Workers, Patients Concerned About Data Breach at University Hospital
Lax network and cybersecurity around the troubled Hospital Information Management System (HIMS), which is devouring millions in cost overruns, has exposed thousands of patient records at the University Hospital of the West Indies (UHWI) to hackers, a Sunday Gleaner investigation found.
Although Advanced Integrated Systems (AIS), which is implementing the project four years after the delivery date, has put the hospital administration in the spotlight, one of the country’s leading technology experts insists the company has questions to answer.
The project to make the hospital paperless has cost the University of the West Indies (UWI) Mona campus more than $500 million with no completion date in sight. Mona signed the contract for UHWI, its teaching arm, in September 2015.
Data on patient numbers are not readily available, but the 2013/2014 annual report indicates around 50,000 people in the emergency room and 17,500 ward admissions – the numbers are likely to have risen significantly by now.
Over the past month, The Gleaner interviewed over a dozen UHWI employees who interacted with the web-based HIMS at various levels, as well as several patients, after seeing an employee entering the system being warned that the “connection” to the site “is not safe”.
“Do not enter any sensitive information (such as passwords or credit cards) on this site. It could be stolen by attackers,” said the notice that appeared when multiple users tried to log in to the system, which stores basic personal and sensitive information such as patient names, addresses, phone numbers, financial and medical details.
This was observed over a two-week period and was the main concern of health care workers, who spoke on the condition that their names not be included in the publication as they were not allowed to speak to the media.
The Sunday Gleaner asked for a tour to see HIMS at work, but the hospital said it is “still being installed” and would issue an invitation when the project, which had an April 2017 deadline, is completed.
“How can you have a system that handles patient data and you get a message that the site is not secure?” asked a senior medical officer, who said that she and her colleagues support the “intent” of HIMS but not the way it is implemented.
HIMS is on most wards and sometimes works in several clinics and departments, including X-ray. Observations and reports suggest that records are sometimes difficult to access, and workers have had to use the old “PIMS” system for accounting.
Just last week the system crashed, forcing department heads to send an “urgent” message pointing out problems in the clinics, using paper or rescheduling appointments.
What is most important to staff, however, is that the site may not be secure and that there is a risk of patient data being compromised at the leading medical facility in the area.
AIS explained that the pop-up is a “standard warning” that appears in the website address bar of a browser when a user tries to connect to a website through an insecure connection.
It acknowledged that there could be a risk that communications between the user and the website could be intercepted by hackers, thereby compromising sensitive information.
However, this is unlikely with UHWI patient records, argued AIS in a comment on a photo of the warning that this newspaper had attached.
NEVER BEEN BREACHED
AIS said the HIMS website address was private and inaccessible from the Internet, and the “not secure” prompt was not an indication of a problem or vulnerability in the website. It said the system had never been breached.
“It is the link to the website that is unsafe,” said Shekar Sanumpudi, AIS health applications director. “However, this does not pose a risk to the patient files.”
HTTP is the protocol by which a web browser communicates with a server. Lately the protocol has been extended to ‘HTTPS’, where the ‘s’ indicates that the connection is secure, which prevents interception of information.
“Given that the application link is private, this issue does not pose a significant risk to HIMS; it is essentially a matter of network configuration for the UHWI,” concluded Sanumpudi.
But it’s not just a problem for the hospital, countered Trevor Forrest, CEO of 876 Technology Solutions, a company that specializes in website design, cloud hosting, and document management.
“If you say that most users use HTTP versus HTTPS, this is not a choice for them. They don’t choose that. It is the website that dictates that response – no matter which website you connect to,” he argued.
“The server you connect to determines whether the connection is secure or not.”
AIS has indicated that with the exception of radiological information, all other data collected through HIMS is stored in its data center or on its servers.
“If you have control of the server this application is running on even though it’s on a private network, why not put SSL certificates on this box?” Forrest questioned, referring to the Secure Sockets Layer (SSL), a protocol that uses a digital certificate to authenticate a website’s identity and ensures data integrity.
SSL has evolved into Transport Layer Security (TLS), which web browsers indicate with a padlock icon when a secure connection is made.
The security concerns are serious, Forrest said, noting that while HIMS is on a private network, the machines connected to it are also connected to the public Internet, which opens up opportunities for persistent hackers.
The belief that an application being on a private network reduces the risk of compromise is a “common misconception” among businesses, he said.
“Your value lies in the fact that you may have a large customer that you have access to, whose data is valuable. Hackers don’t hack what is secure, but rather what is insecure,” says the cybersecurity expert.
“I wouldn’t say it’s not a risk – a risk, albeit a distant one, but a risk. If you don’t have end-to-end security, the weakest link will ruin you.”
The UHWI, Forrest warned, also has work to do to ensure its networks are secure, an issue that AIS said it should insist on in order to reduce its liability for any breach. The hospital is the owner of the collected data.
HOSPITAL IS RESPONSIBLE
One patient said it is “the hospital’s duty to make sure my information is protected. I don’t want to hear anything about such a weak point.”
AIS said it “constantly reviews” its security protocol, which is based on several key factors, including data center certification, which received its PCI badge for financial transactions in 2017, and HIMS certification, which has two approvals from the International Organization for Standardization.
The PCI certification comes from the PCI Security Standards Council, a global forum that sets standards for secure payments such as health insurance, for which AIS is known for its health assessment system.
Replies from most of the main stakeholders from whom they were requested are still pending. Since the first series of reports, the UHWI has directed all questions about HIMS to the UWI, Mona.
After the story broke on June 13, Mona announced that it would address additional issues in its review of HIMS sourcing.
However, given concerns about data security, this newspaper pushed for a response, but none came.
In a June 24 statement, UWI Vice Chancellor Sir Hilary Beckles said he had asked the university’s auditor Judith Nelson to “deepen an investigation into the role of UWI in the project as institutional and public accountability is a priority”.
There was no update from Minister of Health Dr. Christopher Tufton on his request for a letter from UHWI Board Chairman Professor Evan Duggan, and the Department of Health has not responded to several questions about the HIMS issue over the past month.
Without explicit reference to HIMS, eGov, the lead government agency for ICT, confirmed that UHWI approached it in June 2020 to help manage “some ICT projects”.
eGov said, “No further comments as we are waiting to meet with our client to determine how to proceed,” and declined to acknowledge reports that it has serious privacy concerns with the HIMS and that its representative has ended the assignment since the scandal broke out.
Professor Archibald McDonald, under whose direction the controversial HIMS was procured, has proposed renegotiating the contract in view of the delays. McDonald is also vice chairman of the UHWI board of directors.
The 2015 contract, signed when the Cayman Islands government was on the verge of completing a patient claims project backed by AIS, shows that Mona agreed to buy HIMS from Health Administration Systems (HAS), an opaque St. Lucia-registered company.
Mona paid $1.25 million for the software, which is implemented by Douglas Halsall-led AIS, and pays $600,000 in annual maintenance fees.
AIS has a stake in Suvarna Technosoft, the India-based company that developed HIMS.
A UHWI project status report from 2018 criticised HIMS as “still in development” because the project ran past its deadline, exceeded the budget and was fraught with problems with “massive adjustments”.
The UHWI issue comes months after millions of personal data records were disclosed on JamCOVID, the Amber Group-gifted government web portal used to process travelers to the island.