Leaked video exposes how patient data in Hong Kong public hospitals can be accessed by any user without needing a password


Software developer says A&E program carries huge risk and was built with an ‘intentional back door’ that allows anyone to access data while leaving no trace. — SCMP

Patient data at Hong Kong’s public hospitals can be accessed by any user with no need for a password, a leaked video shown to the Post and verified by multiple hospital sources has revealed.

Software developer Wong Ho-wa warned the program used in public accident and emergency (A&E) wards called AEIS carried a huge risk and was built with an “intentional back door”, allowing anyone to access patients’ files while leaving no trace.

It meant there was no control over who had permission to access the data and no way of monitoring who had seen it, Wong said.

Public hospitals in the city were already under fire over concerns that information leaks from hospitals had led police to arrest injured protesters who took part in demonstrations against a contentious extradition bill last Wednesday.

Dr Pierre Chan, the medical sector lawmaker, said the program could be accessed without using passwords, prompting fears that such a loophole had helped the police force identify protesters.

Police have arrested 32 people, some in public hospitals, since the clashes, including five for rioting. A source said of the five, at least three were arrested while getting medical care, including one who was detained before receiving treatment.

It sparked concerns that injured protesters would skip treatment to avoid possible apprehension.

The leaked video showed how a user could bypass the normal login through the use of a shortcut on the computer’s start menu. A black window popped up to launch AEIS, also known as the Accident and Emergency Department Clinical Information System.

A nurse who had worked at North District Hospital A&E, in Sheung Shui, speaking on the condition of anonymity, confirmed the video was accurate.

“It is exactly how we used AEIS,” he said. “Anyone standing next to that computer can easily see who is in the accident and emergency queue.”

He stressed that while he had never seen a police officer operating such a system, there was no way to trace who had read the information as the whole department used the same password when opening it.

Another doctor at a public hospital said: “I’ve worked in A&E for eight years, I don’t even know the password [to AEIS].”

He agreed extra security measures should be added and that having to enter a password would not hinder his work.

But the doctor was not convinced patient data had been leaked to the police via AEIS.

“Supposedly these computers are in the clinical areas, used only by relevant hospital staff,” he said.

Sources suggested the system could also be accessed from other computers outside the emergency department of a hospital.

Lawmaker Chan urged the authority to rectify the problems as soon as possible.

On Monday, he expressed concerns over the loose security measures, suggesting that anyone who could approach the computer desk could read patients’ information.

Chan presented a list with patients’ names, ID card numbers, ages, conditions and whereabouts in the hospital as evidence, on which the words “for police” were printed in a corner.

Two patients, aged 27 and 29, were put under a separate category of “mass gathering outside Legco” on June 12.

Two doctors’ groups – Frontline Doctors’ Union and Hong Kong Public Doctors’ Association – issued separate statements on Tuesday, urging the authority to improve its computer system and form an investigation committee.

Information sector lawmaker Charles Mok said the level of security was low and urged the Hospital Authority, which runs the city’s public hospitals, to launch a full investigation into the alleged leak.

On Monday night, Dr Chung Kin-lai, the authority’s director in quality and safety, admitted that logging in to the system was not required, but stressed it had never authorised anyone to print patient data for police.

Chung said it was normal for public hospitals to go into disaster mode when responding to major events that could produce a lot of patients.

He said patient information would be given to police in only two circumstances: when a patient list would help the police account for injured or missing people; and when a hospital needed police help to contact a patient’s family.

Staff members presumably would not have passed protesters’ information to police because the two criteria were not met, Chung said.

The authority promised to look into how to enhance patient privacy without affecting A&E operations when responding to disasters.

Commissioner of Police Stephen Lo Wai-chung denied officers at police posts in public hospitals had done any wrong, stressing they were responsible for checking whether people sent to A&E were involved in crimes. – South China Morning Post