Slashdot Mirror

← Back to Stories (view on slashdot.org)

It Took a Massachusetts Hospital 14 Years To Detect a Data Breach (grahamcluley.com)

Posted by msmash on from the security-is-hard dept.

An anonymous reader shares a report: To make matters worse, even after all that time -- it wasn't the medical center itself that discovered the incident. Tewksbury Hospital learned of the breach in the spring of 2017. It hasn't found any evidence to suggest the security incident resulted in attackers misusing patients data. Even so, it believes the event compromised the security of affected individuals' personal and medical information. As the state-run institution explains in a statement: "In April of this year, a former patient expressed concern that someone may have accessed their electronic medical record inappropriately. A review conducted in response to this complaint revealed that one hospital employee appeared to have accessed the former patient's records without a good reason to do so. This discovery led to a broader review of the employee's use of the electronic medical records system at Tewksbury Hospital. As a result of this review, we were able to determine that the employee appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients."

25 of 52 comments (clear)

  1. Re:Weapons Grade Negligence by bobbied · · Score: 5, Insightful

    Oh please.. It was an INSIDER who did this and apparently wasn't out downloading mass amounts of data all at once. How do you distinguish between an insider doing their job and this? I'm just amazed that they kept the access logs for 14 years so they could go back and audit this one user.

    You want every hospital in the world to put in strict access monitoring and then have a team that does nothing but monitor and verify each and every data access? Talk about expensive and adding to healthcare costs, for what? Certainly this won't have a positive affect on healthcare delivered...

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  2. Re:Weapons Grade Negligence by K.+S.+Kyosuke · · Score: 4, Funny

    The people who were responsible for information security should receive the death penalty for such egregious negligence.

    Probably those MUMPS anti-vaxxers again...

    --
    Ezekiel 23:20
  3. This is normal and unavoidable by Baron_Yam · · Score: 1

    Data is useless if it is inaccessible. Eventually, one of your authorized users will break an access rule, and on occasion they will do so in a way that gets them caught.

    1. Re:This is normal and unavoidable by Vermonter · · Score: 1

      Or more generally speaking,you cannot have authorized access without possible unauthorized access

    2. Re:This is normal and unavoidable by Baron_Yam · · Score: 1

      Yep. And with employees who have some ethics, it's not a problem because they keep their mouths shut and don't share what they see.

      I've worked in multiple environments like that. I've also seen a few not so ethical people get fired because in addition to looking at what they shouldn't, they couldn't resist blabbing about the bits they found interesting.

      As a general rule, all people are occasionally stupid and some people are constantly stupid.

  4. Re:Weapons Grade Negligence by RKThoadan · · Score: 2

    Actually, most hospitals do have just such a system in place. There are plenty of ways for it to be configured. In most cases it takes several unusual hits for it to flag for a review so a clinical user (nurse, therapist, etc) can definitely get away with a lot before it would flag them - it really depends on how they accessed it and what they accessed. Systems 14 years old probably don't have as much security.

    I know that among other things our system even compares my address to those of patients I access to make sure I'm not trying to snoop on neighbors.

  5. Re:None of our data is safe. by bobbied · · Score: 1

    Again with this "Evil corporations hold all the power" lie? I'm so tired of this...

    Seriously, remember the old "corporations are people in the eyes of the law" complaint? Well, I do, and you have to understand that this legal principle really means that you, the individual, have the same standing in the eyes of the court as the huge corporation. You can take them to civil court and win...

    So can we stop with the hypocritical conflicting complaints now?

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  6. Do EMR systems have controls? by ErichTheRed · · Score: 2

    It sounds like this was an insider who was just accessing someone's records for fun or to find something out about someone. I'm not surprised it took them 14 years to detect it either -- Tewksbury Hospital is a psychiatric hospital. Every state, even ones like Massachusetts, has been running away screaming from the obligation to provide mental health services ever since Thorazine was invented. They probably have even less budget than a typical hospital's IT department. Where I live in New York, inpatient mental health care barely exists; you need to be truly dangerous to end up in a psychiatric hospital -- even too dangerous for prison or jail.

    I'm not in healthcare IT so I don't know...are electronic health record systems designed to not allow random snooping through people's information? You would think, with HIPPA and everything, that record access would be limited to people who have reason to look at it, and of course the system admins. In my experience in other fields though, no one goes looking through system access logs until someone has reason to suspect something, so usually it takes someone reporting something like what happened here.

    I guess patient record security would have limited this, but I'm sure there are still ways around it. Back in my client support days, I did a lot of work with HR -- talk about the world's worst gossip clique! HR people love snooping through peoples' files, basically just for the lulz.

    1. Re:Do EMR systems have controls? by the_skywise · · Score: 1

      I've worked with HIPAA level data handling and, like all things, its weakest point is the point of access. If somebody with credentials wants to peek at information they have access to (but aren't supposed to be looking at) they can. My system logged all read/write accesses and we made sure to encrypt any and all data in storage and only reveal data to people with proper credentials.

      Locked down like a bank but any bank teller still has access to all the money. (so to speak) Bank Tellers get caught because cross audits discover missing money which trigger the investigation. Stolen data doesn't disappear from the database so it's often never noticed.

      I went to a doctor affiliated with a major hospital chain (EG not an independent doctor but one who's offices were in hospital owned space and who handled the IT for the billing and records) and got diagnosed with a condition. After some discussion my doctor decided it might be temporary and we decided to monitor it - no prescriptions were written and I made no other contact with any other medical facility/pharmacy about it. Only the doctor's office knew. Not 2 weeks later my parents (whom I hadn't lived with in 20 years) were getting calls advertising drugs and therapies for my condition. HIPAA my ass....

