posted by martyb on Friday May 09 2014, @01:33PM   Printer-friendly
from the first-do-no-harm dept.

An inadvertent data leak that stemmed from a physician's attempt to reconfigure a server cost New York Presbyterian Hospital and Columbia University Medical Center $4.8 million to settle with the U.S. Department of Health and Human Services (HHS). The hospitals and HHS announced the voluntary settlement, which ends an inquiry into the incident, on Wednesday.

From the article:

The breach occurred in 2010 after a physician at Columbia University Medical Center attempted to "deactivate" a personally owned computer from a New York Presbyterian network segment that contained sensitive patient health information, according to the HHS.

In a joint statement, the two hospitals blamed the leakage on an "errantly configured" computer server. The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web.

New York Presbyterian will pay $3.3 million, while Columbia will pay $1.5 million to settle the complaint. The hospitals also agreed to take "substantive" corrective action, including development of a new risk management plan and new policies and procedures for handling patient data. HHS will also be provided with periodic progress updates under the agreement.

  • (Score: 2) by mrbluze on Friday May 09 2014, @01:48PM

    by mrbluze (49) on Friday May 09 2014, @01:48PM (#41240) Journal

    He shouldn't have been allowed to run a server that can serve anything but an intranet and even then under the supervision of IT staff. Hospital administrators know about some types of risk management but when it comes to IT they are clueless.

    --
    Do it yourself, 'cause no one else will do it yourself.
  • (Score: 5, Insightful) by pe1rxq on Friday May 09 2014, @02:13PM

    by pe1rxq (844) on Friday May 09 2014, @02:13PM (#41248) Homepage

    Why did the IT staff provide access to sensitive data to a random server in the first place?

    What the doctor was allowed to do should not even be the question.
    If the IT staff was even remotely competent it should not have been possible for the doctor's server to access the data in the first place.

    • (Score: 4, Interesting) by velex on Friday May 09 2014, @04:21PM

      by velex (2068) on Friday May 09 2014, @04:21PM (#41295) Journal

      Have you ever tried telling a doctor "no" before?

      There are some good doctors who are reasonable people, but the impression I get is that there must be a popular elective in med school about doing improv impersonations of Gunnery Sergeant Hartman.

      Oh well, at least it's only nurses who are actually assaulted by doctors on the job, not IT folks.

      This is why we can't have Nice Things.

      • (Score: 2, Informative) by Anonymous Coward on Friday May 09 2014, @04:27PM

        by Anonymous Coward on Friday May 09 2014, @04:27PM (#41300)

        Having supported hospital IT in the past, I can tell you that IT has to cave to the doctor's whims in many cases. They will threaten to leave and take their patients with them if they don't get hardware/software "X" installed.

        I still contend that all new doctors should be kicked in the groin when they get their diploma to remind them they are still human.

        • (Score: 2, Informative) by SecurityGuy on Friday May 09 2014, @08:13PM

          by SecurityGuy (1453) on Friday May 09 2014, @08:13PM (#41378)

          Having worked in healthcare before, I agree and would even add that they didn't even have to threaten. The IT guys usually don't work for the doctor in question in cases like this, but sometimes they share a common management chain.

          You know who is generally in the management chain of hospitals? Doctors.

          When a doctor and an IT guy go before the head of the department because one wants to do something risky (in the IT sense) in order to accomplish some kind of patient care or research, you know who wins? Usually the doctors.

          I was pretty happy to see HIPAA passed just for that reason. Really big fines were the only thing that was going to change that culture.

  • (Score: 2) by tangomargarine on Friday May 09 2014, @02:36PM

    by tangomargarine (667) on Friday May 09 2014, @02:36PM (#41264)

    Why do we have to blame only one party? IT should have known not to give him access, and Doc should have known that he didn't know what he was doing and to get somebody who was actually qualified to run his server or something.

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 3, Interesting) by tangomargarine on Friday May 09 2014, @02:39PM

      by tangomargarine (667) on Friday May 09 2014, @02:39PM (#41265)

      It is not clear why a physician had a personally owned system connected to the network, or why he was attempting to "deactivate" it.

      In a joint statement, the two hospitals blamed the leakage on an "errantly configured" computer server. The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web.

      The leak was discovered after the hospitals received a complaint from an individual who discovered personal health information about his or her deceased partner on the Web.

      An investigation by the HHS Office for Civil Rights (OCR) found that neither CU nor NYP had implemented adequate security protections, or undertook a risk analysis or audit to identify the location of sensitive patient health information on the joint network.

      So it sounds like somebody got handed the Idiot Stick and just lay about themselves as hard as they could, really.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 2, Insightful) by Anonymous Coward on Friday May 09 2014, @04:00PM

      by Anonymous Coward on Friday May 09 2014, @04:00PM (#41290)

      There are always a few users at any sufficiently large organization who think they're particularly clever with computers and are powerful enough to get their way. It wouldn't surprise me if it was mostly the doctor's fault for demanding a certain level of access he didn't deserve and threatening the IT department to give him what he asked for; they probably have documented his demands and raised objections.

