Ramblings of an old Doc

 

They’ve done it again. This time from Community Health Systems, Inc. What was stolen? Personal data, including Social Security numbers, along with other personal details such as weight and height. Health records are supposed to be safe. This appears to be the work of the same group which has stolen info from several major industries. The FBI is said to be investigating.

So how could this affect you? Well, the loss of the Social Security number isn’t good. However, from the Healthcare industry’s point of view, the major impact might well be stolen medical identity.

How would that work? According to one CIO, say an uninsured person needs a procedure – say, open heart surgery. He/she would buy the data of a person he/she resembles physically (6’2”, brown eyes, gray hair) and that person’s policy number, etc. Then he would sign into the hospital using that person’s data and get the procedure done.

The real ‘John/Jane Doe’ would end up with the bills. Of course, the ‘real’ person would find it easy to prove he/she didn’t have the procedure (for many procedures, though not all). Also, Community Health Systems, Inc. is insured against such losses…so, your health insurance will increase in cost.

So, this is just another of those great news items which sweeten our lives daily.

Source:

http://www.dailymail.co.uk/news/article-2728347/Personal-data-belonging-4-5MILLION-Americans-stolen-cyber-attack-Chinese.html


Comments (Page 1)
on Aug 19, 2014

I really think cyber warfare will be the tune for the future. Most people don't understand the risks and don't understand what can be done. Stuck with the idea that a "hacker" is some pimple-faced teenager, in reality it's state-funded offices filled with pros. This story is just one piece of the puzzle, every government wants a piece of the pie now that the lid has come off. 

on Aug 19, 2014

If they stole my records the Chinese would have a whip-round for me

on Aug 19, 2014

I used to work for Community. Let me assure you, at minimum.. 30% of physicians will share their passwords with staff, spouses, etc., install random software on their PCs, visit malicious websites, etc. Do you think they are held accountable? NO. Do you think they actually care about what they are doing or the necessity of adhering to policy? HELL NO.

Their overall IT infrastructure is a joke at best.

Community is EXTREMELY dishonest. They recently settled with the federal government (out of court) on a charge of unnecessarily admitting patients that were on Medicare/Medicaid (so they could get more $$$ from insurance) for a mere $98 million. Trust me, that is chump change to these guys. They admitted to no wrongdoing.

I can tell you first hand that I've had physicians tell me that they were instructed by community to perform unnecessary admissions for this reason.

 

So in essence.. don't believe the media story on this 100%. 

on Aug 20, 2014

In reply to Phoon (seems I still can't quote... lol),

As an IT tech for a paper company... your first paragraph is spot on for here, too.  We try telling people all the time, don't share or write down your passwords.  They still do.  We tell them, don't install anything without clearing it with us first.  Yet every time I have to go work on someone's system for a virus, I find all kinds of other things installed on there... some (of the laptop users) even joke/admit to their kids using/playing games on em.  WTF?

on Aug 20, 2014

That means that the hacking was ok? The fact that the IT structure is poor? That's IT's fault for not exposing the company's defects to the FBI, etc....as for fraud? That should be dealt with using the DoJ...and has nothing to do with the hacking.

If the computers were run the way IT knows how, the hacking would have been VERY difficult, but still not impossible.

on Aug 20, 2014

DrJBHL

That means that the hacking was ok? The fact that the IT structure is poor? That's IT's fault for not exposing the company's defects to the FBI, etc....as for fraud? That should be dealt with using the DoJ...and has nothing to do with the hacking.

If the computers were run the way IT knows how, the hacking would have been VERY difficult, but still not impossible.

 

Agreed.

 

Not having proper IT structure in place is no real excuse.  However, I suppose once enough of these types of stories break (who knows when enough is truly enough) management might make use of the controls IT already has at their disposal.  In the modern IT world there is no reason for a user to be allowed the privilege elevation necessary to install anything.  If the internal systems (database servers, edge communication servers etc. etc.) are secured properly and good use is made of things like group policy and network access quarantine there is no reason why a simple user sharing their password around (or leaving it lying around) should cause catastrophe.  When breaches like this happen, it is almost without exception the fault of poor planning/structure on the part of IT to blame.  Of course getting management to allow for the planning/structure necessary to secure things as best as possible is not always easy or even possible and a discussion for another time.

on Aug 20, 2014

Let me jump back in and say, it's not IT's fault (at least, when it comes to my company).  Some of the users I talk about for around here... are VPs... even our own CEO is that way.  Essentially, we got no teeth.

 

<- See?  No teethies.

on Aug 20, 2014

furyofthestars

Let me jump back in and say, it's not IT's fault (at least, when it comes to my company).  Some of the users I talk about for around here... are VPs... even our own CEO is that way.  Essentially, we got no teeth.

 

<- See?  No teethies.

 

Believe me I understand. 

Management are often the biggest culprits in circumventing their own security measures.  In my experience there has never been a case where an executive needed elevated privileges on their account to 'do their job'.  Do they sometimes 'want' those privileges?  Sure.  If so, I always ask the executive exactly how important the security of their system (ie. explain potential breach scenarios etc.) is to them.  Without fail they always say 'very important' and should be number one in their IT policy.  Then I tell them 'If that's true let's do things my way, when you find you can't do something come to me and if necessary and/or possible I will find a way to make it happen that won't compromise the first point of your IT policy which we just agreed on right'?  Sometimes they grumble, but in the end (as long as you show you are working with them to get them what they want while not allowing them to undermine themselves) I find they let you lead.  Sometimes a painful and lengthy process, but the results will speak for themselves.

Then again, maybe the management I've dealt with to date have been more understanding of their job description.......

on Aug 20, 2014

the_Monk

In the modern IT world there is no reason for a user to be allowed the privilege elevation necessary to install anything.  If the internal systems (database servers, edge communication servers etc. etc.) are secured properly and good use is made of things like group policy and network access quarantine there is no reason why a simple user sharing their password around (or leaving it lying around) should cause catastrophe.  When breaches like this happen, it is almost without exception the fault of poor planning/structure on the part of IT to blame.  Of course getting management to allow for the planning/structure necessary to secure things as best as possible is not always easy or even possible and a discussion for another time.

the_Monk

Management are often the biggest culprits in circumventing their own security measures.

Absolutely. 100% correct.

on Aug 20, 2014

lol... yeah, I think yours is more understanding.  Ours... well, as an example (and maybe it's coincidence), we've been through a few VPs because they didn't think our CEO's idea was the best....

 

But it's funny you mention "elevated privileges".  We have to set up all of our users as local Administrators on their PCs.  Why?  Because we have some in house software that requires access to the registry.  Our Apps team claims that "there is no other way".  Course, until we got off from XP, Outlook wouldn't work, either, if the user wasn't local Admin.  *sigh*
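The two problems raised in this exchange, users sitting in the local Administrators group and an in-house app that "needs the registry", both have a narrower fix than blanket local-admin rights. The following PowerShell is an added example written for this thread, not code from any of the commenters or from Community Health Systems: it audits the local Administrators group against an allow-list and then grants a specific group write access to only the registry key the app uses. The group names and the registry path are hypothetical placeholders; substitute your own.

```powershell
# Added example (not from the thread). Two defender-side steps:
#   1. audit who is in the workstation's local Administrators group against an allow-list;
#   2. give an in-house app's users write access to only the registry key it needs,
#      instead of making every user a local Administrator.
# Run elevated on the workstation. Requires the Microsoft.PowerShell.LocalAccounts
# cmdlets (Windows 10 / Server 2016 and later, PowerShell 5.1+).
# Group names and the registry path below are hypothetical placeholders.

# --- 1. Audit local Administrators membership -------------------------------
# Principals that are expected to be local admins; anything else is reported.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CORP\Workstation Admins'          # hypothetical AD group used by the IT team
)

$members    = Get-LocalGroupMember -Group 'Administrators'
$unexpected = $members | Where-Object { $ApprovedAdmins -notcontains $_.Name }

if ($unexpected) {
    Write-Warning "Unexpected members of local Administrators on $($env:COMPUTERNAME):"
    $unexpected | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
} else {
    Write-Host "Local Administrators membership matches the allow-list."
}

# --- 2. Scope registry access to the key the in-house app actually writes ---
$KeyPath  = 'HKLM:\SOFTWARE\ExampleVendor\InHouseApp'   # hypothetical key the app writes to
$AppUsers = 'CORP\InHouseApp-Users'                     # hypothetical group of the app's users

# Create the key once if the installer did not (so the ACL has something to attach to).
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

$acl = Get-Acl -Path $KeyPath
# ReadKey + WriteKey lets members read and set values under this key and its
# subkeys (ContainerInherit); it grants nothing elsewhere in HKLM.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $AppUsers,
    [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.SetAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Show the resulting entry so the change can be verified and recorded.
(Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.IdentityReference -eq $AppUsers } |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

The audit half only reports; once an unexpected account is confirmed, Remove-LocalGroupMember takes it out of the group, and in a domain the membership is normally enforced centrally through Group Policy rather than per machine. The registry half is the usual answer to "the app needs the registry": find the key (Process Monitor or the vendor's documentation), grant the app's users rights on that key alone, and the justification for local Administrator disappears.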

on Aug 20, 2014

DrJBHL

That means that the hacking was ok?

Of course not Seth, and I didn't say anything of the kind.

I'm pointing out that until end users (Physicians) are knocked off their pedestals and held accountable for their negligence then these things will happen. 

Until upper management is knocked off their pedestals and held accountable for their actions, then these things will happen.

I also pointed out that indeed, upper management has not demonstrated accountability for what I KNOW are illegal actions. They settled with DOJ, out of court and publicly announced that they did nothing wrong. They just broke out their wallets and made it go away...

on Aug 20, 2014

the_Monk

there is no reason why a simple user sharing their password around (or leaving it lying around) should cause catastrophe. 

I disagree. These passwords allow access to patient information, VPN access, and various other things.

If they are shared, then such information is/can be compromised very easily.

Another good example of this is the fact that external email services ( hotmail, gmail.. etc ) are allowed for physicians. I'm not comfortable with my patient info being sent out from those services. It also takes the accountability out of the picture because IT security really has no audit trail once it leaves the corporate network. 

Had these emails been confined to the corporate exchange system only, then accountability/audit trail mechanisms are in place to a higher degree.

on Aug 20, 2014

Pedestals? Maybe they just know Medicine better than IT/computer security?

Why go reaching for insulting aspersions? Why not just try establishing sensible rules and explaining them?

I wonder if that approach was ever tried. Also, you neglected to mention Nurses, Nursing Ass'ts., Medical Ass'ts. PAs, NPs, etc. 

Anyone with 10 fingers or prostheses is an equal possible guilt sharer.

on Aug 20, 2014

Ya take care not to have your stuff compromised and then they hack the hospital you was in.  Great

on Aug 20, 2014

DrJBHL

Pedestals? Maybe they just know Medicine better than IT/computer security?

Let me clear up a misconception... 

In my first comment I stated "at minimum.. 30%" of the physicians I knew. That means that 70% of them were stand up, great people that honestly cared.

Now... I don't give a rats ass if they know medicine better than IT. Of course they should!! 

HOWEVER.. they think the rules don't apply to them because of their positions. It doesn't matter HOW you explain it to them. They are arrogant and extremely elitist and think they are entitled to have the world bow down before them. They simply do not care about following security policy and they get away with it!
They are more concerned with the quantity of patients they see instead of the quality of care they give. ( and quite a bit of that is due to corporate management pressure to achieve the almighty $$ ). 

 

This story reeks of false and misleading information. The big giant is crying and playing the victim when in fact their holier than thou attitudes and actions were mostly to blame, and I sincerely hope that they are held accountable for their negligent behavior this time.

 

DrJBHL

Also, you neglected to mention Nurses, Nursing Ass'ts., Medical Ass'ts. PAs, NPs, etc
The attitudes and actions of these people were saintly compared to the above mentioned 30%.
