Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Friday May 09 2014, @01:33PM   Printer-friendly
from the first-do-no-harm dept.

An inadvertent data leak that stemmed from a physician's attempt to reconfigure a server cost New York Presbyterian Hospital and Columbia University Medical Center $4.8 million to settle with the U.S. Department of Health and Human Services (HHS). The hospitals and HHS announced the voluntary settlement, which ends an inquiry into the incident, on Wednesday.

From the article:

The breach occurred in 2010 after a physician at Columbia University Medical Center attempted to "deactivate" a personally owned computer from an New York Presbyterian network segment that contained sensitive patient health information, according to the HHS.

In a joint statement, the two hospitals blamed the leakage on an "errantly configured" computer server. The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web.

New York Presbyterian will pay $3.3 million, while Columbia will pay $1.5 million to settle the complaint. The hospitals also agreed to take "substantive" corrective action, including development of a new risk management plan and new policies and procedures for handling patient data. HHS will also be provided with periodic progress updates under the agreement.

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1) by artman on Friday May 09 2014, @01:34PM

    by artman (1584) on Friday May 09 2014, @01:34PM (#41236)

    But I play one on TV.

    --
    No Sig for me Thanks
    • (Score: 2) by Woods on Friday May 09 2014, @01:59PM

      by Woods (2726) <woods12@gmail.com> on Friday May 09 2014, @01:59PM (#41243) Journal

      Was that a reference to a commercial that is a reference to a TV show? If so, you get five internets.

    • (Score: 1) by Jude on Friday May 09 2014, @02:19PM

      by Jude (3430) on Friday May 09 2014, @02:19PM (#41255)

      I think 8.1 is like 8, but with a separate channel for deep bass.

      Sad, replying to a sig, I know.

    • (Score: 5, Interesting) by Hairyfeet on Friday May 09 2014, @04:23PM

      by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Friday May 09 2014, @04:23PM (#41297) Journal

      I don't see what exactly they are blaming the doc for, it says something vague about trying to "deactivate" a personal system from the server network, whatever that means. Since its vague as hell one can only guess that like many doctors he had his laptop at work and when he found out that his work login also gave him access to patient records he did the prudent thing and tried to restrict access to patient records. TFA says that there was an "errant setting" which I can only guess to mean it let the users change or drop passwords?

      Look I know we need more articles but surely we don't need "here is a thing about a guy that did some stuff" style articles? Hell I'd rather deal with one of RJSVN or Ed Bott's trollbait stories than this because at least in those they give you enough information to form an opinion. After reading TFA twice all I can get is "a doctor did something wrong involving a server somewhere somehow and the government got a big payday from it". As we say here in the south "there just ain't no meat on the bone".

      --
      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
  • (Score: 0) by Anonymous Coward on Friday May 09 2014, @01:41PM

    by Anonymous Coward on Friday May 09 2014, @01:41PM (#41239)

    HIPAA-violation-stat

  • (Score: 2) by mrbluze on Friday May 09 2014, @01:48PM

    by mrbluze (49) on Friday May 09 2014, @01:48PM (#41240) Journal

    He shouldn't have been allowed to run a server that can serve anything but an intranet and even then under the supervision of IT staff. Hospital administrators know about some types of risk management but when it comes to IT they are clueless.

    --
    Do it yourself, 'cause no one else will do it yourself.
    • (Score: 5, Insightful) by pe1rxq on Friday May 09 2014, @02:13PM

      by pe1rxq (844) on Friday May 09 2014, @02:13PM (#41248) Homepage

      Why did the IT staff provide access to sensitive data to a random server in the first place?

      What the doctor was allowed to do should not even be the question.
      If the IT staff was even remotely competent it should not have been possible for the doctor's server to access the data in the first place.

      • (Score: 4, Interesting) by velex on Friday May 09 2014, @04:21PM

        by velex (2068) on Friday May 09 2014, @04:21PM (#41295) Journal

        Have you ever tried telling a doctor "no" before?

        There are some good doctors who are reasonable people, but the impression I get is that there must be a popular elective in med school about doing improv impersonations of Gunnery Sergeant Hartman.

        Oh well, at least it's only nurses who are actually assaulted by doctors on the job, not IT folks.

        This is why we can't have Nice Things.

