This month’s New England HIMSS event filled our usual meeting place, Papa Razzi in Wellesley, MA, to near capacity. While these events typically start off with networking and socializing, it was difficult to walk around the room because of the crowd on hand. The draw? Mac McMillan, the National Chair of the HIMSS Privacy and Security Task Force, and Chuck Podesta, the CIO of Fletcher Allen Healthcare, were here to talk about a real-life security incident that threatened the integrity of the organization’s data, and how they responded.
First, some statistics: Fletcher Allen Healthcare is Vermont’s academic and university medical center, located in Burlington, VT (also home to offices of Galen Healthcare Solutions as well as Allscripts). It has 562 beds, and in 2010 there were 50,419 outpatient admissions and 60,356 ED visits (FletcherAllen.Org). Podesta currently runs a staff of about 150 people that supports 10,000 end users on 6,000 workstations.
On the evening of March 29th, end users of Fletcher Allen’s system were infected with a virus. Six users, all physicians, clicked links in emails purporting to be delivery tracking updates. Instantly the system was infected with a variant of the virus known as ‘PinkSlipBot’, for which there was no virus definition available.
Podesta’s team reacted immediately and was able to ‘secure the perimeter’, including blocking outbound traffic and isolating the affected networks. Luckily, only a handful of packets had escaped the network; they were analyzed and found not to contain any protected health information (PHI). The virus was very aggressive. It was programmed to obtain local admin rights, shut down the installed virus scanner (McAfee), install a rootkit which hid itself from detection, and lastly, install a keystroke logger. Podesta and his team learned this from analysis of the temp files left behind by the virus. Before it was brought entirely under control and mitigated, the virus had infected over one thousand hosts!
“The whole org is much more focused on [security] as a result of the virus”, Podesta told the NEHIMSS audience. At the time of the incident, the security team at Fletcher Allen consisted of fewer than ten people. In the 48+ non-stop hours spent protecting and cleaning up their networks, the effort grew to include about sixty people, who spent ninety minutes on each infected host, and it ultimately cost the organization “in the 6 figures”.
At the conclusion of the presentation the speakers asked the audience (by a show of hands…) if security is a regulatory issue, or a patient safety one.
While no PHI was disclosed, and no patients were harmed, the answer is simple: it’s both.
While the EHR remained functional and connected throughout the ordeal, portions of Fletcher Allen’s network were down for periods of time. Galen Healthcare Solutions offers VitalCenter, a downtime solution for the Allscripts Enterprise EHR – no matter why the EHR is unavailable. For more information visit vitalcenter.galenhealthcare.com.
If you missed it, check out my PHI-related blog from last month here.