Spyware Prank Exposes Hospital Medical Records
Posted by kdawson
from the epic-keylogger-fail dept.
cheerytt writes "Let this be a lesson to all the broken-hearted geeks out there. A 38-year-old Ohio man is set to plead guilty to federal charges after spyware he meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at a children's hospital. Spyware was sent to the woman's Yahoo e-mail address in the hope it would be used to monitor what his former girlfriend was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department. The spyware sent more than 1,000 screen captures via e-mail, including details of medical procedures, diagnostic notes and other confidential information relating to 62 patients. The man will pay $33,000 to the hospital for damages and faces a maximum sentence of five years in prison."
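The summary describes the exfiltration pattern that makes this kind of spyware detectable from the network side: one workstation sending a steady drip of small, image-bearing messages to a single outside address. The script below is an added illustration, not code from the story, the hospital or any product mentioned in the thread. It reads a constructed, simplified mail-gateway log format (real gateways log differently and the regex would need adapting), and the hostnames, addresses, domain and thresholds are all assumptions made up for the example.

```python
"""
Flag a screenshot-exfiltration pattern in outbound mail gateway logs.

Added example. The log format, hostnames, addresses and thresholds are
CONSTRUCTED for illustration; adapt the parser to a real gateway's format.

Signal: one internal source host sends many image-bearing messages to a
single external recipient within a short window. People rarely do that;
spyware that captures the screen and mails the result does exactly that.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed line shape:
# 2009-09-01 09:00:00 src=<host> from=<addr> to=<addr> attach=<n> img=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) from=(?P<from>\S+) to=(?P<to>\S+) "
    r"attach=(?P<attach>\d+) img=(?P<img>\d+)$"
)

INTERNAL_DOMAIN = "example-hospital.test"  # assumed internal mail domain


def parse_line(line):
    """Parse one constructed log line; return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": d["src"],
        "from": d["from"],
        "to": d["to"],
        "attach": int(d["attach"]),
        "img": int(d["img"]),
    }


def is_external(addr):
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def find_exfil(lines, window=timedelta(minutes=30), min_msgs=20):
    """Return (src, to, count) for every source->external pair that sent at
    least `min_msgs` messages with image attachments inside some `window`."""
    events = defaultdict(list)  # (src, to) -> list of timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["img"] == 0 or not is_external(rec["to"]):
            continue
        events[(rec["src"], rec["to"])].append(rec["ts"])

    alerts = []
    for (src, to), stamps in events.items():
        stamps.sort()
        lo, best = 0, 0
        # Sliding window: widest run of timestamps within `window`.
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_msgs:
            alerts.append((src, to, best))
    return alerts


def sample_log():
    """Constructed sample: one workstation drips 25 screenshot mails to one
    external address in 25 minutes, plus two benign messages."""
    base = datetime(2009, 9, 1, 9, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(minutes=i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts} src=ws-cardiac-07 from=nurse@{INTERNAL_DOMAIN} "
                     f"to=dropbox@mail-example.test attach=1 img=1")
    # Benign: a PDF to an outside colleague (no image), and an internal memo.
    lines.append(f"2009-09-01 09:05:00 src=ws-office-02 from=doc@{INTERNAL_DOMAIN} "
                 f"to=colleague@univ-example.test attach=1 img=0")
    lines.append(f"2009-09-01 09:06:00 src=ws-office-02 from=doc@{INTERNAL_DOMAIN} "
                 f"to=all@{INTERNAL_DOMAIN} attach=1 img=1")
    return lines


if __name__ == "__main__":
    for src, to, n in find_exfil(sample_log()):
        print(f"ALERT {src} -> {to}: {n} image-bearing mails in 30 min")
```

The threshold and window are deliberately coarse; the point is the shape of the check (rate of image-bearing mail per source-host/external-recipient pair), which is cheap to run over gateway logs and does not depend on endpoint anti-malware recognising the particular spyware variant.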
Re:The Woman (Score:5, Interesting)
In a hospital no less.
What happened to the geek who set up the transparent web proxy that allowed that?
Couldn't happen here... (Score:5, Interesting)
Re:Who is really at fault? (Score:3, Interesting)
a) The man for emailing the spyware?
b) The woman for opening it and infecting the computer?
Is this like that question in ethics class where we had to decide who was the most moral, a question seemingly designed to start fights? I'm no good at those - I say the goon at the end, but then people call me horrible.
Explanation in case it's not as universal as I thought....
A woman has to get to her wedding, but the only way is to ride with the boat captain, who will only accept sex for payment. She rides the bumpy boat to the church, makes it there on time. The groom ditches the bride at the altar when he learns what happened so she hires a goon to beat her would-be husband nearly to death, which he does while she laughs.
Who's the most moral? The bride, the groom, the boat captain, or the goon? I always figured the goon was the most moral because he's offering a business service in a free market, and seems to have a willingness to make sure the customer gets his or her money's worth. No one agreed with me.
Re:HIPAA - SHMIPAA (Score:4, Interesting)
Newly hired employees are tested for nicotine as part of a pre-employment panel of medical tests.
That'll be interesting in the future - discrimination on the grounds of disability or medical condition, perhaps?
There's some evidence that nicotine delivered by patch can help with things like Parkinson's, Alzheimer's, depressive conditions, ADD and a whole lot of other things. Various native peoples have ingested tobacco to treat constipation and worm infestations, and I see no reason why people using it exclusively as a herbal remedy for these or other conditions should be penalised. I'm a non-smoker and won't take it up - I think it's disgusting - but if nicotine patches were safe and effective and cheap when compared with other medication I'd use them and take my prospective employers to court if need be. I'd also be the guy passing around the poppyseed bagels, fwiw...
Re:Not a Prank (Score:3, Interesting)
To me it looks like one more example of the justice system malfunctioning. It is not a great malfunction but it shows that punishment and the crime are matched not by the facts but by the random acts of government officials. Was it not something that the American Constitution tried to prevent?
Re:Who is really at fault? (Score:5, Interesting)
Right. Ever worked in that environment? Nope? Thought not. I have.
You're faced with:
Consultant (medical doctor) says "I need to access the net to be able to read research papers, proposals, and various ad hoc sites that contain research on the subjects that I deal with, along with external mail that I use because I move from hospital to hospital quite regularly.".
IT says: "You can't access the net from that machine".
Consultant goes to see hospital directors, stamps feet, and IT gets overridden.
Bear in mind there are several thousand PCs on a lot of hospital sites, with maybe 3 technicians to go fix and maybe one or 2 sysadmins. Hospital HR frequently sees IT as just waving a magic wand and things happen miraculously, so it's a "good way to save costs".
If you tie machine names down that can't access the net, I can guarantee a consultant will find a way to get a machine in the area that does, even if it's moving someone else's there.
As for breaking terms and conditions of use: who do you think will win that pissing competition? Someone in the beleaguered and underfunded/under-resourced IT department who is overlooked and overworked, or the consultant with the handshakes and the ear of the board of directors?
Coupled with the fact that not all antivirus and anti-malware will spot every variant. It'll get 90+ percent, but you always hear about the ones that get through.
I'm surprised an executable got through the proxy filtering there, but hey. Without knowing all the ins and outs of this in detail, I'm going to reserve judgement.
The real world can be a messy morass of politics. Working in a hospital, or academia, really has that in excess. Try working in one if you think it's easy. I'd be interested in hearing your opinion after doing it for a while.
Re:odd (Score:2, Interesting)
And yet the hospital is being compensated for damages and not the patients.
Does this remind anyone of the RIAA?
Is this story a hoax? (Score:5, Interesting)
What????
Don't you know about limited user rights? That prevents ANY installation of ANY program.
If someone accidentally kills someone else while driving a car, he or she will get less time for manslaughter than this man is supposedly getting for sending an email to a PRIVATE address.
Is this story a hoax? There is only one other report, and that report is identical: Misdirected Spyware Infects Ohio Hospital [pcworld.com]. Both apparently came from the IDG News Service. This is the last sentence of both stories: "A spokeswoman with the Akron Children's Hospital was unaware of the case and unable to comment." She was unaware of a case that is 18 months old?
Re:Who is really at fault? (Score:2, Interesting)
You know what. IT support are janitors. Much in the same way that the janitors can't tell Doctors/executives "you can't do that for the good of the hospital/company", IT support can't do that either.
So the chances of locking down a network that people work on are essentially zero. And much like janitors, when users make a mess of things it is IT support's job to clean it up.
Re:Hospital management at fault, not employee (Score:3, Interesting)
1) How the hell was it possible for a hospital unit to have Windows on any of their computers in the first place? HIPAA compliance has been mandatory for many years now and there has been more than enough time to phase out Windows.
Which part of HIPAA do you think precludes using Windows?
Re:Not a Prank (Score:3, Interesting)
Nobody has gotten killed here - your analogies are completely baseless. What's more, information wasn't actually stolen here. Yes, the records were transmitted, and this guy probably glanced over things he shouldn't have been allowed to see. But as far as I understand, he didn't try to distribute this info further, or use it in any way. Most likely he didn't even read the records. So practically, there's no consequential harm with respect to the medical records here.
I agree what he did (spying on his ex) is illegal, but if his actions did not end up accidentally exposing glaring security problems with the hospital IT, you and the rest of the "think of the children" crowd wouldn't be calling for a public lynching here. 5 years in jail for spying on your gf's e-mail? That seems a bit extreme to me.
Re:HIPAA - SHMIPAA (Score:1, Interesting)
Also, if you believe the anti-smoking propaganda (disclaimer, I call all things propaganda), it's not the nicotine that is the main issue, but all the other crap that Big Tobacco puts into their death sticks. That, coupled with the information from your post, makes testing simply for nicotine bunk.
Re:Not a Prank (Score:3, Interesting)
Five years? That's the sort of sentence we hand out for burglary or aggravated assault. This is not a man who is a danger to society.
First sentence, I agree. And the amount of jail time is the only thing left actually to question, and I will not be presumptuous enough to correct it.
Actually most of your post I agree with...
Second sentence, however, no, he clearly IS a danger to society. Not for anything computer related of course. But he is stalking his ex-girlfriend. He most certainly needs to be punished accordingly.
Any person that is not capable of controlling their actions based on their emotions is unpredictable and dangerous. On top of that, and the key point, he has proven he will act out on those emotions, putting aside all rational thought. THAT is why he is a danger to society (or at least the small portion of society that he has ever dated or talked sweetly to him.)
Now, I too agree that it would be much much better in our society to offer help for people with emotional problems, instead of putting them in a situation guaranteed to cause more of them and produce a better criminal from it.
That just is never going to happen. The humans doing the punishing are equally as irrational as those being punished, and so revenge will always be the primary concern for those people.
It's not right, it's just a sad truth.
Re:The Woman (Score:5, Interesting)
Also the admin needs to get fired too, he is not doing his job!
So many attempts to blame the admin, without knowing the circumstances. In the real world, security costs money. Money is limited. Security "interferes" with work. Interfering with work too much won't be tolerated by the higher-ups. I've seen it multiple times. If security interferes with some new whiz-bang software that management wants, then the security goes. An admin that refuses gets fired. For those that don't work in IT, you'd be surprised how many security decisions are made by people not qualified to make such decisions.
Let me give you two real-life examples. I worked as the IT head at a medical clinic. Some medical billing software was leased with my knowledge and it came with its own AIX server. The root password was blank and it had to be connected to the rest of the LAN. I was not allowed to touch the machine by my boss's boss. Later on, she had the bright idea of allowing remote access. I objected in writing, backed by my boss. Objection overruled. Within a week, the server was rooted. It took the company who owned the server 3 months to figure out it wasn't a hardware issue, despite my warnings on the first day of trouble.
Second, more recent example, from just two weeks ago. I was ordered to connect an XP SP2 machine (not under my control) directly to the Internet AND the internal LAN. I was not allowed to filter any traffic (I tried and was ordered to stop) or purchase/install any additional hardware (no approval), including wiring. It's a VOIP server and the company higher-ups want to be able to have a company phone anywhere. A port scan shows Windows Firewall is disabled, and I have no idea if there is at least any AV software (not allowed to touch it). Remember, I'm under orders to give it unfettered Internet and LAN access, at the same time. Secure? No. But I'm under direct orders to do it this way. At this point, the best I can think to do is put my objections in writing so I have a CYA paper trail (already done).
Re:HIPAA - SHMIPAA (Score:2, Interesting)
Re:Not a Prank (Score:3, Interesting)
Sometimes, but more importantly it is pretty much always a mitigating factor. Your hypothetical person would be charged with reckless homicide, not capital murder (DUI = felony, murder = felony, having a gun during commission of a felony = felony). It sounds like he killed enough people in the anecdote for the differences to be semantic, but it's not nonexistent.
Intent does matter.
While intent does matter, intent can be transferable. For example, if, intending to kill someone, you shoot at them, miss, and somehow kill forty innocent bystanders instead, your intent will suffice for forty counts of first degree murder.
Here, the guy intended to stalk and illegally access information from his g/f's home computer. He missed the mark and instead hit a hospital. That he intended specifically to stalk his girlfriend doesn't absolve him of the end result of his actions.
Re:The Woman (Score:3, Interesting)
It's the Golden Rule. "He who has the gold makes the rules." I've had gigs where I stood up to management ("Look, giving everybody admin access on the main database server is a Bad Idea, and here's why...") and lost the contract. Why some PHB on the board of directors needs admin access to servers is beyond me; must be a control freak issue.