        • (Score: 2, Informative) by Anonymous Coward on Friday May 09 2014, @04:27PM

          by Anonymous Coward on Friday May 09 2014, @04:27PM (#41300)

          Having supported hospital IT in the past; I can tell you that IT has to cave to the doctor's whims in many cases. The will threaten to leave and take their patients with them if they don't get hardware/software "X" installed.

          I still contend that all new doctors should be kicked in the groin when they get their diploma to remind them they are still human.

          • (Score: 2, Informative) by SecurityGuy on Friday May 09 2014, @08:13PM

            by SecurityGuy (1453) on Friday May 09 2014, @08:13PM (#41378)

            Having worked in healthcare before, I agree and would even add that they didn't even have to threaten. The IT guys usually don't work for the doctor in question in cases like this, but sometimes they share a common management chain.

            You know who is generally in the management chain of hospitals? Doctors.

            When a doctor and an IT guy go before the head of the department because one wants to do something risky (in the IT sense) in order to accomplish some kind of patient care or research, you know who wins? Usually the doctors.

            I was pretty happy to see HIPAA passed just for that reason. Really big fines were the only thing that was going to change that culture.

    • (Score: 2) by tangomargarine on Friday May 09 2014, @02:36PM

      by tangomargarine (667) on Friday May 09 2014, @02:36PM (#41264)

      Why do we have to blame only one party? IT should have known not to give him access, and Doc should have known that he didn't know what he was doing and to get somebody who was actually qualified to run his server or something.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 3, Interesting) by tangomargarine on Friday May 09 2014, @02:39PM

        by tangomargarine (667) on Friday May 09 2014, @02:39PM (#41265)

        It is not clear why a physician had a personally owned system connected to the network, or why he was attempting to "deactivate" it.

        In a joint statement, the two hospitals blamed the leakage on an "errantly configured" computer server. The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web.

        The leak was discovered after the hospitals received a complaint from an individual who discovered personal health information about his or her deceased partner on the Web.

        An investigation by the HHS Office for Civil Rights (OCR) found that neither CU nor NYP had implemented adequate security protections, or undertook a risk analysis or audit to identify the location of sensitive patient health information on the joint network.

        So it sounds like somebody got handed the Idiot Stick and just lay about themselves as hard as they could, really.

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 2, Insightful) by Anonymous Coward on Friday May 09 2014, @04:00PM

        by Anonymous Coward on Friday May 09 2014, @04:00PM (#41290)

        There are always a few users at any sufficiently large organization who think they're particularly clever with computers and are powerful enough to get their way. It wouldn't surprise me if it was mostly the doctor's fault for demanding a certain level of access he didn't deserve and threatening the IT department to give him what he asked for; they probably have documented his demands and raised objections.

        This is based on my experience in a similar situation, doing IT work for various small health organizations. The doctors are usually more influential than the IT staff and get their way unless there is manager with a good head on their shoulders that knows how to tell them no.

      • (Score: 2) by Hairyfeet on Friday May 09 2014, @06:09PM

        by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Friday May 09 2014, @06:09PM (#41337) Journal

        Sorry but if you have to deal with assholes you learn quickly the magic word is "sandbox". If they want X you give them X and ONLY X by having X in a sandbox locked down so only Mr Asshole can access it.

          And where in TFA does it say he had his own server? Because I read it 3 times trying to parse WTF went on and its so vague for all I know he hooked his laptop into the network and somehow ended up with a blank password, the article is poorly written and so light on details it may as well read "doc did something to do with a server somewhere that was bad, costs lots of money" because as it is all I know is the doc did something wrong that involved a server, doesn't say if it was his, theirs, I can only guess theirs since patient records were on it but for all we know they were on his laptop. All we can do is pull scenarios out our ass at this point because there just isn't enough to go on to say one way or another.

        --
        ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
        • (Score: 2) by tangomargarine on Friday May 09 2014, @07:02PM

          by tangomargarine (667) on Friday May 09 2014, @07:02PM (#41355)

          The breach occurred in 2010 after a physician at Columbia University Medical Center attempted to "deactivate" a personally owned computer from an New York Presbyterian network segment that contained sensitive patient health information, according to the HHS.

          The two health care organizations have a mutual agreement under which CU faculty members serve as physicians at NYP. The two entities operate a shared network that links to systems contacting patient health data at NYP.

