The following tale is fictitious, only in that certain details have been changed to protect the… patients. Several weeks ago, I had a conversation with an employee named Rachel who works for a small healthcare provider called Gotham Aging-Care Clinic (GACC).
This particular clinic specializes in the care and well-being of the City of Gotham’s citizens of advanced age. During the course of our conversation, we discussed several key aspects surrounding HIPAA and data security relating to patient information. Rachel explained that her clinic did not have much of an IT budget and that most of the clinicians were using personal laptops to perform their daily duties. While concerns have been raised with management at this small practice numerous times, those concerns have fallen on deaf ears. The clinicians are essentially responsible for their own machines and the security of those machines. Of those that I’ve personally spoke with, few are familiar with HIPAA requirements on patient privacy and one didn’t know what HIPAA actually was.
While in the office, Rachel connects to an open, unsecured company wireless network to access their hosted EMR system. She also connects her smartphone to this same wireless network to listen to streaming music, update Facebook status, tweet, and perform other non-work related activities during her break or lunch hour. Sometimes during lunch, she will visit a coffee shop that occupies the building next door and work on updating her patient records from her morning rounds, while still connected to the clinic’s wireless network.
Now, there are several red flags in the previous paragraphs, all of which were a part of our discussion. The EMR system is hosted with a known, reputable provider of secure electronic medical records. They enforce frequent password changes, have very granular logging and access controls, and encrypt traffic to and from the system. Unfortunately, that’s the ONLY portion of the patient access that could be considered secure.
The following is a list of the security related items that I noticed during a ten minute inspection of Rachel’s personal laptop:
Rachel’s password to log into her laptop is a single character…the space bar. She says this is secure because, “no one would ever guess that as my password”.
Rachel uses Microsoft Terminal Services to access a remote desktop in her office over the internet on the standard port, unencrypted. Frequently, via unsecured wireless connections remotely. Her password is saved, so she doesn’t have to type it in every time she logs in. While in the office, she has a software client that she runs to access the EMR system while connected to the clinic’s unsecured wireless network. The account she uses to access the EMR system is one of four accounts that are shared amongst 10-12 clinicians (a cost-saving decision related to licensing purchases).
Rachel doesn’t run any form of Endpoint Protection / Anti-virus because it “slows her machine down”.
Rachel has Excel spreadsheets containing patient data stored locally on her laptop so she can update information for patients in areas of their clinic where wireless signal is absent or unreliable. This is standard, and practiced by all clinicians in those wings of the building and was recommended by management due to the fact that “wireless networks are expensive to install and maintain”.
Now, following my inspection of Rachel’s laptop and subsequent discussion of all of these findings (and others that I’ve decided to omit, again, to protect the patients), Rachel dropped the security bomb of all bombs. Her clinic handles the care and wellbeing of senior citizens in Gotham City. Their “hosted” EMR system is actually nothing more than “secure” remote access to the EMR system that resides at Gotham Memorial Hospital (GMH), which is one of the largest healthcare providers in Gotham City. Where GACC has several hundred patients for which they provide services in a given year, GMH services hundreds of thousands of patients throughout the year. Now, GACC does NOT have access to all of their patient data, but an attacker with the proper skill set would have the capabilities to gain this access. An attacker with very little skills could gain access to the hundreds of patients that GACC serves with virtually no effort.
There are multiple lessons to be learned here. So many so, in fact, that I would surely miss one if I tried to hit all of them. My biggest concern here isn’t with GACC and their lack of security policy, although that is a part of it. What concerns me most is that GMH still allows them access to their data, most likely, due to the lack of checks and balances when it comes to the “covered entity” portion of HIPAA. Their system is inherently at risk due to the lack of security of one of their partners. It’s okay though. When a breach occurs, they will have all of the necessary measures in place to be able to pinpoint the source of the breach, tie that to GACC and their lack of security, and wash their hands of any responsibility for the theft of hundreds of thousands of patient records. I know I’ll sleep better at night knowing that the healthcare provider I chose to take care of my family’s healthcare needs isn’t responsible for the identities of my wife and children being stolen. After all, it’s not their fault that GACC checked all of the right boxes on the form. HIPAA doesn’t say they have to validate anything, just that they have to ask the right questions and receive the right answers – so they can still be compliant without being secure.
Between the time of authoring this document and publishing, Rachel resigned from this clinic and has moved on to a larger clinic with a specialization more aligned with her degree. Her laptop was inspected by the GACC system administrator on her last day to ensure that no sensitive data remained on Rachel’s personal laptop. This procedure was performed in less than five minutes. Not only did this system administrator miss several local documents containing patient information, but remote access to the Microsoft Terminal Server and subsequent access to the EMR system is still available. I’m sure access to the EMR system will be terminated when the users are forced to change the passwords on their shared accounts. A report has been filed with the appropriate compliance agencies.