
Web-based Medical Records made Available to Public

Nov 10, 2008. Implementation.

Mary Washington Hospital in Fredericksburg, Virginia has a convenient online registration system for expectant mothers. Unfortunately, a security glitch on the site exposed the private medical information of 803 patients. The records contained social security numbers, phone numbers, and birth dates.

The breach was discovered when “Mike,” the husband of an expectant mother, experienced some problems with the hospital’s website. Mike discovered the records by deleting part of the long URL in his browser window while attempting to fix a “certificate revoked” error message that was hampering his registration.

Mike viewed a couple of records and notified the record holders that their information was available on the web. One of them contacted a local sheriff, who reported the problem to the hospital. A hospital spokeswoman described the breach as a “one-time incident,” and reported that Mike was the only person to see the records.

This incident points out the risks associated with web-based systems. Although convenient, they can be turned into a serious vulnerability by a simple administrative error. Mary Washington’s system had at least two serious vulnerabilities. The first problem was a revoked SSL certificate. The certificate lets a visitor’s browser verify the site’s identity and encrypts the session to protect data in transit; once it is revoked, browsers warn that neither guarantee holds.

The second problem involved file and directory permissions. In this case, an administrator allowed “directory browsing,” which means anyone can view the contents of a website directory, even though that information is never displayed on a web page. Mike unwittingly stumbled onto a well-known hacking procedure. By deleting parts of the website’s URL, he was able to direct his web browser to view the directory containing patient records. If the website had been configured properly, he should have received a “Forbidden” error, stating that he does not have permission to access the directory.
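The following is an added example, not code from the original post or from the hospital’s system. It reproduces the misconfiguration described above on a throwaway local web server: Python’s `http.server` generates an index page for any directory without an `index.html`, which is exactly “directory browsing.” The hardened handler returns `403 Forbidden` for directory requests instead, the response Mike should have seen. The `records/` directory and the `patient-0001.txt` file are constructed for the demo and hold no real data.

```python
"""Directory browsing on versus off, simulated with Python's http.server.

Added example (not part of the original article). The 'records' folder and
its file are constructed sample data.
"""
import http.client
import os
import tempfile
import threading
from http.server import HTTPServer, SimpleHTTPRequestHandler


class ListingHandler(SimpleHTTPRequestHandler):
    """Misconfigured case: SimpleHTTPRequestHandler builds an HTML index
    for any directory lacking index.html, i.e. directory browsing is on."""

    def log_message(self, *args):
        pass  # keep the demo quiet


class NoListingHandler(ListingHandler):
    """Hardened case: refuse to enumerate directories. Equivalent in spirit
    to Apache 'Options -Indexes' or nginx 'autoindex off'."""

    def list_directory(self, path):
        self.send_error(403, "Forbidden")
        return None  # send_head() treats None as 'nothing more to send'


def serve(handler_cls, directory):
    """Start a server on an ephemeral localhost port; return (server, port)."""

    def factory(*args, **kwargs):
        return handler_cls(*args, directory=directory, **kwargs)

    srv = HTTPServer(("127.0.0.1", 0), factory)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(port, path):
    """GET a path from the local server; return (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, body


def demo():
    """Show what a client sees for '/records/' with listing on and off.

    Returns a dict keyed by 'listing_on' / 'listing_off' with the status of
    the directory request, whether the response leaked a file name, and the
    status of fetching that file directly by name.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "records"))
        sample = os.path.join(root, "records", "patient-0001.txt")
        with open(sample, "w") as f:
            f.write("constructed sample record, no real data\n")

        for name, cls in (("listing_on", ListingHandler),
                          ("listing_off", NoListingHandler)):
            srv, port = serve(cls, root)
            try:
                status, body = fetch(port, "/records/")
                results[name] = {
                    "status": status,
                    "exposes_filenames": "patient-0001.txt" in body,
                    # A file whose name is already known is still served:
                    # disabling the index hides names, it does not protect data.
                    "file_status": fetch(port, "/records/patient-0001.txt")[0],
                }
            finally:
                srv.shutdown()
                srv.server_close()
    return results


if __name__ == "__main__":
    for case, seen in demo().items():
        print(case, seen)
```

Running the script shows the listing-enabled server answering `200` with the file name in the body, while the hardened server answers `403`. Note the third field: both servers still return `200` for `/records/patient-0001.txt`. Turning off directory indexes only stops enumeration; records that are not meant to be public belong outside the document root, behind the application’s authentication, not in a web-served folder that merely lacks an index page.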

Although web-based information systems can be useful, organizations run a significant risk if they deploy mismanaged systems. The devil is in the details, and more complex systems run a greater risk of configuration errors. System administrators should be proactive, and test their systems for any vulnerabilities that could expose protected information.

Ryan Ricks
Security Officer
www.xlemr.com

3 Comments

  1. Politico - Jan 16, 2009

    Nice article Ryan.

    Does the $50 Billion that is earmarked by Obama for Health Information technology include any features that are designed to improve security?

    There have been a number of recent surveys of the public regarding EHR technology, and in many of them the overwhelming concern of the public is the security of their information.

    When one realizes that companies such as Google and Microsoft, each of which is vying to maintain patients’ medical records online, are not covered by HIPAA restrictions, the issue of security is even more critical to consider!

    One would hope that there will be significant attention paid to the security issue, particularly as records become more interoperable; the risks associated with a breach of security increase geometrically.

  2. Ryan - Jan 16, 2009

    I have not seen any specific mention of health IT security from Obama’s official websites.

  3. Politico - Jan 20, 2009

    Ah yes – here it is:

    “Barack Obama and Joe Biden will ensure that patients’ privacy is protected.”

    As seen on page 2 of a 9 page pdf, located here: http://www.barackobama.com/pdf/issues/HealthCareFullPlan.pdf

    I don’t think that the above sentence provides much information regarding HOW they plan on doing this. However, at least they are aware of the issue, and that is clearly a start!
