Hotline for UCSD patients swamped

Monday, July 20, 2009 9:45
Hacker causes ID theft concern
By David Hasemyer
UNION-TRIBUNE STAFF WRITER

2:00 a.m. July 17, 2009

LA JOLLA — The hotline established by UCSD’s Moores Cancer Center after a hacker breached the center’s computers and gained access to patients’ personal information has been swamped with hundreds of calls from worried patients. [Donald]: I just can’t imagine why the phone lines are swamped! Can you?

Their primary concern has been whether their Social Security numbers were among the information stolen by whoever obtained the electronic files of 30,000 patients, according to DeAnn Marshall, UCSD Health Sciences chief of marketing and communications officer. [Donald]: The primary concern is the Social Security numbers? Whoa, what about the patients’ private information on their health condition? Wouldn’t that be a big concern as well? Can you say health insurance fraud?

She said hospital officials have determined that just 36 of the files contained Social Security numbers. [Donald]:  Now if you expect us to believe that out of 30,000 + records that only 36 of them had SSN’s in the records, then I have some land in Tonawanda, NY that I can sell you very cheap…

A letter was sent to all of the patients earlier this month telling them that the center’s computer network was “illegally accessed” twice by overseas hackers and that some personal information may have been stolen. [Donald]: Okay, this is a good one… letters were sent to all patients earlier this month, but only 36 records were identified with SSNs, please explain?

The Internet assault on the hospital’s computer records has sparked an investigation to determine the identity of the hackers and prompted hospital officials to begin a review of security measures to find any weakness and, if necessary, take additional precautions, Marshall said. [Donald]:  Now that is a great idea, isn’t it?  Why haven’t they been doing this all along?  The law requires hospital organizations to maintain an active Information Security program.

The computer servers affected contained information such as patients’ names, dates of birth, medical record numbers, diagnoses and treatment dates back to 2004, Marshall said. So far, she said, there has been nothing to indicate the information has been viewed or used. [Donald]: Oh isn’t this great…. 5 years of data stored on servers…nice…NOT! So has this data been backed up? Are there data owners to this information? Seems to me that there are a lot of unanswered questions. One in particular would be “what were the indicators used to make the determination that the data wasn’t used or viewed.”

The July 9 advisory letter was sent as a precaution to inform patients that the computers had been compromised on June 26. Since the letter went out, the hotline has received 758 calls from people mostly concerned with identity theft, Marshall said. [Donald]:  Precaution that the computers had been compromised?  An advisory letter with instruction?  Did it explain how it happened? Who is responsible? blah blah….

Patients are being told to contact one of the three national credit bureaus to place a fraud alert on their credit file and obtain a copy of their personal credit report to make sure nothing is amiss, Marshall said. [Donald]:  Is this being paid by UCSD?

So far, the breach has not echoed beyond San Diego. Although hospital association leaders say such leaks are not widespread, it still acts as a reminder that hospitals and other medical facilities must remain vigilant. [Donald]: The breach is all over the internet so I am not sure what this paragraph means

“If a breach occurs it is a good opportunity for hospitals to examine and revise their security procedures,” said Elizabeth Lietz, a spokeswoman for the American Hospital Association. [Donald]: Isn’t it a good idea to revise the security procedures before a breach occurs?

She said hospitals and health systems take seriously their responsibility to protect the privacy and confidentiality of their patients’ information. [Donald]: How could UCSD have taken it seriously?  30,000 records have been compromised.  Who is responsible for security at this location?  Researching the organizational structure of UCSD it looks like another scenario where IT is in charge of Security and should not be.  Does Information Security report to IT?  Has Information Security brought these weaknesses to the attention of Senior Management and been turned away?  It seems to me that there are still lots more questions that are unanswered.

Jan Emerson, a spokeswoman for the California Hospital Association, said it’s difficult to assess what allowed the hacker into the UCSD system, and consequently there is little alarm to be raised for other hospitals.  [Donald]: It is not difficult to assess the hack if the proper alignment of security in an organization is in place.  Too many times Information Security is totally ignored when it deals with Technology.

“Every hospital is different,” she said. “They employ their own security.”  [Donald]:  Every hospital might be different, but Information Security is the same at every organization.  It just needs the proper level of authority and the funding that is commensurate with the data that is to be protected.  This is not Rocket Science…. it is Data Protection

Medical facilities report fewer hacking attempts than other institutions, such as banks and financial institutions, according to Murray Jennex, an associate professor in San Diego State University’s Information Decisions Systems Department. [Donald]: This is absolutely a false statement. Professor Jennex should research this in more detail.

That’s because most hackers are looking for information that can be used for financial gain. [Donald]: So what Professor Jennex is stating is that a hacker cannot financially gain anything from having medical information of patients? What about insurance fraud, high profile patients whose medical conditions need to be kept as private as possible or for that matter any patient’s medical conditions should be private. This is the normal response from those that don’t understand about confidentiality or integrity of data but only the availability of the data. Again, Information Security is not a Technology issue. It is an Information Security issue.

“Medical records have no real value other than the very specific medical information,” Jennex said. [Donald]:  Again, I must reiterate that Professor Jennex needs to research the value of private health information.  For him to state this in a public forum is absolutely ludicrous.
