Tag: breach

Medical records breach in Mass took place over 14 years

Medical records breach in Mass took place over 14 years

I just read this article about a medical records “breach” at a hospital in Massachusetts. The headline reads, “It took 14 years for this Massachusetts hospital to detect a data breach”. When I see something like that, I kinda pause a bit. Why would it take 14 years? That just seems ludicrous.

My first thought is, “Shouldn’t there be some kind of auditing happening at the hospital?” I posed the question to a hospital information security professional (this person has no connection to the hospital in question), and I was told that the employee likely “was in a team that had horizontal access to records” and that it is “almost impossible, short of tagging a record as a VIP (think a movie star, politician) and daily reviewing who touches the record to catch this.” Spot checking by Joint Commission that should happen during audits (the hospital is Joint Commission accredited according to this website) didn’t find it either.

What also struck me was that it wasn’t even the hospital who found the issue:

In April of this year, a former patient expressed concern that someone may have accessed their electronic medical record inappropriately. A review conducted in response to this complaint revealed that one hospital employee appeared to have accessed the former patient’s records without a good reason to do so. This discovery led to a broader review of the employee’s use of the electronic medical records system at Tewksbury Hospital. As a result of this review, we were able to determine that the employee appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients.

So how did the patient know or even suspect something funny was happening? Was there some activity in the electronic medical record that was visible to the patient? I asked the same information security professional as above for some thoughts on this point. Here’s the reply: “I suspect they occasionally snooped on people in the hospital. Not for profit but because they were nosy. And they talked to somebody about the procedure the person who reported this had and they were upset and tracked it down.” That seems plausible to me. I have had a couple of stints in healthcare as an IT professional, and I have seen first hand how gossipy people can get about patients (plus I am binge-watching past episodes of Grey’s Anatomy with my wife, so I know all about how hospitals operate).

A final quote from my anonymous information security professional leads to the main point of this particular situation: “End of day we have to trust people do not snoop. Sometimes they don’t keep that trust. That’s what sanction policies for for.” That is very true and reflects the way we have to think about security at all levels. You have to give people access so they can do their job. Locking things down to the Nth degree just makes it more difficult for them to do their jobs, so you have to trust at some point. Yes, there should be reasonable levels of control to stop these things from happening. But you’ll never stop it all. Review as much as you can. Train people to not do bad things. Expect that someone will eventually do a bad thing.

But seriously, please put in some deeper level of review that will hopefully enable you to catch this kind of thing in a little less than 14 years. 14 years? Seriously?

An Information Security Place Podcast – Episode 15

An Information Security Place Podcast – Episode 15


Link to MP3

Here is episode 15. There was a lot to cover in this episode. Jim and I were in discussion mode, so be prepared to sit down for a while longer than normal this time. Jim and I were also in a joking mood and consequently cracked ourselves up on this episode, so enjoy the laughter and comedy at a fellow human’s expense.

BTW, I am a milestone guy, and any time a “0” or a “5” is at the end of the episode number, I think it is cool. So 15 is a cool number to me. On to the show notes.

Show notes:

InfoSec News Update: whole lot of crap!

Discussion: File Under DUH! Unauthorized Web Use On The Rise

Consultants Corner: How does “Compliant” equal Owned?

Music Notes:

An Information Security Place Podcast – Episode 14

An Information Security Place Podcast – Episode 14


Link to MP3

Episode 14 is here.  First off, let me thank everyone that is listening to Jim and me spout off about everything.  Fourteen shows does not seem like a big number, but it involves a lot of work getting this going (especially on Jim’s part – thanks Jim) and keeping it going, and Jim and I appreciate everyone sticking in there with us.

Second, we have made some changes with my setup, so there might be a sound difference and some issues with this episode.  Forgive us as we get some new kinks worked out.

Third, this episode includes an interview with Mike Rothman from eIQnetworks.  You might know him better as that guy from Security Incite that has a yankee accent and tells everyone what he is thinking.  Either way, Mike is a great guy and a great friend, and I was honored to interview him.  I think you will enjoy that portion of the show.

And lastly, there is a programming note.  The geek toys segment that is brought to you by Jim every show is now going to be made more of a quarterly thing.  The reason is because Jim has to find something to talk about every time, and it is getting a little more difficult to find something for every show.

Here’s the breakdown of the show.

Show Notes:

InfoSec News Update: there’s been a lot happening the last two weeks

DiscussionNew president declares his plan for US Cyber Security (more cynicism from Michael)

Vendor Interview – Michael interviews Mike Rothman from eIQnetworks

Consultants Corner –Combining compliance initiatives and what that means for security practices

Music Notes: