Medical Data on 365,000 Patients Stolen
Anonymous writes "Backup tapes and disks with data on 365,000 patients were stolen out of the car of a worker at a healthcare company in Portland. According to this Computerworld story, the tapes were in his car because he took them home as part of a disaster recovery plan, to protect the information from fire and other on-site disasters. D'oh!"
Do they have a recovery plan for this disaster?
The higher the technology, the sharper that two-edged sword.
Cue the "bandwidth of a station wagon of backup tapes" cliches? If it's stuff they really don't want stolen, why not buy a safe for his car? Better yet, give him a company truck/van with secure storage. If they have 365,000 patients (customers) then they can surely afford to protect their information.
I could be wrong, but I don't think there are a lot of 100 degree days in Portland.
It took me a minute to decipher that cryptic comment, but look at these two parts from the article together:
In an announcement yesterday, Providence Home Services, a division of Seattle-based Providence Health Systems, said the records and other data were on several disks and tapes stolen from the car of a Providence employee at his home. The incident was reported by the employee on Dec. 31, according to the health care system.
The data on the tapes was encrypted, Walker said. The data on the disks was in a proprietary file format that was not encrypted, but "is stored in a way that would make it difficult, if not impossible, for someone to access it, then make any sense out of it," he said.
So think about it - Tapes AND Disks were stolen (at first I had thought it was just tapes). The hard to read media (tapes) were encrypted. But it doesn't matter, chuck 'em in the river because the DISKS (far easier to read by any fool with a computer) have data that is in a format that is just "hard to read"!!
Give me five minutes with Emacs and/or a Hex editor and/or Strings and I'll bet I could start churning SSN's out of the files right quick! I don't care if they are ISAM or DB2 or Pig-Latin! Security by file format obscurity is zero security, that data has to be treated as widely known at this point.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
$20 says the worker is the one that "stole" the tapes. Who randomly walks up to a car and says "Oh look! Patent info! I'll take this home right away and start using my cryptography techniques to unlock it right away!"
Ex nihilo nihil fit.
To be fair, I have a medium term solution in the pipe and there is budget for it. Rather than wait for the DR datacenter project to mature, we will pursue tape elimination and replicate the backup over the wire. Basically we are going to go with a content addressable disk backup target. Something like Data Domain. It still has no value from a DR perspective, but it eliminates the HIPAA exposure and restore latency. It also gets us out of the tape management business (yay!). Basically we replace tape with CAS and replicate the CAS box to a second one in another site. The second site does not have to be a full data center, only meet minimal standards. That will get me by until the DR project comes to fruition. Right now we are reviewing possible targets.
It is cowardly, and a betrayal of whatever it means to be a Jew, to act as a white man
-James Baldwin
Show me the place where HIPAA says you can't send medical information over the internet...
And if you can (which you can't) you will find that every state health agency in the country, most federal agencies, and most hospitals and health care providers are in violation.
HIPAA only requires you to make every possible effort to protect data. Protection can include things like encryption and tunneling, all the way down to privacy screens and closed office doors.
Nothing about not using the internet...