It's 'too late' to assure security of patient data

Share with others:


Print Email Read Later

A Web site containing Social Security numbers and other personal information for nearly 80 UPMC patients was still accessible on the Internet yesterday -- and computer security experts say the patients can never be entirely assured the content will be gone.

"It is too late. Once something is on the public Web, the only fundamentally safe security assumption you can make is that it is in the public domain forever," said Art Manion, a computer security expert at CERT, part of Carnegie Mellon University's Software Engineering Institute.

If a site is posted only a short time, if it's not popular, the chances are lower, Mr. Manion said.

"But, fundamentally, once it is posted, you have lost control forever."

Yesterday, the Pittsburgh Post-Gazette was again able to view confidential patient information included in former UPMC radiologist Dr. Paul J. Chang's 2002 PowerPoint presentation on managing multimedia electronic records.

The information -- now blocked -- was on a site operated by The Internet Archive, a California-based nonprofit that operates as an Internet library, archiving public Web sites that people can view for free.

"We've been collecting a snapshot of the World Wide Web every two months since 1996," said Brewster Kahle, digital librarian for the Archive. "It basically allows you to search the Web as it was."

Yesterday, UPMC officials said they already had contacted Internet Archive about removing the information, an accommodation Mr. Kahle said they were happy to make.

"We don't want sites in the archive that people don't want there. We're not that type of organization."

On Thursday, the Post-Gazette first reported that personal information -- which, in a few cases, included abdominal and chest scans, clinical notes, and medical screenings as well as social security numbers -- had been posted on the UPMC's Radiology Department Web site for about two years.

UPMC officials quickly disabled the site, which had been reachable in four mouse clicks from the department's home page. While still investigating how the patient confidentiality breach happened, John Houston, UPMC's privacy officer, said he thinks the file was restored to the site after the department got a new server for its computers.

When contacted earlier this week, Dr. Chang, now at the University of Chicago, expressed surprise the information had been posted. He speculated that someone inadvertently had downloaded it without checking to see if it contained confidential patient information.

The medical center said it was notifying each of the patients by letter, plus they are offering to pay a year's worth of credit protection services.

Mr. Houston said UPMC has contacted the major archive sites to remove the information, as well as any other site where it might appear.

"It's not entirely perfect. Unfortunately, whether we like it or not, it's the best solution we have."

As the Internet Archive example shows, however, the privileged patient information may never be completely recovered and deleted.

The concern is that while established sites such as The Internet Archive are willing to remove sensitive information, others with ill intent may have been actively looking for it, say security experts.

"The level of interest in malicious hacking will depend on what kind of information is there. If that information includes Social Security numbers, or anything that is truly sensitive, then that information is probably valuable to them," said Adriel Desautels, chief technology officer for Netragard, a New Jersey-based information security company.

With the information being posted for up to two years, he said, "the chance of it being harvested is nearly 100 percent."

Mr. Houston acknowledged that "the damage can never be completely undone," and others may have downloaded the information before the sites they've identified were taken down.

"You hope that, over time, the information becomes staler and staler, and eventually they throw it away."


Steve Twedt can be reached at stwedt@post-gazette.com or 412-263-1963.


Advertisement
Advertisement
Advertisement

You have 2 remaining free articles this month

Try unlimited digital access

If you are an existing subscriber,
link your account for free access. Start here

You’ve reached the limit of free articles this month.

To continue unlimited reading

If you are an existing subscriber,
link your account for free access. Start here