Security Hacks

January 27, 2011


The University of North Carolina at Chapel Hill found out last year that, in 2007, someone had hacked into a server holding personal information of 180,000 mammography patients from around the state. The hacker was never found or charged, and did not appear to have copied any of the data, which included 114,000 Social Security numbers. But the university tried to fire -- and is still trying to punish -- the researcher who was in charge of the information.

Although she had an unassailable track record, administrators concluded that Bonnie Yankaskas, a professor of radiology at the medical school who had been collecting and analyzing mammography data for more than a decade without incident, had been careless with sensitive information and had damaged public trust in the university, and should be terminated. A faculty hearings committee later persuaded the university instead to demote Yankaskas to associate professor. She could keep her tenure, but her pay would be cut by half.

The case is gaining attention from academics who believe the university is trying to make Yankaskas into a scapegoat in order to save face. Now her supporters at North Carolina and elsewhere are saying that the way the administrators have handled the case could in fact cause more damage to the research university’s reputation than the data security breach Yankaskas is alleged to have enabled.

“You couldn’t pay me a gazillion dollars to work at UNC based on what they’ve done,” says Patricia Carney, a professor of family medicine at Oregon Health & Science University. The idea that a university would make a researcher with Yankaskas’s record walk the plank because some hacker managed to foil a firewall that Yankaskas did not personally set up could impede North Carolina’s ability to recruit research faculty, Carney says. After all, says Richard McCann, a surgery professor at Duke University’s medical school, “Why would you go to someplace that wouldn’t support you?”

Carney and McCann were two of 127 researchers, mostly from the North Carolina system, who earlier this month signed a petition in support of Yankaskas. “Systemic institutional failure,” not the carelessness of the principal investigator, is to blame for the breach, wrote Michael Knowles, a professor of physiology, and C. William Davis, a professor of cell biology, on behalf of the undersigned. The petition, which echoes comments by the faculty, is addressed to the Chapel Hill board of trustees. The board has tabled an appeal by Yankaskas while the university tries to settle the matter through third-party mediation. (This paragraph has been updated since publication to correct an error.)

The problem was not that Yankaskas failed to keep her data secure, her champions argue; it was that she did not have the necessary training or technical expertise to be reasonably held accountable for its security. “I did everything I knew to do, but I did not know how to secure a machine,” Yankaskas told Inside Higher Ed. The university tests its researchers’ knowledge of confidentiality rules every year, she says, but the assessment is oriented to ethical and legal matters surrounding confidentiality — not technical skills needed to understand and safeguard against the sophisticated cyber-attacks enabled by networked data storage.

In fact, Chapel Hill does not require research investigators such as Yankaskas to learn how to put up and maintain a firewall; it merely requires that they appoint a tech-savvy “server custodian” to do so on their behalf. In an October 2009 memo to Yankaskas expressing Chapel Hill’s original intention to fire her, Bruce Carney, the provost, criticized the professor for hiring a university software programmer who “had no certification or experience as a server administrator” to be in charge of installing security updates on the server that was later hacked. Carney further asserted that Yankaskas ignored her custodian's requests for additional training, and consistently rated her as an “excellent” server administrator despite her lack of qualifications. “It is my opinion that Dr. Yankaskas was negligent in the fact that she hired an individual without the proper credentials or experience for that responsibility,” wrote Matthew Mauro, the chair of the radiology department, in a different memo.

The administration proffered a whole other set of reasons for trying to fire Yankaskas having to do with whether the researcher had acquired her data by ethical means; it was the faculty hearings committee’s absolution of Yankaskas on that question that led the university to dock her pay rather than fire her. What the faculty review board did not dispute was that Yankaskas was accountable for the breach according to existing university policy. Rather than exonerate her on that count, the board concluded that she made the errors in good faith, while suggesting in vague terms that the burden that policy places on the shoulders of non-techie academics in the event of tech-intensive leaks ought to be rethought. “This case, as presented to the Committee, reveals a weakness in the linkage between campus security professionals who understand and monitor computer networks and the researchers who acquire and use confidential data,” it said, adding: “The security failures revealed by this case should prompt wider consideration of reform in how University research involving confidential data is carried out."

