Hey, there! Log in / Register
Doctor forced to unencrypt laptop with patient info in armed robbery
By adamg on Tue, 11/18/2014 - 12:29pm
Brigham and Women's Hospital is notifying 999 neurology and neurosurgery patients that their medical information may have been on a laptop and cell phone stolen from a doctor in an armed robbery on Sept. 24.
Although the devices were encrypted, the assailants forced the victim to disclose the pass codes during the robbery. The data contained on the devices included information of 999 patients who received treatment at BWH’s Neurology and Neurosurgery programs between October 2011 and September 2014, as well as a small number of individuals participating in research studies. The data on the devices includes patient names or partial names, and may also include one or more of the following: medical record number, age, medications, and information about diagnosis and treatment.
The hospital declined to say where the holdup occurred, except that it was not at the hospital.
BPD records show two gunpoint holdups that day: One at Jersey Street and Park Drive in the Fenway and the other one part of a series of armed holdups around Jamaica Pond, on Perkins Street.
Neighborhoods:
Topics:
Free tagging:
Ad:
Support Universal Hub
Help keep Universal Hub going. If you like what we're up to and want to help out, please consider a (completely non-deductible) contribution.
Comments
999
In other words, they aren't disclosing the number, which is standard policy.
999 is a stand-in "blank" code.
that would mean a deceptive press release
They are compelled to certain disclosure. I don't think they're supposed to be deceptive in that compelled disclosure.
Press releases are not mandatory
They put them out to shut down conspiracy theories, rumors, etc. once patients are contacted.
Patient notification is mandatory.
Well
I read almost all of the comments here and have one or two observations:
1. What I know about computers will fit into 640K. In FORTRAN. So there. I don't profess to know anything about modern cyber security.
B. As the person that posted the XKCD cartoon pointed out, security is point-related.
III. We depend on the hired guns to know how modern security is to be handled.
IV. We are disappoint.
FIVE. If the security people don't take into account mugged doctors, tired nurses, forgetful interns, then they're not doing it right. I don't give a shit about that flash drive. If it's that bad, then no flash drive for you. The military basically banned them.
Bottom line: I do not trust the medical profession with my personal information any more than I trust the government.
I'm sorry
Let me give you a wake up call. The government already has your personal information. Hello.. tax returns (unless you are a tax dodger). And regardless the government can get your information whether you like it or not.
It must suck to live in a state of paranoia and distrust all the time.
Paranoia.
Paranoia. That word, I don't think it means what you think it means...and no, I trust neither entity. A lack of trust that is justified by the facts.
Sucks to be you
Sucks to be you then.
Nice try btw, I know what paranoia is, and I think you have a heavy case of it.
(SARCASM)
OMG THE GOVERNMENT IS COMING TO GET ME AIEEEEEEEEEEEE
(/SARCASM)
Do you trust your bank with it? Amazon? Airlines?
The only personal information that is legally protected in the US is most medical (under HIPAA), and almost all info of private persons in the hands of the federal government (under the 1974 Privacy Act). Some court and criminal records are not covered, and a few odds & ends-- for example, personal information submitted with a patent application.
As this robbery shows, this is not a Magic Force Field That Stops Bad People from criminally taking personal information. However, unlike an ex-spouse getting your home address through an Amazon hack, anyone whose information was stolen here may very well end up with a killer federal case against the robber, and maybe against the hospital if it is found to be reckless.
On a different point, I'm all for a constitutional amendment that grants US citizens a right to privacy-- and as I have said on UHub & other sites, every earnest effort to get that has been undone by anti-abortion &/or anti-LGBTQ groups. Following this last election, my hopes are not elevated for a significant change in privacy rights.
Point the third:
A Right To Privacy Is Not A Right To Anonymity
God, I feel like every freaking time the issue of privacy rights comes up, this has to be repeated.
