A mundane hospital hack
If there's anything that reminds you of how fast the world of technology moves, it's receiving news from the Consumer Electronics Show in Las Vegas via live video through Twitter featuring former McKnight's intern Ashley Carman, now a Verge reporter.
Long-term care, historically, has not moved quickly when it comes to technology, whether it's embracing electronic medical records or spending money on activity-related products. A related issue is that providers often believe technology requires special skills and that problems with it must be the work of a brilliant malcontent.
That's why it's worthwhile to examine news from Concord, NH, involving a data breach of 15,000 patient records. At first blush, the question both providers and journalists might ask is whether the compromised records were the result of a sophisticated hacking scheme.
The answer from the state Department of Health and Human Services was a resounding “nope.”
A computer used by patients at the state psychiatric hospital offered easy access to the data, according to the New Hampshire Union Leader. The computer was configured in a way that individuals could gain access to information such as names, Social Security numbers and Medicaid ID numbers.
The desktop used in the breach was a “legacy computer” at New Hampshire Hospital, used for years before signs of the breach came to light in October 2015. Those signs, by the way, consisted of an employee seeing a patient looking at DHHS training materials not meant for the public, the paper reported. According to state officials, the employee didn't notify anyone in management. While the information wasn't confidential, it was restricted, which should have raised an alarm for both the employee and a supervisor.
The breach occurred not because of a sophisticated hack, but because someone left an account open, still logged in with their password. Basically, imagine the times you've used a computer at work and had your email, social media accounts or other private accounts saved via a password manager or browser. Now imagine that computer is in the middle of a state psychiatric hospital and is used by patients.
To a lesser extent, I've seen this situation happen at long-term care shows. I once pulled up Twitter via a public computer at a national show and discovered I was logged in as a fellow attendee. Being a good person, I logged out and went back in as myself. But I could have caused mild havoc. This is repeated at libraries, hospitals and hotels around the country where the system doesn't automatically log out a user.
In the case of the psychiatric hospital, patients were banned from using the computer in August and it appears all legacy computers were removed last November. This is a shame, given that psychiatric patients likely benefit from being able to use technology, and the fact that no one at the hospital seemed able to figure out basic precautions for their old computer strikes me as punishing the wrong people.
I don't want to diminish how hackers can target healthcare operations, as there is a market for private health information. But for long-term care providers, this case offers teachable moments.
One, remind employees to log out of their accounts, whether email, medical records or social media, and to lock their desktops when they leave. Two, listen for how often you hear about “hacking,” and know the difference between a legitimate attack and someone leaving their account open. Three, talk not only to your technology staff but to clinical staff about what precautions they are taking. Four, insist on strong passwords — the days of using your child's name and birthday should be behind you. In fact, don't use names, dictionary words or house numbers at all. A randomly generated password with uppercase and lowercase letters, numbers and punctuation is better.
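As an added illustration of step four (this is not code from the column, McKnight's or the New Hampshire DHHS), here is a small Python script that generates a password with the character mix described above from the operating system's secure random source, and checks any candidate password against the kinds of choices the column warns against. The forbidden-token list and the minimum length of 12 are constructed assumptions for the example; a facility would load its own, much longer, list of names and dictionary words.

```python
import random
import re
import secrets
import string

# Constructed sample of tokens the column says to avoid: children's names,
# dictionary words and a house number. Assumption for this example only.
FORBIDDEN_TOKENS = {"emma", "liam", "password", "welcome", "hospital", "1234"}

# Assumed minimum length; not a figure from the column.
MIN_LENGTH = 12

CHAR_CLASSES = [
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    string.punctuation,
]


def password_problems(pw: str, forbidden=FORBIDDEN_TOKENS) -> list:
    """Return the reasons a password fails the column's advice.

    An empty list means the password passes every check.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    lowered = pw.lower()
    for token in sorted(forbidden):
        if token in lowered:
            problems.append(f"contains forbidden token '{token}'")
    # Birthdays in common numeric forms: a four-digit year, or MM/DD, MM-DD.
    if re.search(r"(19|20)\d{2}", pw) or re.search(r"\d{2}[/-]\d{2}", pw):
        problems.append("looks like it contains a date")
    return problems


def generate_password(length: int = 16) -> str:
    """Return a random password that passes password_problems().

    Uses the `secrets` module (OS CSPRNG) rather than `random.random`, and
    guarantees at least one character from each class before filling the
    rest of the length at random.
    """
    if length < max(MIN_LENGTH, len(CHAR_CLASSES)):
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CHAR_CLASSES)
    system_rng = random.SystemRandom()  # also CSPRNG-backed; used for shuffle
    while True:
        chars = [secrets.choice(cls) for cls in CHAR_CLASSES]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        # Shuffle so the guaranteed characters don't always sit at the front.
        system_rng.shuffle(chars)
        candidate = "".join(chars)
        # Re-draw in the rare case the random output happens to contain a
        # forbidden token or a date-like digit run.
        if not password_problems(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("Emma2009!", "correcthorsebatterystaple", generate_password()):
        verdict = password_problems(sample) or ["ok"]
        print(f"{sample!r}: {', '.join(verdict)}")
```

The checker is deliberately a list of reasons rather than a yes/no answer, so a help desk can tell an employee exactly why a chosen password was rejected; the generator simply keeps drawing until the checker is satisfied, which keeps both halves of the policy in one place.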
The final step to consider is the repercussions related to passwords, computers and other technology. This will vary based on administrators and facilities, and no one wants to dampen morale by punishing well-meaning employees. But finding out there's a lackadaisical approach to security may require a firmer stance. It's not only about personal responsibility, but about protecting your residents and facility. Otherwise, a lawsuit could be headed your way.
Follow Elizabeth Newman @TigerELN.