Network World - From the No Good Deed Goes Unpunished Department: Security experts trying to tell a Pennsylvania hospital that a pile of its sensitive data belonging to staff -- and possibly patients -- was sitting exposed on the Internet were stymied for five days recently by the fact that no one at the medical facility would respond to their repeated warnings.
Moreover, says one of the experts, this kind of situation happens with alarming regularity.
"This is more commonplace than you might suspect," says a healthcare professional who volunteers for the Open Security Foundation and blogs about privacy issues under the pseudonym Dissent Doe. "I've gone through hoops trying to notify various city agencies at times, and have gotten no responses to attempts to alert a major Canadian newspaper, a major U.S. health insurer where patient info was available on the web if you knew where to look, and a number of small businesses. And those are just the ones I can recall offhand."
In the case of the hospital, Dissent Doe and another OSF member made multiple phone calls, filled out a formal (outsourced) service desk ticket addressed to the hospital's systems administrator and technical analyst, and even sent an email to the hospital's CEO.
They got no response. (She was keeping the name of the hospital confidential out of concern that the vulnerability responsible for the data breach remained unaddressed.)
"The data were dumped on one of the ever-popular paste sites for hackers. Some of the data appear to be from their physician directory, which is no big deal. But there are other databases dumped that contain personally identifiable info such as contact details. One of the databases might be of newsletter subscribers. The other one... well, I have no clue. There are also a few names with email addresses, usernames, and encrypted passwords. I don't know whether those are admin passwords to the server."
Finally she tried a back-channel approach to get the hospital's attention.
"I did speak with a reporter local to them," she says. "My hope is that they'd take a phone call from a reporter if they won't respond to us. At least that way they'll find out they have a problem."
Contacting the local press is always an excellent idea, no matter the issue involved.
Dissent Doe also wrote about the episode on her blog:
"Every hospital tells patients that they take the privacy and security of their information seriously," she wrote. "I wouldn't believe them if they don't respond to security alerts and make people jump through hoops just to try to inform them that they may have had a breach involving personal information. And I certainly wouldn't believe any hospital that doesn't even return a phone call when you have left them a message that they may have a security problem with their public-facing server."
Eventually, the local reporter managed to make contact with a hospital administrator who told him that they were already aware of the breach and had rectified it earlier.
Even if that's true, Dissent Doe notes: "That doesn't explain why they didn't have the courtesy to respond when they could see that we were trying to alert them."
General incompetence probably explains that part.
Have a different take? The address is email@example.com.
Read more about wide area network in Network World's Wide Area Network section.
- The 20 Best iPhone/iPad Games of 2013 So Far
- 9 Steps to Build Your Personal Brand (and Your Career)
- 7 Consumer Technologies Coming to an Enterprise Near You
- 11 Signs Your IT Project is Doomed
- A walking tour: 33 questions to ask about your company's security
- 15 social media scams
- The 7 elements of a successful security awareness program
With the promise of big data (solving the unsolvable problems, informing better decision making, creating new products and services, discovering patterns and acting on them, etc.) on the horizon, what has really changed? Does this mean that everything we know and do with not-so-big data should be tossed?
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Case Study: Hospital Turns to Email Archiving Solution to Ensure Regulatory Compliances
- Read this case study to learn how a cloud-based email archiving solution enabled the hospital to meet government mandates and helps avoid thousands...
- Case Study: In-the-Cloud Email Service Replaces Three Point Products
- Read this case study for more information on a comprehensive in-the-cloud email service to help replace three point products.
- Case Study: Simplifying the Transition to Exchange 2010 with Email Management Solutions
- Read this case study to learn how a cloud-based email management solution greatly simplified the company's transition to Exchange 2010.
- Intelligent Systems: A Prescription for Health Care Transformation
- Facing an onslaught of regulatory changes and market pressures, health care providers are grappling with how to transform existing services as part of...
- The Importance of Network Time Synchronization
- Your network is time stamping files, email, transactions, etc., while your server logs are recording the transactions in case you need that information.... All Healthcare IT White Papers
- Becoming An Analytics Driven Organization
- Join us on Tuesday, June 18, 2013, 11:00 AM EDT and learn how your agency can create an analytics culture that will enable...
- 3 Reasons Why Sepaton is the World's Fastest Backup Solution
- Leading analyst, Storage Switzerland learns how Sepaton backs up and deduplicates massive data volumes while maintaining the industry's fastest performance - all in...
- Enterprise File Sharing: All You Need to Know
- Security. Scalability. Control. These are just some of the many benefits of enterprise cloud file-sharing that you'll discover in this KnowledgeVault, packed with...
- Bridging HTTP and FTP with FileXpress Internet Server
- What if you could take an FTP server on your internal network, and allow external users (partners or customers) to securely access it...
- MFT and FileXpress - An Overview
- Business users and applications exchange files on a regular basis. File transfer is a core part of the flow of business activity. All Healthcare IT Webcasts