(Quebec) Access to patients’ medical records is not sufficiently “controlled” by health establishments, the Auditor General concludes. The case of Véronique Cloutier, whose file had been consulted on several occasions, caused a stir in the spring.
La Presse revealed last May that the medical file of the Quebec television star had been consulted by staff on several occasions without valid reason. Ms. Cloutier had not set foot in the Pierre-Boucher hospital in Longueuil since 2012, and yet the health establishment recorded more than fifteen unexplained accesses to her file.
The day after La Presse published its investigation, Minister Christian Dubé ordered the network’s CEOs to conduct an audit to determine “the extent” of the problem.
“Several cases of data leaks and theft, or unauthorized access to personal information held by ministries and public bodies have been reported by the media in recent years,” explains Guylaine Leclerc in her report published Thursday.
The work mainly focused on the period from January 2021 to March 2023, but “certain findings may relate to situations before or after this period”. The Ministry of Health and Social Services (MSSS) as well as two health establishments were audited, the CISSS de la Montérégie-Ouest and that of Laurentides.
After its investigation, the Auditor General finds that the controls for preventing and detecting unauthorized access are not sufficient to ensure that only people authorized to do so can access users’ digital personal information.
She notes several “deficiencies” in the management of access to the systems:
- Access matrices (i.e., the information each user group may access, depending on its tasks) that are missing, incomplete or out of date.
- Access rights granted without approval from the responsible managers.
- Access rights that are not promptly revoked when no longer needed.
- Access rights that are not subject to periodic review.
Furthermore, the minimum configurations used for user authentication “are insufficient, particularly those relating to passwords,” she notes.
A generic password, you don’t write that on a yellow sticky note and put it on the screen. Well, we saw that.
Guylaine Leclerc, Auditor General of Quebec
The Auditor General points out in passing that Minister Christian Dubé is deploying his Health Plan, which “is based” in particular on improving access to data and information between network stakeholders. “[This] is necessary, but still raises significant concerns regarding the protection of users’ personal information,” underlines Ms. Leclerc.
Quebec also adopted a new law last March on health and social services information to make the circulation of data more fluid. This law does not address the issues raised by the Auditor General in her report.
Lack of rigor at establishments
In her report, Ms. Leclerc deplores that the MSSS and health establishments “lack rigor” in the management of risks and incidents related to the confidentiality of digital personal information. Furthermore, awareness and training of healthcare staff, as well as supervision, are “insufficient,” which “increases the risks related to the protection” of data.
She adds that confidentiality incidents “are not adequately handled or documented” and that cybersecurity measures need to be improved.
There are nearly 10,000 information systems in the health and social services network.
The MSSS and the two audited establishments accepted all of the Auditor General’s recommendations. In particular, she recommended that the MSSS “review the directives issued to its organization as well as to establishments, compliance with which contributes to the protection of digital personal information, and improve monitoring of their implementation.”