I wonder how much info the
I wonder how much info the thieves were able to access. If the doctor had to log-in to a system his/ her account could have been deactived. If there were documents actually saved to the devices; that is a different story. Was "find my iPhone" installed?
Don't Buy Story
Fishy....
There's an armed robbery somewhere besides the hospital. I can't imagine that it could have been anywhere where the doctor was actually working on said laptop. Maybe he was walking on the street toting the (closed) laptop case.
During the robbery, the thieves have the wherewithal to, first, know that there was encrypted information on the laptop, and second, to demand the password from the doctor? No way. The "value" in the robbery for the thieves is the device itself. There are other, more straightforward ways, to steal data if that's what you want to do.
I call bogus story, and say that the laptop was stolen and the private patient information it contained was unencrypted.
They may have just demanded the passwords
That would result in one layer of security gone, and trigger notification. Any time the data gets out of the hands of those who are officially allowed to see it, encrypted or not, the hospital has to notify patients/participants.
Having worked with such data, IRBs, etc. this story doesn't really add up for me, either. I suspect that they are deliberately obscuring some details to prevent the thieves from knowing exactly what they have, while performing the obligatory notifications of "999" patients that their data isn't in the hospital's control anymore.
If the theft happened on
If the theft happened on September 24th, almost two months ago now, I highly doubt the laptop is still in the thieves' possession.
Why
would the doctor who got jumped lie? It wouldn't be at all unusual for them to demand passwords to unlock the laptop.
My assumption was that the
My assumption was that the PHI was secured by its own password, separate from that of the computer. Wouldn't that be standard? Like a password protected app?
People are mugged for their phones pretty often, and I seldom hear of the thieves demanding the passcode. A friend of mine had her phone stolen, made the (incorrect) assumption that the phone was safe because it was locked, and then discovered that the thief was able to get into account information via her phone. I imagine that initial password is easy to wipe clean if you know what you're doing.
As others have said, it could be that the thieves were specifically after the data (which, if so, why?) or, as I said, this is a bogus story to cover up the fact that there was unencrypted PHI on a password protected laptop.
They weren't after the data
It seems pretty obvious that they weren't after the laptop, they were after the data. They demanded the password to be able to get into the laptop to make it usable, not to get the data.
(and before you start with "Yes, but there are other ways to..." -- do you think these are IT professionals here?)
Contradictory - can you
Contradictory - can you clarify a little ?
If you can clarify what it is
If you can clarify what it is you don't understand, yes.
They weren't after the data..
They weren't after the data...
...They were after the data.
One Way Or The Other, He's Absolutely Right
Adorable, Elmer.
Adorable, Elmer.
Unless they wanted both...
in which case, he's absolutely wrong.
Cue the Mission Impossible music
Puts the hospital in a much better light than than the more plausible headline : "Physician carries around laptop with unprotected PHI for years, then makes up farkakte story after forgetting it in some strip club bathroom"
I buy the story
A modern laptop or smart phone is a useless brick without the password; with the password it can be reset and resold. I think the explanations, in decreasing order of likelihood, are:
They often can be initialized
They often can be initialized without a password, which gives you an as-new configuration.
Not really
Not really. If you're using Intel TMP, its pretty much a brick. The whole point of ITMP is to go beyond being able to crack the computer and remove a jumper to reset the BIOS or Hard Drive password. (or power on password or anything BIOS related).
ITMP is exactly for what happened.. to make the device useless to anyone else who doesn't know the correct password.
Hidden-volume encryption
If the doc had been smart, he would have used TrueCrypt or the like to set the patient files into a hidden volume that would be invisible until you entered its password. He could even encrypt the entire hard drive with another password. When forced, he'd give up the password for the drive, but the thieves would have no way of knowing about the hidden patient info volume.
TrueCrypt is dead
its authors withdrew it from the market some while back in a manner suggestive of a warrant canary. From their website: "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues." "Not secure as", eh?
