Thursday, July 24, 2008

Do we really have the societal wisdom to put all healthcare data online?

The following story on IT security is simply stunning in its layers of apparent ineptitude.

I further find at this link that this system administrator was once convicted in Kansas of aggravated robbery and served time.


Yet numerous constituents of the "Health IT Ecosystem" (a title I use to describe the complex HIT environment) espouse the value of national healthcare and genetics databases to be stored by commercial companies such as Google and Microsoft, and/or the Federal Government.

This raises the question: in 2008, do we really have the levels of societal wisdom necessary to put all health care data online?

-- SS

One admin's missing password leaves San Francisco in a lockdown state

By Michael Hatamoto, BetaNews
July 18, 2008, 5:00 PM

A former San Francisco city computer network administrator remains in a Bay Area jail after pleading not guilty to four charges of computer tampering. Meanwhile, the city's computer network is in limbo.

Prior to his arrest, Terry Childs, 43, of Pittsburg, California, managed to manipulate the city's computer system, creating a password that has effectively locked out all other city network administrators. As an employee in the San Francisco Department of Technology Information Services, he helped create a new network used for the San Francisco FiberWAN (wide-area network), his former defender said.

The FiberWAN network is responsible for controlling the city's e-mails, law enforcement records, payroll, and personal records. It controls 60 percent of the city's municipal data, which also includes lawyer information and the 311 information system.

In an interview today with the San Francisco Chronicle, Childs' attorney, Erin Crane, characterized his client as willing to cooperate, but may only turn over the password city officials need to operate their network after negotiations have concluded. Crane described Childs as more than the network's administrator -- indeed, as its architect.

Childs pleaded not guilty yesterday in San Francisco Superior Court, and is now being held in custody on $5 million bail. He will next face a bail hearing on Wednesday, July 23.

The public defender who initially defended Terry Childs, Mark Jacobs, removed himself from the case over suspected conflict of interest, after it was learned his own records were among those included in the files that Childs still holds hostage.

Specifically, Childs stopped authorized network users from accessing parts of the network they should be authorized to use, and also enabled his own access to sections of the network to which he should have been restricted while he worked for the city, San Francisco district attorney spokespeople said.

Computer security experts have been quick to chastise the city for letting one person have access to the entire system, while recommending each person should only have access to a piece of the network. Aside from Childs, it's believed five or six people are expected to have accounts enabling universal access to everything in the network, though the identity or whereabouts of those individuals has not been made known.

In another mistake, the city apparently did not keep adequate system backups, which they could have used to restore the network and its passwords by now. Even so, it's unknown if there are any backups of the system and password, and if Childs also locked the administrator account from those backups.

There has been no data breach, no tampering with the system itself, and the only problem at the moment is that everyone is locked out, city officials confirmed.

San Francisco Mayor Gavin Newsom, city officials, and Cisco engineers are still trying to resolve network issues about five days after the initial incident. Earlier in the week, Mayor Newsom said it could take up to eight weeks to fully restore the network to working order, costing the city thousands of dollars in resources. But the eight week prediction is a worst-case scenario, in which an entirely new infrastructure would have to be built, and the current network dismantled.

During a press conference earlier in the week, Mayor Newsom described Childs as a "rogue employee" who became "a bit maniacal and full of himself."

The network restoration could happen much faster and easier with cooperation from Childs, who had said several times that he does not plan to help the city fix the network. After Childs' first court appearance, attorney Crane said this entire issue was nothing but a misunderstanding that the media and public had blown out of proportion.

Although the D.A. has not released the full criminal complaint against Childs, and what would have led him to do this, local Bay Area media outlets reported an alleged dispute between Childs and one of his managers. Unconfirmed reports indicate he was to be suspended on July 9 for alleged insubordination.

With few known details available about the case, the media, both professional admins and the general public have already formed their own opinion about the case, saying it's ludicrous that someone who has yet to hurt someone is being held on $5 million bail. Others, however, said effectively hijacking an entire city's computer network and holding it hostage is the wrong course of action, regardless of what grievances he has against his employers.

Even though Childs remains in police custody, he is still receiving paychecks from his $127,735 per year salary. Moving forward, the city of San Francisco hopes to work with Childs and his attorney to resolve the network issues in a timely manner, though specific talks are taking place behind closed