Larry Conrad, the chief information officer at Chapel Hill, says updating the university’s information security protocols across the board has been one of his top projects since he took the reins in 2008. But with more than 3,000 faculty members at Chapel Hill, the computing environment is too spread out for the central I.T. office to hold every researcher’s hand, says Conrad. “I’m no lawyer, yet I’m held responsible for the contracts I sign and ensuring I get competent legal help,” he says. “There are resources available to me to help determine who is competent... [and] it’s my responsibility to seek that help.” Both the medical school and the central I.T. office at Chapel Hill have people Yankaskas could have turned to, he says. (Yankaskas says that she did turn to university I.T. for help, in effect, by hiring someone that university I.T. had trained. She says she figured her server custodian’s former bosses would have said something if their former pupil was unfit to oversee server security, but they did not.)

John Baines, assistant director of security standards and compliance at the nearby North Carolina State University, says Chapel Hill's policy of holding the principal investigator of a research project wholly accountable for mistakes made in his or her own shop is not unusual; North Carolina State has a similar policy, says Baines. "I remember the case well," he told Inside Higher Ed via e-mail. "I have used it as a case study in various presentations. I am sorry, but the principal investigator on any research project is always ultimately responsible for the care and security of the research data in his/her care. Particularly with Social Security numbers and how much of a lightning rod they have become in identity theft."

The autonomy granted to research faculty is considered a great strength at large research institutions, says Paul Howell, the chief I.T. security officer at the University of Michigan. “They’re given a great deal of latitude and freedom in how they operate, and they’re asked to make good decisions within that,” Howell says. That includes taking full responsibility for the actions of their hired help, he says.

But to some members of the North Carolina faculty, the university's handling of the Yankaskas case has tarnished their faith that the university will treat them fairly. Knowles, the physiology professor who co-authored the petition to restore Yankaskas to her former status, says he cannot believe that her sins were so egregious as to warrant the fate her bosses have sought for her, given her otherwise unblemished record and the $12 million in grants she has secured for the university over 25 years.

Davis, the cellular biologist, says that if the university does have a compelling counternarrative to justify its treatment of his colleague, the administration has so far failed to articulate it to the dozens of researchers who have reacted to the news with fear and outrage. He feels angry enough to resign in protest, he says.

But, for the same reason he fears being similarly punished for failing to prevent data intrusions that he does not understand, Davis says he will probably not quit: he can’t afford it.


Comments on Security Hacks

  • Object Lesson
  • Posted by Tracy Mitrano, Director of IT Policy at Cornell University on January 27, 2011 at 7:45am EST
  • Every faculty senate in the country -- and beyond! -- should put this article/issue on their agenda, invite the provost and chief technology, security and policy officers to the discussion to work out together not blame but a positive program of privacy and security responsibilities for their institution.
  • Responsibility & accountability
  • Posted by B., Patient at MegaU on January 27, 2011 at 8:30am EST
  • So, as usual, tenured state employees are so noble in their umbrage for their kind.

    What about patients and their privacy rights? Medical data files can be sold for high prices.

    In the case of public figures (actors, politicians), there have been well-publicized cases of health care staff "peeking" illegally at patient files for tabloids. Cries of "understanding" for those terminated workers are then heard.

    No sale. It is patients first.

    Either do the job right -- or move on. There can be no middle ground with digitized medical data that can be distributed worldwide, easily and quickly.

    This is not abstract legal "theory." This is about the reality of patients who can be harmed. Those "theorists" who cannot grasp the reality of the potential harm should not be allowed to be around patients and patient data, IMO.

    Patient data leaks are a future Fannie/Freddie, Medicare/Medicaid fraud, and Enron and Lehman Brothers, in the making.
  • "Blame and Shame" Doesn't Work
  • Posted by A Patient Safety Researcher on January 27, 2011 at 9:15am EST
  • In the patient safety world, we sadly aren't at the forefront of systems improvement, but at least in many places we're a decade ahead of this mess.

    Yes, the lead doctor on a team is ultimately responsible for the care a patient receives. But if that doctor works within a system where that team is set up to fail, we know that "blaming and shaming" the doctor doesn't improve safety. In the long run, it makes things worse because it promotes a culture of hiding problems instead of fixing them.

    The answer to a problem like this one is for the University to put a system in place to prevent things like this -- not just from happening, but from even being POSSIBLE.

    This is a systems fault, with a systems solution. Period.

    All UNC has accomplished with its witch hunt is to make a university where I'd once wanted to work look like a miserable, backward place to be.
  • Food for thought: Security of medical records? What security?
  • Posted by vfichera on January 27, 2011 at 9:45am EST
  • Security of medical data, eh? Anyone out there tracking the administrators who happen to be physicians who invade the records of patients involved in litigation or formal Federal/state agency complaints against their institutions?

