Beth Israel Deaconess Medical Center in Boston is notifying 2,021 patients that their information was on a radiology workstation that was found to be transmitting data to an unknown location via the Internet.

Protected health information on the workstation included name, date of birth, gender, medical record numbers, and names and dates of radiology procedures undergone. No financial information or Social Security numbers were on the workstation.

The workstation had been configured to not connect to the Internet. A vendor doing routine maintenance failed to restore the proper settings on the machine. It then connected to the Internet and was infected with malware that used a specific port on the workstation to encrypt and transmit data, says Beth Israel CIO John Halamka, M.D. "So, you could assume that someone received the data and unencrypted it because it was out of our control."

The hospital's intrusion detection system detected the activity. But because the transmitted data was encrypted by the malware, the hospital has no idea what type of data was breached. "It could be nothing but operating system information was transmitted, but we don't know," Halamka says.

Notified patients have been offered a year of paid identity protection services. The hospital permanently removed the workstation's capacity to connect to the Internet, so that it stays offline even if settings are changed. For further protection, it also installed anti-virus software and now monitors the machine.

The world of malware is becoming increasingly challenging, Halamka says. "It's a Cold War and I spend a million dollars a year trying to protect our information systems from the Internet."

 
