SoylentNews is people
SoylentNews
An inadvertent data leak that stemmed from a physician's attempt to reconfigure a server cost New York Presbyterian Hospital and Columbia University Medical Center $4.8 million to settle with the U.S. Department of Health and Human Services (HHS). The hospitals and HHS announced the voluntary settlement, which ends an inquiry into the incident, on Wednesday.
From the article:
The breach occurred in 2010 after a physician at Columbia University Medical Center attempted to "deactivate" a personally owned computer from an New York Presbyterian network segment that contained sensitive patient health information, according to the HHS.
In a joint statement, the two hospitals blamed the leakage on an "errantly configured" computer server. The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web.
New York Presbyterian will pay $3.3 million, while Columbia will pay $1.5 million to settle the complaint. The hospitals also agreed to take "substantive" corrective action, including development of a new risk management plan and new policies and procedures for handling patient data. HHS will also be provided with periodic progress updates under the agreement.
(Score: 5, Interesting) by Angry Jesus on Friday May 09 2014, @02:24PM
When I heard about this story, I wanted to submit it myself. But the specifics of what actually happened are extremely vague so I passed. It sure seems weird that "deactivating" a personal computer would cause a server to start exposing data. It made me wonder if the doctor is being scape-goated.
(Score: 4, Interesting) by Woods on Friday May 09 2014, @02:48PM
Yeah, the article almost seems to be written by the same people who do tech scenes in movies...
I assume this means he removed it from the domain? But really, there is no phrase "deactivate" in regards to an entire computer. Maybe he "deactivated" his antivirus, or firewall on his computer?
Whatever "deactivate" means, there is no reason "deactivating" anything on a personal computer would affect a server. If the server was misconfigured, it would have been that way before the PC was changed. Perhaps you are right about the "scape-goated" doctor.
(Score: 1) by Alien8r on Friday May 09 2014, @02:56PM
Yep, really short on details AND poorly worded.
The article mixes terms that might describe an end user device and a server.
In total they are talking a bout a server, not some end user device.
So, some doctor reconfigured a server and left it less secure.
-----
In hospital environments doctors are the top of the food chain and IT people are tolerated.
Different departments will set up their own systems, different departments will have outside vendors configure their systems and allow firewall holes for outside 'management'.
It is worse then you imagine and the CIO/CTO (in my experience) will be forced to allow the various doctors whims.
No brain, no pain.
(Score: 5, Interesting) by starcraftsicko on Friday May 09 2014, @02:57PM
I suspect that the reporter was just as qualified to explain what happened as the doctor was to do it in the first place. It could be the doctor being scapegoated, but I suspect something else.
Remember that lots of professionals and organizations dislike IT workers for always finding reasons NOT to do something. As an example - one of the supposed benefits of 'cloud' technology is supposed to be the democratization of IT... departments and individuals can run their own IT projects... but this case doesn't involve clouds (that we know of).
Wealthy(ish) professionals (like doctors...) also like to have the tools that they prefer rather than the ones that are tested and secure. This has led, for example, to the fast inclusion of iPads in corporate networks even though the tools do properly configure/manage/secure them did not exist. Where I work, every month or so, someone brings in some device -- computer/laptop/tablet/printer/etc. -- and expects full access to the corporate network along with software updates and special treatment...
Sounds to me like 'some doctor' brought in 'his computer' for something or other that IT didn't have the resources for and it wound up being used for for some kind of IIS or Sharepoint (??) server. At a later date, he then brought 'his computer' home and plugged it directly into his cable/dsl modem. If IIS was still serving pages...
Anyway, that's my guess.
This post was created with recycled electrons.
(Score: 2) by Woods on Friday May 09 2014, @03:50PM
+1 Insightful
A viable explanation, I did not think that they were mixing up PC and Server, but if they were then that makes way more sense.
In the end, I would think it would have to be a targeted attack against the doctor for the right person to get the information. If it were just a random "Hacker" going around looking into systems, I highly doubt they would be interested in looking for medical information to post publicly.
