, president of Estec Systems Corp. in Edmonton, told CBC News.
Coreflood has been around since 2002 and should have been easily detected, said the head of the information security consulting firm.
Anthony Nelson, president of Estec Systems Corp., said on Wednesday it's "unforgivable" that it took antivirus software 14 days to detect the Coreflood virus. (CBC)
"For Coreflood to go for 14 days on any network in the world means that they have computers that are not adequately protected by antivirus. … Every antivirus program in the world currently recognizes and captures Coreflood," Nelson said.
For the virus to have infected AHS computers means that staff are turning off the antivirus program on the computers they use or perhaps the program hasn't been installed, he said.
"That's fundamentally an employee-training problem," Nelson said.
The war against computer hackers is a difficult battle to fight, he said.
"It's almost a war of good against evil, the good guys are always playing catch-up," Nelson said.
In terms of the information taken from the AHS computers, it's unlikely it would be of much use to hackers, he said.
Most hackers are after financial information that can be used to gain access to bank accounts, or personal information that can be used to set up new bank accounts.
Hospital employees who may have been accessing personal information such as this while using a computer at work may be at some risk, Nelson said.
That doesn't worry Dr. Nigel Flook. "It's still easier for a hacker to get into the bank and steal my identity and money," he said.
"They can access all my funds with one PIN number that hasn't changed in the last 10 years," he said.