      This is based on my experience in a similar situation, doing IT work for various small health organizations. The doctors are usually more influential than the IT staff and get their way unless there is a manager with a good head on their shoulders that knows how to tell them no.

    • (Score: 2) by Hairyfeet on Friday May 09 2014, @06:09PM

      by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Friday May 09 2014, @06:09PM (#41337) Journal

      Sorry but if you have to deal with assholes you learn quickly the magic word is "sandbox". If they want X you give them X and ONLY X by having X in a sandbox locked down so only Mr Asshole can access it.

      And where in TFA does it say he had his own server? Because I read it 3 times trying to parse WTF went on, and it's so vague that for all I know he hooked his laptop into the network and somehow ended up with a blank password. The article is poorly written and so light on details it may as well read "doc did something to do with a server somewhere that was bad, costs lots of money", because as it is all I know is the doc did something wrong that involved a server. It doesn't say if it was his or theirs; I can only guess theirs since patient records were on it, but for all we know they were on his laptop. All we can do is pull scenarios out our ass at this point because there just isn't enough to go on to say one way or another.

      --
      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
      • (Score: 2) by tangomargarine on Friday May 09 2014, @07:02PM

        by tangomargarine (667) on Friday May 09 2014, @07:02PM (#41355)

        The breach occurred in 2010 after a physician at Columbia University Medical Center attempted to "deactivate" a personally owned computer from a New York Presbyterian network segment that contained sensitive patient health information, according to the HHS.

        The two health care organizations have a mutual agreement under which CU faculty members serve as physicians at NYP. The two entities operate a shared network that links to systems containing patient health data at NYP.

        It is not clear why a physician had a personally owned system connected to the network, or why he was attempting to "deactivate" it.

        I assumed that "personally owned" parsed to "personally owned by the physician in question" which is admittedly perhaps not the best assumption to make. And you're right, the article is extremely light on any sort of detail.

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
        • (Score: 2) by Hairyfeet on Friday May 09 2014, @09:35PM

          by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Friday May 09 2014, @09:35PM (#41402) Journal

          All that means is he had a PC on the network; for all we know he hooked his laptop into the network and ended up with patient records on it. Having set up several doctor's offices, frankly I find this a more believable scenario. Docs just looove their laptops and prefer using them to an onsite computer, and if the numbnuts (it says something about "errant settings") gave him a single password that gave him full access, I could see where there would be a problem.

          But again with so few details all we can do is speculate, there really isn't enough to go on to even know what happened, much less assign blame.

          --
          ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
          • (Score: 2) by mrbluze on Saturday May 10 2014, @02:07AM

            by mrbluze (49) on Saturday May 10 2014, @02:07AM (#41452) Journal

            If the stuff leaked via the hospital system it is the fault of IT, not the doctor. If the stuff leaked off his laptop the doctor should be prosecuted. IT systems are supposed to be designed to withstand abuse internally and externally. It's their policy decision to allow non-corporate laptops access; if they don't know how to do that without protecting patient records then that's just plain stupid on IT's part.

            --
            Do it yourself, 'cause no one else will do it yourself.
            • (Score: 2) by Hairyfeet on Saturday May 10 2014, @05:10AM

              by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Saturday May 10 2014, @05:10AM (#41495) Journal

              You haven't ever done the whole consulting thing, have you? Oh how nice it must be to think logic and sanity actually exist in these big corps...BWA HA HA HA HA! In reality Dilbert is frankly being too kind; hell, I have walked into the IT closet of a fricking LAW FIRM and found a shitload of DLink blue home routers and a dozen net connections all bastardized together because "He knew computers and was cheap".

              See what you get is basically a twist on "upward failure". MBA douche fires competent staff, replaces them with dipshits, saves company a ton of money. MBA gets bonus, gets a job at other company thanks to having "saved company X amount of money" on resume, meanwhile the replacements have royally fucked the place up, shit is falling apart, the guys that knew WTF was going on bailed leaving only those that either didn't care or were barely functioning to hold down the fort which is falling around their knees, but the MBA has already made his bucks and moved on so why should he care?

              THIS is why I run my little shop now and deal with mostly SOHOs, SMBs and home users. Sure it's feast or famine and the pay ain't as nice, but I don't have a bleeding ulcer and look like a corpse from being called into these places only to find a clusterfuck. The stress was getting me so bad at having to deal with the messes that my nephews actually staged an intervention. They said "We don't need the money, we need you healthy. We done lost mom and dad, we can't lose you too" and that woke me the fuck up. But sadly, as we saw by that million dollar fine, what SHOULD happen in these large corps and what DOES happen? Usually as far apart as my butt is to Pluto.

              --
              ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.