22,000 pateints’ personal records including names, Social Security Numbers (SSN), and dates of birth were exposed at Massachusetts General Hospital (HIPAA Journal, 2016). In addition some appointment details were also exposed. The incident came to the attention of the hospital in February 2016. However, patients were notified of the breach in May 2016.
Such incidents appear to be occurring a little too often. Identity Theft Resource Center (2016) lists 572 such incidents for the calendar year 2016 as of August 6. Houston (2000) addressed the privacy issues dealing with storing and transmitting medical records over fifteen years back nor was the author the first one to do so going by the list of references cited. In this report we consider what took place and how the breach occurred. The technical fix will be obvious. The difficult part would be to convince people of the importance of the issue. We conclude by suggesting that software developers take security more seriously.
Patterson Dental Supply Inc., (PSDI) develops Eaglesoft a software for managing dental patient records. Massachusetts General Hospital contracted PSDI to host the data relating to their dental patients which PSDI did using Eaglesoft ( (HIPAA Journal, 2016) Sometime in February 2016, Justin Schafer logged on to one of PSDI’s anonymous FTP server and could potentially download 22,000 patient records (Goodin, 2016). Neither Schafer nor PSDI claim that the data was actually downloaded. (No harm done; let’s go home… Not so fast.)
What are the issues involved
There are two issues here. Why is the data important? One of the most common identification information in the US is the SSN. In fact the last four digits of the SSN is requested almost everywhere your identity needs to be confirmed. From the name it is possible to get the address in most cases. Armed with is information and a little social engineering it is possible to masquerade as somebody else on the social media. For example, Honan (2012) was locked out of his Twitter and Apple accounts using much less information. The attacker caused a lot of inconvenience because Honan now had to identify himself even more rigorously to get back his Apple account. The author had to register for a new Twitter account. Identity theft of this kind can lead to financial loss as well.
The next question is: Did PSDI do enough to secure the data? Consider its track record. In addition to this incident Schafer had reported earlier that PSDI had been using ‘dba/sql’ as user-name/password for “years and years and years” (HIPAA Journal para. 9). In this case the company attempted to ‘shoot the messenger’, by getting the Federal Bureau of Intelligence to treat Schafer like a dangerous criminal (Goodin, 2016). They seem to be practising security through obscurity.
How could the breach have been prevented
No damage was known to have been done because the breach was exposed by a security researcher. That merely means that any previous breaches if any went undetected. Houston (2001, p. 91) quoting Simpson (1996) claims that the majority of such breaches stem from internal sources. It is thus highly likely that people within the company knew of these anonymous FTP sites. The patients can only hope that internal sources were all honest and ethical. That companies are still using unsecure FTP use is cause for concern.
Technical measures to reduce such incidents.
Access to Personal Health Information must be controlled. Some of the common access control methods are authentication, audit logging, limited access privilege and firewalls (Pfeeger C., Pfeeger S. and Marguiles pp. 72-75). The need for authentication is obvious. Consider logging. Obviously logging every operation will not be practical as the log files will be so big that important details might get overlooked. The user name and the IP address of the machine used to connect to the information server are the minimum requirements. Intelligent firewalls can help. The IP address can be used to check if a third party is masquerading as a legitimate user because legitimate users usually login from the same IP address or a small set of IP addresses. Limited access privilege essentially means that specific users have access to specific sections of the data and the operations that can be performed. (Pfeeger et al. p. 75) For example, a receptionist booking appointments has no need to access diagnostic information.
Data breaches are becoming so common that unless millions of people are involved it is not taken seriously. Citizens must take more interest in the issue. As Houston (2001, p. 93) in his five point plan suggests, security must designed into the system. While modern programing languages and practices have taken care of insecure programming practices to a large extent, software engineers and system architects must be aware of the trade-offs between security and usability.
- Goodin, D. (2016, 5 28). Armed FBI agents raid home of researcher who found unsecured patient data. Retrieved from arstechnica.com
- HIPAA Journal. (2016, 6 30). Massachusetts General Hospital Reports PHI Incident. Retrieved from hipaajournal
- Honan, M. (2012, 8 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved from www.wired.com
- Houston, T. (2000). Security Issues for Impementation of E-Medical Records. Communications of the ACM, 89-94.
- Identity Theft Resource Center. (2016, 8 2). Retrieved from www.idtheftcenter.org
- Pfleeger, C., Pfleeger, S., & Marguiles, J. (2015). Security in Computing. Upper Saddle River: Prentice Hall.
- Simpson, R. (1996, December). Security threats are an inside job. Nursing Management, 27(12), 43.