(Score: 3, Interesting) by starcraftsicko on Friday May 09 2014, @06:10PM
Possible, but not necessary.
Again, assume that IIS is running unsecured on a windows machine with a disabled firewall located on a public ipv4 IP (like you would have if you plug to a cable modem directly, for example). It is plausible that a crawler/search engine would try to index http://aaa.bbb.ccc.ddd/ [ccc.ddd].
If directory listing is permitted... then almost anything could be indexed -- patient notes, test reports, images...
Even if it isn't, if someone created a helpful 404 error page with a relative link back to an appropriate menu or start location, information could be innocently revealed...
And I haven't seen too many robots.txt files set up for intranet services. Google and it's honest competitors wouldn't even have to be evil to index the site.
This post was created with recycled electrons.
(Score: 2) by Woods on Friday May 09 2014, @06:43PM
Dang son, that is some smart thinking. Whoever you work for needs to give you a raise, and I should be embarrassed for not being able to come up with that.
I can definitely attest to people just plugging things in wherever they go. Too many times have I seen someone bring in a router from home, plug it in to the network, and bring the company to its knees instantly.
(Score: 2) by Angry Jesus on Friday May 09 2014, @07:44PM
Not a dis on sicko, but the general scenario he described happens all the time. [wikipedia.org]
(Score: 3, Interesting) by karmawhore on Friday May 09 2014, @03:34PM
Having worked in healthcare IT, I can say for certain that a provider will not be scapegoated. Even if the problem was the doctor's fault beginning-to-end, they would still find a way to can somebody in the datacenter instead. Doctors are recruited. IT personnel are tolerated. Doctors bring in patients and money. IT is a cost center.
So if this guy managed to catch the blame, either he was already on his way out or what he did was MUCH dumber that what they're saying in the press release.
=kw= lurkin' to please
(Score: 2) by egcagrac0 on Friday May 09 2014, @04:34PM
I am guessing that there was some "convenient" tool like PCAnywhere or LogMeIn running on the personally-owned-system that may have allowed the data to escape.
Of course, I don't know for certain, but it seems logical enough that a somewhat techie doctor might try to do "cool" stuff like that.
(Score: 5, Informative) by egcagrac0 on Friday May 09 2014, @04:36PM
Well, look at that... more information. [healthcareitnews.com]
The doctor in question was an application developer, too.
(Score: 2) by The Archon V2.0 on Friday May 09 2014, @08:08PM
Oh, good lord, one of those. Takes a decade to get where he is, then spends a weekend reading a "For Dummies" book and decides he can do the job someone else took a decade to get to.
(That is a snap judgement, I admit. To be fair, he could be a coder who went back to school and became an MD. I mean, it's possible. I suppose that happened. Once. Maybe.)
(Score: 1) by SecurityGuy on Friday May 09 2014, @08:19PM
It still highlights why there is and should be a separation of duties. If you're both guy charged with "getting things done" and securing the data, sooner or later you're going to cut corners.
"Dammit, I don't know why this isn't working but I need it to work RIGHT NOW! Lemme just turn the firewall off and see if that fixes it...it does! Great, I'll fix it for real later." Then you never turn the firewall back on because you're busy fighting the next fire(s).
(Score: 1) by MostCynical on Friday May 09 2014, @11:26PM
he developed for his own facility.. which means he said he could do it cheaper and better than any 'off the shelf product.. and he was right, provided he and the IT department did the bug fuxes and support on top of their usual duties..
Often, doctors get grants or donations of equipment, which are purchased, provisioned and set up completely independantly from hospital IT. The systems may, over time, get data from other systems in the hospital, eventually being the most complete set of records for patients in the doctor's department.
Once the grant money runs out, or when the doctor leaves, no one seems to be able to fidnout who 'owns' the data.
The doctor will claim it (collected using his grant money, after all), but does that include the rest of the patient's records, collected elsewhere in the hospital?
then the data gets one the web...
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex