Slashdot Mirror
Spyware Prank Exposes Hospital Medical Records
cheerytt writes "Let this be a lesson to all the broken-hearted geeks out there. A 38-year-old Ohio man is set to plead guilty to federal charges after spyware he meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at a children's hospital. Spyware was sent to the woman's Yahoo e-mail address in the hope it would be used to monitor what his former girlfriend was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department. The spyware sent more than 1,000 screen captures via e-mail, including details of medical procedures, diagnostic notes and other confidential information relating to 62 patients. The man will pay $33,000 to the hospital for damages and faces a maximum sentence of five years in prison."
He should have just planted a GPS in her handbag, then he'd have the full protection of Massachusetts law.
So what's happening to the woman who stupidly ran an exe she recieved in an email?
I wonder how it came to be that one would be permitted to check web-based email in the hospital's pediatric cardiac surgery department?
This incident could very well be the least of their problems for all they know.
The fact that it was able to install and send screenshots willy-nilly to Graham and who-knows-where-else is a HIPAA nightmare.
Just for grins I went looking through their employment opportunities to see if any IT jobs opened up recently and stumbled upon this:
(Not relevant to this thread but interesting, nonetheless
Nicotine-free hiring policy
Because itâ(TM)s important for healthcare providers to promote a healthy environment and lifestyle, Akron Childrenâ(TM)s Hospital has a nicotine-free hiring policy.
Newly hired employees are tested for nicotine as part of a pre-employment panel of medical tests.
Akron Childrenâ(TM)s will not hire applicants who test positive for nicotine use.
If you test positive for nicotine, the offer of employment made to you will be rescinded.
If after 90 days you successfully quit using nicotine, you may reapply for employment.
Uhh, we're not all psycho-privacy-invaders with no ability to let go and move on, you insensitive clod.
b) The woman for opening it and infecting the computer?
c) Yahoo for not blocking it?
d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed.
e) Some combination of the above?
The article's title is "Spyware Prank Exposes Hospital Records".
The actions described are not a prank. They are serious, and illegal by many standards. If the accusations are true, the fellow deserves everything thrown at him. The article's title should be changed to reflect the severity. Installing spyware to keep tabs on your ex-GF is not a prank. It's stalking.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
In Belgium, many of the hospitals have most of their computers running Linux...
Almost a good analogy, except that mail bombs are not sent as frequently as malicious emails. If a significant portion of packages contained explosives, then yes, we probably would hold recipients accountable for not taking appropriate precautions when opening their mail.
does anyone else find it odd that the real damage was done to the patients and yet the hospital is being compensated for damages and not the patients? wouldn't the hospital also be liable for the damages considering that theri IT department failed to put up reasonable protection?
Sigs are too short to say anything truly profound so read the above post instead.
No.
If you mailed me a package with a cover letter saying "attach the fuse so and so, and you can see FUNNY KITTENS", and I did, THAT would be just as much my fault.
And since she ran the attachment, she's at fault too. In theory, his email account could have been taken over by bad bad men, who spammed evil viruseses to all his contacts. In that case, it would have been purely her fault (not his).
1) How the hell was it possible for a hospital unit to have Windows on any of their computers in the first place? HIPAA compliance has been mandatory for many years now and there has been more than enough time to phase out Windows. Did you read the dozen EULAs for the Windows box and all its software and server hooks? For all service packs and CALs? Thought not. Neither did the hospital management. The woman is not at fault, the hospital management who signed of on the purchase or deployment of the Windows machines is the sole group to blame (excepting the sender of course).
I have an ugly truth for you - almost every hospital in the US uses Windows (95 through XP) for every single workstation. Every single Healthcare IT software vendor develops solely for windows (save a few web-based packages.) It's a very pure MS monoculture. I know, I know, it's sick. I agree completely with the above, but the emperor is threadless here.
Forensics, identifying exactly what the spyware was, conducting a thorough scan of all the network to see if it had spread, identifying what data was transferred, the infection vector, the administrative overheads of stopping the normal work to call an 'emergency situation' in which the sysadmins will concentrate on this exclusively, possibly not doing other maintenance work, or systems commissioning thus holding up medical projects (with the cost to them too).
Administrative time throughout the hospital, as a fair part of the management chain will have this as a high profile to concentrate on, police liaison (and having time to have them on site to investigate in situ, and having technical staff support them), communications time to liaise with press, people to field the phone calls that come in, extra load on the patient support lines to cope with frantic patients who aren't in the best state of mind anyway after suffering cardiac problems, who are now worrying about what of their information is in the wild.. That's the tip of the iceberg by the way.
Begin to see how that racks up to the big numbers? The machines aren't the expense, they're practically disposable. Unfortunately, data isn't tangible, so the non-IT staff don't see this shiny big item, and thus (out of sight, out of mind) don't consider it worth spending money over. All they see is that clicking a button makes data appear. Magic. Doesn't take effort, so why do they need an IT team to make it work? They decide they don't, cut IT funding (or never put it there), and eventually something like this happens because there isn't resource to make a secure network. And when it does, who gets the blame? Even from supposed 'geeks' who are supposed to understand what it's like being in an intensive overstressed IT role?
"Are there any proxies who can filter _all_ sort of packing/zipping/password protected executable files with a 100% hit rate? I doubt it."
What????
Don't you know about limited user rights? That prevents ANY installation of ANY program.
If someone accidentally kills someone else while driving a car, he or she will get less time for manslaughter than this man is supposedly getting for sending an email to a PRIVATE address.
Is this story a hoax? There is only one other report, and that report is identical: Misdirected Spyware Infects Ohio Hospital. Both apparently came from the IDG News Service. This is the last sentence of both stories: "A spokeswoman with the Akron Children's Hospital was unaware of the case and unable to comment." She was unaware of a case that is 18 months old?
1) How the hell was it possible for a hospital unit to have Windows on any of their computers in the first place? HIPAA compliance has been mandatory for many years now and there has been more than enough time to phase out Windows.
Which part of HIPAA do you think precludes using Windows ?