Knock, knock. Who's there? No one.

2013-02-22 by Dissent Yhteys

As we mentioned in our last post, trying to contact and confirm organizations that have reportedly been breached can be time-consuming and frustrating. When that organization is a hospital and we cannot reach anyone or get a response, it's especially concerning.

Yesterday, I tried to contact [Redacted] Hospital. I went to their site for contact info, but they had no phone directory or email directory by department or office. So I called their main number and asked for IT. I was sent to voicemail. I hung up, called back, and asked the operator to stay on the line until I got through to a person in IT or the Privacy Compliance Officer. Eventually, I heard a male voice, who told me that he was the "service desk." The "service desk" was not IT. I subsequently learned that they are an outsourced IT partner.

I explained that the hospital had apparently suffered a hack via SQL injection and I could email him a link to the data so that IT could investigate and take action to secure the server better. I gave him my name, email address, and phone number, and told him that I was with the Open Security Foundation.

He told me he didn't have an email address for me to email him the link, but that he would open a ticket. He had no email address to give me? Seriously? On the one hand, not accepting an emailed link from a stranger makes good security sense, but on the other hand, how could I send them data and details without an email address? I usually paste some dumped data into the body of the email with the link to the full paste. So now, not only could I not directly reach the responsible parties, I could not even send them any data to pursue.

The service desk employee opened a ticket and sent me a copy of it. That was almost 24 hours ago. The two individuals he directed the ticket to were the hospital's System Administrator and Technical Analyst, neither of whom has contacted me by email or phone, even though my contact details were in the support ticket.

In this case, the data were dumped on the Internet at the beginning of December 2012, so maybe they know already; but since the data are still live and, in any event, they have no idea what data I called about, maybe they don't know. The data do not appear to be patient data, but they are personally identifiable information. And if those data were vulnerable, what other data might still be vulnerable?

Another staff member from OSF also tried to reach them last night - through the hospital's on-site contact form. That form doesn't have a pull-down menu to direct the message to particular subjects or departments.

It shouldn't be so difficult to contact the responsible party when there's been a breach. So here are some "best practices" recommendations for HIPAA-covered entities to add to their checklists:

1. Provide a dedicated phone number and email address to report privacy or security breaches and prominently post those contact details on the home page of your web site.
2. Ensure that the phone number and email address are monitored 24/7/365.
3. Establish a written policy that all such contacts or messages are to be acknowledged within 1 hour.
4. Follow up and let the individual who reported the problem know what steps you have taken.
5. If you use a contact form on your web site, have a pull-down menu for subjects, and have one of them be "Privacy or Security Concern."

Every hospital tells patients that they take the privacy and security of their information seriously. I wouldn't believe them if they don't respond to security alerts and make people jump through hoops just to try to inform them that they may have had a breach involving personal information. And I certainly wouldn't believe any hospital that doesn't even return a phone call when you have left them a message that they may have a security problem with their public-facing server.

Responsible hospitals should facilitate reporting privacy or data security concerns. So what has your organization done to facilitate reporting of breaches?

/Dissent

COMMENTS

by Anonymous on 2013-02-26

Sorry to hear about your breach and the frustration in reaching someone.

US Health and Human Services has advice for consumers on filing a complaint against a Covered Entity:
http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html

by Anonymous on 2013-02-28

Most hospitals feel if they do not report, then it simply is not an issue.

I say this from experience, from my years of providing counsel to hospitals, attempting to correct this mistake among others.

by Anonymous on 2013-03-14

I think these are a good start, and it's worth discussing what organizations ought to do.

I don't think requiring a phone number is appropriate. It can be difficult to get a good security report over the phone. (Trust me, I've tried.) Second, while from a security researcher perspective, I'm all in favor of 24x365 monitoring, I know the folks who give up their holidays each year to do so for my employer. Most organizations don't receive enough reports to justify that.

One thing that's missing is a safe harbor. I've spent lots of money on legal advice before reporting vulns. Orgs should have a statement that innocent discovery will not be referred to the police or litigated. (Like https://www.facebook.com/whitehat/)

Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements. For more information, please e-mail [email protected] with a brief summary of how you would like to use this information; product, service, research, etc.
© 2005 - 2013, Open Security Foundation, All Rights Reserved.