Hospital Breach by Job Applicant

Posted on October 27, 2010 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

During a bond hearing Thursday in Superior Court, Wheeler’s Macon attorney Reza Sedghi described his client’s actions as a job application gone awry with “no criminal intent or compromise of sensitive patient information.” Sedghi said Wheeler had obtained access to the database with a password and access codes obtained while working on a Macon physician’s connectivity problems with the hospital.

The attorney said Wheeler uncovered seven flaws in the hospital’s system and sought to use the discovery to land a job with the countywide medical complex, spending several hours with Rhodes and David Griffin, the hospital’s security chief.

“They asked for and received a copy of his resume and a written report of his findings,” Sedghi reported in court. “Then they walked out of the conference room and returned with two Warner Robins police officers.”

Wheeler’s acts were stupid, the Macon attorney conceded, but “he had no malicious intent. He was the one exposing the flaws.” –source

I must admit that I’m a bit torn by the story of this kid who I believe didn’t have any malicious intent when he breached the hospital’s security system. The crazy thing is that if he’d had malicious intent, they likely wouldn’t have known that these security holes existed or that he had breached them.

Certainly the kid is dumb to have done it, but the reaction by the hospital system is terrible. Here’s a quote from the same article excerpt above:

“I condemn any effort of any party to justify his acts,” Rhodes [CIO] said in an exclusive Warner Robins Patriot interview. “This is a criminal act and he did not do Houston Healthcare or its patients any favors. His actions were illegal and we will support the authorities in prosecuting this to the full extent of the law.”

Talk about a major overreaction. Of course, his condemnation of efforts to justify his acts makes people more interested in doing so. Honestly, Robert Rhodes, chief information officer for Houston Healthcare, just sounds like an angry CIO whose security efforts were torn to shreds by a 21-year-old. I’d be angry too if I were Robert Rhodes. Mostly because Robert Rhodes is the one who should be fired for having such porous security, and they should hire Christopher Wheeler to help them actually implement some real security.

Of course, the CIO is quick to point out that “He did not breach our internet security. He got in through a stolen password. He didn’t discover a breach. He was the breach.”

This is just wrong. It wasn’t stolen, but given to him as part of his duties to help the doctor connect to the hospital. That’s not a breach. What’s insane is that a doctor’s password would have the ability to create all these back doors and expose seven flaws in the hospital’s IT systems. The CIO should be held accountable for that. So much for only giving users the access that they need. Or maybe the doctors at Houston Healthcare need that ability. Yeah, right.

I don’t want to give the impression that security isn’t important. It is, and what this guy did was wrong, and he’ll be punished in the legal system for what he did. It does seem, though, that it wasn’t done with malicious intent, so some leeway should be given there. However, the CIO accepting a C-level executive salary with responsibility over a network with so many security flaws that they could be exposed by a 21-year-old using a doctor’s password sounds much more inappropriate to me.