Archives For HIPAA

Great article sent in from Tom at  Heit.  A couple of things worth noting on this one:

  • It only set Scott back about $115 to begin capturing hospital data…that is until he got caught!
  • It took the hospital over 1000 screen captures to figure out they were under surveillance.
  • This crime was the result of a disgruntled lover – could have easily been an employee
  • I’m sure IT thought they had it covered….

http://www.pcworld.com/businesscenter/article/172185/misdirected_spyware_infects_ohio_hospital.html

 It was a bad idea from the start, but even as bad ideas go, this one went horribly wrong.

 A 38-year-old Avon Lake, Ohio, man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he’d had a relationship with ended up infecting computers at Akron Children’s Hospital.

 In late February 2008, Scott Graham shelled out US$115 for a spyware program called SpyAgent and sent it to the woman, according to a plea agreement filed in the U.S. District Court for the Northeastern District of Ohio.

 He allegedly sent the spyware to the woman’s Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital’s pediatric cardiac surgery department, creating a regulatory nightmare for the hospital.

 The complaint does not explain how Graham managed to convince the woman to install the program, but clever attackers often trick their victims into clicking on files by saying that they are interesting videos or some kind of useful software.

 Between March 19 and March 28 the spyware sent more than 1,000 screen captures to Graham via e-mail. They included details of medical procedures, diagnostic notes and other confidential information relating to 62 hospital patients. He was also able to obtain e-mail and financial records of four other hospital employees as well, the plea agreement states.

Advertisements

If you want sensitive data, see your local doctor

Many of the companies I work with are calling on the medical vertical.  Medical offices have highly sensitive data, they’re under HIPAA regulations (note the correct spelling on this), they’re somewhat recession proof, and unfortunately, in many cases doctors don’t seem to care.

I’ve had numerous sales people tell me, the doctors won’t get involved in security projects; they don’t want to spend money on security unless there is a clear regulation or pending audit.  And while there are some doctors that do care, practices are generally run by a group and getting everyone’s buy-in is difficult.

Today’s WSJ reports on the growing push by our government to move medical to electronic; however, they are also behind in addressing security.  Stay tuned for new regulations and possible funding – a few notes from an article entitled, New Epidemic Fears: Hackers

  • Portions of a $29 billion fund are available to reimburse hospitals and doctors’ offices that invest in electronic records systems and other software that might improve care and lower health-care costs.
  • In recent years, the number of reported data breaches at healthcare organizations has soared, despite laws requiring the groups to protect patient information.
  •  Criminals can use this information to open credit-card accounts in the victim’s name. Among the more nefarious crimes these breaches can lead to is medical identity theft, when someone receives health-care services using the victim’s name and insurance.