Slashdot Mirror

← Back to Stories (view on slashdot.org)

Physician Operates On Server, Costs His Hospital $4.8 Million

Posted by timothy on from the s'posed-to-bury-your-mistakes dept.

Hugh Pickens DOT Com (2995471) writes "Jaikumar Vijayan reports at Computerworld that a physician at Columbia University Medical Center (CU) attempted to "deactivate" a personally owned computer from a hospital network segment that contained sensitive patient health information, creating an inadvertent data leak that is going to cost the hospital $4.8 million to settle with the U.S. Department of Health and Human Services (HHS). The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web. The breach was discovered after the hospital received a complaint from an individual who discovered personal health information about his deceased partner on the Web. An investigation by the HHS Office for Civil Rights (OCR) found that neither Columbia University nor New York Presbyterian Hospital, who operated the network jointly, had implemented adequate security protections, or undertook a risk analysis or audit to identify the location of sensitive patient health information on the joint network. "For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question," say the hospitals. "We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS." HHS has also extracted settlements from several other healthcare entities over the past two years as it beefs up the effort to crack down on HIPAA violations. In April, it reached a $2 million settlement with with Concentra Health Services and QCA Health Plan. Both organizations reported losing laptops containing unencrypted patient data."

13 of 143 comments (clear)

  1. Typcial by nurb432 · · Score: 4, Insightful

    This is why you have IT staff, and you let them do their jobs. Typical "i'm a doctor, i went to school and know everything" mentality.

    Too bad they didn't fine the actual doctor instead of the hospital as it was his personally irresponsible actions that caused the breech, not hospital policy.

    --
    ---- Booth was a patriot ----
    1. Re:Typcial by Kjella · · Score: 5, Insightful

      Except for IT of course. If you can master a computer then your impeccable logic and reasoning skills will make any other subject a piece of cake.

      --
      Live today, because you never know what tomorrow brings
  2. wait a minute by Anonymous Coward · · Score: 5, Insightful

    If they're gonna blame the doctor for "attempting to deactivate" something, they have to explain wth that means...otherwise it's just a scapegoat

    1. Re: wait a minute by David_Hart · · Score: 3, Informative

      You can't remove computer from the demand without the domain admin password. If they're handing out that password to end users, they've got a whole other series of problems.

      Wrong, you just have to have local Admin rights.

      The proper way to remove a computer from the domain is to log in as a user with local admin rights and then enter a domain account with the rights to Add/Remove Computers. This removed the computer from the domain and deletes the computer account from the domain.

      However, you can also log in as a user with local admin rights and when prompted, after selecting Workgroup mode, enter a crap ID and password when prompted for domain credentials. The domain part will fail, but the computer will be switched to workgroup mode on reboot. The difference is that there is now an orphaned computer account still listed in the domain. But the client is now no longer on the domain as far as it is concerned.

      The reason why this is allowed is simply because a mechanism is needed to switch a computer from domain mode to workgroup mode if, for some reason, the domain is unavailable.

    2. Re:wait a minute by Mendy · · Score: 3, Informative

      This describes it in a little more detail.

      My guess is that he turned off a webapp which then caused the HTTP server to provide open directory access. This doesn't explain why he was doing it though or indeed why he was able to.

  3. The old laptop security chink by rmdingler · · Score: 5, Insightful

    It's not clear why a physician had a personally owned system connected to the network, or why he was attempting to deactivate it.

    Of course it is. It was more convenient for him/her personally, despite putting sensitive patient data at risk in a venue beyond the doctor's ken.

    It's a commons tragedy (the Bizzaro-World Spock-doctrine): better for one at the expense of the many.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:The old laptop security chink by Bill_the_Engineer · · Score: 5, Insightful

      Hospitals are slow about refreshing their IT hardware and the hospital in TFA involves physicians working for both New York Presbyterian and Columbia University Medical Center. I wouldn't be surprised that the only way the physician could get a newer laptop capable of running his software in a reasonable amount of time was to order one with his own money and have the IT staff configure it for him.

      The article has the smell of bullshit coming from the IT department that was ultimately responsible. Instead of saying they mishandled off boarding the physicians computer, they gave the impression that the physician was directly responsible for the breach. If a medical physician can cause a website to appear on the hospital network and have that page accessible to the internet then I think its about time to clean house and the hospital seriously needs to find new IT staff.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  4. Lock down your network dumbasses by wiredlogic · · Score: 3, Insightful

    What's the point in having a "secure" HIPAA compliant network that anyone can connect any old computer to? If the admins had just locked out unauthorized MAC addresses this wouldn't have happened. It would have cost them less than 4.8 million to implement even at healthcare contractor rates.

    --
    I am becoming gerund, destroyer of verbs.
  5. Healthcare IT in the US by maple_shaft · · Score: 5, Interesting

    Having worked in IT and software development for a number of different health systems some common themes run true.

    1) Over emphasis on the needs of the physicians over the needs of the patients and the other areas of the healthsystems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not a doctor.

    2) Easy money. Money comes easy to these organizations. This plus...

