Security breach into PharmaNet

CTV reported yet another security breach. This time, the stolen information resides in PharmaNet. To provide context for the story, here is a description of PharmaNet provided by Medinet, the Integrated Electronic Health Solutions entity responsible for managing the system.

“Out-patient prescriptions filled in British Columbia are entered into PharmaNet, the province-wide pharmacy network.

The College of Physicians and Surgeons of BC considers the use of PharmaNet a best practice, and recommends that physicians use the provincial system for appropriate patient care.

Medical practices, clinics and hospitals in BC access PharmaNet over our secure, private network. Users obtain detailed patient drug profiles showing medication history for the past 14 months, and have access to other information necessary to prescribe new medications safely.”

It appears the security breach didn’t happen through hacking activities directed at the central system. It came through an end-point, a doctor’s laptop. In other words, the hackers found the weakest link in the defence system and exploited it.

To assess the security risk, let’s see who else can access the system. Another quote from Medinet:

“Who can access the system?

Physicians and anyone in a medical practice who is sponsored by a physician, like nurses, medical office assistants and clerks.”

“What equipment do I need?

If you have access to the Internet, you are ready to go! We will give you our web-based program that runs through your Internet browser. No special equipment or installation is required, although high-speed Internet access is recommended.”

As you can see, there are thousands of people with access to PharmaNet and, in Medinet’s own words, there is nothing but a browser required to access it. They make absolutely no mention of securing your device, of two-level authentication, or of any security measures at all… just a browser.

If you are designing a secure system for access over public networks, take the time to ensure end-point devices are protected to the same level.


