Ask Slashdot: Dealing With Unwanted But Official Security Probes?
An anonymous reader writes "I manage a few computers for an independent private medical practice connected to a hospital network. Recently I discovered repeated attempts to access these computers. After adjusting the firewall to drop connections from the attacking computers, I reported the presumed hacker IP to hospital IT. I was told that the activity was conducted by the hospital corporation for security purposes. The activity continues. It has included attempted fuzzing of a web server, buffer overrun attacks, attempts to access a protected database, attempts to get the password file, etc. The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"
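Before deciding whether the hospital's scans are a problem, it helps to have evidence rather than a feeling: which sources are probing, what classes of probe they send, and whether those sources match the scanner addresses the hospital is willing to declare. The following Python script is an added example for the situation described above; it is not code from the submitter or from Slashdot. The log lines, the 10.20.0.0/16 "hospital LAN", the 10.20.9.0/24 "declared scanner" range and 203.0.113.9 are all constructed for illustration.

```python
"""Triage suspected scanner traffic in a web-server access log.

Added example, not from the original Slashdot post or its commenters.
The log lines, addresses and the 'declared scanner' range below are
constructed for illustration; none of them are real.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache/nginx "combined" format.  10.20.0.0/16 stands
# in for the hospital LAN, 10.20.9.44 plays the hospital scanner, and
# 203.0.113.9 is an outside host that also probes for the password file.
SAMPLE_LOG = "\n".join([
    '10.20.5.17 - - [10/Jun/2012:08:01:02 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.20.9.44 - - [10/Jun/2012:08:01:09 -0400] "GET /../../etc/passwd HTTP/1.1" 404 0 "-" "Nikto/2.1.5"',
    '10.20.9.44 - - [10/Jun/2012:08:01:10 -0400] "GET /login.php?user=admin%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "Nikto/2.1.5"',
    '10.20.9.44 - - [10/Jun/2012:08:01:11 -0400] "GET /cgi-bin/' + "A" * 600 + ' HTTP/1.1" 414 0 "-" "Nikto/2.1.5"',
    '10.20.5.17 - - [10/Jun/2012:08:02:30 -0400] "POST /patients/search HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2012:08:03:00 -0400] "GET /etc/passwd HTTP/1.0" 404 0 "-" "curl/7.2"',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures for the probe classes the post mentions: password-file grabs,
# database/SQL attacks, and over-long inputs typical of buffer-overrun fuzzing.
RULES = {
    "passwd_grab": re.compile(r"(?:^|/)etc/passwd\b|\.\./"),
    "sql_injection": re.compile(r"'\s*or\s+1\s*=\s*1|union\s+select|--\s*$", re.I),
}
LONG_PATH = 512  # request paths longer than this are treated as fuzzing input


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = unquote(entry["path"])  # decode %27 etc. so rules see the real payload
    return entry


def classify(entry):
    """Return the probe classes a parsed entry matches (empty list if benign)."""
    hits = [name for name, rx in RULES.items() if rx.search(entry["path"])]
    if len(entry["path"]) > LONG_PATH:
        hits.append("long_input")
    return hits


def triage(log_text, authorised_scanners=()):
    """Group probe hits by source IP and mark whether each source falls inside
    a range the hospital has declared (authorised_scanners: CIDR strings)."""
    nets = [ipaddress.ip_network(c) for c in authorised_scanners]
    report = defaultdict(lambda: {"hits": [], "authorised": False})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for kind in classify(entry):
            report[entry["ip"]]["hits"].append((entry["ts"], kind, entry["path"][:60]))
    for ip, info in report.items():
        addr = ipaddress.ip_address(ip)
        info["authorised"] = any(addr in n for n in nets)
    return dict(report)


def firewall_rules(report):
    """iptables DROP lines for sources that probed and are NOT declared scanners."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip, info in sorted(report.items()) if not info["authorised"]]


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG, authorised_scanners=["10.20.9.0/24"])
    for ip, info in rep.items():
        tag = "declared hospital scanner" if info["authorised"] else "UNDECLARED"
        print(f"{ip}: {len(info['hits'])} probe(s), {tag}")
        for ts, kind, path in info["hits"]:
            print(f"    {ts}  {kind:14s} {path}")
    print("\n".join(firewall_rules(rep)))
```

The point of the `authorised_scanners` argument is procedural as much as technical: it only works if the hospital has put its scanner source addresses in writing. With that list in hand the practice can keep dropping everything else, keep a timestamped record of what the declared scanners sent, and have a concrete basis for asking the hospital for a scope agreement rather than an open-ended argument about whether the scans are "wrong".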
It's possible that they are doing something 'wrong', for various definitions of wrong, but the fact that you asked the question here, the way you phrased the question, and the information (or lack of it) that you provided lets me know that you don't actually know whether what they are doing is even wrong.
I vote he configures the server to "fail" a check, then call the FBI and report a HIPAA violation from a malicious attack committed by the hospital against him. Likely the hospital would be convicted for a HIPAA violation, and that might cause them to change their practices.
He indicates he talked to someone, so he's likely a typical slashdotter who stated "you are running pen tests against my server," and they responded "yes, we are." He probably didn't officially ask them to stop, or check whether it's a condition of connecting to the hospital network. So his complaint is "I don't know how to deal with people; how should I deal with people in a professional situation?"
Learn to love Alaska
http://www.infosecurity-magazine.com/view/16186/hhs-levies-first-fines-under-hipaa-privacy-rule/
First "privacy violation" about 15 years after it was passed, and for not sharing when required, not for accidental exposure.