A major university hospital in Seattle this week confirmed that a hacker penetrated its computer network this past summer and made off with files containing information on approximately 5000 patients.
Officials at the University of Washington Medical Center say the hacker, who calls himself "Kane," stole users’ passwords and copied thousands of files while he had access to the hospital’s systems. The hacker slipped into the network through an exposed Linux server in the hospital’s pathology department, says medical centre CIO Tom Martin.
The medical centre suspected at the time that its network had been infiltrated and took steps to cut off the hacker’s access, Martin says. But, he adds, the hospital was unaware that the files had been pilfered until Kane provided information about the intrusion to SecurityFocus.com, a San Mateo, California-based website that focuses on security issues.
Outlaw or whistle-blower?
Kane, who told SecurityFocus that he lives in the Netherlands, shared some of the copied files with the security website to verify that he had accessed the sensitive data. SecurityFocus.com staffer Kevin Poulsen says Kane views himself as an ethical hacker and indicated that he simply wanted to expose the vulnerability of the hospital’s network. "He portrays himself as more of a whistle-blower than as an outlaw," Poulsen says.
But after being informed of the file-copying, officials at the medical centre reported the hacking incident to the US Federal Bureau of Investigation for investigation, Martin says. The hospital also beefed up its firewalls in an effort to better protect its network, and it began notifying all of the patients whose personal information was in the files that Kane copied.
In a statement, the hospital says the copied information wasn’t directly related to the delivery of care to its patients. Rather, the information was stored in administrative databases and was used for patient tracking and following up on research studies.
"There is no evidence that anyone has breached our main electronic medical records system," says the hospital in a statement. "We assure patients and the public that this system remains fully protected by the highest levels of security possible."
Martin says Kane used sniffer software to steal the electronic identifications of a number of hospital employees from the exposed server and then used those credentials to access files related to patients in the medical centre’s cardiology and rehabilitation departments.
He says the hospital will be compliant with the Health Insurance Portability and Accountability Act (HIPAA), a set of privacy and security guidelines that the federal government is close to finalising.
Wes Rishel, an analyst at Gartner Group in Stamford, Connecticut, described Kane’s intrusion as "a classic penetration of a secondary system" that was running a personal application with collected data, rather than an attack on the hospital’s main database server.
"Academic medical centres are prone to this, as part of the spirit of academic freedom that creates pressure for open access," Rishel says. The only major impact from the hacking incident might be to get policy-makers in Washington to push the HIPAA through as quickly as possible, he adds.