    2. Re:Do EMR systems have controls? by darkmeridian · · Score: 1

      Medical records are not supposed to be open to everyone in the medical facility. Accessing medical information just for shits and giggles will get you fired.

      http://www.nydailynews.com/ent...

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    3. Re:Do EMR systems have controls? by cmseagle · · Score: 1

      You're over generalizing. The major players in the EHR marketplace offer modern software suites with all the security/access auditing bells and whistles you would expect of a program that handles something as sensitive as medical data. There are protections in place to prevent egregious abuses of access, but something as subtle as what's described in this story (occasional inappropriate access over the course of years) would be tough to catch.

      The problem with security, as it is in all types of IT, is that you have to weigh risk against cost and convenience. You can lock down your EHR to an arbitrary degree, but then you start interfering with the ability of clinicians to do their jobs and introduce a ton of administrative overhead if you're reviewing all of that access audit data.

      The major players in the field are starting to do some cool stuff with the "big data" and "machine learning" buzzwords to automate some of these processes for picking up on inappropriate access. It'll be a while before that's viable for a production application.

  7. Re:Weapons Grade Negligence by Anonymous Coward · · Score: 1

    Actually, yes. Financial and medical institutions should have IT security folk that do nothing but review the security of their system.
    That include equipment, patching schedules, user CONOPS, account maintenance, and of course, user access uses.

    In this case, the misuse of the information seems to have been minimal. But it's exactly this sort of information that could be used for blackmail, to ruin or even end someone's life. So it needs to be protected.

    And this hospital absolutely failed to do so.

  8. Re:None of our data is safe. by HiThere · · Score: 1

    When is the last time that a corporation went to jail for murder?

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  9. Hats off to Hospital IT by scubamage · · Score: 1

    While I have never directly worked in hospital IT, I know plenty of folks who have. I did work for a PACS/RIS/HIS vendor, and I spent about 6 years working beside them. Not only do hospital IT teams chronically get underfunded and understaffed, they have to deal with vendors who give absolutely asinine support requirements ("no, our software only runs on windows NT!" or "Sorry, HP only allows you to use windows server for storage appliances for this device, why no, microsoft has never released a service pack for it, why do you ask?"). Worse, a lot of their extremely expensive equipment has embedded OS's that will likely never see an update because the vendors simply don't supply them, or because risking a bad update can quite literally cost lives. It's a really, really tough IT segment. People like to derp at them "well why don't you just update things!" without realizing that in many cases they simply can't because of the vendors who release the hardware not providing adequate support. Preventative measures would be their best bet, but boards of trustees rarely see it as worthwhile to give those IT departments funding to implement those preventative measures well. It's a shit sandwich.

  10. mumps software is old and may not have much by Joe_Dragon · · Score: 1

    mumps software is old and may not have much security. Or security just get's in the way of it being linked to other systems.

    1. Re:mumps software is old and may not have much by cmseagle · · Score: 1

      You're over generalizing. Several of the major players in the EHR field run on an M database. They offer modern software suites with all the security bells and whistles that you'd expect of a program handling something as sensitive as medical record data.

      The problem comes in when you have to start balancing cost/convenience against risk of abuse. You could lock down your EHR to an arbitrary degree, but then it starts to interfere with users' ability to do their jobs. The more stringent your auditing protocols, the more cost you pile on in administrative overhead. The "security vs. convenience" battle is not at all specific to M or to healthcare IT.

  11. Re:None of our data is safe. by bws111 · · Score: 1

    Guess you missed the whole state run institution bit, eh?

  12. Re:None of our data is safe. by bws111 · · Score: 1

    When was the last time that a corporation committed murder?

  13. IOW by nospam007 · · Score: 1

    They are still on Windows 95.

  14. Re:None of our data is safe. by Wizy · · Score: 1

    Ask the Navajo about Peabody Coal.

  15. Re:None of our data is safe. by bobbied · · Score: 1

    I said "civil court" if you where paying attention. Maybe you don't understand how our courts actually work?

    When was anybody EVER tried, convicted and sentenced for murder in a civil court? (That would be Never...)

    You don't get sent to jail by a civil court, you get convicted of crimes like murder in a criminal court. Civil courts are only about property, money and stuff, not about punishing crimes.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  16. The flaw of averages by jbmartin6 · · Score: 1

    Now we know why the "average time to detection" is 271 days or some such nonsense.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  17. The data breach by hey! · · Score: 1

    was apparently an individual clerk abusing his authorization to poke around in patient files. The "14" years timing is interesting; HIPAA's privacy rules took effect in 2003, in other words 14 years ago.

    So while by modern standards this event is a breach, it's not the kind of technical breach people seem to think it was. What's more at the time it may not even have resulted from violations of then-current standard practices. Back in the day it was common to simply trust people who needed access to records to use that access responsibly.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  18. Still shorter by jmccue · · Score: 1

    Well, that is still much shorter that it takes Massachusetts to build a simple Bridge.

  19. Re:Weapons Grade Negligence by cmseagle · · Score: 1

    If it ain't broke, don't fix it. M is archaic and lacks many of the conveniences and guardrails of modern languages, but it's also ludicrously fast and scalable. Much of the hate is actually for Meditech's in-house language MAGIC. It's often conflated with M but isn't the same language at all.