    Try formally requesting a lock on your medical records at a university hospital or health center with an electronic track on all who view the file. (Yes, CCHIT criteria for the HIPAA certification of electronic medical records software require that capability.) You'll discover that your request will be shuffled all over the place and the name and email address of the Privacy Officer will be almost impossible to locate.

    Meanwhile HHS has strengthened HIPAA with regulations just going into effect that clamp down on releases without the patient's permission. Right. I have one of those proverbial bridges for sale if you believe we have any chance of enforcement. I have a filed HIPAA complaint with HHS that has been ignored for years. Yes, that's right: years.

    There's so much going on out there in the matter of HIPAA privacy violations of protected health information (and even an SSN in the file is considered PHI) that the scapegoating of the two women would put me on alert to see just what medical records files the dean of the medical school of UNC has visited lately, for example.

    (One can't help but wonder whether the university's reaction would have been the same if a male researcher and male IT worker had been involved. But I digress...or do I?)
  • Social Security numbers?
  • Posted by Layla, Professor, Sociology at NCSU on January 27, 2011 at 9:46am EST
  • Granted that UNC overreacted -- dismissal is a bit too much in this case -- but why would anyone put Social Security numbers in a dataset that is stored online? This is Data Security 101 stuff. The researcher certainly wasn't qualified to judge the security of the system's firewalls but she certainly was aware that she was storing easily-identifiable data in a potentially risky location.
  • And yet Faculty holds themselves above the audit process...
  • Posted by ITAuditor on January 27, 2011 at 10:00am EST
  • Faculty brings this upon themselves by living in their Ivory Towers and holding themselves above the audit process.

    I have one "Leader" who told their audit liaisons to not allow internal audit to talk with the researchers. Gee, that's helpful. (We cried "Scope Limitation" and they backed off, but still)

    And who will this "leader" blame when they have a serious breach like this one? Central Administration, for not protecting them.
  • Posted by Jonathan Dresner on January 27, 2011 at 10:00am EST
  • And people wonder why I don't put grades or other student data on our LMS....
  • The other person involved...
  • Posted by Just curious on January 27, 2011 at 10:45am EST
  • The faculty member isn't the only person involved here. What happened to the "server custodian," the I.T. administrator she hired? This person presumably knew what the position entailed. Why did she apply for it or consent to be considered for it if she didn't have the background for it? How did she present herself? Why did she accept it? If she was uncomfortable with the support she was getting, why didn't she leave? There is a whole other side here that hasn't been addressed in the article. Did UNC address it?
  • Posted by mb on January 27, 2011 at 10:45am EST
  • crickets wrote: "One can't help but wonder whether the university's reaction would have been the same if a male researcher and male IT worker had been involved. But I digress...or do I?"

    I think that if anything the university would have come down on the men harder, and there would not have been nearly the outpouring of support from their peers that these women are getting. As always, YMMV.
  • Shared Government = Shared Responsibility
  • Posted by Research Support at Very Large Public on January 27, 2011 at 11:30am EST
  • I've twice been involved with major incidents where researchers scream "it's IT's fault!" so far in my career. Both incidents I experienced were not security leaks, thank goodness; they were projects where the PI shunned IT support but never backed up critical data. One loss by catastrophic hardware failure, the other where data was "lost" (or may not have existed to begin with) just prior to a mega-sized deadline.

    From my experience, any PI worth their salt should at the very least keep a backup of (or secure in the case of UNC) a single document (or project in the case of UNC) that they supposedly spent 2 years working on. At the same time, IT should repeatedly reach out to offer support and services to the PI, grant admin, department, school, college, etc. - but sadly in some cases IT will always be shunned.

    With this said, it is my opinion that both responsibility, and blame, are usually shared by both IT and the researcher. Based on what is presented in this article, this seems to be true for the UNC incident as well.
  • the goose and gander
  • Posted by bradley bleck, English instructor at Spokane Falls CC on January 27, 2011 at 11:45am EST
  • I guess this means that anytime there is an IT security breach at UNC and environs, the IT staff should be the first to go. Or should it be the VP who manages their budget? Or the president who oversees the VP? Or the board who hired the president? The governor who appointed the board members? The electorate who put the governor in office? Oh wait, we need scapegoats and blame. Not answers or understanding.
  • With power comes responsibility
  • Posted by IT security, IT Security at Large CA inst. on January 27, 2011 at 6:30pm EST
  • Faculty don't want to be told what to do. Managers, including chancellors and deans, don't want to offend any faculty by making mandates, much less backing them up. Great things flow from the lack of a top-down authority on US college campuses, we are told.