          It is not clear why a physician had a personally owned system connected to the network, or why he was attempting to "deactivate" it.

          I assumed that "personally owned" parsed to "personally owned by the physician in question" which is admittedly perhaps not the best assumption to make. And you're right, the article is extremely light on any sort of detail.

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
          • (Score: 2) by Hairyfeet on Friday May 09 2014, @09:35PM

            by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Friday May 09 2014, @09:35PM (#41402) Journal

            All that means is he had a PC on the network,for all we know he hooked his laptop into the network and ended up with patient records on it. Having set up several doctor's offices frankly I find this a more believable scenario, docs just looove their laptops and prefer using it to an onsite computer and if the numbnuts (it says something about "errant settings") gave him a single password that gave him full access i could see where there would be a problem.

            But again with so few details all we can do is speculate, there really isn't enough to go on to even know what happened, much less assign blame.

            --
            ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
            • (Score: 2) by mrbluze on Saturday May 10 2014, @02:07AM

              by mrbluze (49) on Saturday May 10 2014, @02:07AM (#41452) Journal

              If the stuff leaked via the hospital system it is the fault of IT, not the doctor. If the stuff leaked off his laptop the doctor should be prosecuted. IT systems are supposed to be designed to withstand abuse internally and externally. It's their policy decision to allow non corporate laptops access, if they don't know how to do that without protecting patient records then that's just plain stupid on IT's part.

              --
              Do it yourself, 'cause no one else will do it yourself.
              • (Score: 2) by Hairyfeet on Saturday May 10 2014, @05:10AM

                by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Saturday May 10 2014, @05:10AM (#41495) Journal

                You haven't ever done the whole consulting thing, have you? Oh how nice it must be to think logic and sanity actually exists in these big corps...BWA HA HA HA HA! In reality Dilbert is frankly being too kind, hell i have walked into the IT closet of a fricking LAW FIRM and found a shitload of DLink blue home routers and a dozen net connections all bastardized together because "He knew computers and was cheap".

                See what you get is basically a twist on "upward failure". MBA douche fires competent staff, replaces them with dipshits, saves company a ton of money. MBA gets bonus, gets a job at other company thanks to having "saved company X amount of money" on resume, meanwhile the replacements have royally fucked the place up, shit is falling apart, the guys that knew WTF was going on bailed leaving only those that either didn't care or were barely functioning to hold down the fort which is falling around their knees, but the MBA has already made his bucks and moved on so why should he care?

                THIS is why I run my little shop now and deal with mostly SOHOs, SMBs and home users. Sure its feast or famine and the pay ain't as nice but I don't have a bleeding ulcer and look like a corpse from being called into these places only to find a clusterfuck. the stress was getting me so bad at having to deal with the messes that my nephews actually staged an intervention, they said "We don't need the money, we need you healthy. We done lost mom and dad, we can't lose you too" and that woke me the fuck up. But sadly as we saw by that million dollar fine what SHOULD happen in these large corps and what DOES happen? Usually as far apart as my butt is to Pluto.

                --
                ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
  • (Score: 1) by TK-421 on Friday May 09 2014, @01:50PM

    by TK-421 (3235) on Friday May 09 2014, @01:50PM (#41241) Journal

    I would love to see a follow up article, five years from now, where each of the listed defendants is interviewed. It will take that long to see if anyone has learned anything from the incident and has applied the new knowledge in an effort to avoid similar mistakes. I don't actually expect that either to happen (follow up or knowledge application) but one can hope.

  • (Score: 3, Insightful) by egcagrac0 on Friday May 09 2014, @02:13PM

    by egcagrac0 (2705) on Friday May 09 2014, @02:13PM (#41247)

    I tell you what: I won't go doing surgery or prescribing drugs, you don't go trying to run the computers.

  • (Score: 1) by Anonymous Coward on Friday May 09 2014, @02:15PM

    by Anonymous Coward on Friday May 09 2014, @02:15PM (#41251)

    The summary isn't entirely clear to me.

    Did the privately owned computer contain the sensitive data? If so, what was that sensitive data doing on a privately owned PC? And how could de-registering that PC expose the data?

    Did the network segment contain the sensitive data? Then the PC de-registering procedure must be seriously broken if it can, even by accident, expose that data as result.

