It's 'too late' to assure security of patient data

It's 'too late' to assure security of patient data
It's 'too late' to assure security of patient data 

By Steve Twedt
Pittsburgh Post-Gazette
April 14, 2007

A Web site containing Social Security numbers and other personal 
information for nearly 80 UPMC patients was still accessible on the 
Internet yesterday -- and computer security experts say the patients can 
never be entirely assured the content will be gone.

"It is too late. Once something is on the public Web, the only 
fundamentally safe security assumption you can make is that it is in the 
public domain forever," said Art Manion, a computer security expert at 
CERT, part of Carnegie Mellon University's Software Engineering 

If a site is posted only a short time, if it's not popular, the chances 
are lower, Mr. Manion said.

"But, fundamentally, once it is posted, you have lost control forever."

Yesterday, the Pittsburgh Post-Gazette was again able to view 
confidential patient information included in former UPMC radiologist Dr. 
Paul J. Chang's 2002 PowerPoint presentation on managing multimedia 
electronic records.

The information -- now blocked -- was on a site operated by The Internet 
Archive, a California-based nonprofit that operates as an Internet 
library, archiving public Web sites that people can view for free.

"We've been collecting a snapshot of the World Wide Web every two months 
since 1996," said Brewster Kahle, digital librarian for the Archive. "It 
basically allows you to search the Web as it was."

Yesterday, UPMC officials said they already had contacted Internet 
Archive about removing the information, an accommodation Mr. Kahle said 
they were happy to make.

"We don't want sites in the archive that people don't want there. We're 
not that type of organization."

On Thursday, the Post-Gazette first reported that personal information 
-- which, in a few cases, included abdominal and chest scans, clinical 
notes, and medical screenings as well as social security numbers -- had 
been posted on the UPMC's Radiology Department Web site for about two 

UPMC officials quickly disabled the site, which had been reachable in 
four mouse clicks from the department's home page. While still 
investigating how the patient confidentiality breach happened, John 
Houston, UPMC's privacy officer, said he thinks the file was restored to 
the site after the department got a new server for its computers.

When contacted earlier this week, Dr. Chang, now at the University of 
Chicago, expressed surprise the information had been posted. He 
speculated that someone inadvertently had downloaded it without checking 
to see if it contained confidential patient information.

The medical center said it was notifying each of the patients by letter, 
plus they are offering to pay a year's worth of credit protection 

Mr. Houston said UPMC has contacted the major archive sites to remove 
the information, as well as any other site where it might appear.

"It's not entirely perfect. Unfortunately, whether we like it or not, 
it's the best solution we have."

As the Internet Archive example shows, however, the privileged patient 
information may never be completely recovered and deleted.

The concern is that while established sites such as The Internet Archive 
are willing to remove sensitive information, others with ill intent may 
have been actively looking for it, say security experts.

"The level of interest in malicious hacking will depend on what kind of 
information is there. If that information includes Social Security 
numbers, or anything that is truly sensitive, then that information is 
probably valuable to them," said Adriel Desautels, chief technology 
officer for Netragard, a New Jersey-based information security company.

With the information being posted for up to two years, he said, "the 
chance of it being harvested is nearly 100 percent."

Mr. Houston acknowledged that "the damage can never be completely 
undone," and others may have downloaded the information before the sites 
they've identified were taken down.

"You hope that, over time, the information becomes staler and staler, 
and eventually they throw it away."

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods