
UPMC is a government mole!

#1 Apr 16 2007 at 6:25 PM Rating: Good
Post-Gazette
Quote:
Saturday, April 14, 2007

By Steve Twedt, Pittsburgh Post-Gazette

A Web site containing Social Security numbers and other personal information for nearly 80 UPMC patients was still accessible on the Internet yesterday -- and computer security experts say the patients can never be entirely assured the content will be gone.

"It is too late. Once something is on the public Web, the only fundamentally safe security assumption you can make is that it is in the public domain forever," said Art Manion, a computer security expert at CERT, part of Carnegie Mellon University's Software Engineering Institute.

If a site is posted only a short time, if it's not popular, the chances are lower, Mr. Manion said.

"But, fundamentally, once it is posted, you have lost control forever."

Yesterday, the Pittsburgh Post-Gazette was again able to view confidential patient information included in former UPMC radiologist Dr. Paul J. Chang's 2002 PowerPoint presentation on managing multimedia electronic records.

The information -- now blocked -- was on a site operated by The Internet Archive, a California-based nonprofit that operates as an Internet library, archiving public Web sites that people can view for free.

"We've been collecting a snapshot of the World Wide Web every two months since 1996," said Brewster Kahle, digital librarian for the Archive. "It basically allows you to search the Web as it was."

Yesterday, UPMC officials said they already had contacted Internet Archive about removing the information, an accommodation Mr. Kahle said they were happy to make.

"We don't want sites in the archive that people don't want there. We're not that type of organization."

On Thursday, the Post-Gazette first reported that personal information -- which, in a few cases, included abdominal and chest scans, clinical notes, and medical screenings as well as Social Security numbers -- had been posted on UPMC's Radiology Department Web site for about two years.

UPMC officials quickly disabled the site, which had been reachable in four mouse clicks from the department's home page. While still investigating how the patient confidentiality breach happened, John Houston, UPMC's privacy officer, said he thinks the file was restored to the site after the department got a new server for its computers.

When contacted earlier this week, Dr. Chang, now at the University of Chicago, expressed surprise the information had been posted. He speculated that someone inadvertently had downloaded it without checking to see if it contained confidential patient information.

The medical center said it was notifying each of the patients by letter, and it is offering to pay for a year of credit protection services.

Mr. Houston said UPMC has contacted the major archive sites to remove the information, as well as any other site where it might appear.

"It's not entirely perfect. Unfortunately, whether we like it or not, it's the best solution we have."

As the Internet Archive example shows, however, the privileged patient information may never be completely recovered and deleted.

The concern is that while established sites such as The Internet Archive are willing to remove sensitive information, others with ill intent may have been actively looking for it, say security experts.

"The level of interest in malicious hacking will depend on what kind of information is there. If that information includes Social Security numbers, or anything that is truly sensitive, then that information is probably valuable to them," said Adriel Desautels, chief technology officer for Netragard, a New Jersey-based information security company.

With the information being posted for up to two years, he said, "the chance of it being harvested is nearly 100 percent."

Mr. Houston acknowledged that "the damage can never be completely undone," and others may have downloaded the information before the sites they've identified were taken down.

"You hope that, over time, the information becomes staler and staler, and eventually they throw it away."


Quote:
A second set of UPMC patient names, Social Security numbers, X-rays and other personal medical information has surfaced on a Web site maintained by a California archival company.

The data and related medical scans came from a PowerPoint presentation by Dr. Paul J. Chang to the Radiological Society of North America in 2002.

In December 2003, the California company, The Internet Archive, retrieved the presentation from the UPMC radiology department's Web site and posted it on its own Web site. That made it available to anyone searching the Archive site.

At some point, the presentation was deleted from the UPMC Web site, but it remained on The Internet Archive site until Friday.

On Thursday, the Pittsburgh Post-Gazette reported that another old PowerPoint presentation by Dr. Chang containing UPMC patient data was still accessible on the UPMC site, with identifying personal information for nearly 80 patients.

UPMC removed the item from its Web site Wednesday, but a copy was still available from The Internet Archive through Friday morning.

The latest presentation contains information on eight additional patients, including X-ray scans. At least two of the patients have since died. But other slides clearly show valid Social Security numbers for still-living patients.

Both sites were taken down Friday afternoon after the Post-Gazette inquired about them, and Internet Archive access to UPMC radiology sites now has been blocked.

But information security experts say it's impossible to know whether other copies of the presentations have been downloaded or are still on the Internet.

UPMC officials are contacting patients whose data were disclosed, and they have offered to pay for credit monitoring services for one year to guard against identity theft.

"We want to have this purged as soon as possible," said John Houston, privacy officer for UPMC.

The federal government set up strict patient-privacy restrictions in 2003 under Title II of the Health Insurance Portability and Accountability Act, or HIPAA.

A spokesman for the Office of Civil Rights in the U.S. Department of Health and Human Services said that even if medical records predate the enactment of HIPAA, the law covers all identifiable information in both active and stored medical records. Office of Civil Rights officials were unavailable last week to discuss what happened at UPMC, according to spokesman Mike Robinson.

Reached by phone Friday, Dr. Chang said he remained puzzled about how the patient information got posted.

Mr. Houston said the first site was flagged for removal two years ago, but somehow reappeared, perhaps when the radiology department changed its Internet server.

"When you delete a file, it goes away, right?" said Dr. Chang.

While acknowledging that he doesn't know what happened, Dr. Chang said the only plausible explanation was that an old backup must have been used when the new server was installed. Then he asked rhetorically, "But why would they use an old backup?"

Dr. Chang, educated at Harvard and Stanford, was once named one of the 20 most influential people in radiology by Diagnostic Imaging magazine. While at UPMC, he developed software that allowed doctors to view X-rays on personal computers.

Using that technology, Dr. Chang and UPMC started a medical imaging and information management company called Stentor Inc., which was sold to Royal Philips Electronics in July 2005 for $280 million.

On the two presentations, Dr. Chang lists grants from the National Institutes of Health and the Defense Advanced Research Projects Agency, part of the U.S. Department of Defense.

"I thought I understood security," Dr. Chang said. "But you can only fix what you know. I confess this never, ever entered my mind."

Dr. Chang said he believes that someone at UPMC may have inadvertently posted an early version of his PowerPoint presentations, before he had masked the patient information. He speculated that multiple versions of the presentation were on the department's server, and someone accidentally picked the wrong version to post. One lesson he has taken from all this, he said, is to keep early versions in a separate directory from finished work that will be presented publicly.

The benefits of having medical records in digital form still "far outweigh" the liabilities, including accidental postings that "show that we are still pretty young and pretty inexperienced at this," Dr. Chang said.

"I can guarantee this will never happen at UPMC again, but something else will. It's more than the Internet. It's being digital. If I burn a piece of paper, it's gone. If I shred a record, it's gone. But if I have an electronic version, it doesn't ever go away."


Kind of frightening that a hospital that is widely regarded as one of the best in the country has issues such as this. This has G.W.'s fingerprints all over it.
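The two quoted articles describe the same failure twice: a file that had already been taken down came back, apparently when the radiology department's server was rebuilt from an old backup, and a draft deck with unmasked patient data was published in place of the masked one. The script below is an added example written for this thread, not code from UPMC, CERT or the Post-Gazette. It runs a pre-publish audit over a web document root: files whose path or content hash appears on a list of previously removed material are reported as resurrected, and files containing strings shaped like issuable Social Security numbers are reported as sensitive. The removal-list format, the directory layout and the sample files are assumptions constructed for the demo.

```python
"""
Pre-publish audit of a web document root.

Added example for this thread; not code from UPMC, CERT or the newspaper.
Assumptions: the site keeps a removal list mapping relative path -> sha256
of content that was taken down, and documents are text (or text-extracted).
"""
import hashlib
import os
import re
import tempfile

# U.S. SSN is area-group-serial. The SSA never issues area 000, 666 or
# 900-999, group 00, or serial 0000, so those shapes are filtered out.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list[str]:
    """Return every substring of text that could be an issued SSN."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if looks_like_ssn(*m.groups())]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_webroot(root: str, removed: dict[str, str]) -> dict[str, list[str]]:
    """removed: relative path -> sha256 of content previously taken down.
    Returns {'resurrected': [...], 'ssn_files': [...]} as sorted relative paths."""
    findings: dict[str, list[str]] = {"resurrected": [], "ssn_files": []}
    removed_hashes = set(removed.values())
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # A restore from an old backup brings the same bytes back, usually
            # at the same path; match on either the path or the content hash.
            if rel in removed or sha256_file(path) in removed_hashes:
                findings["resurrected"].append(rel)
            with open(path, "rb") as f:
                text = f.read().decode("utf-8", errors="ignore")
            if find_ssns(text):
                findings["ssn_files"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed sample tree (assumed layout): a masked public deck, the
    unmasked draft next to it, a parts list with SSN-shaped but unissuable
    numbers, and a file that was taken down earlier and has come back."""
    with tempfile.TemporaryDirectory() as root:
        talks = os.path.join(root, "talks")
        os.makedirs(talks)
        samples = {
            "rsna2002_public.txt": "Slide 12: Patient XXX-XX-XXXX, CT abdomen, masked\n",
            "rsna2002_draft.txt": "Slide 12: Patient 123-45-6789, CT abdomen\n",
            "vendor_ids.txt": "Part 000-12-3456, lot 900-00-0000\n",
            "old_notes.txt": "internal notes, taken down in 2005\n",
        }
        for name, body in samples.items():
            with open(os.path.join(talks, name), "w") as f:
                f.write(body)
        removed = {"talks/old_notes.txt": sha256_file(os.path.join(talks, "old_notes.txt"))}
        return audit_webroot(root, removed)


if __name__ == "__main__":
    print(demo())
```

Run it against the document root after any server rebuild or restore and before the site goes back online; the content-hash match is what catches a taken-down file that reappears under a new name or path. Matching on the hash also means the removal list never has to store the sensitive content itself.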


#2 Apr 16 2007 at 11:12 PM Rating: Decent
where's the tinfoil hat guy ?
#3 Apr 17 2007 at 2:21 AM Rating: Decent
tl;dr :)
#4 Apr 17 2007 at 9:30 AM Rating: Decent
Uhm, so exactly how much bandwidth do you need to take a "snapshot" of the internet?