25 November 2007

Security breach at public health lab

Officials in Newfoundland and Labrador are investigating a security breach involving the province's Public Health Laboratory.

On Friday, justice minister Jerome Kennedy and health minister Ross Wiseman told reporters that an unnamed consultant working with the lab received a call from an individual claiming to be a security specialist. The caller said he had patient information that was on a computer at the lab consultant's home. As cbc.ca/nl reported:

The data, including lab test results for infectious diseases such as HIV and hepatitis along with patient names and health numbers, was stored on a government desktop computer, said Health Minister Ross Wiseman.

The computer was unplugged and taken to the home of a consultant working for the Provincial Public Health Laboratory, something Wiseman said should never have happened.

The lab's website describes its functions more broadly:

The Public Health Laboratory (PHL) provides routine, specialized and reference laboratory services in clinical and public health microbiology to all hospitals, clinics and other health related agencies in the province. These services are offered only through authorized health care professionals.

Bacteriological water quality testing service is provided to private individuals, communities, municipalities, private and public agencies, etc.

With a mandate, role, and functions at the provincial level, the PHL has been able to keep up with technological developments and maintain the state-of-the-art microbiological laboratory services, procedures and facilities.

The PHL has also been active in undertaking a wide variety of research and special projects in medical microbiology and infectious diseases epidemiology and initiatives in relation to existing and emerging public health issues. The PHL periodically publishes articles and abstracts pertaining to the above.

While the lab consultant appears to have been fired, there is no indication of other action. The incident would appear to involve a breakdown of security practices at the lab that allowed a computer to be removed from the lab in the first place, let alone how it could then be operated from an unsecured Internet connection. The incident calls into question both the security policies and procedures and the way in which highly sensitive data is stored. A consultant needing to work from home could easily have been given external access to the data through secure log-in procedures, including frequently changed passwords and data encryption, rather than through physical removal of the machine.

Kennedy told reporters on Friday that "We don't know the extent of the breach, we just know a breach has occurred." However,

Kennedy claimed the incident appears to "be an isolated situation," and that no files were lost from the province's wider computer network.

There is no explanation for Kennedy's assurance given that he had acknowledged not knowing the extent of the security breach. Other security-related information may have also been stored on the computer used by the consultant.

Curiously, an unnamed private security consultant is being retained by the province to investigate the incident alongside the provincial police force. There is no indication the provincial officials considered using other police sources, such as the Royal Canadian Mounted Police, or data security and computer security experts with the Communications Security Establishment. Both federal agencies routinely secure information at least as sensitive as the patient information compromised by the security failure revealed on Friday.

This local security failure comes in the wake of news that the security of 25 million records in the United Kingdom was compromised by the theft of compact disks containing unencrypted data. Technology security consultants describe government security for many types of data as being extremely lax.

-srbp-