That said, Windows, OSX, and Linux all offer whole-disk encryption solutions. (WIndows offers BitLocker, only available with Windows Ultimate, though.)
I don't think anything is NSA-proof
But mere mortal thieves are more easily defeated. Do any of those whole-disk encryption schemes offer hidden volume encryption? That's the feature that would have been useful here. TrueCrypt is no longer supported, but you can still download and use it, and it's still as effective against ordinary attackers as it was.
A modern laptop or smart
Resetting the password on a laptop you have physical access to takes about five minutes if you know what you're doing. Smartphones are a little harder, but many can be reset to factory without the password.
The story smells fishy to me, but I'm not jumping straight to "doctor lied to coverup noncompliance with HIPAA policies"—for one thing, the hospital's IT department audits things. I think it's clear the burglars wanted the information on the device, but whether they knew it had medical records is up in the air.
not with ITP
Not with ITMP folks.. its not as easy as it seems.
We had discussions about this at work today with our CISO, and we do think they were after the data. Remember that clinical data has $$$ value to it to a competitor or someone else who may be developing drugs/treatments and needs to get an edge on.
Remember that data has far more value than the actual hardware. And the robbers know that.
The story does sound fishy.. sounds like an inside job or they knew exactly who to target it.
Resetting the password on a
How are you going to get past the trusted platform module?
Your not......
Glad it wasn't mine. You would need my fingerprint to log on! No PII on mine, nothing leaves the building and no VPN.
How are you going to get past
You're still assuming they want the data. If they didn't, the TPM doesn't matter.
Right, I'm sure BWI just made
Right, I'm sure BWI just made up a bogus armed robbery story.
The robber didn't need to know that it was a doctor or that there were patient records on the laptop. Many, if not most, laptops are password protected, so he was probably making sure he wasn't robbing someone at gunpoint for a brick.
When the story about the
When the story about the robbery at Jamaica bond originally came out there were rumors that a bag was placed over the victim's head and he was interrogated for passwords. I would guess this is the guy.
YIPPEE!! I'm a VICTIM!!!
I can proudly hold my head up and say: "Yes, I am a patient in the Brigham and Women's Neurology department." Now, where is my 5 seconds of fame?
/kidding, really
//I think
///damn, that brain cell just died...
Relevant XKCD
Rather true:
http://xkcd.com/538/
Doctor put himself ahead of his patients?
Way to go doctor.
WTF?
Seriously? you want him to defend with his life the password to his laptop, when chances are the thieves weren't even remotely interested in the patient data but were just looking to unlock the device, or maybe poke through it looking for credit card data?
Seriously.
I want all medical personal to protect patient data in the simplest way possible: Leave it at the hospital.
There is no good reason for this guy taking patient data home. None at all. Especially for "999" patients.
He is fully responsible for the lost data, laptop and deserves to lose his job.
Do you have a good reason for why he took data on all of these patients with him? No? Because there isn't one.
Not all work is done at one location
I think it's entirely reasonable to have patient data on an encrypted laptop drive that is used from home, or that is carried between someone's clinical office and his research office, or that is carried to a meeting with research collaborators at another institution.
Whether or not he deserves to lose his job depends entirely on whether or not he violated the rules, eh?
No excuse at all.
We now have proof of an encrypted drive being compromised. How many places do you know don't have internet? There is absolutely no reason this doctor can't log in remotely. None at all.
I still say fire the doctor.
Well we all know data on the
Well we all know data on the internet is secure! Many EMR systems prevent remote access specifically to protect patient confidentiality.
Blame
Blame management and IT Management for this. Not the doctor.
I've worked enough in medical facilities to know that Doctors aren't too bright sometimes when it comes to technology. But its change management and policies that are suppose to log when this is done. Seems to me that this was allowed by management.
Trust me, it's not the doctors fault at all. Policies start at the top, not the bottom folks. Blame your execs for not doing their job (or allow it to happen)
And the data on the internet.....