    3) Non-profit tax status and requirements to spend or invest profits earned. This creates an environment of plentiful budgets where waste runs rampant, and concern over things such as nepotism and incompetence aren't as important as they would be in other companies.

    Of course with nepotism you get politics so thick you couldn't cut it with a carbide blade. This causes a technical brain drain to the point where you have a bloated IT department with 20 incompetent people for every person who knows what they are doing and is always taking the role of the Hero. The Hero can get things done and keep things secure despite all of the problems but eventually like everybody else, the Hero is a human being and has flaws like a human being. The Hero occasionally makes a mistake.

    1. Re:Healthcare IT in the US by maple_shaft · · Score: 3, Interesting

      Allow my rebuttal...

      The doctors are IT's customers not the patient. The patients are the doctor's customers not yours. It's the doctor's job to care for the patients. It's IT's job to make sure the computers doesn't get in the doctor's way while remaining secure and HIPAA compliant. I can see why the doctors would disrespect an IT department that doesn't cater to the customer's (as in doctors) needs.

      If you haven't noticed, the nature of healthcare is changing because of IT. With analytics, data warehouses and artificial intelligence like IBM's Watson diagnosing patients with stunning accuracy, the role of doctor centric patient care is going the way of the dodo. Granted we are not there yet but in the next 20 years we will see computers diagnosing patients, medical breakthroughs occurring through the use of analytics as opposed to traditional medical research, and doctors just basically being delegated to QA on patient care. The point is that all of this will be patient-centric where IT begins to see the patient as the client.

      In 80 some years of cardiac medicine, about the single most effective treatment that all doctors agree on is Aspirin. Healthcare breakthroughs move slowly if you haven't noticed. Now with analytics, doctors, researchers and analysts will be able to interpret correlations in a way never allowed before.

      Really? Their budgets have been shrinking for well over a decade. With medicare payouts being lowered, unfunded mandates to provide "life saving" care to indigents which includes triaging cold and flu cases in ERs, increasing budget reserves in order to offset the growing malpractice risks (self insured hospitals) or paying higher premiums (non-self insured hospitals), and increase labor costs for staff I'd like to know where this easy money is coming from.

      You make it seem as if the non-profit centers see this charity care as a bad thing. To the contrary, they are allowed to write off this "free" care that they are required to give mind you, as charity towards the requirements for them to maintain non-profit tax status. I promise you the cost of free care is a pittance compared to the corporate taxes they otherwise must pay as well as state and local property taxes and the like

      Your arguments about malpractice risks and insurance for that are negligible.

      In my region the nonprofit medical centers tend to be the regional charity or university based hospitals and they are outnumbered by the growing number of for-profit medical centers that offer specialized care. In plain english this means that the high-markup services are being performed by for-profit outpatient centers leaving the hospitals with convalescence services and indigent care.

      This for profit, non-profit line is increasingly blurry though as I see the large non-profit health systems continue to act in ways that are increasingly similar to for profit companies. The chair-persons at such health systems often encourage for-profit ventures to be incubated in the healthsystem and with the support of it so that they have vehicles to move profits into investments towards these for profit institutions. Guess who the board of directors tend to be at these for profit institutions that operate under the non-profit umbrella? Profits find their way into the chair-persons hands in a very indirect way. You may not realize who is really calling the shots and who actually owns these for profit institutions but I do and you would be surprised.

      This doesn't sound like any of the hospitals that I know about. I have friends and colleagues that are in the medical software business or an employee of a hospital throughout the southeast. My graduating class of engineers took advantage of the changes that HIPAA brought and a large portion of them work in the industry. We stay in touch and some of them are known to vent their frustration but none of it involved nepotism, mostly it involves hav

  6. Re:Free money for the government by Anonymous Coward · · Score: 5, Insightful

    If, in a democracy, the government money isn't being spent as if it is the people's money, the people are doing something wrong. And the whole point of public law is that it imposes sanctions "in the public interest", not for the sake of the specific victim. (Sometimes this justifies stupidity, e.g. anti-marijuana law, but mostly it's why we have a civilisation and not a libertarian dystopia.)

    Any personal damages can still be claimed in civil court.

  7. Re:No. by lagomorpha2 · · Score: 3, Insightful

    I won hands down - technology people are the arrogant asses.

    Though you would never guess that by reading slashdot comments.

  8. Re:No. by greenbird · · Score: 4, Insightful

    I won hands down - technology people are the arrogant asses.

    The difference is technology people are typically arrogant about technology, what should be their area of expertise, whereas most of the arrogant ass doctors I've encountered are arrogant about everything. The technology guy isn't going to walk into the doctor's office and start telling him about how to do doctoring stuff. A great many people will tell tell technology people all about how to do their job.

    In any field I usually take arrogance as a sign of incompetence. Typically smart people think they know less then they really do and stupid people usually think they know more. The caveat being perception of arrogance is somewhat relative also. Arrogant people usually perceive anyone who knows more about something then they do as arrogant. That being said though, there are definitely a lot of incompetent technology people, almost certainly a lot more then there are incompetent doctors.

    --
    Who is John Galt?