  • (Score: 5, Interesting) by Angry Jesus on Friday May 09 2014, @02:24PM

    by Angry Jesus (182) on Friday May 09 2014, @02:24PM (#41257)

    When I heard about this story, I wanted to submit it myself. But the specifics of what actually happened are extremely vague so I passed. It sure seems weird that "deactivating" a personal computer would cause a server to start exposing data. It made me wonder if the doctor is being scape-goated.

    • (Score: 4, Interesting) by Woods on Friday May 09 2014, @02:48PM

      by Woods (2726) <woods12@gmail.com> on Friday May 09 2014, @02:48PM (#41272) Journal

      Yeah, the article almost seems to be written by the same people who do tech scenes in movies...

      ...a physician at Columbia University Medical Center attempted to "deactivate" a personally owned computer...

      I assume this means he removed it from the domain? But really, there is no phrase "deactivate" in regards to an entire computer. Maybe he "deactivated" his antivirus, or firewall on his computer?

      In a joint statement, the two hospitals blamed the leakage on an "errantly configured" computer server.

      Whatever "deactivate" means, there is no reason "deactivating" anything on a personal computer would affect a server. If the server was misconfigured, it would have been that way before the PC was changed. Perhaps you are right about the "scape-goated" doctor.

    • (Score: 1) by Alien8r on Friday May 09 2014, @02:56PM

      by Alien8r (1322) on Friday May 09 2014, @02:56PM (#41277) Homepage

      Yep, really short on details AND poorly worded.
      The article mixes terms that might describe an end user device and a server.
      In total they are talking a bout a server, not some end user device.
      So, some doctor reconfigured a server and left it less secure.
      -----
      In hospital environments doctors are the top of the food chain and IT people are tolerated.
      Different departments will set up their own systems, different departments will have outside vendors configure their systems and allow firewall holes for outside 'management'.
      It is worse then you imagine and the CIO/CTO (in my experience) will be forced to allow the various doctors whims.
       

      --
      No brain, no pain.
    • (Score: 5, Interesting) by starcraftsicko on Friday May 09 2014, @02:57PM

      by starcraftsicko (2821) on Friday May 09 2014, @02:57PM (#41278) Journal

      It made me wonder if the doctor is being scape-goated.

      I suspect that the reporter was just as qualified to explain what happened as the doctor was to do it in the first place. It could be the doctor being scapegoated, but I suspect something else.

      Remember that lots of professionals and organizations dislike IT workers for always finding reasons NOT to do something. As an example - one of the supposed benefits of 'cloud' technology is supposed to be the democratization of IT... departments and individuals can run their own IT projects... but this case doesn't involve clouds (that we know of).

      Wealthy(ish) professionals (like doctors...) also like to have the tools that they prefer rather than the ones that are tested and secure. This has led, for example, to the fast inclusion of iPads in corporate networks even though the tools do properly configure/manage/secure them did not exist. Where I work, every month or so, someone brings in some device -- computer/laptop/tablet/printer/etc. -- and expects full access to the corporate network along with software updates and special treatment...

      Sounds to me like 'some doctor' brought in 'his computer' for something or other that IT didn't have the resources for and it wound up being used for for some kind of IIS or Sharepoint (??) server. At a later date, he then brought 'his computer' home and plugged it directly into his cable/dsl modem. If IIS was still serving pages...

      Anyway, that's my guess.
         

      --
      This post was created with recycled electrons.
      • (Score: 2) by Woods on Friday May 09 2014, @03:50PM

        by Woods (2726) <woods12@gmail.com> on Friday May 09 2014, @03:50PM (#41289) Journal

        +1 Insightful

        A viable explanation, I did not think that they were mixing up PC and Server, but if they were then that makes way more sense.

        In the end, I would think it would have to be a targeted attack against the doctor for the right person to get the information. If it were just a random "Hacker" going around looking into systems, I highly doubt they would be interested in looking for medical information to post publicly.

        • (Score: 3, Interesting) by starcraftsicko on Friday May 09 2014, @06:10PM

          by starcraftsicko (2821) on Friday May 09 2014, @06:10PM (#41338) Journal

          In the end, I would think it would have to be a targeted attack against the doctor for the right person to get the information.

          Possible, but not necessary.

          Never attribute to malice that which is adequately explained by stupidity.

