This is a cautionary tale. The morals of the story may not apply to health IT applications the same way they do to other parts of the information technology world, according to some industry experts. Others say they do, indirectly.
Either way, the saga of how a network administrator held a city’s information system hostage has implications for anyone who comes in contact with health care IT — and that covers an increasingly large portion of our culture as we move toward a digital society.
Last month, an administrator hijacked San Francisco’s computer system, refusing to divulge passwords only he knew. The network controls data for the city and county’s police, courts, jails, payroll and other services. For nine days, no one had control of the system, parts of which continued to function.
Arrested and jailed with bail set at $5 million, the administrator, Terry Childs, eventually gave the passwords to Mayor Gavin Newsom (D). Childs, who faces four felony counts of computer network tampering, pleaded not guilty. He’s still in custody.
San Francisco officials said the city’s health system was not affected.
“The Department of Public Health operates its own separate system,” said David Counter, chief information officer for the San Francisco Department of Public Health. “We have our own IT team which oversees our own, distinct computer system.”
Counter and other health officials said it is unlikely a large health system — public or private — could be held hostage in a similar way.
“Health care agencies have much more stringent security regulations in place than most parts of government,” Counter said. “There are so many privacy and oversight provisions in HIPAA (Health Insurance Portability and Accountability Act of 1996) that any health system that deals with federal agencies like Medicare and Medicaid — and that’s almost everybody — could not possibly be put in a situation like the city’s system was last month,” Counter said.
“And frankly, I can’t imagine any system — health or any other kind — letting one engineer have that much control. That’s the first rule in Security 101 — don’t give all the clout to just one individual or even one group of people,” Counter said.
San Francisco’s health IT system is separated into more than 100 segments, Counter said. “No one individual or even one group has control over all 100 segments,” Counter said. “We have an internal system of checks and balances and we’re audited regularly on our IT security.”
Health care IT people in most government agencies “are further along on the security learning curve than IT people in other parts of any government. There’s a very, very high level of security consciousness in health care IT,” Counter said.
The Pacific Research Institute, a free-market think tank generally opposed to government-run health programs, seized the opportunity to promote private industry and lambaste government.
“No network is perfect, and no patient can ever be ‘certain’ that his information is secure,” said Daniel Ballon, a policy fellow in technological studies at the Pacific Research Institute in San Francisco. “That being said, private networks consistently outperform their public counterparts in speed, efficiency, and security.”
“Government networks lack accountability because they operate as protected monopolies,” Ballon said. “There is no incentive for the government to maintain high security standards if citizens can’t take their business elsewhere.”
Ballon, in an essay titled “Lessons for Sacramento From San Francisco’s High-Tech Heist,” wrote:
“After Childs’ arrest, officials revealed they had failed to back up the network properly. If not for this simple and preventable mistake, the city could have easily restored access. Instead, taxpayers faced a restoration that could have taken months and cost millions of dollars. The follies continued when the district attorney prosecuting Childs accidentally compromised the network by releasing 150 sensitive names and passwords in open court. When the city rushed to change these passwords, it caused the entire system to fail.”
The saga of the rogue engineer has prompted San Francisco’s non-health IT department to re-think network oversight and consider hiring outside contractors to help with a security upgrade.
Despite design and security problems elsewhere in the city’s information infrastructure, San Francisco’s health IT network is running smoothly, according to city officials.
The city health department, with an annual budget of $1.5 billion, has two divisions — one overseeing the city’s public hospitals and one running more than 500 community health centers and clinics. Each division has its own chief technical officer and dedicated IT staffers.
“Although some people say government isn’t as efficient as the private sector, that isn’t necessarily the case when it comes to security of health care data,” Counter said.
“The advantage that health care IT professionals have is that federal regulations drive a lot of what happens in health care, and Medicare and Medicaid regulations have caused health care systems to be designed and used in much more secure ways than other municipal and government systems,” Counter said.