Network World - From the No Good Deed Goes Unpunished Department: Security researchers who tried to tell a Pennsylvania hospital that a pile of sensitive data belonging to its staff -- and possibly its patients -- was sitting exposed on the Internet were stymied for five days recently because no one at the hospital would respond to their repeated warnings.
Moreover, says one of the experts, this kind of situation happens with alarming regularity.
"This is more commonplace than you might suspect," says a healthcare professional who volunteers for the Open Security Foundation and blogs about privacy issues under the pseudonym Dissent Doe. "I've gone through hoops trying to notify various city agencies at times, and have gotten no responses to attempts to alert a major Canadian newspaper, a major U.S. health insurer where patient info was available on the web if you knew where to look, and a number of small businesses. And those are just the ones I can recall offhand."
In the case of the hospital, Dissent Doe and another OSF member made multiple phone calls, filled out a formal (outsourced) service desk ticket addressed to the hospital's systems administrator and technical analyst, and even sent an email to the hospital's CEO.
They got no response. (Dissent Doe was keeping the hospital's name confidential out of concern that the vulnerability behind the exposure remained unaddressed.)
"The data were dumped on one of the ever-popular paste sites for hackers. Some of the data appear to be from their physician directory, which is no big deal. But there are other databases dumped that contain personally identifiable info such as contact details. One of the databases might be of newsletter subscribers. The other one... well, I have no clue. There are also a few names with email addresses, usernames, and encrypted passwords. I don't know whether those are admin passwords to the server."
Finally she tried a back-channel approach to get the hospital's attention.
"I did speak with a reporter local to them," she says. "My hope is that they'd take a phone call from a reporter if they won't respond to us. At least that way they'll find out they have a problem."
When an organization ignores direct contact, going to the local press is a sensible escalation: a call from a reporter tends to get a response that a researcher's voicemail does not.
Dissent Doe also wrote about the episode on her blog:
"Every hospital tells patients that they take the privacy and security of their information seriously," she wrote. "I wouldn't believe them if they don't respond to security alerts and make people jump through hoops just to try to inform them that they may have had a breach involving personal information. And I certainly wouldn't believe any hospital that doesn't even return a phone call when you have left them a message that they may have a security problem with their public-facing server."
Eventually, the local reporter managed to reach a hospital administrator, who told him that the hospital was already aware of the exposure and had fixed it earlier.
Even if that's true, Dissent Doe notes: "That doesn't explain why they didn't have the courtesy to respond when they could see that we were trying to alert them."
General incompetence probably explains that part.