Slashdot Mirror


Spyware Prank Exposes Hospital Medical Records

cheerytt writes "Let this be a lesson to all the broken-hearted geeks out there. A 38-year-old Ohio man is set to plead guilty to federal charges after spyware he meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at a children's hospital. Spyware was sent to the woman's Yahoo e-mail address in the hope it would be used to monitor what his former girlfriend was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department. The spyware sent more than 1,000 screen captures via e-mail, including details of medical procedures, diagnostic notes and other confidential information relating to 62 patients. The man will pay $33,000 to the hospital for damages and faces a maximum sentence of five years in prison."


  1. The Woman by some_guy_88 · · Score: 5, Insightful

    So what's happening to the woman who stupidly ran an exe she received in an email?

    1. Re:The Woman by mcvos · · Score: 5, Insightful

      Whitelist, don't blacklist, it's the first rule of security.

      Except when you're mandated to provide general internet access.

      If for whatever silly reason you need to provide general, unprotected internet access, you do that with separate machines, isolated from the hospital medical record stuff.

      Whichever way you spin this, it's a horrible, gaping hole in the security of the hospital's computer system. The people who set it up and authorised it need to be fired and replaced by people who know something about (the need for) security.

  2. HIPAA - SHMIPAA by C18H27NO3+ · · Score: 5, Insightful

    I wonder how it came to be that one would be permitted to check web-based email in the hospital's pediatric cardiac surgery department?
    This incident could very well be the least of their problems for all they know.
    The fact that it was able to install and send screenshots willy-nilly to Graham and who-knows-where-else is a HIPAA nightmare.

    Just for grins I went looking through their employment opportunities to see if any IT jobs opened up recently and stumbled upon this:
    (Not relevant to this thread but interesting, nonetheless)

    Nicotine-free hiring policy
    Because it's important for healthcare providers to promote a healthy environment and lifestyle, Akron Children's Hospital has a nicotine-free hiring policy.
    Newly hired employees are tested for nicotine as part of a pre-employment panel of medical tests.
    Akron Children's will not hire applicants who test positive for nicotine use.
    If you test positive for nicotine, the offer of employment made to you will be rescinded.
    If after 90 days you successfully quit using nicotine, you may reapply for employment.

    1. Re:HIPAA - SHMIPAA by neurogeneticist · · Score: 5, Informative

      I actually am a physician, and work at a hospital with electronic records. We do not have, nor have I ever worked at a hospital that does have, an independent set of computers with medical records, separate from ones to use for other purposes. The work-flow is just not feasible with such a system, which would require us to look things up on one computer while referencing and typing notes into another one, while dozens of other people walk around the unit trying to do the same thing.

      If you really want your mind blown, many electronic medical record systems run through internet browsers, and are not compatible with anything other than IE.

      Oh, and I can access it from home with an RSA key if Clean-client thinks my machine looks OK.

      Locking down sounds good to some of you, but it would break the workflow in a medical system that is already operating near the breaking point.

  3. Who is really at fault? by 89cents · · Score: 5, Insightful

    a) The man for emailing the spyware?

    b) The woman for opening it and infecting the computer?

    c) Yahoo for not blocking it?

    d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed.

    e) Some combination of the above?

    1. Re:Who is really at fault? by wordsnyc · · Score: 5, Insightful

      d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed.

      Bingo. They failed to take steps a reasonably prudent person would have taken to protect patient confidentiality under Federal law. Spyware installation via email is not exactly news.

      --
      Sent from the iPad I found in your car.

    2. Re:Who is really at fault? by malkavian · · Score: 5, Interesting

      Right. Ever worked in that environment? Nope? Thought not.. I have..
      You're faced with:

      Consultant (medical doctor) says "I need to access the net to be able to read research papers, proposals, and various ad hoc sites that contain research on the subjects that I deal with, along with external mail that I use because I move from hospital to hospital quite regularly.".
      IT says: "You can't access the net from that machine".
      Consultant goes to see hospital directors, stamps feet, and IT get overridden.

