Staff, patients concerned about data breach at university hospital
Loose network and cybersecurity around the problem-plagued Hospital Information Management System (HIMS), which is gobbling up millions in cost overruns, has exposed thousands of patients’ data to hackers at the University Hospital of the West Indies (UHWI), a Sunday Gleaner investigation has found.
Although Advanced Integrated Systems (AIS), which is implementing the project that’s four years past its delivery date, has thrown the spotlight on the hospital administration, one of the country’s leading technology experts insists the company has questions to answer.
The project to make the hospital paperless has cost the Mona campus of The University of the West Indies (UWI) more than $500 million, with no completion date in sight. Mona signed the September 2015 contract for UHWI, its teaching arm.
There’s no readily available data on patient volume but the annual report for 2013/2014 pointed to approximately 50,000 persons seen in the emergency division and 17,500 admitted to wards – figures expected to have grown significantly by now.
Over the past month, The Gleaner has interviewed over a dozen UHWI staff who interact at different levels with the web-based HIMS, as well as several patients, after observing a staff member being warned upon entering the system that the “connection” to the site “isn’t secure”.
“Don’t enter any sensitive information on this site (for example, passwords or credit cards). It could be stolen by attackers,” read the notice that appeared, as multiple users tried to enter the system which stores basic personal and sensitive information such as patients’ names, addresses, telephone numbers, financial and medical data.
This was observed for a two-week period and was the major concern for the health workers who spoke on condition that their names are not included in the publication because they were not authorised to speak with the media.
‘STILL BEING INSTALLED’
The Sunday Gleaner requested a tour to view HIMS at work but the hospital said it was “still being installed” and would issue an invitation when the project, which had an April 2017 deadline, is completed.
“How can you have a system that is dealing with patient information and you’re getting a message that the site is not safe?” asked a senior medical official, who said she and colleagues support the “intent” of HIMS but not the way it is being implemented.
HIMS is at most wards and is partially working in several clinics and departments, including for X-rays. Observations and reports suggest records are sometimes difficult to retrieve, and for billings, workers have had to resort to the old ‘PIMS’ system.
Just last week, the system went down, forcing an “urgent” message to department heads advising of problems at the clinics, to use paper or reschedule appointments.
What looms large for staff, though, is that the site may not be secure, and the potential for patient data to be compromised at the region’s premier medical facility.
AIS explained that the pop-up is a “standard warning” that appears in the website address bar of a browser whenever a user is attempting to connect to a website over an unsecured connection.
It acknowledged that a risk could involve communications between the user and the website being intercepted by hackers, causing sensitive information to be compromised.
But this is unlikely to happen with UHWI patient records, argued AIS in commenting on a photo of the warning this newspaper provided it with.
NEVER BEEN BREACHED
AIS said HIMS’s website address is private and not accessible over the Internet and that the “not secure” prompt is not an indication of a problem or vulnerability with the website. It said the system has never been breached.
“It’s the connection to the website that is insecure,” said Shekar Sanumpudi, director of health applications at AIS, adding that “most of the users are using HTTP (not secure) connections instead of HTTPS (secure) to access HIMS – hence the concern. However, this presents no risk to patient records.”
HTTP is the means by which a web browser communicates with a server. In recent times, the protocol has been extended to ‘HTTPS’, with the ‘s’ indicating that the connection is secure, which prevents information from being intercepted in transit.
“Based on the fact that the application link is private, this issue does not pose any significant risk to HIMS; it is essentially a network configuration matter for the UHWI,” Sanumpudi concluded.
But it’s not just an issue for the hospital, countered Trevor Forrest, CEO of 876 Technology Solutions, a company specialising in website design, cloud hosting and document management.
“When you say most of the users are using HTTP versus HTTPS, that is not a choice for them. They don’t choose that. It is the website that dictates that response – whichever website you’re connecting to,” he argued.
