Slashdot Mirror


Spyware Prank Exposes Hospital Medical Records

cheerytt writes "Let this be a lesson to all the broken-hearted geeks out there. A 38-year-old Ohio man is set to plead guilty to federal charges after spyware he meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at a children's hospital. Spyware was sent to the woman's Yahoo e-mail address in the hope it would be used to monitor what his former girlfriend was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department. The spyware sent more than 1,000 screen captures via e-mail, including details of medical procedures, diagnostic notes and other confidential information relating to 62 patients. The man will pay $33,000 to the hospital for damages and faces a maximum sentence of five years in prison."
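The exfiltration pattern in the story (a workstation mailing out a long run of screen captures to one outside address) is easy to spot at a mail gateway if anyone looks. As an added example, not from the article or the hospital involved, the Python below runs a sliding-window count over constructed gateway log lines and flags a (workstation, external recipient) pair once it has sent a threshold number of image attachments within an hour. The log format, host names, addresses and the `hospital.example` internal domain are all assumptions made up for the example; the parser would need to be adapted to a real gateway's format.

```python
"""Added example: flag a workstation mailing a stream of screenshots to an
outside address. Log format, hosts, addresses and domains are constructed
for this example and do not come from any real gateway or the article."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (not any real product's):
# <ISO timestamp> <sending host> from=<addr> to=<addr> attach=<filename>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) attach=(?P<attach>\S+)$"
)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".bmp", ".gif")
INTERNAL_DOMAINS = {"hospital.example"}  # assumed internal mail domain


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d


def is_external(addr):
    """True when the recipient's domain is not one of the internal domains."""
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_screenshot_exfil(lines, threshold=20, window=timedelta(hours=1)):
    """Return {(host, recipient): peak_count} for every (workstation, external
    recipient) pair that sent at least `threshold` image attachments within
    any `window`-long period. Events are processed in timestamp order with a
    sliding window per pair, so a slow drip that never reaches the threshold
    inside one window is not flagged."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # (host, rcpt) -> timestamps inside the window
    flagged = {}
    for e in events:
        if not e["attach"].lower().endswith(IMAGE_EXT) or not is_external(e["rcpt"]):
            continue
        key = (e["host"], e["rcpt"].lower())
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def build_sample_log():
    """Constructed sample: two benign messages plus one workstation mailing a
    screenshot every 30 seconds to an outside address for 25 minutes."""
    base = datetime(2009, 9, 17, 9, 0, 0)
    lines = [
        f"{base.isoformat()} cardiac-ws07 from=nurse1@hospital.example "
        f"to=pharmacy@hospital.example attach=order.pdf",
        f"{(base + timedelta(minutes=5)).isoformat()} cardiac-ws03 "
        f"from=doc2@hospital.example to=colleague@univ.example attach=xray.jpg",
    ]
    for i in range(50):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(
            f"{ts} cardiac-ws07 from=nurse1@hospital.example "
            f"to=drop@mail.example attach=cap_{i:04d}.jpg"
        )
    return lines


if __name__ == "__main__":
    for (host, rcpt), n in find_screenshot_exfil(build_sample_log()).items():
        print(f"ALERT {host} -> {rcpt}: {n} image attachments within one hour")
```

The single external X-ray sent by `cardiac-ws03` stays below the threshold and is not reported; only the pair that is clearly streaming captures is. In practice the threshold and window would be tuned against the site's baseline, and the same counting can be done on attachment byte volume instead of message count.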

5 of 319 comments

  1. Re:HIPAA - SHMIPAA by pz · · Score: 3, Informative

    I wonder how it came to be that one would be permitted to check web-based email in the hospital's pediatric cardiac surgery department?

    This incident could very well be the least of their problems for all they know.

    The fact that it was able to install and send screenshots willy-nilly to Graham and who-knows-where-else is a HIPAA nightmare.

    Indeed, it gives one great pause since that computer *should* have been running anti-virus software to check each download and executable as it was opened, and, presumably, would have caught this installation. Through professional contacts, I'm passingly familiar with the IT environment in a Big University Hospital and the hoops that my colleagues have to jump through to put a PC on the hospital network are near onerous. Those machines are sterile, or as close to sterile as humanly possible.

    Given this transgression and their draconian nicotine policy (which surely must be illegal), the moral of the story is clear: do not, under any circumstances, seek treatment at Akron Children's Hospital.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
  2. Not a Prank by pz · · Score: 4, Informative

    The article's title is "Spyware Prank Exposes Hospital Records".

    The actions described are not a prank. They are serious, and illegal by many standards. If the accusations are true, the fellow deserves everything thrown at him. The article's title should be changed to reflect the severity. Installing spyware to keep tabs on your ex-GF is not a prank. It's stalking.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
  3. Re:Hospital management at fault, not employee by horatiocain · · Score: 5, Informative

    1) How the hell was it possible for a hospital unit to have Windows on any of their computers in the first place? HIPAA compliance has been mandatory for many years now and there has been more than enough time to phase out Windows. Did you read the dozen EULAs for the Windows box and all its software and server hooks? For all service packs and CALs? Thought not. Neither did the hospital management. The woman is not at fault, the hospital management who signed off on the purchase or deployment of the Windows machines is the sole group to blame (excepting the sender of course).

    I have an ugly truth for you - almost every hospital in the US uses Windows (95 through XP) for every single workstation. Every single Healthcare IT software vendor develops solely for windows (save a few web-based packages.) It's a very pure MS monoculture. I know, I know, it's sick. I agree completely with the above, but the emperor is threadless here.

  4. Re:Who is really at fault? by PinchDuck · · Score: 4, Informative

    I've worked in the IT department of hospitals in the UK, Australia, and the United States. The situation is the same in every one; you described it perfectly. Physicians are gods, and will be allowed to circumvent any IT policies they see fit, even if it exposes the entire hospital to a security risk.

  5. Re:HIPAA - SHMIPAA by neurogeneticist · · Score: 5, Informative

    I actually am a physician, and work at a hospital with electronic records. We do not have, nor have I ever worked at a hospital that does have, an independent set of computers with medical records, separate from ones to use for other purposes. The work-flow is just not feasible with such a system, which would require us to look things up on one computer while referencing and typing notes into another one, while dozens of other people walk around the unit trying to do the same thing.

    If you really want your mind blown, many electronic medical record systems run through internet browsers, and are not compatible with anything other than IE.

    Oh, and I can access it from home with an RSA key if Clean-client thinks my machine looks OK.

    Locking down sounds good to some of you, but it would break the workflow in a medical system that is already operating near the breaking point.