    The down side is that you, the faculty member, must be responsible if you don't want to be told how to do things securely.

    This researcher should never have had this data on a personally run server, administered or not. There should be strict rules in place detailing what faculty can and can't do with sensitive data. Instead you have the governed as governors, one and the same. A recipe for disasters, just like this. And when it's time to pay the piper, they rise up to protect their own, so there never is culpability, only victims and a warped system that self-perpetuates.

    The lesson here is not that we need to work more together, it is that faculty have to cede power where they have no ability to determine the correct course.
  • Reality check: SSNs are in most medical records databases
  • Posted by vfichera on January 27, 2011 at 8:45pm EST
  • One commenter above chastises the professor for having SSNs in the database. I agree it would be "loverly" if that weren't the standard practice for most providers, employers, et al.

    For example: The SUNY faculty-professionals union, UUP, negotiates into its contract with the State of New York that UUP gets access to the state's payroll deduction system to raise money for the statewide teachers' union PAC (yes, you read that correctly: for VOTE-COPE)-- and it bargains away additional employee rights (little things, like accepting "contracting out" for faculty and professionals) for the ability also to run two medical plans with state monies: dental and vision. (Those other employee unions for whom the state directly oversees the dental and vision have better coverage; see how this works?)

    Every single month, the UUP does an electronic data dump of the personal data provided to it by the state -- including SSNs as identifiers -- to its business partners to update enrollment history. And it hires the state AFT affiliate, NYSUT, to administer its IT services and have access to these data (including SSNs: it's all there) which both UUP and NYSUT share with AFT and sell to even more vendors for "benefits" through their "trust funds" -- and UUP and NYSUT use the state payroll deduction system as their collection agency in the bargain.

    Imagine UUP members' surprise one year when an auto club membership solicitation arrived in the mail with SSNs right there on the letters. Protests were to no avail; it took a recent NYS law to forbid the open use of SSNs on mail. Electronic transfers? No problem: just encrypt. So what if the employees of corporations all across the nation have access to those files? State law just requires encryption on the initial send -- but the new HIPAA regulations are not so indulgent. Stay tuned.

    Do you think that the delegates of the SUNY UUP faculty/professionals union had the backbone to pass a resolution to force UUP to eliminate their SSNs from these databases? I think you can guess the answer.

    So don't for a minute think that UNC isn't scapegoating the professor for its own internal failures to coordinate IT for the campus in accordance with HIPAA, etc. It's a nightmare -- everywhere.

    (As for the alternate scenario where a male professor is the PI whose data were hacked, there would be no outpouring of support, of course, because, most likely, we wouldn't even be given his name in the press.)
  • Two Hats
  • Posted by A Frustrated Digital Humanist, Asst Prof at East Coast Public U on February 10, 2011 at 5:15am EST
  • This is obviously a polarizing issue, yet as someone who has worn both an IT hat and a faculty hat I find the polarization troubling. I spent many years working in the health care IT sector dealing with confidential patient data every day; so with this hat my reaction is shame on the researcher for not being more careful--I mean at least generate unique IDs and keep the correlation data between IDs and SSNs on a non-networked computer. That's just a no-brainer. However, as a current humanities professor I bristle at the responses posted here by "IT" folks. I'm a former MCSE, so I know how to administer and maintain a server, and as a digital humanist who designs and builds digital tools I need a server to do my research. But, when I tried to purchase a server with start-up funds given to me by my dean for that purpose, our university IT group refused to let me purchase it--and refused to give me root access to any of their "secure" servers. This was confusing to me since I knew a colleague in CS had been given the same funds and put in the same purchase request (we'd spec'd the servers out together), but his request was approved. When my chair and dean pressed the CIO's office for an explanation they were told that university policy was that only the College of Engineering could purchase independent servers since they "knew how to properly maintain them." Despite providing proof that I knew how to do this work, my request has been repeatedly denied, and my research has been hampered. Yes, I've found workarounds, but I shouldn't have to do that. One of the primary goals of research institutions is research and IT folks at these institutions need to find better, more nuanced ways to work with their faculty and their various ranges of technological competence. There is no one-size-fits-all solution; neither side of this debate is all right or all wrong.

    Just out of curiosity, would this professor have been demoted if she kept the same data in hard copy in a locked filing cabinet in a locked office and those locks had been broken to get to the data?