“It is the server that you’re connecting to that dictates whether the connection is secure or not.”
AIS has indicated that except for radiology information, all other data collected through HIMS are stored at its data centre or on its servers.
“If you’re in control of the server that this application runs on, even though it’s on a private network, why wouldn’t you put SSL certificates on that box?” Forrest questioned, referring to Secure Sockets Layer (SSL) certificates, digital certificates that authenticate a website’s identity and assure data integrity.
SSL has since evolved into Transport Layer Security (TLS); web browsers show a padlock icon when a secure connection is established.
The security concerns are serious, Forrest said, noting that while HIMS is on a private network, the machines connecting to it are also connected to the Internet, which is public, giving opportunities to insistent hackers.
The view that being on a private network reduces an application’s risk of compromise is a “common misconception” among businesses, he said.
“Your value is in the fact that you might have a big client that you have access to whose data is valuable. Hackers won’t hack the secure thing, they’ll hack the insecure,” said the cybersecurity expert.
“I wouldn’t say it doesn’t present a risk – a risk, albeit somewhat remote but a risk exists. If you don’t have end-to-end security, the weakest link will mash yuh up.”
The UHWI, Forrest warned, also has work to do to ensure its networks are secured, an issue he said AIS should insist on to reduce its liability for any breach. The hospital owns the data collected.
HOSPITAL IS RESPONSIBLE
One patient said it was the “hospital’s duty to make sure my information is protected. I don’t want to hear about a vulnerability like this.”
AIS said it “constantly” reviews its security protocol, which it said is based on several key factors, including data centre certification, which got its PCI badge in 2017 for financial transactions, and HIMS certification, which has two approvals from the International Organization for Standardization.
The PCI certification comes from the PCI Security Standards Council, which is a global forum that sets standards for safe payments such as for health insurance, for which AIS is well known through its health adjudication system.
Most of the key stakeholders from whom responses have been sought are yet to reply. From the first series of reports, the UHWI has directed all questions about HIMS to the UWI, Mona.
After the story broke on June 13, Mona indicated that it would address additional questions in its review of the HIMS procurement.
In light of the data security concerns, this newspaper has pressed for a response, but none has been forthcoming.
In a June 24 statement, UWI Vice-Chancellor Sir Hilary Beckles said he asked university management auditor Judith Nelson to “deepen an investigation into the UWI’s role in the project because institutional and public accountability is a primary expectation”.
There’s been no update from Health Minister Dr Christopher Tufton on his request for a brief from UHWI board chairman Professor Evan Duggan and the health ministry has not responded to several questions submitted on the HIMS issue over the last month.
Without specific reference to HIMS, eGov, the lead government entity on ICT, confirmed that the UHWI approached it in June 2020 to assist with managing “a few ICT projects”.
eGov said “no further comments will be provided as we await a meeting with our client to determine the way forward”, declining to confirm reports that it has serious data privacy concerns with the HIMS and that since the scandal emerged, its representative ended her assignment.
Professor Archibald McDonald, under whose principalship the controversial HIMS was procured, has suggested that the contract be renegotiated in light of the delays. McDonald is also the deputy chairman of the UHWI board.
The 2015 contract, which was inked as the Cayman Islands government was close to terminating an AIS-backed patient claims project, shows that Mona agreed to buy HIMS from Health Administration Systems (HAS), an opaque St Lucia-registered company.
Mona paid US$1.25 million for the software, which is being implemented by the Douglas Halsall-led AIS that’s being paid US$600,000 in annual maintenance fees.
AIS has a stake in Suvarna Technosoft, the India-based company that developed HIMS.
A 2018 UHWI project status report was scathing, describing HIMS as appearing to be “still in development”, with the project running beyond its deadline, over budget and fraught with problems, and with “massive customisations” being done.
The UHWI issue comes months after the exposure of millions of personal data on the Amber Group-gifted government web-portal, JamCOVID, used to process travellers to the island.