Case study: Keeping it private at Beth Israel Deaconess after the Boston Marathon Attacks

Doctor and healthcare CIO shares his lessons learned from the Boston Marathon attacks and how to protect patient data

When you are entrusted to care for the 24 victims and the suspects of the Boston Marathon bombings, it is a duty to protect their data and respect their privacy, as the CIO of Beth Israel Deaconess knows all too well.  

John Halamka, is a professor of medicine at Harvard Medical School and chief information officer (CIO) of Beth Israel Deaconess Medical Centre, which served as the treatment site for the suspects and 24 victims of the Boston Marathon bombings.

Over the next two years, Beth Israel Deaconess will spend millions on reducing its security risk profile. During Rapid7’s United 2013 security summit, Halamka shared how and what 14 worksteams are needed to protect against the internal and external threats it faces daily.

“As a doctor and a CIO my responsibility is to the patients – and to respect their privacy," said Halamka. "I had to spend hundreds of thousands of dollars to do that and add new staff, as it is all part of the mission. Once that patient’s information is all over the Boston Globe, then you have lost their trust.” 

The nature of triage

He said none of the victims were assessed and assorted on where their medical record was being held, but simply assessed on their injuries and sent to the nearest hospital that could help them. Therefore the medical data needed to be shared freely, for the sake of patients’ health, but it needed to be shared securely.

More on IT security

  • Android mobile malware rebounds in Q2, reports McAfee
  • Groklaw legal news site shuts over US surveillance
  • TV executive Dawn Airey to run Yahoo Europe
  • Facebook leads mission to connect the world
  • Enterprise security still possible, say tech suppliers
  • (ISC)² expands UK exam centres to 33 locations
  • Cyber Security Challenge UK embraces Raspberry Pi
  • Ask.fm to introduce safety measures
  • LinkedIn opens up to younger users

Halamka said the centre's privacy officer had to put a note out as a reminder about accessing medical records explaining: “Yes, share data to save lives, but you have a responsibility to respect the privacy of those patients. A medical record can sell for about $1,000. People might be accessing medical records out of the curiosity of the moment and that’s a violation.”

As a doctor himself Halamka said he was visited by a certain famous patient who came to him after making a famous sex-tape, complaining of symptoms of nausea. “I ordered her a pregnancy test and the lab clerk decided to sell the results to the National Enquirer for $250,000,” he said.

Continuing on the Boston Marathon attack, he added: “There was also a risk with doctors who treated victims and went home to use social media. We had to start thinking about how this could be a weak point too.

“The suspects’ details were all over the news at the time and could have been used maliciously to answer security questions to hack personal accounts. The security questions on email accounts and Twitter accounts for example could have been what is your brother’s name, date of birth, where did you grow up? All of this information was freely available on the news at the time.”

The medical centre has 22,000 employees and thousands of connected devices. 

“You can face fines of millions of dollars for security breaches, but we need to share information across a wide healthcare team,” said Halamka.

After calling upon Deloitte to review its current situation, the medical centre was presented with 14 workstreams for improvement which Halamka commented on.

  • Adapt a formal risk management profile.
  • Identity and rights – which staff need to access to medical records and which staff do not – “as a doctor is promoted to chief medical officer, for instance, they may lose certain access rights.”
  • Logging in and monitoring – “if Ben Affleck comes in, it is a violation to look up his medical record if I have no therapeutic connection to him.”
  • Information security program governance policies and procedures.
  • User awareness and training: “On how not to be stupid.”
  • MSSP transition.
  • Web application security and SDLC.
  • Data ownership, classification and protection “and how to freely move data around.”
  • Configuration management.
  • Asset management: “Who owns what, who is accessing what and is it encrypted.”
  • Third-party risk management
  • Endpoint security and home computers.
  • Enterprise resilience.
  • Physical security: “We have Doctor Famous’s MacBook thief on camera, and is now in prison, but there’s still no sign of the MacBook”

The centre estimated that between $4.6m and $6.4m would be needed per year to improve its security profile. Halamka said he needed 27 new staff and that he has 14 so far to start getting the work done. There are nine active projects taking place currently.

Halamka added: “To guide the project, we needed the creation of an overall executive committee. When the project sounds like how you’re trying to make a doctor’s life harder, you need the support of the COO, CISO, chief of compliance, CIO and CFO.

It is like trying to change the wings on a Boeing 747 while in flight

John Halmaka

“To close the configuration gaps, we plan to be 90% more remediated within 60 days of starting and 100% within 180 days. The greatest resource consumption will be used on upgrading the firewall that borders the internet with no downtime. 

"It is like trying to change the wings on a Boeing 747 while in flight.”

Halmaka said ensuring all Androids and iPhones couldn’t access their network was reasonably straight forward, but that securing laptops was harder:  “Some laptops were too old and even though the user was fine with still having them, they were too old to encrypt.  We had to spend $300,000 replacing old laptops because of this issue.

“We also looked into how to track some our more privileged users, for instance if one doctor wanted to attach and email records to his Yahoo account, we scan the email and send a URL instead which he has to log into to access.”

Support requirements added so far are adapted authentication, Sailpoint identity management, security incident event management, a cloud storage solution, Proof point email data leakage and research storage centralisation (100TB).

The benefits so far according to Halamka are improved formality and structure: “We have grown out team organically as a result of this project,” he said. In addition to adopting a federally recognised framework NISN managed by the board, he said it has better management of identities and privileges which are different for different users, positive control over every network attached device, the ability to provide more secure storage options for research, enhanced monitoring alerting and containment, through adding firewall, intrusion protection and instrumentation and the creation of a comprehensive asset inventory.

Security in a healthcare environment

Halamka described three security breaches, which he had experienced at the medical centre in the past.

Doctor famous and his laptop. A doctor went out and bought himself a new Macbook Pro, which is unmonitored and he downloads over a 1,000 emails. One of his emails contains a presentation and one slide is a chart that has 4,000 patient names, details and diagnoses.

“I didn’t procure the device, nor have the chance to set policies against it, but I am responsible for the negative results of this device. That stolen laptop amounted to about $500,000 when we took all the legal fees into account,” he said.

He added: “Chest X-rays in China. We were only allowed to use FDA-approved devices, so were advised to just add Java to open to the internet and it will be fine. One person needed to download something so they changed all the settings, added their own IP information and forgot to change the settings back when they were finished.

When we started seeing large amounts of encrypted data going over port 80 and we started to think that was odd. The radiology workstation, where the settings had been changed, was transporting data over to China and I was accountable for that.

“The nurse and Angry Birds. A nurse’s son downloaded Angry Birds from a Chinese site, at home onto a work device, and 1,000 spam emails went out under her name. This didn’t manage to get into any medical records, but it was sufficient to get into email,” added Halamka.

Read more on Privacy and data protection