If the doctor is going to be able to log in remotely, then the laptop is going to need to have cryptographic keying material, which is going to be protected by a password.... which means that whoever has the laptop and the password has the data from the Internet, too.
SSL
For browser based transactions SSL (tls) is sufficient to prevent eavesdropping in transit.
PKI requires no passwords.
Apples and oranges
OK, but the question at hand isn't securing the pipe, it's preventing unauthorized access. For almost all access schemes, anyone who has your laptop and the password to your laptop can get at the access-controlled resource, either because the access token (password, etc.) is stored on the laptop, or because access to your laptop gives the attacker access to your e-mail, so he can click the "I forgot my password; send me a reset link" link.
In the real world hardly anyone is going to have separate passwords for each resource they access, with none of the passwords stored locally on the laptop.
Ever work with medical records?
Ever work with an IRB? Work in IT for a medical organization?
No?
Then maybe you should pay attention when those who have try to answer your questions.
There are a lot of regulations regarding electronic files that are archaic, and a lot of internet systems that are not secure enough compared to encrypted data on a laptop.
If you think paper records in files are secure, I have a nice bridge in the Seaport I'd love to sell you ...
There are plenty of reasons
Doctors work in multiple places.
Doctors travel and need to prep for appointments during times when they are not on site.
Research data needs to be analyzed on computers that can handle it.
There are multi-site research consortia that require data transfer.
I can go on.
No excuse even on your list.
Doctors work in multiple places.
Dropbox, Google docs, Apple cloud. secure hospital network all allow access from multiple locations.
Doctors travel and need to prep for appointments during times when they are not on site.
Same as above. I also highly doubt he's reading data on over 900 patients.
Research data needs to be analyzed on computers that can handle it.
I transfer gigabytes of data without ever having to take it out on a laptop. I'm an individual. If I can do it then so can a hospital.
There are multi-site research consortia that require data transfer.
And this guy just what? Happens to have a better DSL connection at home than the hospitals T1? I don't think so.
I can go on.
There is nothing that can be argued in defense of what this guy did. There was no reason at all for him having data on a laptop.
When my husband works
When my husband works remotely, he has to log into his computer and he has to use some kind of ever-changing PIN system to log in. Nothing work related is ever stored on a computer that is not in his company's possession. I can understand why every organization has not invested in this type of expensive system (mainly they want to avoid spending the $$$) but I disagree with the assertion that it's impossible to work remotely without toting around sensitive information on a remote device.
I miss using it
Sounds like SecureID....a card or FOB with a pin that changes every min.
Hopefully no social security numbers were in there.
SecureID isn't, though
SecureID was compromised in a very public way.
I assume this is non-medical data
And that he is thus legally allowed to do these things.
Lets face it: look at the buffoons in Congress assigned to the technical and science committees - do you really think that they understand any of this security stuff? That they would be able to change the laws to keep up with technology?
There are some very restrictive rules about transmitting sensitive data over a network, and those rules have not substantially changed and will not change for a long while.
Wow
You don't work in IT do you?
first off...
BW is a hospital. You would NEVER EVER EVER EVER use such things above. Too insecure. Too many risks. HIPAA compliance would have a lot to say about this, and it would be a non-starter. Most companies BLOCK what you list above in fear of data loss. (hell even where I work we block most file sharing apps like DropBox and iCloud because we write proprietary software and we don't want it leaked)
Are you a medical research person? A doctor? Yeah I didn't think so. So you don't know. Don't make assumptions that you have zero knowledge about. Sometimes its about crunching data or finding trends. Its not that they are looking each file, they may be looking at data sets.
This may work for you, but not for everyone. Data collection, review, and processing can mean very different things. Not everyone is a home user. Medical and Business needs are far different than home user's needs.
I agree with swirly on this. There's more to this than you (or I) know.
Let me put to you this way. If you want to be mad at someone for such data being on his laptop, blame Partners IT Department or senior management. Its Management's decision to ALLOW that type of data on the laptop. Blame them, not the doctor. Not saying its excusable but its not like the doctor said one day "I'm going to put tons of data on my laptop", sorry it doesn't work like that.
Maybe, maybe not
Except sometimes it does. I'm remembering a couple of scientists at Los Alamos who got in very hot water because they had secret nuclear-weapons research on laptops that they took home. One of them was a Chinese national* who was being looked at very hard as being a spy, until he somehow convinced the authorities he wasn't one.
* I still can't imagine why someone would think it's a good idea to turn over nuclear secrets to a citizen of the PRC.
just so you know
PHS probably has better security, change management, and policies than the government. PHS has far more to lose than the gov't.
Actually I have a few friends at the Fed (Various agencies) and all of them say the same thing, unless you're at the NSA, DoJ, DoD, or FBI, they have very little restrictions and policies. Very few computer restrictions at all. My friend at the census bureau surfs porn right from his office on the same computer that has access to the data base where they keep all your PI from the census. Now THAT is scary...
My friend at the census
As long as he doesn't get them mixed up...
Good way to get fired
If hs boss finds out he's surfing for porn on his work computer, he's toast.
Really?
Most fed computers have noxiously high filters-- I was blocked from donating to PPLM on a fed computer during my lunch break because it was determined to be "porn." When I complained & got an exception, I still couldn't access it because it was caught as a "lobbying organization."
This happened while working a federal job that included a lot of work with disabled clients, and contact with medical professionals, when I had occasion to contact OBGYN providers pretty often.
I worked at three federal agencies. Porn and gambling were the pet peeves of the folks setting the filters.
Sorry
Not at the census bureau. You'd be surprised at what federal employees get away with... kinda sick of you ask me.
It's strictly forbidden....
... and grounds for dismissal. Pretty dumb stunt to count on not getting caught, when the consequences of getting caught are quite drastic.
AFAIK
The Census Bureau has no access to either patient information or nuclear-weapons secrets. My point was that having a rule about what can be on a laptop is no assurance that nobody will ever break that rule.
Are you obtunded?!
Because you sound obtunded.
...why would any personally
...why would any personally identifiable sensitive information, encrypted or not, need to be stored locally on a mobile device?
Mobile sites, mobile people
I had patient information on laptops because I was in charge of the data for a study being conducted out of four different clinics of a large HMO.
We had trained interviewers meet with people in their homes and ask questions according to a script. Those interviewers would also have medical data (so they would know which questions to ask) and other confidential information. They used laptops because they traveled. I used a laptop so I could go get all the data. There was an entire protocol for this, with safeguards, but theft and loss was always a possibility.
Other reasons are that doctors frequently have patient info on mobile platforms because they work at MGH, Children's Hospital and their private practice. I once rescued a thumb drive from a conference room floor, but did not access it. It belonged to a researcher who also has an active medical practice and he was very grateful the next day when he discovered that it was safe. He had patient information on it (encrypted) because he was working while he traveled. Because I didn't access it, he didn't have to report it.
Some organizations - like the National Center for Health Statistics - make you come to them, sign in, and use their computers in their labs, and take home only results.
scrub the personal data
I understand that there might be some corner cases where this is true, but it should be very rare. Furthermore, this obstacle is very easy to overcome: scrub personally identifiable fields from the data and reference them through a remote look up table.
Technically easy to accomplish and very commonly done.
For rare diseases ...
It wouldn't help. Too much other info could be put together to deanonymize it.
Everybody knows that 11-year old kid with the rare brain tumor in their town/neighborhood - hell, there was a fundraising walk a thon a couple weeks ago!
Etc.
Also, if a doctor is studying data from his or her own medical files pertaining to patients who have upcoming appointments or are in follow up, that would be counterproductive.
Doesn't add up to me either
If the HD itself was encrypted then the theives could have chucked the HD, purchased a new cheap one (<$100), sell the laptop for $200 and still make a profit. Granted petty theives tend to have petty brains.
On the other hand if the laptop contains confidential data should the application that controls the data also be encrypted? Even if just Word or Excel files they could still be password encrypted.
On the third hand why was there encrypted data on the laptop? With the varieties of telecommunications there are plenty of reasons to use the laptop to remotely access data on a better protected server.
Perhaps Brigham needs to review their policies concerning laptops and data.
Interesting that of all the people in the city carrying laptops in laptop cases in pubilc that a doctor whose laptop contains confidential patient information should be the victim. Possible. The story might be completely legit as it stands. But from a viewpoint of data security this doctor and his or her employer have failed in basic protection of data.
At least it wasn't something blantant like leaving a laptop at a subway station.
Well...
"At least it wasn't something blantant like leaving a laptop at a subway station."
Or, at least, that's the story anyway.
Profit margin, sensitive info
>could have chucked the HD, purchased a new cheap one (<$100), sell the laptop for $200 and still make a profit
-They're criminals, not entrepreneurs. Why would they take $100 when they can take $200 with a little extra thuggery?
>Interesting that of all the people in the city carrying laptops in laptop cases in pubilc that a doctor whose laptop contains confidential patient information should be the victim.
-I'm guessing that there are plenty of laptops in this city that contain more sensitive or valuable information than what was on that one. (No disrespect to patient files.)
Why would a crook reduce his
Why would a crook reduce his profit by $100 when he could just demand the password from the guy?
Hard Drive
I worked for a lab that rented out equipment from Partners. In order to use a computer on their network- even if it doesn't have patient data on it, even if it had nothing to do with them- it has to be encripted with this incredibly invasive encription client in order to get on their network. It's in the BIOS, on the motherboard, so you simply can't swap out the hard drive, and if you forget to update your password periodically, it bricks your computer. It was so invasive that the lab purchased two communal-use laptops exclusively for taking to Partners and prohibited people from using their own.
One researcher left a personal-but-employer-issued laptop in a drawer when she moved onto another job, the password expired, the computer was bricked, and Partners IT refused to fix it unless we met some impossibly stringent forms of proof that we were the rightful owners of said laptop. Our funding admins got involved because with the computer bricked, the data on it was locked in, which was a violation of the terms of the funding from the issuing agency that could have resulted in penalties or sanctions. It was a nightmare.
So yeah, I doubt this guy was being willy-nilly with his patient data.
fundamental flaw
Why is sensitive patient data even stored locally on the HD?
Sensitive data should never be stored or cached locally!
Is the Internet rationed at Brigham and Women's that the doctor needs the data locally?
See comment
Above
I still don't understand why
I still don't understand why the data are stored on that particular computer. See my above comment about my husband's remote-working situation. Why wouldn't such a setup work for a large hospital system?
because
Sometime it is not possible. And sometimes it is far faster to work on a local copy of the same data. Some times internet is not avaliable. Sometimes VPN Connections not avaliable. Lots of reasons why it wasn't done remotely.
And frankly, sometimes internet is just not avaliable. As far as it may be for you to believe, there are still some places where internet is just not avaliable.
JP tree robbery/laptop.........
Something about this story just doesn't add up at all, IMHO.
Which one sounds more
Which one sounds more pausible:
An evil research scientist hires a hit man to rob a rival doctor, knowing that that doctor has a specific set of patients and data about those patients would gain him an edge
************************* OR***************************
Criminal who steal phones and laptops sees a guy with a laptop case and robs him. Criminal knows most of these devices have passwords. If criminal is a computer genius he might be able to hack the laptop with some work, provided it isn't too strongly encrypted. Of course if he were a computer genius he probably wouldn't need to rob people. But he does have a gun, which is handy in getting people to tell you the password.
Update: Yes, doctor was tied to a tree
Jamaica Plain News confirms.