Risky hospital business: happy device hacking, insider data breaches

A heap of ‘insanely easy’ hospital hacking–but no harm done: Essentia Health’s head of information security, Scott Erven, set his team to work–with management approval–on hacking practically every internal device and system over two years, and found that most were ‘insanely easy’ to hack. They successfully hacked drug infusion pumps, EHRs, Bluetooth-enabled defibrillators, surgery robots, CT scanners, networked refrigerator temperature settings and X-ray machines, with potentially disastrous results. The common security holes in networked equipment: lack of authentication, weak passwords, embedded web services, and the list goes on. Mr Erven presented this at an industry meeting in April, without naming brands or devices, as he’s still trying to fix them. Essentia Health operates about 100 facilities, including clinics, hospitals and pharmacies, in Minnesota, North Dakota, Wisconsin and Idaho–and should receive much credit for facilitating this study. This is the environment into which we will be plonking tons of patient information in PHRs and telehealth monitoring. Pass the painkillers. Summary in HealthIT Outcomes; much more essential detail in Wired, worth the read.

The ‘Maybe No One Will Notice’ Data Breach: The recent incident at the University of Massachusetts Memorial Medical Center in Worcester illustrates the difficulty that even academic medical centers have with detecting data security breaches, particularly when they are small, sneaky, spread over time and committed by an insider. UMass uncovered a series of low-profile breaches by a former employee who helped himself to patient information such as name, address, date of birth and Social Security number–and may have used it to open up credit card and mobile phone accounts. Only four records appear to have been misused in this way, but at least 2,400 records were estimated to be improperly accessed–over 12 years, which made it even more difficult to find. Perhaps the employee was funding retirement? HealthcareInfoSecurity

The ‘Ambulance Chaser’ Data Breach: What better way for lawyers and shady outpatient clinics to get accident patients fresh from the ER (ED) than to have someone on the inside feeding them patient information? At New York’s Jamaica Hospital Medical Center, two registrars accessed the records of 250 patients, with the usual secure data plus details on their injuries and medical treatment. Many were later contacted by said lawyers and clinics. The Queens District Attorney is now investigating whether this strange coincidence is actually cause-and-effect–whether the two defendants sold the patient information. HealthcareInfoSecurity. Privacy experts concede that ‘insider’ theft–and this includes contractors, third party vendors and business associates–is extremely difficult to catch and requires human vigilance along with tech ‘snooping.’

The ‘Ask The Techie Before You Unplug It, Doc’ Data Breach: The largest HIPAA fine to date–$3.3 million–has been levied by the Department of Health and Human Services (HHS) against New York-Presbyterian Hospital and Columbia University for a 2010 breach of 6,800 records. It happened when a Columbia doctor, who had developed applications for both facilities, deactivated a personally owned server on the network holding data for NYP patients. “Lack of technical safeguards” caused the information to be accessible on Internet search engines. FierceHealthIT
