Friday, 13 April 2007

Health Information Exposed

A scary report from an organisation responsible for the health information of 5% of New Zealand.

An anonymous “war driver” has told Computerworld that it’s possible to access internal systems through the wireless service run by the Otago District Health Board (ODHB). As a result, the Dunedin hospital authority may have to review the security arrangements relating to its wi-fi pilot.

The ODHB’s acting CIO, John Tolchard, says the need to achieve a balance between security and cost-effectiveness was behind the choice of WEP. There are always trade-offs between security and complexity for users, he says.

Tolchard asks: with the WEP key cracked, “then what would he [the attacker] do?”

According to Tolchard, all the systems on the ODHB’s network are password-protected and only select users who need access — and who attend a training programme — get logins. There is no way anyone could access confidential information, such as patient records, without a valid username and password, he says. [my emphasis]

Yeah Right! as they say around here. Generously assuming that any brute-force attack on those logins would be detected and foiled, the unprotected network can still be sniffed to collect the user IDs and passwords of the "select users", or to passively collect information handled by legitimate users. Aside from that, it would appear possible to mount denial-of-service attacks on the internal network or, worse, subvert network components.

As George Ou reported way back in March 2005, any WEP-based network, with or without dynamic WEP keys, can now be cracked in minutes!
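To make the "then what would he do?" question concrete, here is an added example (not from the original post or from the ODHB) modelling WEP frame protection in plain Python: a station holding the recovered key reads sniffed frames directly, and because the 24-bit IV repeats so quickly, two frames sharing an IV leak each other even without the key. The key, IV and frame contents are constructed sample values.

```python
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA): n bytes of keystream for the given key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = 3-byte IV in clear || RC4(IV||key) over payload||CRC-32 ICV."""
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Anyone holding the shared key turns a sniffed frame back into its payload."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch: corrupted frame or wrong key")
    return payload

def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Same IV => same keystream; XOR of the two bodies is plaintext1 XOR
    plaintext2 with no key at all. Random 24-bit IVs are expected to repeat
    after roughly sqrt(pi/2 * 2**24) ~ 5100 frames (birthday bound)."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("different IVs, keystreams differ")
    return xor(frame1[3:], frame2[3:])

def demo() -> tuple:
    """Constructed sample key/IV/frames (not from any real network)."""
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"   # 40-bit WEP key
    known, secret = b"login: alice", b"login: bob!!"      # two equal-length frames
    f1, f2 = wep_encrypt(key, iv, known), wep_encrypt(key, iv, secret)
    with_key = wep_decrypt(key, f2)                        # the cracked-key case
    without_key = xor(keystream_reuse_leak(f1, f2), known) # IV reuse + known text
    return with_key, without_key
```

The ICV is a plain CRC-32, so it detects noise but not deliberate modification; the defence is to replace WEP (WPA2 at the time of writing) rather than rotate keys.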

While I can have some sympathy with an organisation caught with its guard/pants down in this way, there is incredible naivety shown in the report. We may debate the value of the information revealed by illicit access to networks or services, and the loss an individual may face when medical information is exposed, and so establish what is to be traded off. However, loss of confidence in the medical provider's security of information may have the fundamental outcome of people simply not trusting the organisation as a whole.

The legalese that covers the issue in NZ is contained in the Health Information Privacy Code 1994:

Rule 5 Storage and Security of Health Information
(1) A health agency that holds health information must ensure:
(a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against:
(i) loss;
(ii) access, use, modification, or disclosure, except with the authority of the agency; and
(iii) other misuse;

Perhaps it is time that the protection of information here in New Zealand had the visibility and force of law in the manner of HIPAA in the USA. Then boards and officers would have it brought home to them that protection of information is a requirement and not an optional extra.
