An investigation by the Office of the Information and Privacy Commissioner into a computer server that had been compromised by malicious software has resulted in several recommendations to protect computer systems.
In January 2010, the University of Calgary informed the Commissioner that a server at the University of Calgary Medical Clinics’ Sunridge location had been infected by 9 Trojan horse programs, which allow the creation of a back door that in turn allows an external party to take control of and steal data from the affected computer.
The server in question housed information including patient demographics, patient referrals, health insurance billing codes and Personal Health Numbers. UCMC promptly informed the 5000 patients who were impacted by this breach and took immediate action to stop the information leakage.
In his Investigation Report, Health Information Act Director Brian Hamilton said the root cause of the breach was an unmanaged computer server that was not included in regular security scans. The server’s operating system and anti-virus software were out of date and the server had several unnecessary administrator accounts, which allowed malicious software to spread. Effectively, the server was a “time bomb,” waiting to be exploited. The Report makes several recommendations to better identify and fix vulnerable computer systems. Those recommendations include conducting an annual review of information systems to ensure that health information is safe, conducting a risk assessment before installing new equipment or software, and providing annual training to staff.
Information and Privacy Commissioner Frank Work says, “If you run out-of-date computer operating systems and anti-virus software, along with unneeded administrator accounts, you will be owned by hackers.
Everyone needs to be aware of what is installed on their network. It only takes one neglected computer to make your entire infrastructure vulnerable.”
The University of Calgary Medical Clinics cooperated fully with the Investigation and is implementing the recommendations made in the Investigation Report.