Posted on April 16, 2013 12:45 pm

Dealing With Unwanted But Official Security Probes?

from the surely-you-have-nothing-to-hide dept.

I manage a few computers for an independent private medical practice connected to a hospital network. Recently I discovered repeated attempts to access these computers. After adjusting the firewall to drop connections from the attacking computers, I reported the presumed hacker IP to hospital IT. I was told that the activity was conducted by the hospital corporation for security purposes. The activity continues. It has included attempted fuzzing of a web server, buffer overrun attacks, attempts to access a protected database, attempts to get the password file, etc. The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?
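
The poster describes fuzzing, buffer-overrun probes, attempts to reach a protected database and attempts to fetch the password file, and says the scanning hosts were blocked at the firewall. As an added example (not the poster's or any commenter's code), here is a small Python triage script that runs over constructed web-server log lines in combined format, tags the request patterns the poster lists, summarises them per source IP, and emits the firewall rules a practitioner would actually want: a LOG rule ahead of the DROP so the evidence keeps accumulating. The log lines, IP addresses, the 512-byte parameter threshold and the choice of `iptables` are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit, parse_qsl

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Crude SQL-injection signatures: quote/OR/quote, UNION SELECT, quote=quote, trailing comment.
SQLI_RE = re.compile(r"'\s*or\s*'|union\s+select|'\s*=\s*'|--\s*$")
MAX_PARAM_LEN = 512  # assumed threshold: a single parameter this long is a buffer-overrun style probe

# Constructed sample log (not from the post). 172.16.5.9 plays the scanning host.
LONG = "A" * 600
SAMPLE_LINES = [
    '10.20.30.40 - - [16/Apr/2013:12:01:02 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '172.16.5.9 - - [16/Apr/2013:12:01:05 -0400] "GET /cgi-bin/view?file=../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '172.16.5.9 - - [16/Apr/2013:12:01:06 -0400] "GET /patients?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 90 "-" "Mozilla/5.0"',
    f'172.16.5.9 - - [16/Apr/2013:12:01:07 -0400] "GET /search?q={LONG} HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
    '172.16.5.9 - - [16/Apr/2013:12:01:08 -0400] "GET /db/admin.php HTTP/1.1" 403 150 "-" "Mozilla/5.0"',
    '10.20.30.40 - - [16/Apr/2013:12:02:00 -0400] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def classify(path, status):
    """Return the list of probe categories a single request matches (empty for benign traffic)."""
    tags = []
    decoded = unquote(path)          # decode %2e%2e and friends before matching
    lower = decoded.lower()
    if ".." in decoded or "/etc/passwd" in lower or "/etc/shadow" in lower:
        tags.append("traversal_or_password_file")
    if SQLI_RE.search(lower):
        tags.append("sql_injection")
    # Parse the raw query so parse_qsl does the one and only decoding step.
    query = urlsplit(path).query
    if any(len(v) > MAX_PARAM_LEN for _, v in parse_qsl(query, keep_blank_values=True)):
        tags.append("oversized_parameter")
    if status == 403:
        tags.append("forbidden_resource")  # hitting access-controlled resources (the "protected database")
    return tags


def scan_log(lines):
    """Per-IP counts of probe categories; only IPs that matched at least one category appear."""
    report = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real deployment should count and inspect these too
        for tag in classify(m["path"], int(m["status"])):
            report[m["ip"]][tag] += 1
    return {ip: dict(counts) for ip, counts in report.items()}


def block_candidates(report, threshold=3):
    """IPs whose flagged requests reach the threshold, sorted for stable output."""
    return sorted(ip for ip, counts in report.items() if sum(counts.values()) >= threshold)


def iptables_rules(ips):
    """Firewall rules for the candidates. Each rule is inserted at position 1, so emitting
    DROP first and LOG second leaves LOG above DROP: packets are logged, then dropped."""
    rules = []
    for ip in ips:
        rules.append(f"iptables -I INPUT 1 -s {ip} -j DROP")
        rules.append(f"iptables -I INPUT 1 -s {ip} -j LOG --log-prefix 'probe-drop: '")
    return rules


if __name__ == "__main__":
    report = scan_log(SAMPLE_LINES)
    for ip, counts in report.items():
        print(ip, counts)
    for rule in iptables_rules(block_candidates(report)):
        print(rule)
```

Keep the raw log files and the generated rule list together with the dates; whichever of the explanations below turns out to be true, the doctors' side of the story is the evidence, not the memory of having blocked an address.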


There are three or four likely possibilities for what’s going on here:

* The hospital’s lawyers and administration know what the IT guy is doing, and are ok with it. Therefore they’ll be ok with you and your doctors’ group lawyers talking to them about it, though you’re going to have to have a long conversation about why this is not a good idea.
* The hospital’s lawyers and administration don’t know what the IT department is doing, but the IT department thinks they’re doing something officially useful, and need to get told it’s inappropriate.
* The hospital’s IT department is doing this stuff on its own, for evil reasons, and needs to be caught and stopped.
* Some outsider is masquerading as the hospital’s IT department, and the email you contacted to tell them to stop doing stuff is really redirected to the bad guys. In that case, the hospital’s in a real mess and needs to know about it.

Either way, you’ve got a responsibility to your doctors and your patients, and you need to go to the top since going to the working-level people didn’t get you taken seriously.

Not really, if it’s a halfway well-designed honeypot. All you need to do is keep records that you deliberately left fake records there.

Much harder than “explaining it later” is making it look real in the first place. Of course, you can always play “April Fool” and make the records obviously fake, with names like Lesions R. Us and maladies like “covered in enormous pustules at extremely high pressure”. But the categorizing of illnesses by number these days might preclude doing the latter.

Just make it look official and let everybody know you’re using all the most modern coding tools. For example, your mythical patient could suffer from a burn due to water skis being on fire (ICD 10 code V91.07XA). Or he could have been attacked by a turtle (W59.21XA).

Real codes, but it would be rather unlikely to find such traumatic incidents in actual medical practice.
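
The honeypot comment above hinges on one thing: being able to prove afterwards that the decoy records were planted deliberately, and the ICD-10 comments supply codes unlikely enough to make the decoys recognisable. As an added example (not any commenter's code), here is a Python sketch of that bookkeeping: the decoy records are hashed into a manifest that is timestamped and HMAC-signed, so a later "you leaked real patient data" claim can be answered with the manifest, and any access to a decoy ID in the server logs can be flagged as an alert. The patient details, record IDs, the HMAC key and the sample access events are constructed for the example; only the two ICD-10-CM codes come from the thread.

```python
import hashlib
import hmac
import json

# Decoy records. "Lesions R. Us" is the name suggested in the thread; everything else is constructed.
DECOY_PATIENTS = [
    {"id": "PT-900001", "name": "Lesions R. Us", "dx": "V91.07XA",
     "dx_text": "Burn due to water-skis on fire, initial encounter"},
    {"id": "PT-900002", "name": "Shelly Snapper", "dx": "W59.21XA",
     "dx_text": "Bitten by turtle, initial encounter"},
]

# Assumed key for the example only. A real deployment keeps it out of the web tier entirely.
MANIFEST_KEY = b"example-only-manifest-key"

# Constructed access events (source IP, record ID), e.g. parsed out of application logs.
SAMPLE_ACCESS = [
    ("172.16.5.9", "PT-900001"),
    ("10.20.30.40", "PT-100234"),
    ("172.16.5.9", "PT-900002"),
]


def canonical(obj):
    """Stable JSON encoding so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record):
    return hashlib.sha256(canonical(record)).hexdigest()


def build_manifest(records, planted_at, key):
    """Hash each decoy, note when they were planted, and sign the whole body with HMAC-SHA256."""
    body = {
        "planted_at": planted_at,  # ISO-8601 timestamp, assumed to be recorded when the decoys go in
        "records": [{"id": r["id"], "sha256": record_digest(r)} for r in records],
    }
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": mac}


def verify_manifest(manifest, key):
    """True only if the body is untouched and the signature was made with this key."""
    expected = hmac.new(key, canonical(manifest["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac_sha256"])


def decoy_ids(manifest):
    return {entry["id"] for entry in manifest["body"]["records"]}


def flag_decoy_access(manifest, access_events):
    """Return the (ip, record_id) events that touched a decoy: nobody legitimate should ever read one."""
    ids = decoy_ids(manifest)
    return [(ip, rid) for ip, rid in access_events if rid in ids]


if __name__ == "__main__":
    manifest = build_manifest(DECOY_PATIENTS, "2013-04-16T12:45:00Z", MANIFEST_KEY)
    print(json.dumps(manifest, indent=2))
    print("verified:", verify_manifest(manifest, MANIFEST_KEY))
    for ip, rid in flag_decoy_access(manifest, SAMPLE_ACCESS):
        print(f"ALERT decoy record {rid} read from {ip}")
```

Because the signing key is the practice's own, the manifest only proves the records were decoys to someone who trusts the practice; to make it hold up against a hostile reading, hand a copy of the signed manifest (or just its hash) to the practice's lawyer or another third party at the time the decoys are planted, so the date cannot be disputed later.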

The vulnerability testers are probably using something like HP WebInspect (which I represent in my day job) or IBM AppScan.

In the vulnerability testing business, it is considered pretty poor form to scan someone’s live app without permission first.

If the hospital doesn’t own the doctors’ website, what they are doing might be technically illegal in the US – it hasn’t been tested in law to my knowledge.

In any case, a brief chat with these professionals should illuminate the situation.

All of these scanners have settings choices to NOT screw up sites. And in the worst “assault” mode, they will ruin almost anything.

TL;DR you are a jerk. And OP needs to make a phone call.