Slashdot Mirror

← Back to Stories (view on slashdot.org)

Physician Operates On Server, Costs His Hospital $4.8 Million

Posted by timothy on from the s'posed-to-bury-your-mistakes dept.

Hugh Pickens DOT Com (2995471) writes "Jaikumar Vijayan reports at Computerworld that a physician at Columbia University Medical Center (CU) attempted to "deactivate" a personally owned computer from a hospital network segment that contained sensitive patient health information, creating an inadvertent data leak that is going to cost the hospital $4.8 million to settle with the U.S. Department of Health and Human Services (HHS). The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web. The breach was discovered after the hospital received a complaint from an individual who discovered personal health information about his deceased partner on the Web. An investigation by the HHS Office for Civil Rights (OCR) found that neither Columbia University nor New York Presbyterian Hospital, who operated the network jointly, had implemented adequate security protections, or undertook a risk analysis or audit to identify the location of sensitive patient health information on the joint network. "For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question," say the hospitals. "We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS." HHS has also extracted settlements from several other healthcare entities over the past two years as it beefs up the effort to crack down on HIPAA violations. In April, it reached a $2 million settlement with with Concentra Health Services and QCA Health Plan. Both organizations reported losing laptops containing unencrypted patient data."

8 of 143 comments (clear)

  1. Typcial by nurb432 · · Score: 4, Insightful

    This is why you have IT staff, and you let them do their jobs. Typical "i'm a doctor, i went to school and know everything" mentality.

    Too bad they didn't fine the actual doctor instead of the hospital as it was his personally irresponsible actions that caused the breech, not hospital policy.

    --
    ---- Booth was a patriot ----
    1. Re:Typcial by Kjella · · Score: 5, Insightful

      Except for IT of course. If you can master a computer then your impeccable logic and reasoning skills will make any other subject a piece of cake.

      --
      Live today, because you never know what tomorrow brings
  2. wait a minute by Anonymous Coward · · Score: 5, Insightful

    If they're gonna blame the doctor for "attempting to deactivate" something, they have to explain wth that means...otherwise it's just a scapegoat

  3. The old laptop security chink by rmdingler · · Score: 5, Insightful

    It's not clear why a physician had a personally owned system connected to the network, or why he was attempting to deactivate it.

    Of course it is. It was more convenient for him/her personally, despite putting sensitive patient data at risk in a venue beyond the doctor's ken.

    It's a commons tragedy (the Bizzaro-World Spock-doctrine): better for one at the expense of the many.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:The old laptop security chink by Bill_the_Engineer · · Score: 5, Insightful

      Hospitals are slow about refreshing their IT hardware and the hospital in TFA involves physicians working for both New York Presbyterian and Columbia University Medical Center. I wouldn't be surprised that the only way the physician could get a newer laptop capable of running his software in a reasonable amount of time was to order one with his own money and have the IT staff configure it for him.

      The article has the smell of bullshit coming from the IT department that was ultimately responsible. Instead of saying they mishandled off boarding the physicians computer, they gave the impression that the physician was directly responsible for the breach. If a medical physician can cause a website to appear on the hospital network and have that page accessible to the internet then I think its about time to clean house and the hospital seriously needs to find new IT staff.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  4. Healthcare IT in the US by maple_shaft · · Score: 5, Interesting

    Having worked in IT and software development for a number of different health systems some common themes run true.

    1) Over emphasis on the needs of the physicians over the needs of the patients and the other areas of the healthsystems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not a doctor.

    2) Easy money. Money comes easy to these organizations. This plus...

    3) Non-profit tax status and requirements to spend or invest profits earned. This creates an environment of plentiful budgets where waste runs rampant, and concern over things such as nepotism and incompetence aren't as important as they would be in other companies.

    Of course with nepotism you get politics so thick you couldn't cut it with a carbide blade. This causes a technical brain drain to the point where you have a bloated IT department with 20 incompetent people for every person who knows what they are doing and is always taking the role of the Hero. The Hero can get things done and keep things secure despite all of the problems but eventually like everybody else, the Hero is a human being and has flaws like a human being. The Hero occasionally makes a mistake.

  5. Re:Free money for the government by Anonymous Coward · · Score: 5, Insightful

    If, in a democracy, the government money isn't being spent as if it is the people's money, the people are doing something wrong. And the whole point of public law is that it imposes sanctions "in the public interest", not for the sake of the specific victim. (Sometimes this justifies stupidity, e.g. anti-marijuana law, but mostly it's why we have a civilisation and not a libertarian dystopia.)

    Any personal damages can still be claimed in civil court.

  6. Re:No. by greenbird · · Score: 4, Insightful

    I won hands down - technology people are the arrogant asses.

    The difference is technology people are typically arrogant about technology, what should be their area of expertise, whereas most of the arrogant ass doctors I've encountered are arrogant about everything. The technology guy isn't going to walk into the doctor's office and start telling him about how to do doctoring stuff. A great many people will tell tell technology people all about how to do their job.

    In any field I usually take arrogance as a sign of incompetence. Typically smart people think they know less then they really do and stupid people usually think they know more. The caveat being perception of arrogance is somewhat relative also. Arrogant people usually perceive anyone who knows more about something then they do as arrogant. That being said though, there are definitely a lot of incompetent technology people, almost certainly a lot more then there are incompetent doctors.

    --
    Who is John Galt?