Slashdot Mirror


Physician Operates On Server, Costs His Hospital $4.8 Million

Hugh Pickens DOT Com (2995471) writes "Jaikumar Vijayan reports at Computerworld that a physician at Columbia University Medical Center (CU) attempted to "deactivate" a personally owned computer from a hospital network segment that contained sensitive patient health information, creating an inadvertent data leak that is going to cost the hospital $4.8 million to settle with the U.S. Department of Health and Human Services (HHS). The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web. The breach was discovered after the hospital received a complaint from an individual who discovered personal health information about his deceased partner on the Web. An investigation by the HHS Office for Civil Rights (OCR) found that neither Columbia University nor New York Presbyterian Hospital, who operated the network jointly, had implemented adequate security protections, or undertaken a risk analysis or audit to identify the location of sensitive patient health information on the joint network. "For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question," say the hospitals. "We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS." HHS has also extracted settlements from several other healthcare entities over the past two years as it beefs up the effort to crack down on HIPAA violations. In April, it reached a $2 million settlement with Concentra Health Services and QCA Health Plan. Both organizations reported losing laptops containing unencrypted patient data."

31 of 143 comments

  1. Typical by nurb432 · · Score: 4, Insightful

    This is why you have IT staff, and you let them do their jobs. Typical "I'm a doctor, I went to school and know everything" mentality.

    Too bad they didn't fine the actual doctor instead of the hospital, as it was his personally irresponsible actions that caused the breach, not hospital policy.

    --
    ---- Booth was a patriot ----
    1. Re: Typical by DigiShaman · · Score: 2

      I've done IT work for many clinics here in Houston, and I've never run into that mentality before. I suppose it depends on the circles you do work with. In my case, it was next to impossible to get anything approved when they were too busy to handle anything business related. Again, these were small clinics.

      What they should be using is Bitlocker. It can be overly sensitive in that any major Windows Update, driver, or BIOS update will flag for the recovery key at boot. You can back the key up to AD or have it stored elsewhere, however. But when using Bitlocker for an organization, you really want a competent IT admin around to deal with this solution.

      BTW, you could use Linux or Mac. For the sake of practicality in the discussion, I'm assuming most clinics use Windows already with an AD forest.

      --
      Life is not for the lazy.
    2. Re:Typical by rotorbudd · · Score: 2

      I bet this was the typical "I'm a physician. I'm the smartest person in the building. I can handle anything."
      See: The most dangerous thing in the world
        "A Doctor in a Bonanza"

      --
      A bullet may have your name on it, but artillery is addressed to " Whom It May concern"
    3. Re:Typical by nurb432 · · Score: 2

      I used the term *doctor* for a reason, and did not want to limit it to "physician". I have seen this same attitude in other industries as well, far too often.

      And sure, not all educated people are like that, but I do tend to see a lot of them get a big head at a particular point.

      --
      ---- Booth was a patriot ----
    4. Re:Typical by Kjella · · Score: 5, Insightful

      Except for IT of course. If you can master a computer then your impeccable logic and reasoning skills will make any other subject a piece of cake.

      --
      Live today, because you never know what tomorrow brings
    5. Re: Typical by the_B0fh · · Score: 2

      How would BitLocker help in this case? Just curious why you think it'd help when it is information that's being exposed on the Internet, on a server that is running, and attached to the Internet, and not stolen laptops.

    6. Re:Typical by Jeremy+Erwin · · Score: 2

      The HHS press release says

      The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.

      So, the physician wasn't completely clueless about computers, though perhaps HHS is being deliberately vague about his exact role.

    7. Re: Typical by otherniceman · · Score: 2

      At a company I worked for, the CFO had used Bitlocker to encrypt his disk and didn't tell anyone. He was the only person in the company that had done this. We went through a major domain migration which failed, and so a new domain was created and everyone moved to it. Suddenly the CFO could not access his machine anymore and they could not recover anything.

    8. Re: Typical by cbreak · · Score: 2

      That sounds stupid. He should have used proper encryption like Apple's File Vault or TrueCrypt. Those work independently of that domain stuff. And they allow you to back up a recovery key too.

    9. Re:Typical by OakDragon · · Score: 2

      The patient never recovered.

  2. wait a minute by Anonymous Coward · · Score: 5, Insightful

    If they're gonna blame the doctor for "attempting to deactivate" something, they have to explain wth that means... otherwise it's just a scapegoat.

    1. Re: wait a minute by Jeremy+Erwin · · Score: 2

      My guess is that he or she was developing an app for fellow doctors, and was running a backend on a personally owned server for testing purposes. When app development was complete, the physician reconfigured this machine to work on other projects, but neglected to scrub it of HIPAA data, or access rights to this data.

      The computer was then opened up to the outer world for another project that didn't involve patient data. Google searched the machine, and found the data trove.

      But perhaps I'm reading too much into
      "The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. "

    2. Re: wait a minute by David_Hart · · Score: 3, Informative

      You can't remove a computer from the domain without the domain admin password. If they're handing out that password to end users, they've got a whole other series of problems.

      Wrong, you just have to have local Admin rights.

      The proper way to remove a computer from the domain is to log in as a user with local admin rights and then enter a domain account with the rights to Add/Remove Computers. This removes the computer from the domain and deletes the computer account from the domain.

      However, you can also log in as a user with local admin rights and when prompted, after selecting Workgroup mode, enter a crap ID and password when prompted for domain credentials. The domain part will fail, but the computer will be switched to workgroup mode on reboot. The difference is that there is now an orphaned computer account still listed in the domain. But the client is now no longer on the domain as far as it is concerned.

      The reason why this is allowed is simply because a mechanism is needed to switch a computer from domain mode to workgroup mode if, for some reason, the domain is unavailable.

    3. Re:wait a minute by Mendy · · Score: 3, Informative

      This describes it in a little more detail.

      My guess is that he turned off a webapp which then caused the HTTP server to provide open directory access. This doesn't explain why he was doing it though or indeed why he was able to.

  3. The old laptop security chink by rmdingler · · Score: 5, Insightful

    It's not clear why a physician had a personally owned system connected to the network, or why he was attempting to deactivate it.

    Of course it is. It was more convenient for him/her personally, despite putting sensitive patient data at risk in a venue beyond the doctor's ken.

    It's a commons tragedy (the Bizarro-World Spock doctrine): better for one at the expense of the many.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:The old laptop security chink by mwvdlee · · Score: 2

      A personally owned system doesn't come with all those annoying login passwords and security confirmations.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:The old laptop security chink by Bill_the_Engineer · · Score: 5, Insightful

      Hospitals are slow about refreshing their IT hardware and the hospital in TFA involves physicians working for both New York Presbyterian and Columbia University Medical Center. I wouldn't be surprised that the only way the physician could get a newer laptop capable of running his software in a reasonable amount of time was to order one with his own money and have the IT staff configure it for him.

      The article has the smell of bullshit coming from the IT department that was ultimately responsible. Instead of saying they mishandled off-boarding the physician's computer, they gave the impression that the physician was directly responsible for the breach. If a medical physician can cause a website to appear on the hospital network and have that page accessible to the internet, then I think it's about time to clean house and the hospital seriously needs to find new IT staff.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    3. Re:The old laptop security chink by TobinLathrop · · Score: 2

      And this, ladies and gentlemen, is why BYOD in more than a few types of workplace is a phenomenally fucking stupid idea. Oh, I need to take this back now, let me undo the network things... oh, the company data, I guess that's okay for now...

  4. Lock down your network dumbasses by wiredlogic · · Score: 3, Insightful

    What's the point in having a "secure" HIPAA compliant network that anyone can connect any old computer to? If the admins had just locked out unauthorized MAC addresses this wouldn't have happened. It would have cost them less than 4.8 million to implement even at healthcare contractor rates.

    --
    I am becoming gerund, destroyer of verbs.
    1. Re:Lock down your network dumbasses by Cederic · · Score: 2

      So learn how to work it.

      "Sure, get the Head of Compliance to sign off this breach of security standards and I'll get right on it. Yes, he'll require you to sign a personal liability waiver allowing the hospital to recharge any fines it receives due to insecurities arising from your computer"

      I hate bureaucracy but good corporate governance exists for a reason. "You can't do this" is seldom the right answer. "You can do this, here is how" is a great response to be able to give, and if the "how" is punitive, painful and personally embarrassing then hey, they shouldn't have asked for something so fucking stupid in the first place.

  5. Healthcare IT in the US by maple_shaft · · Score: 5, Interesting

    Having worked in IT and software development for a number of different health systems some common themes run true.

    1) Overemphasis on the needs of the physicians over the needs of the patients and the other areas of the healthsystems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not a doctor.

    2) Easy money. Money comes easy to these organizations. This plus...

    3) Non-profit tax status and requirements to spend or invest profits earned. This creates an environment of plentiful budgets where waste runs rampant, and concern over things such as nepotism and incompetence aren't as important as they would be in other companies.

    Of course with nepotism you get politics so thick you couldn't cut it with a carbide blade. This causes a technical brain drain to the point where you have a bloated IT department with 20 incompetent people for every person who knows what they are doing and is always taking the role of the Hero. The Hero can get things done and keep things secure despite all of the problems but eventually like everybody else, the Hero is a human being and has flaws like a human being. The Hero occasionally makes a mistake.

    1. Re:Healthcare IT in the US by maple_shaft · · Score: 3, Interesting

      Allow my rebuttal...

      The doctors are IT's customers, not the patient. The patients are the doctor's customers, not yours. It's the doctor's job to care for the patients. It's IT's job to make sure the computers don't get in the doctor's way while remaining secure and HIPAA compliant. I can see why the doctors would disrespect an IT department that doesn't cater to the customer's (as in doctors') needs.

      If you haven't noticed, the nature of healthcare is changing because of IT. With analytics, data warehouses and artificial intelligence like IBM's Watson diagnosing patients with stunning accuracy, the role of doctor-centric patient care is going the way of the dodo. Granted we are not there yet, but in the next 20 years we will see computers diagnosing patients, medical breakthroughs occurring through the use of analytics as opposed to traditional medical research, and doctors just basically being delegated to QA on patient care. The point is that all of this will be patient-centric, where IT begins to see the patient as the client.

      In 80 some years of cardiac medicine, about the single most effective treatment that all doctors agree on is Aspirin. Healthcare breakthroughs move slowly if you haven't noticed. Now with analytics, doctors, researchers and analysts will be able to interpret correlations in a way never allowed before.

      Really? Their budgets have been shrinking for well over a decade. With Medicare payouts being lowered, unfunded mandates to provide "life saving" care to indigents which includes triaging cold and flu cases in ERs, increasing budget reserves in order to offset the growing malpractice risks (self-insured hospitals) or paying higher premiums (non-self-insured hospitals), and increased labor costs for staff, I'd like to know where this easy money is coming from.

      You make it seem as if the non-profit centers see this charity care as a bad thing. To the contrary, they are allowed to write off this "free" care, that they are required to give mind you, as charity towards the requirements for them to maintain non-profit tax status. I promise you the cost of free care is a pittance compared to the corporate taxes they otherwise must pay, as well as state and local property taxes and the like.

      Your arguments about malpractice risks and insurance for that are negligible.

      In my region the nonprofit medical centers tend to be the regional charity or university-based hospitals, and they are outnumbered by the growing number of for-profit medical centers that offer specialized care. In plain English this means that the high-markup services are being performed by for-profit outpatient centers, leaving the hospitals with convalescence services and indigent care.

      This for-profit, non-profit line is increasingly blurry though, as I see the large non-profit health systems continue to act in ways that are increasingly similar to for-profit companies. The chairpersons at such health systems often encourage for-profit ventures to be incubated in the healthsystem and with the support of it, so that they have vehicles to move profits into investments towards these for-profit institutions. Guess who the board of directors tend to be at these for-profit institutions that operate under the non-profit umbrella? Profits find their way into the chairpersons' hands in a very indirect way. You may not realize who is really calling the shots and who actually owns these for-profit institutions, but I do and you would be surprised.

      This doesn't sound like any of the hospitals that I know about. I have friends and colleagues that are in the medical software business or an employee of a hospital throughout the southeast. My graduating class of engineers took advantage of the changes that HIPAA brought and a large portion of them work in the industry. We stay in touch and some of them are known to vent their frustration but none of it involved nepotism, mostly it involves hav

    2. Re:Healthcare IT in the US by Trax · · Score: 2

      As an emergency physician and former IT engineer with a Unix system administration background, I'll say that most of the important software and hardware choices are made by the IT department and C-level executives without any input by physicians whatsoever. I'll reply to your points line by line:

      > 1) Overemphasis on the needs of the physicians over the needs of the patients and the other areas of the healthsystems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not a doctor.

      The healthsystem SHOULD EMPHASIZE the needs of the PHYSICIAN over those of the patient when we are the ones using the EMR, PACS (picture archiving and communication system), network drive, intranet, and other features day in and day out. The needs of the patient come into play when interfacing with these systems to retrieve their laboratory and imaging results, physician communication, and others when at home or elsewhere. If the IT department doesn't like this, then too bad, as the users' needs outweigh yours -- remember that this is coming from a practicing clinician.

      Just keep trotting out the old line about how physicians have no respect for any other professionals, as there's no basis for it in the real world. If you look around at the landscape of healthcare in the US, you'll see that it's the physicians that are disrespected every day at the hands of the administration, fellow professionals, and patients.

      http://www.thedailybeast.com/a...

      > 2) Easy money. Money comes easy to these organizations. This plus...

      Money does not come easy to any of these organizations unless you are a huge health system such as Mount Sinai in NYC or Mayo Clinic or any of the other health systems around the country. If you're that big, you can tell the insurance companies how much they will need to pay up. However, the majority of hospitals are 1-2 hospitals and have a very limited budget for many things including EMRs, IT staff and departments, and ultimately hardware and software. It's not like they have money to burn...

      > 3) Non-profit tax status and requirements to spend or invest profits earned. This creates an environment of plentiful budgets where waste runs rampant, and concern over things such as nepotism and incompetence aren't as important as they would be in other companies

      IT departments in hospitals are rampant with nepotism, incompetence, and wastefulness. The heads of the security, network, and support divisions have no clue when it comes to supporting clinicians including physicians, nurses, LPNs, or any other staff that requires using the computer for any health-related work.

  6. Re:Free money for the government by Anonymous Coward · · Score: 5, Insightful

    If, in a democracy, the government money isn't being spent as if it is the people's money, the people are doing something wrong. And the whole point of public law is that it imposes sanctions "in the public interest", not for the sake of the specific victim. (Sometimes this justifies stupidity, e.g. anti-marijuana law, but mostly it's why we have a civilisation and not a libertarian dystopia.)

    Any personal damages can still be claimed in civil court.

  7. Re:No. by lagomorpha2 · · Score: 3, Insightful

    I won hands down - technology people are the arrogant asses.

    Though you would never guess that by reading slashdot comments.

  8. An Assumption of Competence by Rambo+Tribble · · Score: 2

    In their education, professionals, whether physicians or IT admins, are often inculcated with a professional swagger to the effect that they assume superiority in any situation. It is wise not to trust the judgement of those who exhibit this characteristic. They are commonly blind to their own failings and dismissive to others' concerns. Sadly, many are most impressed by this phenomenon, which they misapprehend as, "confidence".

  9. Re: Network, heal thyself by TheRealHocusLocus · · Score: 2

    No user should be able to do anything that would lead to this result. This is not the doctor's fault. He may have violated a few policies, but to blame the entire incident on him is a bit ridiculous. This was a failure of their Network/Security team.

    I second that notion. You have two issues here: the doctor should not have been able to reconfigure access in this way, and the IT staff should have spotted an unusual flow when the breach was active.

    Clearly the [recital 2a] Googlebot and others were spidering patient data for some time, those 6,800 records would account for a lot of traffic. EVEN IF the queries were https encrypted or the URLs contained session hashes instead of data, logs would show web spiders accessing presumably 'internal use only' functions.

    It is the responsibility of the senior IT administrator to establish a 'normal' baseline and track data flows at the router level, also set up an automated system which profiles web logs to profile transactions into as narrow a 'normal' definition as possible... and flag unusual patterns. If unusual flow is spotted this responsibility includes direct content sniffing of unencrypted communications.

    No real hacker would identify as Googlebot when vacuuming out an internal-use database, for fear of setting off trip wires. If only such trip wires had been in place...

    Ask Slashdot: How Do You Tell a Compelling Story About IT Infrastructure?

    I hereby submit this one.

    --
    <blink>down the rabbit hole</blink>
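The log-profiling trip wire the comment above describes, as an added example (not code from the original post): it parses Combined Log Format lines and flags successful crawler requests to URL prefixes that are assumed to be staff-only (the `/patients/`, `/labs/` and `/admin/` prefixes, the crawler user-agent markers and the sample log lines are all constructed for this example).

```python
"""Flag search-engine crawlers fetching 'internal use only' URLs in web server logs."""
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx Combined Log Format. They are made up
# for this example and are not from the page or from any real hospital system.
SAMPLE_LOG = """\
66.249.66.1 - - [10/May/2014:03:14:07 +0000] "GET /patients/record?id=4471 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.20.30.40 - jdoe [10/May/2014:03:14:09 +0000] "GET /patients/record?id=4471 HTTP/1.1" 200 8123 "http://intranet.example/" "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0"
66.249.66.1 - - [10/May/2014:03:14:11 +0000] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
40.77.167.5 - - [10/May/2014:03:15:02 +0000] "GET /patients/record?id=9013 HTTP/1.1" 200 7990 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
66.249.66.1 - - [10/May/2014:03:15:40 +0000] "GET /labs/results?patient=4471 HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/May/2014:03:16:03 +0000] "GET /patients/record?id=1 HTTP/1.1" 404 312 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/May/2014:03:16:30 +0000] "GET /patients/ HTTP/1.1" 200 15320 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# ip ident authuser [timestamp] "METHOD path protocol" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed markers of well-known search-engine crawlers (substring match, case-insensitive).
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandexbot", "baiduspider", "slurp", "duckduckbot")
# Assumed URL prefixes under which only staff-facing applications live.
INTERNAL_PREFIXES = ("/patients/", "/labs/", "/admin/")


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in Combined Log Format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path_only"] = rec["path"].split("?", 1)[0]  # strip the query string
    return rec


def is_crawler(user_agent):
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def is_internal(path_only):
    return path_only.startswith(INTERNAL_PREFIXES)


def flag_crawler_hits(log_text):
    """Return the records where a crawler successfully fetched an internal-use URL.

    Each hit is tagged 'directory_listing' when the crawler pulled a bare
    directory (the open-directory case), else 'internal_content'.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_crawler(rec["ua"]) or not is_internal(rec["path_only"]):
            continue
        if not 200 <= rec["status"] < 300:  # a 404 exposed nothing, only a 2xx counts
            continue
        rec["reason"] = "directory_listing" if rec["path_only"].endswith("/") else "internal_content"
        hits.append(rec)
    return hits


def summarize(hits):
    """Per-crawler-IP request count and number of distinct internal URLs fetched."""
    per_ip = defaultdict(lambda: {"requests": 0, "paths": set()})
    for h in hits:
        per_ip[h["ip"]]["requests"] += 1
        per_ip[h["ip"]]["paths"].add(h["path"])
    return {ip: {"requests": v["requests"], "distinct_paths": len(v["paths"])}
            for ip, v in per_ip.items()}


if __name__ == "__main__":
    found = flag_crawler_hits(SAMPLE_LOG)
    for h in found:
        print(f"ALERT {h['ts']} {h['ip']} {h['method']} {h['path']} ({h['reason']})")
    print(summarize(found))
```

On the sample, the internal user on 10.20.30.40 and the crawler's robots.txt fetch and 404 are ignored, while the four successful crawler fetches of patient URLs, including the bare /patients/ listing, are raised.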
  10. Re:No. by greenbird · · Score: 4, Insightful

    I won hands down - technology people are the arrogant asses.

    The difference is technology people are typically arrogant about technology, what should be their area of expertise, whereas most of the arrogant ass doctors I've encountered are arrogant about everything. The technology guy isn't going to walk into the doctor's office and start telling him about how to do doctoring stuff. A great many people will tell technology people all about how to do their job.

    In any field I usually take arrogance as a sign of incompetence. Typically smart people think they know less than they really do and stupid people usually think they know more. The caveat being perception of arrogance is somewhat relative also. Arrogant people usually perceive anyone who knows more about something than they do as arrogant. That being said though, there are definitely a lot of incompetent technology people, almost certainly a lot more than there are incompetent doctors.

    --
    Who is John Galt?
  11. Yeah, can someone fill in ANY blanks on this story by mekkab · · Score: 2

    Let's ignore how the IT dept should have some kind of network traffic scans to see this stuff, how the heck does a non-admin do something like this? And I'm not attributing it to malice, I'm sure this guy "meant well" and in the process managed to screw everything up. Otherwise, I'm going with "scapegoats" for 1000, Alex.

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
  12. Re:Amateurs that do not know their limits by sconeu · · Score: 2

    "Hey, doc! I've done some first aid before. Mind if I treat your patient?"
    "Hell no!"
    "Why not?"
    "Because I spent years obtaining an advanced degree, and have spent years since practicing and keeping my skills up to date."
    "Well, then, doc, for the exact same reason, KEEP YOUR HANDS OFF OF MY NETWORK".

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  13. Low accountability by Trax · · Score: 2

    I see it as an issue of low accountability for the most part, having different IT areas budgeted and the need to spend that budget before the year is out or otherwise we won't get the same amount of money next year. That's the mentality that most organizations take with silo-ing of budgets but to me seems to be a waste.

    In my organization, they have outsourced the servers and support for the EMR to the EMR manufacturer for them to host in the "cloud" while adding more Citrix redirections and latency for the users. The entire EMR support staff is several orders of magnitude larger than the database / networking / software engineers combined. The people that they do hire to write support side software are imbeciles at best and have been here for several years -- no one is fired for incompetence but layoffs do occur.

    Unfortunately, the higher ups in the C-level do not seem to understand the sandcastle that they've built within the hospital and IT department as their vision of what should be and the reality of it are completely divorced. I can see it as a physician with engineering and consulting experience who works in the ED day in and day out but the C-levels who are mostly non-physicians do not see the cruft that's built up or the inefficiencies that they have introduced.

    If I had my way, I would bring everything in-house, bring in more open source systems, and hire engineers to write custom applications. Nonetheless, there is only so much you can do when you're ONE community hospital.

    As to IT supporting its users, the issue is very simple and cuts across the entire healthcare system. Engineers do not talk to clinicians about the systems that they build, and in so doing build clinical systems for engineers. I understand the mindset, but as an emergency physician that has to see many patients in the day, the system that they've foisted on us becomes a PITA to work with, as the workflow I have created for myself does not equate with the workflow software engineers "think" that I should have. I want more input from physicians into the systems that are built. I want the engineers to come to the ER or to the inpatient floors or to the office to see how we work and help us perform efficiently and safely.