HIPAA & 4 Lessons From an Insider Threat Example: Former Healthcare IT Manager Hacks Into System and Deletes PHI

There are so many ways in which bad things can happen with the authorized access personnel and business partners have to sensitive data, personally identifiable information (PII), and business systems. Many times the bad things that happen are a result of a lack of awareness of how to properly protect information, a result of mistakes, or a result of malicious intent. Here is just one more example to add to your file of actual insider threat incidents.

On August 27 a federal jury found Jon P. Oson, a former computer network engineer and technical services manager for the Council of Community Health Clinics, guilty of two counts of violating the Computer Fraud and Abuse Act.

“According to court documents, Mr. Oson was employed as a network engineer and as technical services manager for the Council of Community Health Clinics from May 2004 until October 2005. CCC is a non-profit organization that provides a variety of services to its membership and consists of seventeen Community Health Clinics located in San Diego and Imperial Counties. The largest member clinic is North County Health Services. NCHS, like the other member clinics of CCC, provides medical services to the poor, the uninsured and the under-insured. NCHS used CCC’s information technology services to host and manage its Practice Management system. This software is used by NCHS for billing, scheduling of patient appointments and for tracking medical information of NCHS patients, including diagnosis, treatment plans and case history. Mr. Oson’s resignation from CCC followed a performance evaluation that he perceived as negative.
The jury convicted Mr. Oson of accessing the CCC network without authority on December 23, 2005, and disabling the automatic process that created backups of the patient information for the NCHS database. The jury also found that on December 29, 2005, Oson attacked the CCC system again and systematically deleted data and software on several CCC servers, including the patient data for NCHS. In addition to attacking the NCHS servers at CCC, Oson deleted and attempted to delete data and software in several other CCC servers used by CCC and by other clinics.”

Look at not only the damage Oson did to the clinics’ business systems, but also the potential harm he may have done to the patients whose protected health information (PHI) he deleted. Oson’s actions could very well inhibit the medical care of the people whose PHI he deleted; hopefully there are still handwritten copies of it in the clinic and hospitals.
This seems like a very real violation of the Health Insurance Portability and Accountability Act (HIPAA); the clinic clearly did not have appropriate required safeguards in place. However, since these safeguards were likely the responsibility of Oson, based upon the Department of Health and Human Services’ (HHS) past record with HIPAA enforcement, they will likely not apply penalties.
Here are just a few of the important lessons that all organizations can learn from this situation:
1. Make sure one person does not have all authority, control over, or access to critical and sensitive data. This is a situation that can be hard to address within small and medium sized businesses (SMBs), but as this situation points out, it is something important to do.
2. Make sure multiple generations of backups are made of critical systems and data, and ensure copies are stored in a secure offsite location. You don’t want malicious former employees able to get to the backups and erase them, such as in this case.
3. Log the access of personnel with authorized access to sensitive data and systems. When management knew there was going to be a negative performance review given to Oson, others outside Oson’s line of management should have started logging Oson’s access to the systems for which he was responsible, if it wasn’t being logged already. No one individual should be controlling the entire network and data resources. If this is the situation, there should be another position, outside the individual’s area, logging and monitoring the individual’s activities.
4. Have thorough exit plans in place and follow them consistently for when employees in critical positions are terminated or resign. As soon as Oson resigned, all his access, especially including from remote locations, should have been immediately terminated. There should also be heightened monitoring following the unharmonious resignation of an employee from a position of execessive systems and data access control and responsibility.

Tags: , , , , , , , , , , , , , , , , , , ,

Leave a Reply