Slashdot Mirror
It Took a Massachusetts Hospital 14 Years To Detect a Data Breach (grahamcluley.com)
An anonymous reader shares a report: To make matters worse, even after all that time -- it wasn't the medical center itself that discovered the incident. Tewksbury Hospital learned of the breach in the spring of 2017. It hasn't found any evidence to suggest the security incident resulted in attackers misusing patients data. Even so, it believes the event compromised the security of affected individuals' personal and medical information. As the state-run institution explains in a statement: "In April of this year, a former patient expressed concern that someone may have accessed their electronic medical record inappropriately. A review conducted in response to this complaint revealed that one hospital employee appeared to have accessed the former patient's records without a good reason to do so. This discovery led to a broader review of the employee's use of the electronic medical records system at Tewksbury Hospital. As a result of this review, we were able to determine that the employee appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients."
Oh please.. It was an INSIDER who did this and apparently wasn't out downloading mass amounts of data all at once. How do you distinguish between an insider doing their job and this? I'm just amazed that they kept the access logs for 14 years so they could go back and audit this one user.
You want every hospital in the world to put in strict access monitoring and then have a team that does nothing but monitor and verify each and every data access? Talk about expensive and adding to healthcare costs, for what? Certainly this won't have a positive affect on healthcare delivered...
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
The people who were responsible for information security should receive the death penalty for such egregious negligence.
Probably those MUMPS anti-vaxxers again...
Ezekiel 23:20
Actually, most hospitals do have just such a system in place. There are plenty of ways for it to be configured. In most cases it takes several unusual hits for it to flag for a review so a clinical user (nurse, therapist, etc) can definitely get away with a lot before it would flag them - it really depends on how they accessed it and what they accessed. Systems 14 years old probably don't have as much security.
I know that among other things our system even compares my address to those of patients I access to make sure I'm not trying to snoop on neighbors.
It sounds like this was an insider who was just accessing someone's records for fun or to find something out about someone. I'm not surprised it took them 14 years to detect it either -- Tewksbury Hospital is a psychiatric hospital. Every state, even ones like Massachusetts, has been running away screaming from the obligation to provide mental health services ever since Thorazine was invented. They probably have even less budget than a typical hospital's IT department. Where I live in New York, inpatient mental health care barely exists; you need to be truly dangerous to end up in a psychiatric hospital -- even too dangerous for prison or jail.
I'm not in healthcare IT so I don't know...are electronic health record systems designed to not allow random snooping through people's information? You would think, with HIPPA and everything, that record access would be limited to people who have reason to look at it, and of course the system admins. In my experience in other fields though, no one goes looking through system access logs until someone has reason to suspect something, so usually it takes someone reporting something like what happened here.
I guess patient record security would have limited this, but I'm sure there are still ways around it. Back in my client support days, I did a lot of work with HR -- talk about the world's worst gossip clique! HR people love snooping through peoples' files, basically just for the lulz.