

It Took a Massachusetts Hospital 14 Years To Detect a Data Breach (grahamcluley.com)

An anonymous reader shares a report: To make matters worse, even after all that time -- it wasn't the medical center itself that discovered the incident. Tewksbury Hospital learned of the breach in the spring of 2017. It hasn't found any evidence to suggest the security incident resulted in attackers misusing patients' data. Even so, it believes the event compromised the security of affected individuals' personal and medical information. As the state-run institution explains in a statement: "In April of this year, a former patient expressed concern that someone may have accessed their electronic medical record inappropriately. A review conducted in response to this complaint revealed that one hospital employee appeared to have accessed the former patient's records without a good reason to do so. This discovery led to a broader review of the employee's use of the electronic medical records system at Tewksbury Hospital. As a result of this review, we were able to determine that the employee appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients."

52 comments

  1. Re:Weapons Grade Negligence by bobbied · · Score: 5, Insightful

    Oh please.. It was an INSIDER who did this and apparently wasn't out downloading mass amounts of data all at once. How do you distinguish between an insider doing their job and this? I'm just amazed that they kept the access logs for 14 years so they could go back and audit this one user.

    You want every hospital in the world to put in strict access monitoring and then have a team that does nothing but monitor and verify each and every data access? Talk about expensive and adding to healthcare costs, for what? Certainly this won't have a positive effect on healthcare delivered...

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  2. Re:Weapons Grade Negligence by K. S. Kyosuke · · Score: 4, Funny

    The people who were responsible for information security should receive the death penalty for such egregious negligence.

    Probably those MUMPS anti-vaxxers again...

    --
    Ezekiel 23:20
  3. How long did it take by Anonymous Coward · · Score: 0

    for them to detect the patient died?

  4. None of our data is safe. by Anonymous Coward · · Score: 0

    Remember that. Business doesn't give a rat's ass about us or our data security.

    And when it is stolen and abused, we have no recourse because we are peons. And all the damage that is caused has to be cleaned up by us, the victim.

    We must have European style data and privacy protection laws and regulations in this country because it has been proven that businesses are incapable and unwilling to do anything.

    And if any business doesn't like it, they can go do something else: they shouldn't be in a business that handles private information.

    BTW, did you know that Bank of America's data services are all in India and other third world countries?

    1. Re:None of our data is safe. by bobbied · · Score: 1

      Again with this "Evil corporations hold all the power" lie? I'm so tired of this...

      Seriously, remember the old "corporations are people in the eyes of the law" complaint? Well, I do, and you have to understand that this legal principle really means that you, the individual, have the same standing in the eyes of the court as the huge corporation. You can take them to civil court and win...

      So can we stop with the hypocritical conflicting complaints now?

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:None of our data is safe. by HiThere · · Score: 1

      When is the last time that a corporation went to jail for murder?

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re:None of our data is safe. by bws111 · · Score: 1

      Guess you missed the whole state run institution bit, eh?

    4. Re:None of our data is safe. by bws111 · · Score: 1

      When was the last time that a corporation committed murder?

    5. Re:None of our data is safe. by Wizy · · Score: 1

      Ask the Navajo about Peabody Coal.

    6. Re:None of our data is safe. by bobbied · · Score: 1

      I said "civil court" if you were paying attention. Maybe you don't understand how our courts actually work?

      When was anybody EVER tried, convicted and sentenced for murder in a civil court? (That would be Never...)

      You don't get sent to jail by a civil court, you get convicted of crimes like murder in a criminal court. Civil courts are only about property, money and stuff, not about punishing crimes.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    7. Re: None of our data is safe. by Anonymous Coward · · Score: 0

      Well, one might beg to differ on some of your statement. Jail? No. Convicted in civil court and fined extensively, yes.

  5. Gossip Queen by Anonymous Coward · · Score: 0

    According to the Boston Glove, it was a female clerk at the hospital reading people's medical records for no other reason than snooping. No identity theft involved. The person that reported the possible data breach to the hospital refused to state what led him to believe a breach had occurred. If I had to guess, based on my time working for the California State Compensation Insurance Fund, the lady was reading records out of curiosity and gossiping about people behind their backs. She probably told someone that ended up telling the man, or either herself or someone she gossiped with accidentally let slip some knowledge of the guy's medical issue(s). Medical records can be crazy interesting to read, so many fake insurance claims and such. Doctors can't write worth shit though, toddlers have better penmanship.

  6. Re:Gossip Queen (typo) by Anonymous Coward · · Score: 0

    *Boston Globe* Lack of post-comment submission editing at Slashdot strikes again.

  7. This is normal and unavoidable by Baron_Yam · · Score: 1

    Data is useless if it is inaccessible. Eventually, one of your authorized users will break an access rule, and on occasion they will do so in a way that gets them caught.

    1. Re:This is normal and unavoidable by Anonymous Coward · · Score: 0

      On occasion they will do so unintentionally. With the electronic records at my facility, the list of patients is divided by unit. It's trivial to accidentally bring up the wrong unit and pull up "John" before you realize it was the John Smith from down the hall instead of your patient John Oliver. And there before your eyes are his diagnoses, medication orders, treatment orders, allergies, etc. etc. etc.

      One of the computers on unit A where I work defaults to unit B's patient list, so every time I log in to the particular computer I have to switch it back to A. IT can't be bothered to fix it, so I often accidentally open the patient records from unit B because I forget to switch it back to A.

    2. Re:This is normal and unavoidable by Vermonter · · Score: 1

      Or more generally speaking, you cannot have authorized access without possible unauthorized access.

    3. Re:This is normal and unavoidable by Baron_Yam · · Score: 1

      Yep. And with employees who have some ethics, it's not a problem because they keep their mouths shut and don't share what they see.

      I've worked in multiple environments like that. I've also seen a few not so ethical people get fired because in addition to looking at what they shouldn't, they couldn't resist blabbing about the bits they found interesting.

      As a general rule, all people are occasionally stupid and some people are constantly stupid.

  8. Re:Weapons Grade Negligence by RKThoadan · · Score: 2

    Actually, most hospitals do have just such a system in place. There are plenty of ways for it to be configured. In most cases it takes several unusual hits for it to flag for a review so a clinical user (nurse, therapist, etc) can definitely get away with a lot before it would flag them - it really depends on how they accessed it and what they accessed. Systems 14 years old probably don't have as much security.

    I know that among other things our system even compares my address to those of patients I access to make sure I'm not trying to snoop on neighbors.
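The post above describes two detection heuristics in prose: an alert that fires only after several out-of-pattern chart opens, and a comparison of the employee's home address against the patient's to catch neighbour snooping. The script below is an added example (not code from this thread or from any EHR vendor) that runs those heuristics, plus a review flag for sensitive records, over a constructed access log; the staff directory, patient directory, log lines and threshold are all assumptions.

```python
"""Retrospective review of EMR access-audit entries.

Added example, not code from the original thread or any EHR product.
Rules implemented (as described in the thread, data is constructed):
  cross_unit_volume: several opens of charts outside the user's unit
  address_match:     employee home street equals patient street
  sensitive_record:  chart carries a review flag (employee, VIP, ...)
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed staff directory: user -> assigned unit and home street
STAFF = {
    "nurse_a": {"unit": "A", "street": "12 Elm St"},
    "nurse_b": {"unit": "B", "street": "40 Oak Ave"},
    "clerk_c": {"unit": "A", "street": "7 Maple Rd"},
}

# Constructed patient directory: id -> unit, street, review flags
PATIENTS = {
    "P100": {"unit": "A", "street": "3 Pine Ct", "flags": set()},
    "P101": {"unit": "A", "street": "12 Elm St", "flags": set()},  # nurse_a's street
    "P200": {"unit": "B", "street": "9 Birch Ln", "flags": set()},
    "P201": {"unit": "B", "street": "5 Cedar Way", "flags": {"employee"}},
    "P202": {"unit": "B", "street": "8 Ash Dr", "flags": set()},
    "P203": {"unit": "B", "street": "2 Fir Pl", "flags": set()},
}

# Constructed access log, one chart open per line: timestamp,user,patient
ACCESS_LOG = """\
2017-04-03T08:01:00,nurse_a,P100
2017-04-03T08:05:00,nurse_a,P101
2017-04-03T09:10:00,nurse_b,P200
2017-04-03T09:12:00,nurse_b,P201
2017-04-03T11:00:00,clerk_c,P200
2017-04-03T11:02:00,clerk_c,P202
2017-04-03T11:03:00,clerk_c,P203
2017-04-03T11:04:00,clerk_c,P100
"""

# One wrong-unit open (a workstation defaulting to the wrong list) should not
# page anyone; several within a review period should. Threshold is assumed.
CROSS_UNIT_THRESHOLD = 3


def parse_log(text):
    """Parse the comma-separated audit lines into dicts."""
    rows = csv.reader(StringIO(text))
    return [{"ts": ts, "user": user, "patient": pid} for ts, user, pid in rows]


def review(text, threshold=CROSS_UNIT_THRESHOLD):
    """Return findings as sorted (rule, user, detail) tuples for a human reviewer."""
    findings = []
    cross_unit = defaultdict(list)
    for ev in parse_log(text):
        staff = STAFF[ev["user"]]
        pat = PATIENTS[ev["patient"]]
        if pat["unit"] != staff["unit"]:
            cross_unit[ev["user"]].append(ev["patient"])
        if pat["street"] == staff["street"]:
            findings.append(("address_match", ev["user"], ev["patient"]))
        if pat["flags"]:
            findings.append(("sensitive_record", ev["user"], ev["patient"]))
    # Volume rule: only fire once the user has accumulated enough out-of-unit opens
    for user, pids in cross_unit.items():
        if len(pids) >= threshold:
            findings.append(("cross_unit_volume", user, ",".join(pids)))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in review(ACCESS_LOG):
        print(f"{rule:18} {user:8} {detail}")
```

On the constructed log, nurse_a's open of P101 trips the address rule, nurse_b's open of P201 is queued because the chart is flagged, and clerk_c is reported only because three unit-B charts were opened in one period; a single stray open would stay below the threshold. Each finding is a review item, not a verdict, which matches the thread's point that the clinician may well have had a legitimate reason.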

  9. Happens more often than you think by Anonymous Coward · · Score: 0

    Other massive data breaches have happened yet there's never been a public announcement. I'm talking on the scale of Yahoo's data breach.

  10. Sensationalist headline much? by Anonymous Coward · · Score: 0

    This sounds like a curious nurse who forgot a couple of details about HIPAA. Nothing to see here, move along..

  11. Do EMR systems have controls? by ErichTheRed · · Score: 2

    It sounds like this was an insider who was just accessing someone's records for fun or to find something out about someone. I'm not surprised it took them 14 years to detect it either -- Tewksbury Hospital is a psychiatric hospital. Every state, even ones like Massachusetts, has been running away screaming from the obligation to provide mental health services ever since Thorazine was invented. They probably have even less budget than a typical hospital's IT department. Where I live in New York, inpatient mental health care barely exists; you need to be truly dangerous to end up in a psychiatric hospital -- even too dangerous for prison or jail.

    I'm not in healthcare IT so I don't know...are electronic health record systems designed to not allow random snooping through people's information? You would think, with HIPAA and everything, that record access would be limited to people who have reason to look at it, and of course the system admins. In my experience in other fields though, no one goes looking through system access logs until someone has reason to suspect something, so usually it takes someone reporting something like what happened here.

    I guess patient record security would have limited this, but I'm sure there are still ways around it. Back in my client support days, I did a lot of work with HR -- talk about the world's worst gossip clique! HR people love snooping through peoples' files, basically just for the lulz.

    1. Re:Do EMR systems have controls? by the_skywise · · Score: 1

      I've worked with HIPAA level data handling and, like all things, its weakest point is the point of access. If somebody with credentials wants to peek at information they have access to (but aren't supposed to be looking at) they can. My system logged all read/write accesses and we made sure to encrypt any and all data in storage and only reveal data to people with proper credentials.

      Locked down like a bank but any bank teller still has access to all the money. (so to speak) Bank Tellers get caught because cross audits discover missing money which trigger the investigation. Stolen data doesn't disappear from the database so it's often never noticed.

      I went to a doctor affiliated with a major hospital chain (e.g. not an independent doctor but one whose offices were in hospital-owned space and who handled the IT for the billing and records) and got diagnosed with a condition. After some discussion my doctor decided it might be temporary and we decided to monitor it - no prescriptions were written and I made no other contact with any other medical facility/pharmacy about it. Only the doctor's office knew. Not 2 weeks later my parents (whom I hadn't lived with in 20 years) were getting calls advertising drugs and therapies for my condition. HIPAA my ass....

    2. Re:Do EMR systems have controls? by Anonymous Coward · · Score: 0

      EHR systems vary WIDELY between providers, but largely access is based on either the accessing user's department assignment or a variety of other potential measures. So essentially you could access the information for all patients in department "x" if you are granted access at all, truly all or nothing most of the time.

      Additionally, most EHRs only log the access so unless the hospital in question specifically is reviewing the access no one will notice. There are certain regulations that require auditing, but mostly they are just check boxes and I know of a lot of facilities that just pretend like they are auditing when they actually are not.

    3. Re:Do EMR systems have controls? by Anonymous Coward · · Score: 0

      As a resident physician (in anesthesia), I can tell you that it would be very difficult to create meaningful access restrictions for health care personnel that did not get in the way of patient care, and a trust but verify approach (i.e. audit) is much more reasonable than most restrictions.

      Here are a few examples of situations where restrictions that did not get in the way are likely to be too broad to be useful:

      1) Multiple people each day are assigned to look through the upcoming patients scheduled for surgery in the next few days, make sure we have enough information to safely perform anesthesia, and call/go see the patient if needed. All of us in the anesthesia team rotate through this role, and it requires us to potentially look at the medical records of everyone scheduled for surgery.

      2) It's not uncommon to get a tip from a colleague about a patient in the ED or medical floor whose status is worsening and might need an emergent surgery/emergency intubation by anesthesia/ICU admission. Reviewing the chart in advance can help avoid dangerous surprises if and when that urgent consult comes (e.g. non-anesthesiologists might not realize that a recent echocardiogram showing an estimated right ventricular systolic pressure of 65 mmHg would mean your standard induction drugs are very risky to use). Again, at the time of the review no formal consult has been made, and the tip might come from a consultant (e.g. trauma surgery) because the primary team is busy resuscitating the patient.

      3) Psychiatry is considering electroconvulsive therapy (ECT) for one of their inpatients with worsening catatonia. They're having difficulty tracking down a family member for consent (and thus the procedure is not on the schedule yet), but want us to see the patient and provide advice on any labs/testing that needs to be done before we can provide anesthesia for the procedure.

      We do have audit logs for every access of patient data. For some patients (e.g. hospital employees, psychiatric patients, and VIPs) we have an extra dialog box we have to click through to access the record, warning us that access is audited.

      In the end, I'd argue that adding tighter access restrictions tight enough to prevent "random snooping" would worsen patient care in ways that might lead to additional injury or death. Instead, the effort would be better directed towards auditing efforts to catch people misusing their access.
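The design this post argues for, audit everything and gate only the flagged charts behind an attestation dialog rather than blocking access on a care-relationship check, can be sketched in a few lines. The code below is an added example, not code from this thread or from any EHR product; the class, the patient ids and the treating-relationship table are assumptions.

```python
"""Trust-but-verify chart access: log every open, gate only flagged charts.

Added example, not code from the original thread or any EHR product.
Opens are never blocked by a treating-relationship check (which would break
pre-op review, informal consults and the like); instead every open is
audited, and charts of flagged patients (employees, psychiatric patients,
VIPs) require the user to attest a reason that is recorded. Data is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class AuditEntry:
    user: str
    patient: str
    reason: str      # "" for an ordinary open
    attested: bool   # True when the warning dialog was shown and accepted


@dataclass
class ChartSystem:
    flagged: set                        # patient ids that show the warning dialog
    treating: dict                      # patient id -> users with a formal relationship
    audit: list = field(default_factory=list)

    def open_chart(self, user, patient, reason=""):
        """Open a chart. Flagged charts need a stated reason; nothing else is blocked."""
        if patient in self.flagged and not reason.strip():
            # The "extra dialog box" path: the user must attest before proceeding
            raise PermissionError(f"{patient} is flagged: state a reason to continue")
        self.audit.append(
            AuditEntry(user, patient, reason.strip(), patient in self.flagged)
        )
        return True

    def review_queue(self):
        """Entries worth a human look: opens without a formal treating relationship."""
        return [
            e for e in self.audit
            if e.user not in self.treating.get(e.patient, set())
        ]


def demo():
    """Constructed scenario: scheduled patient P1, flagged inpatient P9."""
    cs = ChartSystem(flagged={"P9"}, treating={"P1": {"dr_lee"}})
    cs.open_chart("dr_lee", "P1")                      # treating physician
    cs.open_chart("dr_kim", "P1", "pre-op review")     # no relationship, still allowed
    cs.open_chart("dr_kim", "P9", "ECT consult")       # flagged: reason required
    return cs


if __name__ == "__main__":
    for e in demo().review_queue():
        print(f"{e.user} opened {e.patient} attested={e.attested} reason={e.reason!r}")
```

The review queue is what a compliance reviewer would work through: both of dr_kim's opens appear in it, one with an attested reason and one without, while dr_lee's open of a patient on his own list does not. Nothing legitimate was prevented; the cost is moved to review time, which is the trade the post describes.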

    4. Re:Do EMR systems have controls? by Anonymous Coward · · Score: 0

      Hi, I work in healthcare IT:

      "are electronic health record systems designed to not allow random snooping through people's information?"
      No :(

      "no one goes looking through system access logs until someone has reason to suspect something,"
      correct

      "HR -- talk about the world's worst gossip clique! HR people love snooping through peoples' files"
      thankfully not here.


      Our problem is the Healthcare provider is locked into an old 1970's system designed way before good access audits were common or programmed in off the shelf.
      The discussion on why we are locked in is a WHOLE other can of worms.


      -sorryBestIpostAnonymous

    5. Re:Do EMR systems have controls? by darkmeridian · · Score: 1

      Medical records are not supposed to be open to everyone in the medical facility. Accessing medical information just for shits and giggles will get you fired.

      http://www.nydailynews.com/ent...

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    6. Re:Do EMR systems have controls? by cmseagle · · Score: 1

      You're over generalizing. The major players in the EHR marketplace offer modern software suites with all the security/access auditing bells and whistles you would expect of a program that handles something as sensitive as medical data. There are protections in place to prevent egregious abuses of access, but something as subtle as what's described in this story (occasional inappropriate access over the course of years) would be tough to catch.

      The problem with security, as it is in all types of IT, is that you have to weigh risk against cost and convenience. You can lock down your EHR to an arbitrary degree, but then you start interfering with the ability of clinicians to do their jobs and introduce a ton of administrative overhead if you're reviewing all of that access audit data.

      The major players in the field are starting to do some cool stuff with the "big data" and "machine learning" buzzwords to automate some of these processes for picking up on inappropriate access. It'll be a while before that's viable for a production application.

  12. Re:Weapons Grade Negligence by Anonymous Coward · · Score: 1

    Actually, yes. Financial and medical institutions should have IT security folk that do nothing but review the security of their system.
    That includes equipment, patching schedules, user CONOPS, account maintenance, and of course, user access uses.

    In this case, the misuse of the information seems to have been minimal. But it's exactly this sort of information that could be used for blackmail, to ruin or even end someone's life. So it needs to be protected.

    And this hospital absolutely failed to do so.

  13. Admittedly, this was 15 years ago... by Anonymous Coward · · Score: 0

    ... I was dating a medical resident, and met her in the hospital.

    She showed me how easy it was for any staff to look up patient info in the hospital's system - she showed me my records.

    I doubt the hospital ever did anything about it...

    1. Re:Admittedly, this was 15 years ago... by Anonymous Coward · · Score: 0

      From people I know who do IT work in hospitals, anyone on the medical staff gets anything they want. It's not uncommon for hotshot doctors to storm into the administration's office and claim they don't have time to deal with security, passwords, etc. -- and get exceptions to policies. So I would imagine that the chief resident demanded that all his residents have unrestricted records to every patient record or he would quit and go work for the other hospital across town.

      Doctors are kind of like corporate executives in terms of IT support -- they don't want to deal with you, and don't want to deal with anyone telling them what to do.

    2. Re:Admittedly, this was 15 years ago... by Anonymous Coward · · Score: 0

      It's not just 'doctors and corporate executives' who have that view of IT, it is everyone. This is largely because IT tends to act as if they are the main reason the business or organization exists. They aren't. They are there to SUPPORT the business.

  14. Hats off to Hospital IT by scubamage · · Score: 1

    While I have never directly worked in hospital IT, I know plenty of folks who have. I did work for a PACS/RIS/HIS vendor, and I spent about 6 years working beside them. Not only do hospital IT teams chronically get underfunded and understaffed, they have to deal with vendors who give absolutely asinine support requirements ("no, our software only runs on windows NT!" or "Sorry, HP only allows you to use windows server for storage appliances for this device, why no, microsoft has never released a service pack for it, why do you ask?"). Worse, a lot of their extremely expensive equipment has embedded OS's that will likely never see an update because the vendors simply don't supply them, or because risking a bad update can quite literally cost lives. It's a really, really tough IT segment. People like to derp at them "well why don't you just update things!" without realizing that in many cases they simply can't because of the vendors who release the hardware not providing adequate support. Preventative measures would be their best bet, but boards of trustees rarely see it as worthwhile to give those IT departments funding to implement those preventative measures well. It's a shit sandwich.

    1. Re:Hats off to Hospital IT by Anonymous Coward · · Score: 0

      I can concur with this to a certain extent. I worked for a medical equipment manufacturer supporting the Engineering Dept. (Hardware and Software). The Engineers were using tools on the servers and the tool vendors would come in to set up the, usually new, software. They demanded that they (the vendor) be given Local Administrator access or root access or Domain Administrator access in order to set up their software instance. There were some vendors that wanted holes put into our corporate firewall so the vendor could "monitor" the activities of their software remotely, as in whenever they felt it was OK.

      I had to fight long and hard a couple of times to convince Engineering/Corporate Security to just say NO. I finally convinced the powers that be that giving an outside vendor access to the Corporate Intellectual Property was not a good thing. The Engineers developing the software often told me that "I know more about the OS than IT does, so when I say we don't need any firewall rules, I know what I want".

  15. mumps software is old and may not have much by Joe_Dragon · · Score: 1

    mumps software is old and may not have much security. Or security just gets in the way of it being linked to other systems.

    1. Re:mumps software is old and may not have much by cmseagle · · Score: 1

      You're over generalizing. Several of the major players in the EHR field run on an M database. They offer modern software suites with all the security bells and whistles that you'd expect of a program handling something as sensitive as medical record data.

      The problem comes in when you have to start balancing cost/convenience against risk of abuse. You could lock down your EHR to an arbitrary degree, but then it starts to interfere with users' ability to do their jobs. The more stringent your auditing protocols, the more cost you pile on in administrative overhead. The "security vs. convenience" battle is not at all specific to M or to healthcare IT.

  16. Re:Yuo Fail It!! by Anonymous Coward · · Score: 0

    ur ghey

  17. IOW by nospam007 · · Score: 1

    They are still on Windows 95.

  18. Re:Weapons Grade Negligence by Anonymous Coward · · Score: 0

    You'd think that anyone who had used MUMPS would be wildly in favor of anything that would get rid of it.

    For those of you who have mercifully never heard of MUMPS, it was featured on the Daily WTF some time ago, which should tell you what you need to know.

  19. The flaw of averages by jbmartin6 · · Score: 1

    Now we know why the "average time to detection" is 271 days or some such nonsense.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  20. The data breach by hey! · · Score: 1

    was apparently an individual clerk abusing his authorization to poke around in patient files. The "14" years timing is interesting; HIPAA's privacy rules took effect in 2003, in other words 14 years ago.

    So while by modern standards this event is a breach, it's not the kind of technical breach people seem to think it was. What's more at the time it may not even have resulted from violations of then-current standard practices. Back in the day it was common to simply trust people who needed access to records to use that access responsibly.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  21. Re:Jews did 9/11 by Anonymous Coward · · Score: 0

    The tin-foil hat is strong with this one.

  22. Re: Jews did 9/11 by Anonymous Coward · · Score: 0

    How much is the Chinese government paying you to spread idiocy and disunity among the American people?

  23. Re:Weapons Grade Negligence by Anonymous Coward · · Score: 0

    Due to separation of privileges, IT is typically forbidden from reviewing user application access. That normally falls under the purview of the Risk/Compliance department.

  24. Still shorter by jmccue · · Score: 1

    Well, that is still much shorter than it takes Massachusetts to build a simple Bridge.

  25. Re:Weapons Grade Negligence by cmseagle · · Score: 1

    If it ain't broke, don't fix it. M is archaic and lacks many of the conveniences and guardrails of modern languages, but it's also ludicrously fast and scalable. Much of the hate is actually for Meditech's in-house language MAGIC. It's often conflated with M but isn't the same language at all.

  26. Re: Gossip Queen (typo) by Anonymous Coward · · Score: 0

    no glove, no love.