Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Privacy

It Took a Massachusetts Hospital 14 Years To Detect a Data Breach (grahamcluley.com) 52

An anonymous reader shares a report: To make matters worse, even after all that time -- it wasn't the medical center itself that discovered the incident. Tewksbury Hospital learned of the breach in the spring of 2017. It hasn't found any evidence to suggest the security incident resulted in attackers misusing patients data. Even so, it believes the event compromised the security of affected individuals' personal and medical information. As the state-run institution explains in a statement: "In April of this year, a former patient expressed concern that someone may have accessed their electronic medical record inappropriately. A review conducted in response to this complaint revealed that one hospital employee appeared to have accessed the former patient's records without a good reason to do so. This discovery led to a broader review of the employee's use of the electronic medical records system at Tewksbury Hospital. As a result of this review, we were able to determine that the employee appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients."
This discussion has been archived. No new comments can be posted.

It Took a Massachusetts Hospital 14 Years To Detect a Data Breach

Comments Filter:
  • Data is useless if it is inaccessible. Eventually, one of your authorized users will break an access rule, and on occasion they will do so in a way that gets them caught.

    • Or more generally speaking,you cannot have authorized access without possible unauthorized access
  • by ErichTheRed ( 39327 ) on Friday August 25, 2017 @01:04PM (#55084493)

    It sounds like this was an insider who was just accessing someone's records for fun or to find something out about someone. I'm not surprised it took them 14 years to detect it either -- Tewksbury Hospital is a psychiatric hospital. Every state, even ones like Massachusetts, has been running away screaming from the obligation to provide mental health services ever since Thorazine was invented. They probably have even less budget than a typical hospital's IT department. Where I live in New York, inpatient mental health care barely exists; you need to be truly dangerous to end up in a psychiatric hospital -- even too dangerous for prison or jail.

    I'm not in healthcare IT so I don't know...are electronic health record systems designed to not allow random snooping through people's information? You would think, with HIPPA and everything, that record access would be limited to people who have reason to look at it, and of course the system admins. In my experience in other fields though, no one goes looking through system access logs until someone has reason to suspect something, so usually it takes someone reporting something like what happened here.

    I guess patient record security would have limited this, but I'm sure there are still ways around it. Back in my client support days, I did a lot of work with HR -- talk about the world's worst gossip clique! HR people love snooping through peoples' files, basically just for the lulz.

    • I've worked with HIPAA level data handling and, like all things, its weakest point is the point of access. If somebody with credentials wants to peek at information they have access to (but aren't supposed to be looking at) they can. My system logged all read/write accesses and we made sure to encrypt any and all data in storage and only reveal data to people with proper credentials.

      Locked down like a bank but any bank teller still has access to all the money. (so to speak) Bank Tellers get caught beca
    • Medical records are not supposed to be open to everyone in the medical facility. Accessing medical information just for shits and giggles will get you fired.

      http://www.nydailynews.com/ent... [nydailynews.com]

  • While I have never directly worked in hospital IT, I know plenty of folks who have. I did work for a PACS/RIS/HIS vendor, and I spent about 6 years working beside them. Not only do hospital IT teams chronically get underfunded and understaffed, they have to deal with vendors who give absolutely asinine support requirements ("no, our software only runs on windows NT!" or "Sorry, HP only allows you to use windows server for storage appliances for this device, why no, microsoft has never released a service pac
  • They are still on Windows 95.

  • Now we know why the "average time to detection" is 271 days or some such nonsense.
  • was apparently an individual clerk abusing his authorization to poke around in patient files. The "14" years timing is interesting; HIPAA's privacy rules took effect in 2003, in other words 14 years ago.

    So while by modern standards this event is a breach, it's not the kind of technical breach people seem to think it was. What's more at the time it may not even have resulted from violations of then-current standard practices. Back in the day it was common to simply trust people who needed access to records

  • Well, that is still much shorter that it takes Massachusetts to build a simple Bridge.

No spitting on the Bus! Thank you, The Mgt.

Working...