
(LA Times) Fail: After recent privacy breaches, UCLA Medical Center tightened security. Except for a doctor taking home all the patient data. But don't worry, it was on an encrypted hard drive. With the password written on a piece of paper right next to it (latimesblogs.latimes.com)
More: Fail, Medical Center, Farrah Fawcett, UCLA, patients  

2850 clicks; posted to Main » on 05 Nov 2011 at 4:01 AM



59 Comments
 
2011-11-05 12:46:07 AM
FTA: "UCLA's concern for its patients is absolute, and we deeply regret any breach of confidentiality and the stress and concern it might cause our patients," the statement said.

"...except for Michael Jackson, Farrah Fawcett, Britney Spears, and about sixteen thousand other folks."

So, when does the federal government step in and audit the EMR policies of this friggin' hospital?
 
2011-11-05 04:09:52 AM
Still better than UPMC's security.

XSS vulnerabilities and unencrypted data which includes SSNs.
 
2011-11-05 04:16:00 AM
I'm dubious about blaming the physician. Medical doctors often take their work home and work off hours to help patients by finishing the charts.
 
2011-11-05 04:19:27 AM
Sounds like when I worked for a long distance company back in the before time. It was very important to control access to the switches so they used those little credit card dealies that flashed a new code every couple of minutes. To log into a particular switch, you needed a username, password, and the code-of-the-moment for that switch. So they set up a row of workstations near the warehouse entrance with each switch's code card secured to a workstation and the username and password printed on a big piece of laminated paper which was taped to the desk.
 
2011-11-05 04:33:48 AM
Was it 1234?
 
2011-11-05 04:39:45 AM
bighairyguy: Was it 1234?

1...2...3...4...5.

/I need to change the combination on my luggage.
 
2011-11-05 04:43:43 AM
UCLA Medical Center, like all hospitals, has to abide by HIPAA laws.

Providers can not disclose any patient information.

Lindsay Lohan and Michael Jackson will show up at UCLA and share a room with Elizabeth Taylor and Pamela Anderson, but you'll never know, because their business is private, as it should be.
 
2011-11-05 04:49:57 AM
Just one more reason I will never go to a hospital.

The first and only other reason is I can't afford it or health insurance.

But at least my ID will be safe.
 
2011-11-05 04:51:36 AM
vernonFL: UCLA Medical Center, like all hospitals, has to abide by HIPAA laws.

Providers can not disclose any patient information.

Lindsay Lohan and Michael Jackson will show up at UCLA and share a room with Elizabeth Taylor and Pamela Anderson, but you'll never know, because their business is private, as it should be.


It's really weird the way it works. During my undergrad, I worked at the local ER. We were explicitly told to lie to anyone who inquired about a person in the ER. "Please hold, and I will check on the person you are asking about..." (go ask the patient if so-and-so on the phone or in the waiting room is ok to know if they're in the ER)... "Yes (or No), the person is not in our ER."

Sometimes, I had to tell a mother in the waiting room "No," because their adult child did not want them to know they were in our ER, even though the mother *watched* her son/daughter get on the ambulance and then followed the ambulance to our hospital. They knew I was lying to them, but because of HIPAA rules, I could not tell them otherwise.
 
2011-11-05 05:18:53 AM
mgshamster: They knew I was lying to them, but because of HIPAA rules, I could not tell them otherwise.

HIPAA stipulates you don't disclose, not lie.

"I'm sorry, due to confidentiality laws, we cannot disclose any patient information without their written consent."

Funny, when I went to visit my uncle in the nursing home they gave me his room number at the desk.
 
2011-11-05 05:22:50 AM
As an employer, it would be nice if there was a searchable database to check if an applicant had any serious medical issues. It is expensive and counter productive to hire chronically sick and chronically pregnant people. And people will lie through their teeth just to get a job with health benefits that they know they cannot work.
 
2011-11-05 05:27:15 AM
spentmiles: As an employer, it would be nice if there was a searchable database to check if an applicant had any serious medical issues. It is expensive and counter productive to hire chronically sick and chronically pregnant people. And people will lie through their teeth just to get a job with health benefits that they know they cannot work.

That is also against the law. If you employ people you really should know that is discrimination. It comes on those big OSHA/dept. of labor charts.
 
2011-11-05 05:36:16 AM
lohphat: mgshamster: They knew I was lying to them, but because of HIPAA rules, I could not tell them otherwise.

HIPAA stipulates you don't disclose, not lie.

"I'm sorry, due to confidentiality laws, we cannot disclose any patient information without their written consent."

Funny, when I went to visit my uncle in the nursing home they gave me his room number at the desk.


Yeah, it was totally different in the hospital (admitted, compared to in the ER); they would give the room number at the front desk, or even over the phone. Perhaps it was just the MSNs who were in charge of the ER when I worked there that were in the wrong?

/Admittedly, those MSNs were biatches.
 
2011-11-05 05:43:23 AM
How much competence is expected at a medical center named after one of the most incompetent motherf**kers to ever walk the earth?
 
2011-11-05 05:47:00 AM
According to the textbook sitting on the desk in front of me, a friend/family member can only be told if a person is present, general condition, and just about nothing else.

And of possible interest only to the HIM people...

 
2011-11-05 05:50:18 AM
PENCIL
 
2011-11-05 05:58:47 AM
FormlessOne: FTA:

So, when does the federal government step in and audit the EMR policies of this friggin' hospital?

They have contracted with a data security firm to work with patients and notified the U.S. Department of Health and Human Services Office for Civil Rights, which has previously investigated privacy violations at the hospitals.


Basically, in 3...2...1...right now.
 
2011-11-05 06:08:46 AM
mgshamster: I'm dubious about blaming the physician. Medical doctors often take their work home and work off hours to help patients by finishing the charts.

There are ways to take work home that doesn't involve actually physically bringing a copy of data with you. There are also ways which don't involve the "post-it method" of password storage.

However if the Hospital wasn't employing those methods, and approved this inane process, then yes, I'd say the onus of culpability lies chiefly on them.
 
2011-11-05 06:10:04 AM
jso2897: How much competence is expected at a medical center named after one of the most incompetent motherf**kers to ever walk the earth?

I can't recall.
 
2011-11-05 06:10:16 AM
I would think that with personal information like this you would have some sort of blind in place to prevent id. Such as a doctor could carry a hard drive of all the patients medical history stripped of names and other identifiers. With of course information containing ids being strictly left in a hospital vault.

/any health care administrators got an answer?
 
2011-11-05 06:15:55 AM
jtown: Sounds like when I worked for a long distance company back in the before time. It was very important to control access to the switches so they used those little credit card dealies that flashed a new code every couple of minutes. To log into a particular switch, you needed a username, password, and the code-of-the-moment for that switch. So they set up a row of workstations near the warehouse entrance with each switch's code card secured to a workstation and the username and password printed on a big piece of laminated paper which was taped to the desk.

Holy crap! I have not seen credit card-sized RSA tokens in over a decade.... Damn you old.... ;)
 
2011-11-05 06:22:24 AM
mgshamster: I'm dubious about blaming the physician. Medical doctors often take their work home and work off hours to help patients by finishing the charts.

He had the password on a piece of farking paper next to the drive, I have absolutely no problem blaming the physician
 
2011-11-05 06:24:55 AM
Hobo Jr.: I would think that with personal information like this you would have some sort of blind in place to prevent id. Such as a doctor could carry a hard drive of all the patients medical history stripped of names and other identifiers. With of course information containing ids being strictly left in a hospital vault.

/any health care administrators got an answer?


Again, there's no need to carry the actual data with you in order to have access to it. You don't need a health care administrator to tell you this, either. Though perhaps some health care administrators should be employing people who have knowledge of data security to keep them informed... >.>
 
2011-11-05 06:29:08 AM
Where was IT and data security?

So somehow the doc was able to download 16,000 records to his personal hard drive which should have been an impossible task. Non-technical people don't understand the implications or the seriousness of data security.
 
2011-11-05 06:33:11 AM
I'm guessing most companies still have not gotten wise to using a VPN, instead of just loading crap to your HD?

Our company has a strict "We see it on your HD, you get fired" policy when it comes to privacy-related data.

And I am ok with that.
 
2011-11-05 06:37:02 AM
SkunkWerks: Hobo Jr.: I would think that with personal information like this you would have some sort of blind in place to prevent id. Such as a doctor could carry a hard drive of all the patients medical history stripped of names and other identifiers. With of course information containing ids being strictly left in a hospital vault.

/any health care administrators got an answer?

Again, there's no need to carry the actual data with you in order to have access to it. You don't need a health care administrator to tell you this, either. Though perhaps some health care administrators should be employing people who have knowledge of data security to keep them informed... >.>


Well, I wouldn't feel any more comfortable knowing that some could access my records without actually having them. I am assuming you mean some sort of intranet but how quickly would that get broken into.

Paper locked in a drawer in an unlocked office labelled accountant is the safest way to store information these days.
 
2011-11-05 06:46:33 AM
Hobo Jr.: I am assuming you mean some sort of intranet but how quickly would that get broken into.

Not very, having been party to the level of sophistication employed to secure such records. Some people have for instance mentioned RSA Keys, which supply an additional password needed to access which changes passwords every minute. Possession of the token as well as the accessor's password credentials is necessary for access, and each token is unique. If you lose a token, you simply cancel its access privileges.

The idea is to never have more than one copy of data in play at any given time. The more copies you have out there, the less secure the data is, and not just because some moron can take 16 thousand records home on a portable hard drive, either.

No system is perfect, of course, but some systems are "more perfect" than others, and any system which involves a doctor carrying around copies of tens of thousands of patient records on an easily stolen device (external HDD, laptop, iPod, whatever) is so abysmally moronic it's criminally negligent, particularly for a "prestigious medical center".
 
2011-11-05 06:53:26 AM
SkunkWerks: Hobo Jr.: I am assuming you mean some sort of intranet but how quickly would that get broken into.

Not very, having been party to the level of sophistication employed to secure such records. Some people have for instance mentioned RSA Keys, which supply an additional password needed to access which changes passwords every minute. Possession of the token as well as the accessor's password credentials is necessary for access, and each token is unique. If you lose a token, you simply cancel its access privileges.

The idea is to never have more than one copy of data in play at any given time. The more copies you have out there, the less secure the data is, and not just because some moron can take 16 thousand records home on a portable hard drive, either.

No system is perfect, of course, but some systems are "more perfect" than others, and any system which involves a doctor carrying around copies of tens of thousands of patient records on an easily stolen device (external HDD, laptop, iPod, whatever) is so abysmally moronic it's criminally negligent, particularly for a "prestigious medical center".


Interesting. That does sound a bit more secure than their password on top of the laptop technique they are currently using.
 
2011-11-05 07:06:47 AM
DammitIForgotMyLogin: mgshamster: I'm dubious about blaming the physician. Medical doctors often take their work home and work off hours to help patients by finishing the charts.

Helping 16,288 patients? I don't think so...

Why in the name of sanity did he need to have ALL of those records, encrypted or not??

If he was doing research (which would be one of the few reasons) the most he should have been able to get out of the system was "de-identified" records which would be utterly useless to anybody else!

And doctors have no excuse whatsoever. The HIPAA privacy AND security rules are binding on them, and they are responsible for knowing what they can and cannot do with this information. Depending on which "Tier" the Feds classify this breach under, the doctor/hospital can expect a 7-figure fine and possibly jail time. The audit trail function in the software will show which Health Info tech it was that supplied the files in the first place. Oh, yes, there will be blood in the HIM department.

/Health Information Management tech student
 
2011-11-05 07:12:30 AM
johnson442: DammitIForgotMyLogin: mgshamster: I'm dubious about blaming the physician. Medical doctors often take their work home and work off hours to help patients by finishing the charts.

Helping 16,288 patients? I don't think so...

Why in the name of sanity did he need to have ALL of those records, encrypted or not??

If he was doing research (which would be one of the few reasons) the most he should have been able to get out of the system was "de-identified" records which would be utterly useless to anybody else!

And doctors have no excuse whatsoever. The HIPAA privacy AND security rules are binding on them, and they are responsible for knowing what they can and cannot do with this information. Depending on which "Tier" the Feds classify this breach under, the doctor/hospital can expect a 7-figure fine and possibly jail time. The audit trail function in the software will show which Health Info tech it was that supplied the files in the first place. Oh, yes, there will be blood in the HIM department.

/Health Information Management tech student


Will they drink his milkshake?

/I couldn't help it
 
2011-11-05 07:24:22 AM
Hobo Jr.: johnson442: DammitIForgotMyLogin: mgshamster: I'm dubious about blaming the physician. Medical doctors often take their work home and work off hours to help patients by finishing the charts.

Helping 16,288 patients? I don't think so...

Why in the name of sanity did he need to have ALL of those records, encrypted or not??

If he was doing research (which would be one of the few reasons) the most he should have been able to get out of the system was "de-identified" records which would be utterly useless to anybody else!

And doctors have no excuse whatsoever. The HIPAA privacy AND security rules are binding on them, and they are responsible for knowing what they can and cannot do with this information. Depending on which "Tier" the Feds classify this breach under, the doctor/hospital can expect a 7-figure fine and possibly jail time. The audit trail function in the software will show which Health Info tech it was that supplied the files in the first place. Oh, yes, there will be blood in the HIM department.

/Health Information Management tech student

Will they drink his milkshake?

/I couldn't help it


They'll drink it up....
 
2011-11-05 07:26:46 AM
mgshamster: I'm dubious about blaming the physician. Medical doctors often take their work home and work off hours to help patients by finishing the charts.

I sort of half-agree. But I think you can say he probably broke security policy by writing down a password and storing it next to the computer.

I take work IP home with me 5 to 7 days a week. It is always encrypted, and always on a company laptop. The laptop is considered an extension of the company. Especially when I work from home by VPN. No, the password isn't written anywhere. If for some reason I forget my password, the IT guy uses his password to reset mine. No biggie. At worst, I lose a day's productivity, and look stupid to the snotty little IT guy.
 
2011-11-05 07:35:57 AM
For me to log in to work....

1) need an ID/pw to boot the lappy
2) need an ID/RSA pin+token to connect via VPN to the corp network
3) need an ID/pw to connect to anything else (email, files, chat, payroll, etc)

Pretty dang secure and all... And not that cumbersome. Why 'professionals' such as doctors and such can not jump on the techno bandwagon like corporations do, is beyond me. Seems you would want to protect your patient/client info like it was the secret recipe for Coke®.

Maybe it is a lack of understanding? Private offices do not have the money for an IT dept, so they just do not know maybe? Still, by now everyone that has an office should know this stuff....
 
2011-11-05 07:37:30 AM
betona: Where was IT and data security?

So somehow the doc was able to download 16,000 records to his personal hard drive which should have been an impossible task. Non-technical people don't understand the implications or the seriousness of data security.


The doctor's arrogance and bull-headedness often gets the best of the IT folks. I have never ever, once, in my life, met a doctor that wasn't both arrogant and at least a little bit thinking that being good at one thing made him or her good at all things. Stories about the lengths doctors will go to get around some rule where the same effort would have finished the project within the rules months ago are commonplace with the med-IT guys.

That's a situation designed to make data breaches.
 
2011-11-05 07:53:27 AM
DysphoricMania: I'm guessing most companies still have not gotten wise to using a VPN, instead of just loading crap to your HD?


Even with VPN you still have the vulnerability of a written down password if an entire laptop is stolen. At least for a window of time until the admin locks out the account. A lot of data can be downloaded in a few hours.

Actually, I think what companies have to get wise to is the security basics. The basic basics that have been around pre-computer. Pick a strong password. No. Stronger than that. Nope, stronger. We don't care if it takes you an extra 5 seconds to log in. Pick a new one every 60 days. Don't ever write it down, speak it, or communicate it to any other person. (If you forget it, no biggie, Augie Farks down in IT will help you.) No exceptions, and if you are caught not following company security policies, it will be, at a minimum, a disciplinary offence that will be reflected in your next performance review. If you don't report a security breach, such as a missing laptop or magnetic badge within 8 hours, it may be a termination offence.
 
2011-11-05 08:45:06 AM
ThrobblefootSpectre: If you don't report a security breach, such as a missing laptop or magnetic badge within 8 hours, it may be a termination offence.

In the case of Protected Health Information security breaches, it is literally a Federal Offence to NOT report it to the government, contact those affected, etc. The doctor in the article will be lucky if getting fired is all that happens to him.
 
2011-11-05 08:49:11 AM
johnson442: ThrobblefootSpectre: If you don't report a security breach, such as a missing laptop or magnetic badge within 8 hours, it may be a termination offence.

In the case of Protected Health Information security breaches, it is literally a Federal Offence to NOT report it to the government, contact those affected, etc. The doctor in the article will be lucky if getting fired is all that happens to him.


That said, I'm betting he somehow manages to get out of this with a slap on the wrist. Our Federal agencies are too busy providing Cybersecurity on the Intertubes to comprehend this "IT Security" jibba-jabba we're all talking here. Add the "cyber-" prefix to it and we might be halfway to some sort of coherency for them...
 
2011-11-05 08:58:32 AM
vernonFL: UCLA Medical Center, like all hospitals, has to abide by HIPAA laws.

Providers can not disclose any patient information.

Lindsay Lohan and Michael Jackson will show up at UCLA and share a room with Elizabeth Taylor and Pamela Anderson, but you'll never know, because their business is private, as it should be.


I hope Michael Jackson and Elizabeth Taylor don't show up at the hospital seeing as how they're dead, especially if there's any brain surgery being done at the time.
 
2011-11-05 09:58:07 AM
But when others read the password on the paper, they only see "*******"


/oblig
 
2011-11-05 10:14:58 AM
ThrobblefootSpectre: Actually, I think what companies have to get wise to is the security basics. The basic basics that have been around pre-computer. Pick a strong password. No. Stronger than that. Nope, stronger. We don't care if it takes you an extra 5 seconds to log in. Pick a new one every 60 days. Don't ever write it down, speak it, or communicate it to any other person.

No. 60 day password expiration plus the insistence on the typically weak "strong" password rules pretty much guarantees the password will be unmemorable and thus written down somewhere from necessity. IT managers have utterly screwed the pooch with that particular arms race. Total math fail.

A piddly three word passphrase, drawn from a typical pre-schooler's 10000 word vocabulary, delimited by spaces (and no special character bullshiat) will have brute-force odds in the same order of magnitude as an 8 character fully randomized password using 'strong' security rules.

And it's 10,000 times stronger for each word you add, even if the cracker knows exactly how you've delimited it, how many words there are in the passphrase, and has an electronic copy of your kid's vocabulary.
 
2011-11-05 10:18:14 AM
Hobo Jr.: Paper locked in a drawer in an unlocked office labelled accountant is the safest way to store information these days.

Dunning-Kruger shows up again!

Until you educate yourself about Kerckhoffs's principle, you're better off leaving security implementation to others.

 
2011-11-05 10:21:28 AM
DysphoricMania: Why 'professionals' such as doctors and such can not jump on the techno bandwagon like corporations do, is beyond me.

You'd be surprised how many "Winning! Executives" refuse to use TFA because it's "too cumbersome" and you have to plumb back doors for these invincible morons.
 
2011-11-05 11:19:26 AM
MooseUpNorth: No. 60 day password expiration plus the insistence on the typically weak "strong" password rules pretty much guarantees the password will be unmemorable and thus written down somewhere from necessity. IT managers have utterly screwed the pooch with that particular arms race. Total math fail.

A piddly three word passphrase, drawn from a typical pre-schooler's 10000 word vocabulary, delimited by spaces (and no special character bullshiat) will have brute-force odds in the same order of magnitude as an 8 character fully randomized password using 'strong' security rules.

And it's 10,000 times stronger for each word you add, even if the cracker knows exactly how you've delimited it, how many words there are in the passphrase, and has an electronic copy of your kid's vocabulary.



Hmmm, I didn't say a strong password had to be a random string of ascii gibberish. I agree about the random selection of dictionary words as a good method of generation for some applications.

Partially disagree that 3 words is enough for some applications, such as an encrypted file, where the attacker can brute force as many guesses as he wants at his leisure. Cracking 10k^3 would be a few days task. Though, in other cases, like a network login, brute force isn't a viable attack since server policy will probably lock out the account after 3 consecutive wrong guesses. So in that case I agree.

I disagree about the difficulty of remembering a few words or characters every 60 days.
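A worked check of the passphrase-versus-password arithmetic argued in MooseUpNorth's post and ThrobblefootSpectre's reply above, as an added example that is not part of the original thread. The attacker models are assumptions chosen to illustrate both posters' scenarios: an offline guesser against an encrypted file at 1e6 guesses per second (a password-stretching KDF assumed), and an online login that locks the account after 3 failures.

```python
import math

# Assumed attacker models (constructed for illustration, not from the thread):
# an offline attacker against an encrypted file guesses at leisure, while an
# online login that locks the account after a few failures allows only those few.
OFFLINE_GUESSES_PER_SEC = 1e6       # assumption: a slow key-derivation function
ONLINE_ATTEMPTS_BEFORE_LOCKOUT = 3  # assumption: lockout policy quoted in the thread


def keyspace_random_password(length, alphabet_size):
    """Possible passwords of `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def keyspace_passphrase(words, vocabulary):
    """Possible passphrases of `words` words (repetition allowed) from a
    `vocabulary`-word list. Per Kerckhoffs's principle the list, the word count
    and the delimiter are assumed known to the attacker, so they add nothing."""
    return vocabulary ** words


def entropy_bits(keyspace):
    """Strength in bits of a secret chosen uniformly from `keyspace` possibilities."""
    return math.log2(keyspace)


def expected_offline_crack_seconds(keyspace, guesses_per_sec=OFFLINE_GUESSES_PER_SEC):
    """Expected time to hit a uniformly random secret: half the keyspace on average."""
    return keyspace / 2 / guesses_per_sec


def online_success_probability(keyspace, attempts=ONLINE_ATTEMPTS_BEFORE_LOCKOUT):
    """Chance an online guesser succeeds before the lockout ends the attempt."""
    return attempts / keyspace


def words_needed(target_bits, vocabulary):
    """Smallest word count whose passphrase entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(vocabulary))


def summary(vocabulary=10_000, words=3):
    """Compare the thread's 3-word passphrase with 8-character random passwords."""
    phrase = keyspace_passphrase(words, vocabulary)
    pw_printable = keyspace_random_password(8, 95)  # all printable ASCII
    pw_alnum = keyspace_random_password(8, 62)      # letters and digits only
    return {
        "passphrase_bits": entropy_bits(phrase),
        "random8_printable_bits": entropy_bits(pw_printable),
        "random8_alnum_bits": entropy_bits(pw_alnum),
        # Offline, against an encrypted file, the 3-word phrase falls in days.
        "passphrase_offline_days": expected_offline_crack_seconds(phrase) / 86400,
        # Online, with lockout, the same phrase is effectively unguessable.
        "passphrase_online_success": online_success_probability(phrase),
        # Words needed to match the 8-char printable-ASCII password offline.
        "words_to_match_random8": words_needed(entropy_bits(pw_printable), vocabulary),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value:.4g}")
```

Each extra word multiplies the keyspace by the vocabulary size, which is the "10,000 times stronger per word" claim; the offline-days figure is what makes the lockout distinction matter.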
 
2011-11-05 11:27:18 AM
ThrobblefootSpectre: I disagree about the difficulty of remembering a few words or characters every 60 days.

It's not all about you.

Different people have different aptitudes and the higher up you go in management, the more "not detail oriented" they tend to get.

Long (greater than 14 char) is much easier than short and complex to remember. Unfortunately, things like PCI Compliance (credit card handling) and other contractual obligations mandate complex passwords and rotation policies without recognizing the pragmatic reality of the diversity in people's memory skills.
 
2011-11-05 11:51:07 AM
lohphat: It's not all about you.

Well darn. Okay I guess I take back the part where I said It's all about me. ;)
 
2011-11-05 12:36:58 PM
betona 2011-11-05 06:29:08 AM

Where was IT and data security?

So somehow the doc was able to download 16,000 records to his personal hard drive which should have been an impossible task. Non-technical people don't understand the implications or the seriousness of data security.


Yeah, I'm not thinking you have ever worked in a hospital.
 
2011-11-05 01:23:14 PM
FormlessOne: FTA: "UCLA's concern for its patients is absolute, and we deeply regret any breach of confidentiality and the stress and concern it might cause our patients," the statement said.

"...except for Michael Jackson, Farrah Fawcett, Britney Spears, and about sixteen thousand other folks."

So, when does the federal government step in and audit the EMR policies of this friggin' hospital?




The medical files of countless celebrities are always stolen at UCLA. Some of this private information even shows up in tabloids. On your first day of employment at the UCLA hospital, you go through very, very thorough training about patient privacy. And you're told constantly throughout your employment that you should NEVER access a patient's file unless you need it to do your job. And you're also told YOU WILL LOSE YOUR JOB. And yet, as soon as someone famous checks into the hospital, there's always a few people who just can't seem to remember.

Oh, and the hospital records the name of everyone who ever accesses a patient's file. Unless you sign into a computer with another employee's log-in information, you will get caught and you will be fired.

source: me, myself, and I. I used to work there.
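The audit-trail angle raised in the post above ("the hospital records the name of everyone who ever accesses a patient's file") and in betona's "should have been an impossible task" comment, as an added example that is not part of the thread and not UCLA's system: two checks a defender can run over an EHR access log, a sliding-window count of distinct patient records per user and a treatment-relationship check. The log lines, user names, patient ids and assignment table are all constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of an EHR audit trail (fictional users and patient ids).
# Format per line: "<ISO timestamp> <user> <patient id> <action>".
SAMPLE_LOG = [
    "2011-11-04T09:02:11 dr_smith P1001 view",
    "2011-11-04T09:05:40 dr_smith P1002 view",
    "2011-11-04T09:07:03 nurse_lee P1002 view",
    "2011-11-04T11:30:00 dr_smith P1003 view",
]
# The bulk-copy scenario from the thread: one account touching hundreds of
# records in minutes. 200 exports one second apart, patients P3000..P3199.
_start = datetime(2011, 11, 4, 22, 10, 0)
SAMPLE_LOG += [
    f"{(_start + timedelta(seconds=i)).isoformat()} dr_jones P{3000 + i} export"
    for i in range(200)
]

# Constructed treatment relationships: which patients each user is assigned to.
ASSIGNMENTS = {
    "dr_smith": {"P1001", "P1002", "P1003"},
    "nurse_lee": {"P1002"},
    "dr_jones": {"P2001"},
}


def parse_records(lines):
    """Parse log lines into (timestamp, user, patient, action) tuples, oldest first."""
    records = []
    for line in lines:
        ts, user, patient, action = line.split()
        records.append((datetime.fromisoformat(ts), user, patient, action))
    return sorted(records)


def detect_bulk_access(records, window=timedelta(hours=1), max_distinct=25):
    """Flag any user who touches more than `max_distinct` different patient
    records inside a sliding `window`. A clinician finishing charts touches a
    handful; a bulk copy touches thousands. Returns (user, time, count) alerts."""
    by_user = defaultdict(list)
    for ts, user, patient, _action in records:
        by_user[user].append((ts, patient))
    alerts = []
    for user, events in by_user.items():
        in_window = Counter()  # patient id -> occurrences inside the window
        start = 0
        for ts, patient in events:
            in_window[patient] += 1
            # Evict events that have fallen out of the window.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_distinct:
                alerts.append((user, ts, len(in_window)))
                break  # one alert per user is enough to open an investigation
    return alerts


def detect_unassigned_access(records, assignments):
    """Return sorted unique (user, patient) pairs where the user has no
    treatment relationship with the patient (HIPAA minimum-necessary check)."""
    flagged = set()
    for _ts, user, patient, _action in records:
        if patient not in assignments.get(user, set()):
            flagged.add((user, patient))
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("bulk access:", detect_bulk_access(recs))
    print("unassigned pairs:", len(detect_unassigned_access(recs, ASSIGNMENTS)))
```

The two checks are complementary: a thief of a single celebrity record never trips the volume threshold but does trip the relationship check, while a bulk export trips both.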
 
2011-11-05 01:31:41 PM
spentmiles: As an employer, it would be nice if there was a searchable database to check if an applicant had any serious medical issues. It is expensive and counter productive to hire chronically sick and chronically pregnant people.


It's also illegal to make a hiring decision based on the family status of a potential employee (e.g., that she's married and of child-bearing years and is therefore likely to get pregnant).
 
2011-11-05 01:47:12 PM
DammitIForgotMyLogin: mgshamster: I'm dubious about blaming the physician. Medical doctors often take their work home and work off hours to help patients by finishing the charts.

He had the password on a piece of farking paper next to the drive, I have absolutely no problem blaming the physician


Agreed. And there's no way this guy had 16,000 patients. He never needed access to the vast majority of those files.
 
2011-11-05 02:30:58 PM
I used to work at UCLA Medical Center (the old one across the street from the new one) in college and most of the security guys then were college students. Who had master keys. To student health records. That included STD testing results.

Let's just say we knew what we were getting into.

/Was before HIPAA
 
Displayed 50 of 59 comments
