Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Dealing With Unwanted But Official Security Probes?

Posted by timothy on from the surely-you-have-nothing-to-hide dept.

An anonymous reader writes "I manage a few computers for an independent private medical practice connected to a hospital network. Recently I discovered repeated attempts to access these computers. After adjusting the firewall to drop connections from the attacking computers, I reported the presumed hacker IP to hospital IT. I was told that the activity was conducted by the hospital corporation for security purposes. The activity continues. It has included attempted fuzzing of a web server, buffer overrun attacks, attempts to access a protected database, attempts to get the password file, etc. The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"

5 of 238 comments (clear)

  1. Establish authorization first by Anonymous Coward · · Score: 5, Informative

    Speak with someone at the managerial level and go find the agreement/piece of paper that states said hospital corporation has the right to perform security audits against your customers network. Until that does or does not materialize, take no action past what you're already doing in the name of good security

  2. Have you tried all these? by Anonymous Coward · · Score: 5, Informative

    You've told them that they don't have authorization to access your computers, and are (or would be) in violation of the law if they succeed?
    You've asked for a meeting with their security people so that you can jointly plan to do whatever is needed?
    You're reasonably comfortable that you indeed run a tight ship?
    You've configured your firewall to drop their packets?

  3. Get it in writing by Antique+Geekmeister · · Score: 4, Informative

    I've been on both sides of such security probes, professionally. A legitimate organization will be willing to identify itself and name the most obvious penetration test vectors, because they will show up in the logs of someone competent. It's also especially interesting to conduct a penetration a month _before_ any announced test, and a month or two _after_, to see what has actually been changed.

    But as the target of a penetration test, you should be be _encouraged_ to report the attempts to the upstream provider or administration, and you should be notified of the test results. You don't indicate if you've spoken to anyone in hospital IT who has any actual authority or responsibility: a simple letter, _preferably on real paper with a real name of someone who can verify the letter_, identifying that such tests occur and where you can report them, can help protect you, and the hospital, from liability for other attacks that go unnoticed while the penetration test occurs.

    I also urge you to review the regulations or laws on confidentiality of patient data. Penetration against secure data where the recovered data is not handled safely can be illegal, and a careful talk with the hospital's legal counsel can help set some guidelines. And this is just the situation where a paper trail, _on paper and kept offsite_, can protect you and your group from lawsuit or from a manager who tries to shift blame. This is especially true when the penetration succeeds, and a mid level manager uses it as ammunition to replace IT staff with a different "big vision" of how security works, even when the IT staff were prohibited from that manager from taking effective steps against the very vulnerabilities used by the penetration test. (I've seen this several times.)

  4. Re:Is this not your local net police? by PolygamousRanchKid+ · · Score: 5, Informative

    My company's "good guys" run security tests once a week. They send me a report afterwards, listing any "findings". And, most importantly, I was informed by them beforehand, that they would be doing these tests.

    If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  5. The only answer. by ebrandsberg · · Score: 4, Informative

    Is the hospital allowed to access records without a release based on HIPPA regulations since it is an independent practice? If not, then report them to the police. Apologize to the hospital, but explain, you have NO CHOICE. HIPPA is not something to mess with, and it doesn't matter who is trying to access the records, it IS a crime if accessing this data is not permitted. Remember the guys that got sent away for accessing the public data for AT&T? Yea... That but worse. Based on the fact that they were sentenced, even if they gained no data, the attempt itself was the crime. Failure to report a crime is a crime itself: http://www.law.cornell.edu/uscode/search/display.html?terms=misprision&url=/uscode/html/uscode18/usc_sec_18_00000004----000-.html. Report it. If they gain access to records, and then data from it leaks out, say because someone notable was a patient, then it will be on YOU. If the local police decide not to follow up, it is NOT on you.