      Bear in mind there are several thousand PCs on a lot of hospital sites, with maybe 3 technicians to go fix and maybe one or two sysadmins. Hospital HR frequently sees IT as just waving a magic wand and things happen miraculously, so it's a "good way to save costs".
      If you tie machine names down that can't access the net, I can guarantee a consultant will find a way to get a machine in the area that does, even if it's moving someone else's there.
      As for breaking terms and conditions of use. Who do you think will win that pissing competition? Someone in the beleaguered and underfunded/under-resourced IT department who is overlooked and overworked, or the consultant with the hand shakes and the ear of the board of directors?

      Coupled with the fact that not all antivirus and anti-malware will spot every variant. It'll get 90+ percent, but you always hear about the ones that get through.
      I'm surprised an executable got through the proxy filtering there, but hey.. Without knowing all the ins and outs of this in detail, I'm going to reserve judgement.

      The real world can be a messy morass of politics.. Working in a hospital, or academia, really has that in excess.. Try working in one if you think it's easy.. I'd be interested in hearing your opinion after doing it for a while..

    3. Re:Who is really at fault? by Dhalka226 · · Score: 5, Insightful

      d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed. Bingo. They failed to take steps a reasonably prudent person would have taken to protect patient confidentiality under Federal law.

      Consultant goes to see hospital directors, stamps feet, and IT get overridden.

      You make a compelling argument for not firing the IT guy for what happens which, let's face it, is probably what will happen after they scapegoat him if anything bad happens to the hospital.

      However, "they" in the GP's post referred to "the hospital." In that sense it doesn't really matter if it's an incompetent IT staffer, a cranky doctor or poor executive management. Something that needed to be done under the law wasn't done, and the result was the leaking of confidential medical information. The hospital still deserves both blame and punishment for that.

  4. Couldn't happen here... by Nomaxxx · · Score: 5, Interesting

    In Belgium, many of the hospitals have most of their computers running Linux...

  5. Re:Hospital management at fault, not employee by horatiocain · · Score: 5, Informative

    1) How the hell was it possible for a hospital unit to have Windows on any of their computers in the first place? HIPAA compliance has been mandatory for many years now and there has been more than enough time to phase out Windows. Did you read the dozen EULAs for the Windows box and all its software and server hooks? For all service packs and CALs? Thought not. Neither did the hospital management. The woman is not at fault, the hospital management who signed off on the purchase or deployment of the Windows machines is the sole group to blame (excepting the sender of course).

    I have an ugly truth for you - almost every hospital in the US uses Windows (95 through XP) for every single workstation. Every single Healthcare IT software vendor develops solely for Windows (save a few web-based packages.) It's a very pure MS monoculture. I know, I know, it's sick. I agree completely with the above, but the emperor is threadless here.

  6. Re:Not a Prank by coaxial · · Score: 5, Insightful

    why is this that fellow that is responsible for getting the records - this was obviously not his goal and if he is charged for it then it is just laughable.

    What the hell is this supposed to mean? Since when has committing a crime unintentionally ever been a defense?

    "Oh officer! I wasn't INTENDING to kill all the cancer stricken orphans when I was driving drunk, speeding, and firing my gun wildly! I was just intending to disturb the peace!"
    "Oh! Well, that's a horse of a different color! I'll let you go with a warning then. Just try and keep it down next time. People are trying to sleep around here."
    "Will do!"

    but why is the hospital getting the money - they are guilty of criminal negligence in handling patients' data so they should be paying not getting paid.

    1. It's criminal trespassing to access a computer without permission. Which he did by sending the spyware to someone with the intent to observe them.
    2. The hospital didn't hand out the data. It was stolen. It's still theft even if I leave the door wide open. It wasn't his. He has it, as a result of his actions.

    to me it looks like one more example of justice system malfunctioning. It is not a great malfunction but shows that punishment and the crime are matched not by the facts but by the random acts of gov. officials. Was it not something that the American constitution tried to prevent?

    The opinion of someone who is woefully ignorant of the law, the intent of the law, common law, and basic morality, but yet somehow is an expert on constitutional law.

    It must be tough being so smart and surrounded by so many people that are blind to your brilliance.

    Go home and cry in your Ayn Rand novel.