TECHNOLOGY
TOP STORIES

Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent

(MORE)

BUSINESS
Playing for Iraq's jackpot

Coke & smoke bite Dow

Sun Microsystems posts tiny profit

(MORE)

MARKETS	4:30pm ET, 4/16
DJIA	144.70	8257.60
NAS	3.71	1394.72
S&P	10.90	879.91

SPORTS
Jordan says farewell for the third time

Shaq could miss playoff game for child's birth

Ex-USOC official says athletes bent drug rules

(MORE)

All Scoreboards

WORLD

Quake help not fast enough, says Indian PM

U.S.

Bush: No help from Washington for California power crunch

POLITICS

Bush signs order opening 'faith-based' charity office for business

LAW

Prosecutor says witnesses saw rap star shoot gun in club

ENTERTAINMENT

Can the second 'Survivor' live up to the first?

HEALTH

Heart doctors debate ethics of testing super-aspirin

TRAVEL

Nurses to aid ailing airline passengers

FOOD

Texas cattle quarantined after violation of mad-cow feed ban

ARTS & STYLE

Ceramist Adler adds furniture to his creations

(MORE HEADLINES)

MAINPAGE WORLD U.S. WEATHER BUSINESS SPORTS

TECHNOLOGY

computing personal technology

SPACE HEALTH ENTERTAINMENT POLITICS LAW CAREER TRAVEL FOOD ARTS & STYLE BOOKS NATURE IN-DEPTH ANALYSIS LOCAL
EDITIONS:
CNN.com Europe change default edition
MULTIMEDIA:
video video archive audio multimedia showcase more services

E-MAIL:

Subscribe to one of our news e-mail lists.
Enter your address:

DISCUSSION:

chat
feedback

CNN WEB SITES:

CNNfyi.com
CNN.com Europe
AsiaNow
Spanish
Portuguese
German
Italian
Danish
Japanese
Chinese Headlines
Korean Headlines

TIME INC. SITES:

CNN NETWORKS:

CNN anchors
transcripts
Turner distribution

SITE INFO:

help
contents
search
ad info
jobs

WEB SERVICES:

Hospital confirms copying of patient files by hacker

From...

by Marc L. Songini

(IDG) -- A major university hospital in Seattle Thursday confirmed that a hacker penetrated its computer network last summer and made off with files containing information about 5,000 patients.

Officials at the University of Washington Medical Center said the hacker -- who calls himself "Kane" -- stole user passwords and copied thousands of files while he had access to the hospital's systems. The hacker slipped into the network through a server in the hospital's pathology department, said medical center CIO Tom Martin.

The medical center suspected at the time that its network had been infiltrated and took steps to cut off the hacker's access, Martin said. But, he added, the hospital was unaware that the files had been pilfered until Kane provided information about the intrusion to SecurityFocus.com, a San Mateo, Calif.-based Web site that focuses on security issues.

MESSAGE BOARD

Security on the Net

Kane, who said he lives in the Netherlands, shared some of the copied files with SecurityFocus.com to verify that he had accessed the sensitive data. SecurityFocus.com staffer Kevin Poulsen said Kane views himself as an ethical hacker and indicated that he simply wanted to expose the vulnerability of the hospital's network. "He portrays himself as more of a whistle-blower than as an outlaw," Poulsen said.

But after being informed of the file copying, officials at the medical center reported the hacking incident to the FBI for investigation, Martin said. The hospital also beefed up its firewalls in an effort to better protect its network, and it began notifying all of the patients whose personal information was in the files copied by Kane.

IDG.net INFOCENTER
Computerworld main page
Computerworld's topic-oriented communities
Computerworld's IT career center
Free daily newsletters
Related IDG.net Stories
Cyberattacks against Pentagon on the rise
U.S. could face 'Pearl Harbor' in cyberspace
FTC, FBI sites leave opening for hacker access
Features
Cool gifts for cool nerds
Mastering e-commerce by degrees
Fast-track training puts nontechies in IT jobs
Visit an IDG site

IDG.net search

In a statement, the hospital said the copied information wasn't directly related to the delivery of care to its patients. Instead, it added, the information was stored in administrative databases and was used for patient tracking and for following up on research studies.

"There is no evidence that anyone has breached our main electronic medical records system," the hospital said. "We assure patients and the public that this system remains fully protected by the highest levels of security possible."

Martin said Kane used sniffer software to steal the electronic identifications of a number of hospital employees from an exposed server and then used those credentials to access thousands of files related to patients in the medical center's cardiology and rehabilitation departments. Martin added that the hospital plans to comply with the Health Insurance Portability and Accountability Act (HIPAA), a set of privacy and security guidelines that the federal government is close to finalizing.

The hacking incident wasn't that unusual and appears to have been relatively minor compared with the amount of damage that a malicious attacker could have inflicted, said Wes Rishel, an analyst at Gartner Group Inc. in Stamford, Conn. Rishel described Kane's intrusion as "a classic penetration of a secondary system" that was running a personal application with collected data, rather than an attack on the hospital's main database server.

"Academic medical centers are prone to this, as part of the spirit of academic freedom that creates pressure for open access," Rishel said. The only major impact from the hacking incident might be to get policymakers in Washington to push through the HIPAA as quickly as possible, he added.