It Took a Massachusetts Hospital 14 Years To Detect a Data Breach (grahamcluley.com)
An anonymous reader shares a report: To make matters worse, even after all that time -- it wasn't the medical center itself that discovered the incident. Tewksbury Hospital learned of the breach in the spring of 2017. It hasn't found any evidence to suggest the security incident resulted in attackers misusing patients' data. Even so, it believes the event compromised the security of affected individuals' personal and medical information. As the state-run institution explains in a statement: "In April of this year, a former patient expressed concern that someone may have accessed their electronic medical record inappropriately. A review conducted in response to this complaint revealed that one hospital employee appeared to have accessed the former patient's records without a good reason to do so. This discovery led to a broader review of the employee's use of the electronic medical records system at Tewksbury Hospital. As a result of this review, we were able to determine that the employee appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients."
Re:Weapons Grade Negligence (Score:5, Insightful)
Oh please.. It was an INSIDER who did this and apparently wasn't out downloading mass amounts of data all at once. How do you distinguish between an insider doing their job and this? I'm just amazed that they kept the access logs for 14 years so they could go back and audit this one user.
You want every hospital in the world to put in strict access monitoring and then have a team that does nothing but monitor and verify each and every data access? Talk about expensive and adding to healthcare costs, for what? Certainly this won't have a positive effect on healthcare delivered...
Re: (Score:3)
Actually, most hospitals do have just such a system in place. There are plenty of ways for it to be configured. In most cases it takes several unusual hits for it to flag for a review, so a clinical user (nurse, therapist, etc.) can definitely get away with a lot before it would flag them - it really depends on how they accessed it and what they accessed. Systems 14 years old probably don't have as much security.
I know that among other things our system even compares my address to those of patients I access t
mumps software is old and may not have much (Score:2)
mumps software is old and may not have much security. Or security just gets in the way of it being linked to other systems.
Re: (Score:2)
You're over generalizing. Several of the major players in the EHR field run on an M database. They offer modern software suites with all the security bells and whistles that you'd expect of a program handling something as sensitive as medical record data.
The problem comes in when you have to start balancing cost/convenience against risk of abuse. You could lock down your EHR to an arbitrary degree, but then it starts to interfere with users' ability to do their jobs. The more stringent your auditing proto
Re: (Score:1)
Actually, yes. Financial and medical institutions should have IT security folk that do nothing but review the security of their system.
That includes equipment, patching schedules, user CONOPS, account maintenance, and of course, user access uses.
In this case, the misuse of the information seems to have been minimal. But it's exactly this sort of information that could be used for blackmail, to ruin or even end someone's life. So it needs to be protected.
And this hospital absolutely failed to do so.
Re:Weapons Grade Negligence (Score:5, Funny)
The people who were responsible for information security should receive the death penalty for such egregious negligence.
Probably those MUMPS anti-vaxxers again...
Re: (Score:2)
Re: (Score:2)
Again with this "Evil corporations hold all the power" lie? I'm so tired of this...
Seriously, remember the old "corporations are people in the eyes of the law" complaint? Well, I do, and you have to understand that this legal principle really means that you, the individual, have the same standing in the eyes of the court as the huge corporation. You can take them to civil court and win...
So can we stop with the hypocritical conflicting complaints now?
Re: (Score:2)
When is the last time that a corporation went to jail for murder?
Re: (Score:2)
When was the last time that a corporation committed murder?
Re: (Score:2)
Ask the Navajo about Peabody Coal.
Re: (Score:2)
I said "civil court" if you were paying attention. Maybe you don't understand how our courts actually work?
When was anybody EVER tried, convicted and sentenced for murder in a civil court? (That would be Never...)
You don't get sent to jail by a civil court, you get convicted of crimes like murder in a criminal court. Civil courts are only about property, money and stuff, not about punishing crimes.
Re: (Score:2)
Guess you missed the whole state run institution bit, eh?
This is normal and unavoidable (Score:2)
Data is useless if it is inaccessible. Eventually, one of your authorized users will break an access rule, and on occasion they will do so in a way that gets them caught.
Re: (Score:2)
Yep. And with employees who have some ethics, it's not a problem because they keep their mouths shut and don't share what they see.
I've worked in multiple environments like that. I've also seen a few not so ethical people get fired because in addition to looking at what they shouldn't, they couldn't resist blabbing about the bits they found interesting.
As a general rule, all people are occasionally stupid and some people are constantly stupid.
Re: (Score:2)
Do EMR systems have controls? (Score:3)
It sounds like this was an insider who was just accessing someone's records for fun or to find something out about someone. I'm not surprised it took them 14 years to detect it either -- Tewksbury Hospital is a psychiatric hospital. Every state, even ones like Massachusetts, has been running away screaming from the obligation to provide mental health services ever since Thorazine was invented. They probably have even less budget than a typical hospital's IT department. Where I live in New York, inpatient mental health care barely exists; you need to be truly dangerous to end up in a psychiatric hospital -- even too dangerous for prison or jail.
I'm not in healthcare IT so I don't know... are electronic health record systems designed to not allow random snooping through people's information? You would think, with HIPAA and everything, that record access would be limited to people who have reason to look at it, and of course the system admins. In my experience in other fields though, no one goes looking through system access logs until someone has reason to suspect something, so usually it takes someone reporting something like what happened here.
I guess patient record security would have limited this, but I'm sure there are still ways around it. Back in my client support days, I did a lot of work with HR -- talk about the world's worst gossip clique! HR people love snooping through people's files, basically just for the lulz.
Re: (Score:2)
Locked down like a bank but any bank teller still has access to all the money. (so to speak) Bank Tellers get caught beca
Re: (Score:2)
You're over generalizing. The major players in the EHR marketplace offer modern software suites with all the security/access auditing bells and whistles you would expect of a program that handles something as sensitive as medical data. There are protections in place to prevent egregious abuses of access, but something as subtle as what's described in this story (occasional inappropriate access over the course of years) would be tough to catch.
The problem with security, as it is in all types of IT, is that
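An added illustration, not code from any commenter or from the hospital's EHR vendor, of two points raised in this thread: the earlier comment's description of an access-monitoring system that needs several unusual hits and compares the user's address to the patient's, and the comment above noting that occasional inappropriate access spread over years is hard to catch. It runs a retrospective review over a constructed audit log, flagging each access with no documented care relationship or with a user/patient address match, and then accumulates the no-relationship hits per user across the whole retained log rather than per day, so rare hits years apart still add up. The roster, addresses and log lines are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample EHR audit log (not from the article): (date, user, patient_id, access_reason)
AUDIT_LOG = [
    ("2003-06-02", "nurse_a", "P100", "treatment"),
    ("2004-03-15", "clerk_b", "P100", "billing"),
    ("2004-11-20", "clerk_b", "P203", "treatment"),    # clerk_b has no relationship to P203
    ("2009-07-08", "clerk_b", "P311", "treatment"),    # no relationship, five years later
    ("2012-01-30", "nurse_a", "P450", "break_glass"),  # emergency override: logged, reviewed separately
    ("2015-09-14", "clerk_b", "P512", "treatment"),    # no relationship, and P512 shares clerk_b's address
]
# Constructed care-team roster: users with a documented treatment or billing relationship
CARE_TEAM = {"P100": {"nurse_a", "clerk_b"}, "P203": {"nurse_a"}, "P311": set(),
             "P450": set(), "P512": {"nurse_a"}}
# Constructed directory data for the address comparison described in the thread
USER_ADDRESS = {"nurse_a": "12 Elm St", "clerk_b": "9 Oak Ave"}
PATIENT_ADDRESS = {"P100": "1 Main St", "P203": "4 Pine Rd", "P311": "7 Lake Dr",
                   "P450": "2 Hill Rd", "P512": "9 Oak Ave"}

def flag_access(entry):
    """Return the names of the rules one access trips; an empty list means it looks routine."""
    date, user, patient, reason = entry
    flags = []
    # Break-glass overrides are exempt here because they get their own mandatory review
    if reason != "break_glass" and user not in CARE_TEAM.get(patient, set()):
        flags.append("no_relationship")
    if USER_ADDRESS.get(user) == PATIENT_ADDRESS.get(patient):
        flags.append("address_match")
    return flags

def review_log(log, min_hits=3):
    """Per-event flags, plus per-user accumulation of no-relationship accesses over the
    whole retained log, so a handful of hits years apart still reaches the review threshold."""
    events = []
    hits = defaultdict(list)
    for entry in log:  # log is assumed to be in date order
        flags = flag_access(entry)
        if flags:
            events.append((entry[0], entry[1], entry[2], flags))
        if "no_relationship" in flags:
            hits[entry[1]].append(entry[0])
    # (count, first date, last date) for every user at or above the threshold
    repeat = {u: (len(d), d[0], d[-1]) for u, d in hits.items() if len(d) >= min_hits}
    return events, repeat
```

With the constructed log, clerk_b never trips a per-day threshold, but the accumulated review reports three unrelated accesses spanning 2004 to 2015, which is the pattern the comment above describes as hard to catch.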
Re: (Score:2)
Medical records are not supposed to be open to everyone in the medical facility. Accessing medical information just for shits and giggles will get you fired.
http://www.nydailynews.com/ent... [nydailynews.com]
Hats off to Hospital IT (Score:2)
IOW (Score:2)
They are still on Windows 95.
The flaw of averages (Score:2)
The data breach (Score:2)
was apparently an individual clerk abusing his authorization to poke around in patient files. The "14" years timing is interesting; HIPAA's privacy rules took effect in 2003, in other words 14 years ago.
So while by modern standards this event is a breach, it's not the kind of technical breach people seem to think it was. What's more at the time it may not even have resulted from violations of then-current standard practices. Back in the day it was common to simply trust people who needed access to records
Still shorter (Score:2)
Well, that is still much shorter than it takes Massachusetts to build a simple bridge.