Network World - From the No Good Deed Goes Unpunished Department: Security experts trying to tell a Pennsylvania hospital that a pile of its sensitive data belonging to staff -- and possibly patients -- was sitting exposed on the Internet were stymied for five days recently by the fact that no one at the medical facility would respond to their repeated warnings.
Moreover, says one of the experts, this kind of situation happens with alarming regularity.
"This is more commonplace than you might suspect," says a healthcare professional who volunteers for the Open Security Foundation and blogs about privacy issues under the pseudonym Dissent Doe. "I've gone through hoops trying to notify various city agencies at times, and have gotten no responses to attempts to alert a major Canadian newspaper, a major U.S. health insurer where patient info was available on the web if you knew where to look, and a number of small businesses. And those are just the ones I can recall offhand."
In the case of the hospital, Dissent Doe and another OSF member made multiple phone calls, filled out a formal (outsourced) service desk ticket addressed to the hospital's systems administrator and technical analyst, and even sent an email to the hospital's CEO.
They got no response. (She was keeping the name of the hospital confidential out of concern that the vulnerability responsible for the data breach remained unaddressed.)
"The data were dumped on one of the ever-popular paste sites for hackers. Some of the data appear to be from their physician directory, which is no big deal. But there are other databases dumped that contain personally identifiable info such as contact details. One of the databases might be of newsletter subscribers. The other one... well, I have no clue. There are also a few names with email addresses, usernames, and encrypted passwords. I don't know whether those are admin passwords to the server."
Finally she tried a back-channel approach to get the hospital's attention.
"I did speak with a reporter local to them," she says. "My hope is that they'd take a phone call from a reporter if they won't respond to us. At least that way they'll find out they have a problem."
When direct notification goes unanswered, a local reporter is often a reasonable last resort: a press inquiry tends to reach someone with authority faster than a help desk ticket does.
Dissent Doe also wrote about the episode on her blog:
"Every hospital tells patients that they take the privacy and security of their information seriously," she wrote. "I wouldn't believe them if they don't respond to security alerts and make people jump through hoops just to try to inform them that they may have had a breach involving personal information. And I certainly wouldn't believe any hospital that doesn't even return a phone call when you have left them a message that they may have a security problem with their public-facing server."
Eventually, the local reporter managed to make contact with a hospital administrator who told him that they were already aware of the breach and had rectified it earlier.
Even if that's true, Dissent Doe notes: "That doesn't explain why they didn't have the courtesy to respond when they could see that we were trying to alert them."
General incompetence probably explains that part.