I just read this article about a medical records “breach” at a hospital in Massachusetts. The headline reads, “It took 14 years for this Massachusetts hospital to detect a data breach”. When I see something like that, I kinda pause a bit. Why would it take 14 years? That just seems ludicrous.
My first thought is, “Shouldn’t there be some kind of auditing happening at the hospital?” I posed the question to a hospital information security professional (this person has no connection to the hospital in question), and I was told that the employee likely “was in a team that had horizontal access to records” and that it is “almost impossible, short of tagging a record as a VIP (think a movie star, politician) and daily reviewing who touches the record to catch this.” Spot checking by Joint Commission that should happen during audits (the hospital is Joint Commission accredited according to this website) didn’t find it either.
What also struck me was that it wasn’t even the hospital who found the issue:
In April of this year, a former patient expressed concern that someone may have accessed their electronic medical record inappropriately. A review conducted in response to this complaint revealed that one hospital employee appeared to have accessed the former patient’s records without a good reason to do so. This discovery led to a broader review of the employee’s use of the electronic medical records system at Tewksbury Hospital. As a result of this review, we were able to determine that the employee appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients.
So how did the patient know or even suspect something funny was happening? Was there some activity in the electronic medical record that was visible to the patient? I asked the same information security professional as above for some thoughts on this point. Here’s the reply: “I suspect they occasionally snooped on people in the hospital. Not for profit but because they were nosy. And they talked to somebody about the procedure the person who reported this had and they were upset and tracked it down.” That seems plausible to me. I have had a couple of stints in healthcare as an IT professional, and I have seen first hand how gossipy people can get about patients (plus I am binge-watching past episodes of Grey’s Anatomy with my wife, so I know all about how hospitals operate).
A final quote from my anonymous information security professional leads to the main point of this particular situation: “End of day we have to trust people do not snoop. Sometimes they don’t keep that trust. That’s what sanction policies for for.” That is very true and reflects the way we have to think about security at all levels. You have to give people access so they can do their job. Locking things down to the Nth degree just makes it more difficult for them to do their jobs, so you have to trust at some point. Yes, there should be reasonable levels of control to stop these things from happening. But you’ll never stop it all. Review as much as you can. Train people to not do bad things. Expect that someone will eventually do a bad thing.
But seriously, please put in some deeper level of review that will hopefully enable you to catch this kind of thing in a little less than 14 years. 14 years? Seriously?
This is a Security Bloggers Network syndicated blog post authored by Michael Farnum. Read the original post at: An Information Security Place