Spyware Prank Exposes Hospital Medical Records 319
cheerytt writes "Let this be a lesson to all the broken-hearted geeks out there. A 38-year-old Ohio man is set to plead guilty to federal charges after spyware he meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at a children's hospital. Spyware was sent to the woman's Yahoo e-mail address in the hope it would be used to monitor what his former girlfriend was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department. The spyware sent more than 1,000 screen captures via e-mail, including details of medical procedures, diagnostic notes and other confidential information relating to 62 patients. The man will pay $33,000 to the hospital for damages and faces a maximum sentence of five years in prison."
Re:HIPAA - SHMIPAA (Score:4, Informative)
I wonder how it came to be that one would be permitted to check web-based email in the hospital's pediatric cardiac surgery department?
This incident could very well be the least of their problems for all they know.
The fact that it was able to install and send screenshots willy-nilly to Graham and who-knows-where-else is a HIPAA nightmare.
Indeed, it gives one great pause since that computer *should* have been running anti-virus software to check each download and executable as it was opened, and, presumably, would have caught this installation. Through professional contacts, I'm passingly familiar with the IT environment in a Big University Hospital and the hoops that my colleagues have to jump through to put a PC on the hospital network are near onerous. Those machines are sterile, or as close to sterile as humanly possible.
Given this transgression and their draconian nicotine policy (which surely must be illegal), the moral of the story is clear: do not, under any circumstances, seek treatment at Akron Children's Hospital.
Not a Prank (Score:5, Informative)
The article's title is "Spyware Prank Exposes Hospital Records".
The actions described are not a prank. They are serious, and illegal by many standards. If the accusations are true, the fellow deserves everything thrown at him. The article's title should be changed to reflect the severity. Installing spyware to keep tabs on your ex-GF is not a prank. It's stalking.
Re:Who is really at fault? (Score:3, Informative)
Of course the dude's at fault. But this could easily have been prevented. I could try to fit this into a rape analogy, but that would just be sad.
You can never prove that a rape wouldn't have happened if not for the miniskirt.
The spyware would not have gotten installed if not for her running weird programs on a hospital computer.
On the other hand, she should probably not have been allowed to check her private email on that computer at all.
Re:Hospital management at fault, not employee (Score:5, Informative)
1) How the hell was it possible for a hospital unit to have Windows on any of their computers in the first place? HIPAA [informit.com] compliance has been mandatory for many years now and there has been more than enough time to phase out Windows. Did you read the dozen EULAs for the Windows box and all its software and server hooks? For all service packs and CALs? Thought not. Neither did the hospital management. The woman is not at fault, the hospital management who signed of on the purchase or deployment of the Windows machines is the sole group to blame (excepting the sender of course).
I have an ugly truth for you - almost every hospital in the US uses Windows (95 through XP) for every single workstation. Every single Healthcare IT software vendor develops solely for windows (save a few web-based packages.) It's a very pure MS monoculture. I know, I know, it's sick. I agree completely with the above, but the emperor is threadless here.
Re:Not a Prank (Score:3, Informative)
Since when has committing a crime unintentionally ever been a defense?
Um, always? Most crimes require intent. Some require merely negligence. If you're charged with a crime that requires intent, and intent cannot be proven, then you cannot be sentenced for it.
"Oh officer! I wasn't INTENDING to kill all the cancer stricken orphans when I driving drunk, speeding, and firing my gun wildly! I just intending to disturb the peace!"
1. You're not being charged with anything by a police officer. That's the job of the prosecutor. And you'd be stupid for saying anything like that to the police officer arresting you. Remember the Miranda rights?
2. Killing people is one of the few things that are a crime even if done negligently. However, there's a difference between murder and involuntary manslaughter.
Re:HIPAA - SHMIPAA (Score:3, Informative)
I wonder how it came to be that one would be permitted to check web-based email in the hospital's pediatric cardiac surgery department?
And exactly why wouldn't be allowed? It's not like the computer is sitting in the surgery theater.
It's connected to sensitive hospital records. That's more than enough reason to lock it down and not allow web browsing or the execution of arbitrary programs.
Re:Is this story a hoax? (Score:3, Informative)
Don't you know about limited user rights? That prevents ANY installation of ANY program.
You don't need to install software for it to run and do nasty things.
Re:Who is really at fault? (Score:5, Informative)
I've worked in the IT department of hospitals in the UK, Australia, and the United States. The situation is the same in every one, you described it perfectly. Physicians are gods, and will be allowed to circumvent any IT policies they see fit, even if it exposes the entire hospital to a security risk.
Re:Who is really at fault? (Score:2, Informative)
Right. Ever worked in that environment? Nope? Thought not.. I have.. You're faced with:
[snip incredibly accurate account of working in healthcare IT
Almost creepy to hear you describe the situation. Your experiences so exactly match what I face each day that I had to check the userid to make sure it wasn't me who wrote that comment. I suppose I can take some solace knowing that I'm not alone.
Re:HIPAA - SHMIPAA (Score:5, Informative)
I actually am a physician, and work at a hospital with electronic records. We do not have, nor have I ever worked at a hospital the does have, an independent set of computers with medical records, separate from ones to use for other purposes. The work-flow is just not feasible with such a system, which would require us to look things up on one computer while referencing and typing notes into another one, while dozens of other people walk around the unit trying to do the same thing.
If you really want your mind blown, many electronic medical record systems run through internet browsers, and are not compatible with anything other than IE.
Oh, and I can access it from home with an RSA key if Clean-client thinks my machine looks OK.
Locking down sounds good to some of you, but it would break the workflow in a medical system that is already operating near the breaking point.
Re:The Woman (Score:3, Informative)
You're right. I forgot how brain damaged the Windows security model is...
In Linux, of course, you would need admin privilege to run an executable which is one reason Linux doesn't get viruses. But in Windows, anyone can download and execute anything... dumb.
So I guess I should rephrase that as "So what happened to the IT administrator who installed Windows computers in a situation where patient privacy and security could be compromised?"
What? Any user can set something executable and run it in a Unix system. It'll just run with the privileges of the user, which in this case is more than enough.
Re:The Woman (Score:3, Informative)
Uhh. Mounting things lusers have write access to as noexec deals with that.
Re:The Woman (Score:3, Informative)
Not necessarily. Some system utilities, for example, fsck, can only be run in root. If the user isn't part of the suid users group and started an su session, they can't run it.
Re:Couldn't happen here... (Score:3, Informative)
As a programmer, I run custom executables on systems without obtaining root access all the time. On Unix you can execute anything that has an 'x' flag, they don't need to be installed in special system directories. (other obscure operating systems required that all executables be installed in special privileged directories/volumes)
You can put foo.sh in an email and convince someone to run it fairly easily.