The FBI's recent arrest of former Florida Hospital employee Dale Munroe for selling accident-victim information to doctors and attorneys has raised some interesting questions about the protection of medical information, the investigation of cyber crime, and the role of system logs in cyber crime prevention. For some people the biggest question raised by this incident will be, “Why would someone do such a thing?” The quick and easy answer revolves around money, but a longer answer has to do with wider factors, like the state of the economy and the prevailing moral climate. I will return to those factors in a moment after we “follow the money” and look at the use of system logs to crack this case.
The results of a 10-month investigation by the FBI and the Florida Department of Financial Services (DFS) are detailed in the criminal complaint U.S.A. v. Munroe. The case against Munroe alleges unauthorized access of protected health information (PHI) belonging to hospital patients. The term PHI comes from the privacy and security provisions of the Health Information Portability and Accountability Act (HIPAA). Accessing protected health data in America without permission is against the law, specifically Title 42, United States Code, sections 1320d-6(a) and 1320d-6(b)(3). If you knowingly violate this law with the intent to profit, as is alleged in this case, you face up to 10 years in prison plus a fine of up to $250,000.
Munroe is charged with seeking “compensation for providing the PHI to another individual who would benefit financially from the PHI.” The other individual, identified simply as S.K., is “known to employ ‘runners' to gather people to participate in staged vehicle accidents for the purpose of having those participants seek treatment at S.K.'s clinics and bill the participants' insurance companies for their treatment.” In street parlance, S.K. is a player in medical and insurance fraud.
Munroe is alleged to have received money for giving S.K. details of accident victims who could be targeted by doctors, lawyers and chiropractors. The complaint cites several cases in which this occurred and indicates that, from the beginning of 2009 through January 2011, Munroe received $7,840 in cash and $1,600 in checks that were deposited into his joint bank account. Furthermore, it seems Munroe's wife, employed at the same hospital, was also involved and received $1,200 in checks that were deposited into the joint bank account.
So how did Munroe get access to this data? He was hired in July of 2006 by Florida Hospital at its Celebration location. Florida Hospital is one of the country's largest nonprofit health care providers with 22 campuses serving communities throughout Florida, and Celebration is the town Disney founded, near Orlando. Munroe's job title was registration representative in the emergency department and his role was to use Florida Hospital's computer system to register patients as they came into the ER, including walk-ins and ambulance cases. Patient records are accessed on this system via a screen called RS23 that shows 10 records at a time. The system can be used to view ER patient lists for other Florida Hospital locations, not just the location at which the screen is being accessed.
A review of system logs revealed that from 2009 to Q3 of 2011 Munroe accessed more than 763,000 patient records this way (the number of records you would normally expect an employee in this role to access in the same time period was put at 12,000). By analyzing the logs, the hospital, together with FBI Special Agent Andrew W. Culbertson, who is also a CPA, figured out that Munroe was rapidly scrolling through the lists of patients in the RS23 screen looking for a particular type of patient, then pausing when at least one of the 10 patients on the screen was involved in a motor vehicle accident. Using the logs, Florida Hospital has identified more than 12,000 patients whose records were inappropriately accessed with presumed intent to solicit. By correlating phone calls, text messages, system logs and HR records, the authorities can make a pretty compelling case that Munroe committed the alleged acts, knew they were illegal, and worked with S.K. to exploit the data so harvested.
This investigation shows why it is so important to maintain comprehensive system logs. As FBI Special Agent Brian Nielsen stressed to students at our recent Cyber Boot Camp, “preserving system logs can be vital to making a criminal case.” And what if Munroe tries to argue he is innocent because someone else had used his system credentials, or that he was just doing his job? Both claims can be disproven by correlating system logs with other data.
“Times are tough for many people right now and there are huge disparities between wages for hospital clerks and the salaries of doctors and hospital executives.”
– Stephen Cobb, security evangelist, ESET
While Florida Hospital deserves kudos for preserving the system logs, thereby enabling case-making analysis of inappropriate user behavior, the scorecard is not so good when it comes to detection of inappropriate behavior. We note that Munroe was accessing ER patient records at 60 times the normal rate for more than a year. Of course, there is nothing so annoying to IT managers as an IT security expert waxing wise after the fact, but given the clear and present danger of large fines for HIPAA violations you would think such behavior should set off some sort of alert or alarm. Florida Hospital could yet be taken to task for failure to read its own logs proactively.
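The kind of proactive log review this paragraph calls for can be quite simple: compare each user's daily record views against a peer baseline and raise an alert when the ratio is far out of line. The following is an added example, not code from the article or from Florida Hospital; the log format (date, user, screen, records on the page), the user names and the daily page counts are all constructed, with only the RS23 screen and its 10 records per page taken from the case description.

```python
# Added example (not code from the article or from Florida Hospital): flag
# users whose daily patient-record views far exceed the peer baseline, over
# constructed RS23-style access-log lines.
from collections import defaultdict
from statistics import median

# Constructed log lines: "date,user,screen,records_on_page". The RS23 screen
# shows 10 records per page, as the article describes; users and page counts
# are made up for illustration.
def build_sample_log():
    lines = []
    for day in ("2011-03-01", "2011-03-02", "2011-03-03"):
        for user, pages in (("clerk_a", 12), ("clerk_b", 15), ("user_x", 700)):
            lines += [f"{day},{user},RS23,10"] * pages
    return lines

def parse_log(lines):
    """Yield (date, user, records) tuples, ignoring non-RS23 screens."""
    for line in lines:
        date, user, screen, n = line.strip().split(",")
        if screen == "RS23":
            yield date, user, int(n)

def daily_record_views(lines):
    """Map user -> {date: number of records viewed that day}."""
    views = defaultdict(lambda: defaultdict(int))
    for date, user, n in parse_log(lines):
        views[user][date] += n
    return views

def flag_outliers(views, factor=5.0):
    """Return {user: ratio} for users whose average daily views are at
    least `factor` times the median of all other users' averages."""
    averages = {u: sum(d.values()) / len(d) for u, d in views.items()}
    flagged = {}
    for user, avg in averages.items():
        peers = [a for u, a in averages.items() if u != user]
        baseline = median(peers) if peers else avg
        if baseline > 0 and avg / baseline >= factor:
            flagged[user] = round(avg / baseline, 1)
    return flagged

if __name__ == "__main__":
    # With the constructed data, only user_x is flagged, at roughly 52x peers.
    print(flag_outliers(daily_record_views(build_sample_log())))
```

A real deployment would run this per shift or per day against the hospital's own access logs and route the alert to the privacy officer, rather than waiting for an outside complaint to surface the pattern.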
In fact, according to the FBI, Florida Hospital fired Munroe in July 2011 for inappropriately accessing the records of a doctor who had been fatally shot in the hospital's parking garage, a HIPAA violation indeed, but not the pattern of gross violation by which Munroe was making money and for which he was arrested. The whole sorry scam only came to light a month or so later when Munroe's wife, who had not yet been fired, allegedly sold details of the ER record of a patient whose mother was a Florida Hospital employee. When the scammers contacted said mother and exhibited knowledge of medical details found only in her daughter's hospital records, the game was up.
But was this a game? In all likelihood, the money generated by the scam was seen by the Munroes as much needed extra income. Times are tough for many people right now and there are huge disparities between wages for hospital clerks and the salaries of doctors and hospital executives. This pattern exists across the whole economy with S&P 500 CEOs now earning 380 times the wage of the average American worker (a wage disparity far greater than that of any other country in the Western world). What has this state of affairs got to do with cyber crime? Disparity can be an excuse for the morally weak, just as opportunity can be a temptation. There is no excuse for giving in to the temptation of violating the privacy of others for personal profit, but in the context of multi-billion dollar health care fraud cases, and successful business models built on the sharing of personal data, it is not hard to see how people might talk themselves into something like this.