Vancouver, BC hospitals routinely wirelessly broadcast unencrypted patient telemetry and admissions data to physician paging systems, and, apparently, it would be a trivial matter to intercept such transmissions. The Canadian activist group Open Privacy Research Society brought this matter to the attention of Vancouver Coastal Health in 2018, and after a year of inaction, the privacy group went public with the complaint.
Badly in Need of Technical Modernization
The privacy activist report portrays Vancouver Coastal Health as being in bad shape when it comes to technical wherewithal, data protection, and privacy, noting that the hospital privacy officers are “unaware of the radio broadcasting component of the pager system(s).” The group also reported that the paging system doesn’t log third-party access, according to Boing Boing. The publication also reported that spokespersons “blithely asserted that no breach had taken place.” Could these allegations be true? If so, why wouldn’t they respond and remediate?
Demands for Disclosure
Open Privacy Research Society is not certain of the scope or scale of the problem, or of how many people have been impacted by potential data protection and privacy breaches. They believe that the gaps identified have probably been in place for years. They asked VCH to answer the following questions:
- How many patients’ information has been broadcast to date in this breach?
- Where were the legacy pager systems installed?
- Can a patient determine if their individual information was broadcast in the breach? If so, how?
- How many VCH patients continue to have their personal information broadcast unencrypted on a daily basis?
- Have any mitigations, such as shutting down these systems or limiting what information is entered into the insecure paging system, been put in place?
- How and when does VCH plan on notifying patients whose information was broadcast?
The activist group has notified the Office of the Information & Privacy Commissioner in British Columbia.
Patient Data Protection in Canada
There are several laws in Canada that relate to privacy rights. Enforcement of these laws is handled by various government organizations and agencies. They include national laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA). Canada’s law is similar in many ways to the U.S.-based HIPAA with regard to patient data protection. There are differences to keep in mind as well, and TrialSite News provides a link to a comparison of the two neighboring laws.