          Again, assume that IIS is running unsecured on a windows machine with a disabled firewall located on a public ipv4 IP (like you would have if you plug to a cable modem directly, for example). It is plausible that a crawler/search engine would try to index http://aaa.bbb.ccc.ddd/ [ccc.ddd].

          If directory listing is permitted... then almost anything could be indexed -- patient notes, test reports, images...

          Even if it isn't, if someone created a helpful 404 error page with a relative link back to an appropriate menu or start location, information could be innocently revealed...

          And I haven't seen too many robots.txt files set up for intranet services. Google and it's honest competitors wouldn't even have to be evil to index the site.

          --
          This post was created with recycled electrons.
          • (Score: 2) by Woods on Friday May 09 2014, @06:43PM

            by Woods (2726) <woods12@gmail.com> on Friday May 09 2014, @06:43PM (#41348) Journal

            Dang son, that is some smart thinking. Whoever you work for needs to give you a raise, and I should be embarrassed for not being able to come up with that.

            I can definitely attest to people just plugging things in wherever they go. Too many times have I seen someone bring in a router from home, plug it in to the network, and bring the company to its knees instantly.

    • (Score: 3, Interesting) by karmawhore on Friday May 09 2014, @03:34PM

      by karmawhore (1635) on Friday May 09 2014, @03:34PM (#41286)

      Having worked in healthcare IT, I can say for certain that a provider will not be scapegoated. Even if the problem was the doctor's fault beginning-to-end, they would still find a way to can somebody in the datacenter instead. Doctors are recruited. IT personnel are tolerated. Doctors bring in patients and money. IT is a cost center.

      So if this guy managed to catch the blame, either he was already on his way out or what he did was MUCH dumber that what they're saying in the press release.

      --
      =kw= lurkin' to please
    • (Score: 2) by egcagrac0 on Friday May 09 2014, @04:34PM

      by egcagrac0 (2705) on Friday May 09 2014, @04:34PM (#41302)

      I am guessing that there was some "convenient" tool like PCAnywhere or LogMeIn running on the personally-owned-system that may have allowed the data to escape.

      Of course, I don't know for certain, but it seems logical enough that a somewhat techie doctor might try to do "cool" stuff like that.

      • (Score: 5, Informative) by egcagrac0 on Friday May 09 2014, @04:36PM

        by egcagrac0 (2705) on Friday May 09 2014, @04:36PM (#41305)

        Well, look at that... more information. [healthcareitnews.com]

        The doctor in question was an application developer, too.

        • (Score: 2) by The Archon V2.0 on Friday May 09 2014, @08:08PM

          by The Archon V2.0 (3887) on Friday May 09 2014, @08:08PM (#41375)

          Oh, good lord, one of those. Takes a decade to get where he is, then spends a weekend reading a "For Dummies" book and decides he can do the job someone else took a decade to get to.

          (That is a snap judgement, I admit. To be fair, he could be a coder who went back to school and became an MD. I mean, it's possible. I suppose that happened. Once. Maybe.)

          • (Score: 1) by SecurityGuy on Friday May 09 2014, @08:19PM

            by SecurityGuy (1453) on Friday May 09 2014, @08:19PM (#41380)

            It still highlights why there is and should be a separation of duties. If you're both guy charged with "getting things done" and securing the data, sooner or later you're going to cut corners.

            "Dammit, I don't know why this isn't working but I need it to work RIGHT NOW! Lemme just turn the firewall off and see if that fixes it...it does! Great, I'll fix it for real later." Then you never turn the firewall back on because you're busy fighting the next fire(s).

        • (Score: 1) by MostCynical on Friday May 09 2014, @11:26PM

          by MostCynical (2589) on Friday May 09 2014, @11:26PM (#41427) Journal

          he developed for his own facility.. which means he said he could do it cheaper and better than any 'off the shelf product.. and he was right, provided he and the IT department did the bug fuxes and support on top of their usual duties..
          Often, doctors get grants or donations of equipment, which are purchased, provisioned and set up completely independantly from hospital IT. The systems may, over time, get data from other systems in the hospital, eventually being the most complete set of records for patients in the doctor's department.

          Once the grant money runs out, or when the doctor leaves, no one seems to be able to fidnout who 'owns' the data.

          The doctor will claim it (collected using his grant money, after all), but does that include the rest of the patient's records, collected elsewhere in the hospital?

          then the data gets one the web...

           

          --
          "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex