Breach at UCSF gets leadership response

Date Reported:
5/28/08

Organization:
University of California

Contractor/Consultant/Branch:
University of California at San Francisco ("UCSF")
Departments of Pathology and Laboratory Medicine

Victims:
Patients

Number Affected:
3,569

Types of Data:
"names, dates of pathology service, health information and, in some cases, social security numbers"

Breach Description:
"The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information."

Reference URL:
UCSF News Release

Report Credit:
Kristen Bole, UCSF

Response:
From the online source cited above:

The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information.

There is no indication that any patient files were accessed.

UCSF takes this situation very seriously and is therefore responding with the highest level of caution and concern.

During routine monitoring of the campus computer network on January 11, 2008, UCSF discovered unusual data traffic on one of its computers.
[Evan] It's good that the unusual traffic was detected through routine monitoring, but I wonder how long the traffic was present before it was detected.  Later on in the news release there is mention that an unauthorized movie-sharing program was installed on the computer on or about December 2, 2007.  It seems likely that the unusual traffic may have started on or about December 2, 2007.  Why the time gap between presence and detection?

The computer was immediately removed from the network to prevent further access.

UCSF conducted a thorough investigation into the incident to assess how this breach occurred and whether any patient information may have been compromised.

The investigation was completed this month.
[Evan] This is a long investigation.  January 11th, 2008 through May 1st, 2008 is more than 3 1/2 months.

During the investigation, UCSF determined that an unauthorized movie-sharing program had been installed on this one computer on or about December 2, 2007, by an unknown individual.
[Evan] Uh oh.  If the installation of the program requires administrative access to the computer, it is conceivable that the local administrator credentials were compromised.  The fact that the news release states "unknown individual" leads me to believe that the account used was potentially a shared account.

Installation of this program required high-level system access, which is why the incident is considered a security breach.

This computer contained files with lists of patients from the UCSF pathology department’s database.

The data included information such as patient names, dates of pathology service, health information and, in some cases, social security numbers.

The Department of Pathology has notified 2,625 UCSF patients whose information was contained on the computer.

The files also included 944 patients whose tissue samples had been referred by other health care providers to UCSF for analysis.

UCSF has established a special phone line and a special email address to answer questions from patients who receive the notification letters.

The security of protected health information at UCSF is of utmost importance.

The campus has undertaken extensive work in this area, including upgrading system security and performing the monitoring that uncovered this breach.
[Evan] Great!  I just want to point out that the word "undertaken" is past tense.  Information security is a lifecycle employing continuous management, improvement, monitoring, etc.

This event and others nationwide have caused UCSF to redouble its efforts in this area.

UCSF Chancellor J. Michael Bishop has formed a top-level task force to improve the system of controls to protect patient information and other sensitive data.
[Evan] Excellent!  This demonstrates good organizational leadership, of which information security is integral.  It stinks that it took a breach affecting over 6,000 people before this action was taken.

This task force is composed of campus leadership and is chaired by Executive Vice Chancellor and Provost Eugene Washington.

Chancellor Bishop has charged the group with conducting a comprehensive, expedited review of actions already taken and future actions needed to protect sensitive data, including reviewing associated practices, systems and policies.

He also has charged the committee with implementing the changes needed to safeguard protected health information and other sensitive data and has asked the group to report to him weekly on their status, with an emphasis on actions taken and planned.

Commentary:
I commend UCSF leadership for the establishment of the new task force led from the top.  Hopefully the momentum will continue.  All organizations, non-profits and for-profits alike, need information security leadership that comes from the uppermost echelons in order to be effective.

Past Breaches:
University of California:
May, 2008 - Health care practices and UCSF patient records exposed
April, 2008 - University of California Irvine students are hit with mysterious breach
