Video Sharing and UCSF Breach

UCSF has had two security breach announcements already this year, both this month, according to etiolated.org. The latest news relates to patient data:

During the investigation, UCSF determined that an unauthorized movie-sharing program had been installed on this one computer on or about December 2, 2007, by an unknown individual. Installation of this program required high-level system access, which is why the incident is considered a security breach.

This computer contained files with lists of patients from the UCSF pathology department’s database. The data included information such as patient names, dates of pathology service, health information and, in some cases, social security numbers.

The Department of Pathology has notified 2,625 UCSF patients whose information was contained on the computer. The files also included 944 patients whose tissue samples had been referred by other health care providers to UCSF for analysis.

This brings up the usual questions for auditors:

  • Do you know where sensitive data is stored?
  • Do you know who has access to that data/those areas?
  • Do you block and monitor torrents, P2P, and related “sharing” protocols in network segments with sensitive data?
  • And then my favorite…

  • How do you know?

This case sounds like it involves a research computer, a class of system infamous for being managed loosely by under-paid students who load them with sensitive “research” data along with music and movies. The argument made by researchers is usually that restrictions on their systems impact their creativity and freedom to achieve results. This is true in high-tech companies that model themselves after academic environments too, not just educational institutions (ask me sometime about my visit to Google security in 2002). The reality, however, is that anyone who wants to play with high-risk material must learn to abide by proper handling procedures or be denied access. This is much easier to explain to a researcher who handles explosives or radioactive material, where the danger to their personal health and the welfare of the laboratory is direct.

I would recommend UCSF start mandatory data handling examinations for anyone working with data. If someone does not pass the test, no access. Perhaps when the “other health care providers” start refusing to allow data to go to anyone with a prior-breach record, the researchers will understand better how to self-police their systems and understand the enhancement to their success that comes from security.

Any guesses what the movie was?
