Real Life: How I broke into a hospital computer

Computerworld - Recently I was able to break into a hospital computer system. I couldn't change settings, alter clinical records, hack into the Pentagon or launch nuclear missiles, but I could and did send and receive e-mail from an unauthorized terminal, surf the Web, and view official hospital documents unchallenged. My story offers some simple, low-tech, common-sense precautions you can take to prevent a similar occurrence at your site.

It was late evening. My friend had just undergone a surgical procedure at a Midwestern teaching hospital. I was told that I might be in the waiting room for two or three hours. The waiting room magazines were antediluvian so I passed the time wandering through empty, dimly lit hallways. I knew that the hospital offered free Internet access to its patients so I asked a nurse where I could find a public computer. She pointed down the hall in a vague general direction.

I spotted small red and green lights on a desk that led to a vacant open cubicle containing a clerical workstation. I walked in and looked around. No one stopped me. The area might have been considered secure during the day by virtue of normal traffic flow, but now everything was exposed and up for grabs.

Tip: Maintain physical security during off hours. Close and lock your doors.

I touched the keyboard. Voila! The desktop appeared. There was no password-protected screensaver or acceptable use notice or warning screen with an authentication prompt.

The desktop contained a document in plain view opened by the previous user but never closed. It was only the weekly schedule of events, but it just as well could have been a confidential report. Because the user was still logged on, the document could be copied, changed or saved by any passerby.

Tip: Set and deploy automatic session timeouts.

The Start button was only partially disabled -- some programs couldn't be launched. But some local applications were still live. The Internet Explorer icon was renamed, but easily identified. I clicked on IE and it launched. The Web was mine!

Well, almost. The hospital system group had blocked some sites but not others. After a few tries the pattern became evident. They had blocked all .com and .org domains but not the .edu domain. I couldn't go to 1-800-flowers.com but I could go to almost any school or university on the planet. (This situation poses an interesting question: Why would the hospital block a legitimate user from the .org domain? Wouldn't they want staff to access medical organizations like the American Medical Association and hospital accreditation agencies?)