Knock, knock. Who's there? No one.
Yesterday, I tried to contact [Redacted] Hospital. I went to their
site for contact info, but they had no phone directory or email
directory by department or office. So I called their main number and
asked for IT. I was sent to voicemail. I hung up, called back, and
asked the operator to stay on the line until I got through to a person
in IT or the Privacy Compliance Officer. Eventually, I heard a male
voice, who told me that he was the "service desk." The "service desk"
was not IT. I subsequently learned that they are an outsourced IT
I explained that the hospital had apparently suffered a hack via SQL
injection and I could email him a link to the data so that IT could
investigate and take action to secure the server better. I gave him
my name, email address, and phone number, and told him that I was with
the Open Security Foundation.
He told me he didn't have an email address for me to email him the link,
but that he would open a ticket. He had no email address to give me?
Seriously? On the one hand, not accepting an emailed link from a
stranger makes good security sense, but on the other hand, how could I
send them data and details without an email address? I usually paste
some dumped data into the body of the email with the link to the full
paste. So now, not only could I not directly reach the responsible
parties, I could not even send them any data to pursue.
The service desk employee opened a ticket and sent me a copy of it.
That was almost 24 hours ago. The two individuals he directed the
ticket to were the hospital's System Administrator and Technical
Analyst, neither of whom has contacted me by email or phone, even
though my contact details were in the support ticket.
In this case, the data were dumped on the Internet at the beginning of
December 2012, so maybe they already know; but since the data are
still live, and since in any event they have no idea what data I called
about, maybe they don't. The data do not appear to be patient
data, but they are personally identifiable information. And if those
data were vulnerable, what other data might still be vulnerable?
Another staff member from OSF also tried to reach them last night -
through the hospital's on-site contact form. That form doesn't have a
pull-down menu to direct the message to particular subjects or
It shouldn't be so difficult to contact the responsible party when
there's been a breach. So here are some "best practices"
recommendations for HIPAA-covered entities to add to their checklists:
1. Provide a dedicated phone number and email address to report
privacy or security breaches and prominently post those contact
details on the home page of your web site.
2. Ensure that the phone number and email address are monitored
3. Establish a written policy that all such contacts or messages are
to be acknowledged within 1 hour.
4. Follow up and let the individual who reported the problem know what
steps you have taken.
5. If you use a contact form on your web site, have a pull-down menu
for subjects, and have one of them be "Privacy or Security Concern."
Every hospital tells patients that they take the privacy and security
of their information seriously. I wouldn't believe them if they don't
respond to security alerts and make people jump through hoops just to
try to inform them that they may have had a breach involving personal
information. And I certainly wouldn't believe any hospital that
doesn't even return a phone call when you have left them a message
that they may have a security problem with their public-facing server.
Responsible hospitals should facilitate reporting privacy or data
security concerns. So what has your organization done to facilitate
reporting of breaches?
As we mentioned in our last post, trying to contact and confirm
organizations that have reportedly been breached can be time-consuming
and frustrating. When that organization is a hospital and we cannot
reach anyone or get a response, it's especially concerning.
by Anonymous on 2013-02-26 (3 months ago)
by Anonymous on 2013-02-28 (3 months ago)
Most hospitals feel if they do not report, then it simply is not an issue.
I say this from experience, from my years of providing counsel to hospitals, attempting to correct this mistake among others.
by Anonymous on 2013-03-14 (2 months ago)
I think these are a good start, and it's worth discussing what organizations ought to do.
I don't think requiring a phone number is appropriate. It can be difficult to get a good security report over the phone. (Trust me, I've tried.) Second, while from a security researcher perspective, I'm all in favor of 24x365 monitoring, I know the folks who give up their holidays each year to do so for my employer. Most organizations don't receive enough reports to justify that.
One thing that's missing is a safe harbor. I've spent lots of money on legal advice before reporting vulns. Orgs should have a statement that innocent discovery will not be referred to the police or litigated. (Like https://www.facebook.com/whitehat/)