Break-In Compromises 160k Medical Records At UC Berkeley 167
nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The breakins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."
Duh.. (Score:3, Insightful)
Hackers or Crackers? (Score:1, Insightful)
If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...
Auditing Logs (Score:5, Insightful)
Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?
Brutal (Score:5, Insightful)
This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this of safely.
This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data. Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves? And in the break in scenario, there's less stolen data. You're not walking out of a medial building with 160K charts... Or 8 Million in VA.
Re:Hackers or Crackers? (Score:3, Insightful)
Did they get into the system with intricate knowledge of computer systems or did they brute force and crack a password or other encryption scheme?
(bad) Hacker may be an appropriate term. Just as there are probably (good) hackers probably trying to figure out who did this.
Re:Time to live in secrecy (Score:2, Insightful)
And... (Score:2, Insightful)
Sometimes you need an air gap (Score:5, Insightful)
It's not just military-grade information that needs protecting.
If medical and financial information were warehoused in a way that required a "man in the middle" to approve a request, it might not prevent spear-fishing, and it might not prevent theft of "in use" data, but it would at least prevent wholesale data breaches from information warehouses.
With a man-in-the-middle, you'd need to bribe or blackmail the man in the middle to allow a larger number of access requests to get through.
For some systems, a man in the middle is overkill, alarms that trigger when there are more than a typical number of data requests is sufficient. However, automated alarms, like any automated system, can theoretically be compromised.
Re:Auditing Logs (Score:3, Insightful)
That's only reserved for a select few sites.
Odd behavior is sometimes hard to distinguish from normal behavior, so you can't get everything. And in some cases the traffic volume is so large that it's not feasible to try to catch behavior patterns because the deed may be over at the time the analysis has finished.
And then - many systems today lacks necessary logs and may even lack logs completely. That's all too common in those cost-pressed projects. Even if there is a log it's often incomprehensible unless you are the programmer.
Re:Auditing Logs (Score:5, Insightful)
Most "Systems Administrators" are people like me, who know enough to keep a wide variety of systems functioning, with little or no training, and are expected to spend a great deal of time and energy keeping the systems functioning ... all by themselves. The scope of responsibility of many of these "System Administrators" spans much further than auditing logs.
I only WISH I had the time to audit logs, and make corrective actions. But our staff has 6000 PCs and three dozen (or more) servers that we have to keep running.
Administration doesn't care about hackers until it is too late. They don't care about computers or keeping them running, until they are without. It is like all those people bitching and complaining when they don't have electricity for a day after a storm. They don't care what it takes to keep the juice flowing until it isn't.
The old saying "don't fix it, if it ain't broke" runs many IT Depts.
Re:And... (Score:2, Insightful)
Re:Brutal (Score:2, Insightful)
Re:Sometimes you need an air gap (Score:3, Insightful)
So when you go to the emergency room, how is the hospital supposed to query your electronic medical records at your family doctor when it's behind an air gap?
Re:This is a huge, everyday, constant problem. (Score:3, Insightful)
Maybe we should stop making SSNs the end all be all of who we are.
Re:Hackers or Crackers? (Score:5, Insightful)
If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...
Yeesh, give it a rest. Evil computer infiltrator is the predominately accepted definition for Hacker these days. No one calling you a Geek today thinks you bite the heads off small animals. In fact, Geek's etymology stems back to an old English word for "Fool", whereas today it means a smart, unliked person (although it's starting to lose the "unliked" portion of its definition with the rise of the ubiquitous computer culture). I predict in 20-40 years, "Hacker" will be synonymous with "Con-man" as more "crackers" shift into social engineering either in person or via email/IM...
</feeding the troll>
Maybe they aren't. Re:Sometimes you nee (Score:2, Insightful)
If it's current, like allergies, summaries of chronic conditions that affect emergency and urgent health-care conditions, current prescription drugs you are taking, the names and pager numbers of your current doctors, and a current certification that you have current medical insurance that covers emergency and urgent care will probably be considered "current" and not "warehoused." These will be available 24/7, to both care-givers and to criminals who manage to compromise the system the data is stored in.
However, the details of your bout with the flu 2 years ago or your recovery from your car accident 10 years ago won't be available without human assistance. Neither will the details of your insurance coverage.
There is a balance that needs to be struck between "what could reasonably be so important it can't wait until normal business hours to access" and everything else. Only the former would be retrievable 24/7 without waiting for a person.
Re:Brutal (Score:3, Insightful)
But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves?
Stand the problem on its ear: what if this information were worthless to credit thieves? What if this information simply was no longer able to wreck someone's life?
What we should do instead is make the paradigm of "name, address, SSN, etc.", valueless. Figure out a way to issue credit that wasn't strictly information based. One way would be to make the banks stop issuing credit by mail. If you physically had to walk into a secure building, and present credentials to someone trained to review them, credit fraud and identity theft would dramatically slow down.
We stupidly keep putting up with this crap. Regardless of how much security burden we place on banks, stores, schools and hospitals, there are always going to be leaks. With so many millions of retailers that have little to no oversight, there statistically HAVE to be "weak spots." Always. We have to change the fundamentals if we're going to fix the real problem.