A hole in medical record security - the transcription servic
I don't know how it is in other countries at the moment, but right now in the States medical record privacy is a huge issue that everyone is attempting to take very seriously. I never think much about it, other than the times when I go to the doctor and have them go through the mandatory overview of the privacy acts with me.
Today I was asked to fix a machine that had the Virtumonde trojan on it. The machine belonged to someone who did medical transcription - owned a business. This person used this machine to do his transcription on - he also used it to do all of his internet stuff, his LimeWire downloading, etc. It's a simple little HP Pavilion Slimline running XP Media Center. No virus scanner, no firewall, nothing updated on Windows. At first I was just going to do a clean install of Windows and fuck trying to remove all those things, but then I realized there was a bigger issue here. This computer had thousands and thousands of private medical records on it - as well as audio files that doctors would send for transcription. I checked all the transcription software and was surprised to see that not a single program had any sort of password protection on it - the software didn't ask for usernames, etc. Just opened right up with a list of stuff as recent as a few days ago.
I found out that this transcription company employs 3 others who all do the transcription from their homes on their own machines and save documents locally as well as sending them to the owner. I've got this machine sitting here in front of me and have watched over 30 intrusion attempts blocked by Norton in the last 30 minutes. Most of them are Tidserv requests... I think that is mainly for fucking with internet searches to redirect people to places, but I'm guessing that there are a lot of opportunities for someone to just completely own this box without any difficulty whatsoever.
I doubt someone would be looking for any specific records on this machine, but if they were snooping around and see a directory called "medical transcription" they might be interested in the contents within.
With all the effort made to privatize and protect medical records, it's interesting to think that there are likely tens of thousands of little old ladies doing medical transcription from home on their Windows 98 machines from home.
I might be overreacting, but this seems like a potentially huge issue in terms of secure private information. I could not believe what this computer would give a person access to with absolutely no effort to hack whatsoever.
Re: A hole in medical record security - the transcription servic
In this day and age, that is unbelievably incredible
and possible as you've explained, and you're not overreacting
My wife works in the medical field (knows work like this remote letter/report writing goes on all too much) and agrees this is probably happening all around the globe.
Sad, but maybe there's a buck in it for you? No, not blackmail, but a letter to the originators explaining what you have discovered and offer your expert service to remedy
Re: A hole in medical record security - the transcription servic
There's no liability and therefore it's not in their best interest to spend time and/or money worrying about security or protecting people's information. For them, it's an externality, a cost that is borne by someone else. Unless you make these folks liable for the theft of information, they have no incentive to care about it.
Re: A hole in medical record security - the transcription servic
It's no secret to anyone working in health care that things are only as secure as they need to be to appear secure. In reality, when I worked in the kitchen in a hospital I would constantly hear or see things that would be a breach of HIPAA, but it's SOP because it's minor. The reality is that no one cares about anyone else for the most part, so while privacy is important, the average person is not important.
Re: A hole in medical record security - the transcription servic
In the UK, we take essentially the same approach towards security of medical records as that taken towards hiding the Ark of the Covenant in Raiders of the Lost Ark.... lose them in some warehouse and hope nobody comes looking
Re: A hole in medical record security - the transcription servic
Hi Geebs 
Where's u bin
EtUL wrote: ..............reality is that no one cares about anyone else ........... the average person is not important.
You're right of course
Re: A hole in medical record security - the transcription servic
It probably varies from hospital to hospital.
I don't know the details, but from what I've heard my wife describe, most of the hospitals she's at do keep their medical records decently protected. Transcription is done in-house, I believe.
Re: A hole in medical record security - the transcription servic
I would contact the owners of all the medical records and the press!!! Kick off a conspiracy and spin it in your favor.
Re: A hole in medical record security - the transcription servic
All stored electronic records are supposed to be secured on a password-protected machine, and encryption is recommended. Most institutions are moving to whole drive encryption on every machine, and USB encryption if flashdrive access is allowed. Most institutions similarly are securing smartphones with network access.
For outside vendors, they are legally held to the same standard both for storage and transmission. If they don't follow it they have significant potential liability. Imagine if Suzy Homemaker's office notes for her STD treatment got leaked onto MySpace.
Re: A hole in medical record security - the transcription servic
fuck u...
Mr. Frustrated wrote: All stored electronic records are....
Re: A hole in medical record security - the transcription servic
No you wouldn't
Giraffe }{unter wrote: I would contact the owners of all the medical records and the press!!! Kick off a conspiracy and spin it in your favor.