One In Four Indiana Residents' E-Record Data Exposed in Hack
Reader chicksdaddy reports that a data breach involving four million patients and more than 230 different data holders (from private practices to large hospitals) hit Indiana especially hard. It's the home state of Medical Informatics Engineering, maker of electronic records system NoMoreClipBoard. While data exposed in the breach affected 3.9 million people, 1.5 million of them are in Indiana.
According to the Security Ledger, though:
[The] breach affects healthcare organizations from across the country; healthcare providers ranging from prominent hospitals to individual physicians' offices and clinics are among 195 customers of the NoMoreClipboard product that had patient information exposed in the breach. And, more than a month after the breach was discovered, some healthcare organizations whose patients were affected are still waiting for data from MIE on how many and which patients had information exposed.
'We have received no information from MIE regarding that,' said a spokeswoman for Fort Wayne Radiology Association (http://www.fwradiology.com/), one of hundreds of healthcare organizations whose information was compromised in the attack on MIE.
Why should a company storing confidential data have any ability to access any part of that data? Especially when there are hundreds of separate owners of the data!
Each data owner should encrypt data before it leaves their site. In fact, individual documents should be uniquely encrypted.
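The owner-side, per-document encryption this comment argues for, as an added example in Go (not code from the original page, nor from MIE or the NoMoreClipboard product): the data owner keeps a 32-byte random key on site, derives a unique key per document from it, and the hosting service only ever stores ciphertext it cannot read. The owner key, document IDs and sample text in the test are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Record is everything the hosting service stores; the owner's key never leaves the owner's site.
type Record struct {
	DocID string
	Body  []byte // AES-256-GCM ciphertext with the 12-byte nonce prefixed
}
// docKey derives a unique per-document key from the owner's random 32-byte key and the document
// ID (HMAC-SHA256 as a one-step KDF), so one leaked document key exposes no other document.
func docKey(ownerKey []byte, docID string) []byte {
	m := hmac.New(sha256.New, ownerKey)
	m.Write([]byte("doc-key/v1\x00" + docID)) // fixed label gives domain separation
	return m.Sum(nil)
}
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal runs at the data owner before the document leaves the site. The document ID is bound as
// associated data, so a stored record cannot be re-labelled as another patient's document.
func Seal(ownerKey []byte, docID string, doc []byte) (Record, error) {
	g, err := gcm(docKey(ownerKey, docID))
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{DocID: docID, Body: g.Seal(nonce, nonce, doc, []byte(docID))}, nil
}
// Open also runs at the data owner; a wrong owner key or any tampering fails authentication.
func Open(ownerKey []byte, r Record) ([]byte, error) {
	g, err := gcm(docKey(ownerKey, r.DocID))
	if err != nil || len(r.Body) < g.NonceSize() {
		return nil, errors.New("bad key or truncated record")
	}
	return g.Open(nil, r.Body[:g.NonceSize()], r.Body[g.NonceSize():], []byte(r.DocID))
}
```

A breach of the host then yields only Records; the owner key sits with each of the hundreds of separate data owners, and re-labelling or truncating a stored record is caught on decryption.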
These stories of leaks of massive amounts of data -- again and again! -- just prove that nobody cares.
Only one in four? Lame. They need to sweep up the other 75% of medical records from Indiana. Go big or go home!
I hate to be a doomsayer, but with the way weapons have surpassed armor, security is almost a pointless battle for companies. If the biggest, most secure organizations in the world (Sony x 2, Target, OPM) can get breached, anyone can.
Take network security. A backdoor in an appliance gets an attacker to the management network; from there, the TFTP server; from there, copying a modified config. IDS/IPS systems are pointless, as big companies already have these. Same with AV.
Take privacy. Show me one single Web browser that can pass the Panopticlick test and not have an individual fingerprint. One. The hackers and the ad people know who you are no matter what you do with cookies and LSOs.
Take malware. All it takes is one infection on a PC, and firmware on a video card, BIOS, hard drive, or many other subsystems can be updated so malware can load back in. This isn't new. Macs since the 1980s had the SCSI hard disk driver load code the second it saw the drive, so placing malicious code there would be trivial, and at the time, there were zero defenses. Modern malware goes through the Web browser, which runs with a full user context, and is commonly subverted via an add-on.
Take the system of updating PCs. All it takes is to subvert Microsoft's, Apple's, Adobe's, or anyone's update mechanism, and you can pwn PCs at will, with no way someone can trace it back.
Take physical attacks. Take the US, where 99% of locks on doors are bumpable. Even the boffins showing off their high security card readers have pin tumbler locks that can be opened with a pick gun (not even Medeco, and definitely not Abloy.)
Take economies. The US economy is so shitty, almost anyone can be bribed.
If the bad guys can't find a way in through some other compromise, they can browbeat someone for access. Dress up with a suit, get in someone's face that one is an auditor with so-and-so law firm, or a representative of the BSA, then scream in their ear that they will be fired or arrested if they don't hand access over -STAT-, the intruder can get into virtually any server room out there. Bonus points if they do a tiny bit of homework and drop a name or two. They can easily wind up screaming at someone, (think "command voice"), and said IT person gladly handing over the enterprise admin credentials even after their ancestry was questioned, capability to reproduce was asked about, capability to work was doubted, and their family's ancestry as sentient creatures was brought to question.
How can HIPAA do a single thing, if any known security precaution that is mentioned is roflstomped in days? No law is going to help in this case. If laws could, they would be implemented and in place, just like the DMCA.
TL;dr: You cannot win, and if a hacker wants your shit, they got it.
If the biggest, most secure organizations in the world (Sony x 2, Target, OPM) can get breached, anyone can.
I don't think anyone ever said they were the most secure organizations in the world. In the case of Sony specifically, their security was notable for its poor quality.
"First they came for the slanderers and I said nothing."
HIPAA discourages unauthorized disclosures, but it discourages looking for these disclosures even more.
What was so bad about clipboards again?
Clipboards have a bunch of known deficiencies. They're effectively write-only, especially if no one else can read the doc's handwriting.
Then, they're hard to duplicate. Should you end up in the hospital (heaven forbid), hopefully you're conscious enough to explain your drug allergies to the EMT, because it'll take a while to find out which clinic you normally see and get a copy of their clipboard. Then the copy of the clinic clipboard ends up in the hospital's clipboard, but the stuff in the hospital clipboard probably won't make it back to the clinic clipboard.
There's also only one copy of the hospital clipboard, so the cardiologist treating your heart attack can't put notes in your clipboard if the hospitalist took it to figure out what meds you were (or should be) on. If they do make copies, someone has to make sure the cardiologist's annotations make it into all of them without error. Those charts then have to be stored in a giant bunker somewhere, forever.
Clipboards are also bad at medication safety. When you're giving millions of med administrations to millions of patients, eventually you end up giving the wrong drug to the wrong one. Clipboards can't verify that you nabbed the right patient or the right drug, which kills people once you scale up the mistakes that would have happened to a national level.
Even before the nurse gives the meds, a clipboard can't tell the doctor that one of the medications he's ordering will interact with the medications someone else ordered. That also kills people. If one lot of those medications was tainted and recalled, it's also really, really hard to find out who was affected if all your administrations are documented on paper.
Finally, it's really hard to bill correctly if all of your documentation is on paper. If the coder going over the clipboard misses a charge, the hospital loses out on money. If the coder invents a charge, you lose out on money. If the coder can't find whatever documentation a kafkaesque insurance company demands to justify a procedure, you both lose out on money. Also harder to reject a claim for not being written in blue pen with block caps when the claim is electronic.
There's a bunch of other ways clipboards suck, and a bunch of ways the clipboard-replacements suck, but the former tends to suck a lot more than the latter.
DATABASE WOW WOW
Spot on. I'll bet in both cases there are plenty of stupid shortcuts that would induce facepalms or "I told you so" on a lot of the readers here.
Last year I had one idiot ask to put the phone system he was sometimes called out to work on onto the internet with telnet access - with no password! Another wanted direct RDP access to a machine over the internet. Neither of course seemed to have heard of a VPN or gave a shit about security - people who actually do what these idiots say are probably going to get burnt within days with the number of bots out there scanning for stuff.
It was the same guy that put an open drink can down on a large live UPS after someone let him into the server room so it's possible that stupidity has killed him by now.
Turns out the "new" phone system is a ten year old model - so telnet in with no password to change the settings and he wanted us to unblock and port forward telnet to the thing. I wonder if he convinced someone else in another place and who is getting free calls out of diverting through hacked phone systems?
So yes, these sorts of people are around trying to convince anyone who will listen to punch huge holes through security to make it easier for them to support their crap devices. See the Target hack via an alarm system as an example.
You're a liar or a troll. It's as simple as that. I've lived in Indiana my whole life and experienced, firsthand, racists of all colors (you did know that anyone can be a racist, right?) but they're far from the majority. Stop playing the victim; bitterness like this doesn't do anything but keep you locked in and your eyes closed to reality.
Clipboards have a bunch of known deficiencies.
Your post is informative and makes a lot of sense. On the other hand, I think there are plenty of new types of errors which can be created with electronic systems. In particular, when you abstract data from records and substitute codes in, you make it easier for people to stop looking at original records. Those original records might also contain contextual information that would prevent some errors. In most cases, I imagine the benefits of electronic records outweigh the problems, but when you depend on a computer system to check a bunch of codes, it's harder to realize there's an error in the coding compared to a paper record with context.
Finally, it's really hard to bill correctly if all of your documentation is on paper. If the coder going over the clipboard misses a charge, the hospital loses out on money. If the coder invents a charge, you lose out on money. If the coder can't find whatever documentation a kafkaesque insurance company demands to justify a procedure, you both lose out on money. Also harder to reject a claim for not being written in blue pen with block caps when the claim is electronic.
I'd actually like a citation showing the medical billing has improved since the system became all-electronic. Most studies seem to agree that the majority of medical bills these days contain errors. I never realized how bad it was until I switched to a high-deductible plan (for various reasons) a few years ago. Since I had to pay out-of-pocket for almost everything, I started paying detailed attention to medical bills.
And out of all the interactions my family has had with doctors in the past 3 years, at least 75% of them have had billing errors. And it's not just your "kafkaesque insurance company" -- I think we've seen at least 8 different providers, and the majority of them have made billing errors. I'd say the insurance company was responsible for maybe 1/3 of errors at most... it's primarily the providers.
As part of my plan, I'm supposed to receive a free annual physical. The first year, my doctor's office filed the claim FOUR TIMES and each time made different coding errors. Finally, the last time they ended up double-crediting me on something, and I ended up $5 ahead of what I was supposed to pay, so I just gave up. Last year, I tried to fix this problem by bringing in a copy of the relevant page from my benefits booklet explaining exactly what was covered in a routine exam, and requesting that the office ONLY perform those procedures. They still screwed something up. A family member saw a different doctor and did the same thing, and both the insurance company and the doctor's office made errors -- which combined resulted in four charges we weren't actually responsible for.
Medical billing in the U.S. is a disaster. I don't think most people seem to notice, because insurance "covers it" and so people just pay their $20 co-pay for most things and move on. For those poor people who actually need to pay bills (and people who elect to through a high-deductible plan), it's beyond kafkaesque.
I'm not saying clipboards would fix this problem. But if documentation were actually attached to most things, rather than existing only as random billing and procedure codes, I'd imagine it would be easier to track things down. As it is, I find it next-to-impossible to even resolve billing errors because all the statements I receive from the physician and insurance company have a bunch of numbers and too little explanation of what they are actually doing. I have spent hours examining the bills, matching up charges (since they aren't reported the same), then querying the insurance company (who, when pressed, will actually tell me what the diagnostic codes mean), after which I have to call the doctor's office and force them to code them correctly, rather than using some random diagnostic code for something I didn't even have.
I've talked to ot