Network World - From the No Good Deed Goes Unpunished Department: Security experts trying to tell a Pennsylvania hospital that a pile of its sensitive data belonging to staff -- and possibly patients -- was sitting exposed on the Internet were stymied for five days recently by the fact that no one at the medical facility would respond to their repeated warnings.
Moreover, says one of the experts, this kind of situation happens with alarming regularity.
"This is more commonplace than you might suspect," says a healthcare professional who volunteers for the Open Security Foundation and blogs about privacy issues under the pseudonym Dissent Doe. "I've gone through hoops trying to notify various city agencies at times, and have gotten no responses to attempts to alert a major Canadian newspaper, a major U.S. health insurer where patient info was available on the web if you knew where to look, and a number of small businesses. And those are just the ones I can recall offhand."
In the case of the hospital, Dissent Doe and another OSF member made multiple phone calls, filled out a formal (outsourced) service desk ticket addressed to the hospital's systems administrator and technical analyst, and even sent an email to the hospital's CEO.
They got no response. (She was keeping the name of the hospital confidential out of concern that the vulnerability responsible for the data breach remained unaddressed.)
"The data were dumped on one of the ever-popular paste sites for hackers. Some of the data appear to be from their physician directory, which is no big deal. But there are other databases dumped that contain personally identifiable info such as contact details. One of the databases might be of newsletter subscribers. The other one... well, I have no clue. There are also a few names with email addresses, usernames, and encrypted passwords. I don't know whether those are admin passwords to the server."
Finally she tried a back-channel approach to get the hospital's attention.
"I did speak with a reporter local to them," she says. "My hope is that they'd take a phone call from a reporter if they won't respond to us. At least that way they'll find out they have a problem."
Contacting the local press is always an excellent idea, no matter the issue involved.
Dissent Doe also wrote about the episode on her blog:
"Every hospital tells patients that they take the privacy and security of their information seriously," she wrote. "I wouldn't believe them if they don't respond to security alerts and make people jump through hoops just to try to inform them that they may have had a breach involving personal information. And I certainly wouldn't believe any hospital that doesn't even return a phone call when you have left them a message that they may have a security problem with their public-facing server."
Eventually, the local reporter managed to make contact with a hospital administrator who told him that they were already aware of the breach and had rectified it earlier.
Even if that's true, Dissent Doe notes: "That doesn't explain why they didn't have the courtesy to respond when they could see that we were trying to alert them."
General incompetence probably explains that part.
Have a different take? The address is firstname.lastname@example.org.