I’ve been in the IT industry for many years now and watched as company after company leaks confidential information. Sometimes it’s the result of an attacker, while other times it’s the result of a Google search, clicking on a link and finding your screen is full of what you know is confidential data. What to do? And importantly, what would you do?
I would like to share with you two stories from my career and ask you as IT professionals what you would do.
The first case involves a college professor at City College San Francisco. He’s a colleague of mine and someone I have known and trusted for more than a decade. He’s a CISSP and teaches Internet Security, Ethical Hacking, and Malware Analysis college-level classes. He has spoken at many ethical hacker type conferences such as DefCon on methodologies for keeping data secure and how hackers perform attacks.
As he was preparing a lesson for his students on Google searches, he clicked on a random link in the results, which happened to belong to a medical center at a well-known university. It turned out the page he displayed contained thousands of current patients’ confidential data. (If I wanted to rub it in I would say this prestigious university offers degrees in Cyber Security and the month before had hosted a lecture on keeping your information secure and how to not allow a single hacker to ruin an organization’s reputation. But that would be a cheap shot and I will not stoop that low.) I’ve worked at medical centers that have thousands of servers with well-meaning employees, and sometimes their good intentions result in security compromises. I can’t scold a doctor or a nurse for this, but I can educate them so hopefully it won’t happen again.
Let me interrupt the story here and make sure you understand my colleague was performing a Google search and just clicked on one of the links that came up as the result of his search. He did not attack the medical center's web site and he did not use any hacking tools or exploits. He found the data as the result of a regular Google search.
Before I tell you what my colleague did, I would like to ask what you would do in this situation. What if you discovered it was your medical information, Social Security number, medical diagnoses, etc.? This is your private information, and now it’s on the web for anyone who just happens to find it.
My colleague, being a CISSP, a well-respected professor, and an ethical human, did not show the information to anyone but rather sent emails to several addresses at the institution responsible for the server notifying them of his findings. In the email he explained that an FTP server had been compromised and files had been added, resulting in confidential patient data being made publicly available for well over a year. The confidential data had then been copied to other servers by FTP and by search engines.
As this was an interesting case study, he published what he had found on his web site so others could learn how this was being accomplished. Let me make it perfectly clear: all confidential data was removed, and neither the name of the university nor the name of the medical center was published.
The emails he sent to the medical center were not hostile or threatening in any way. What he sent was an email in which he clearly identified himself, his credentials, and a method whereby the recipient could verify the credentials and his identity, so they would know this was not some ploy or attack to obtain additional information. In the email he clearly identified the data, how he found the data, and the location of the data. This email did not contain any confidential data, and he was careful not to include specific information on how to access the confidential data in the email, just in case the email was intercepted by a “bad person.”
There was no reply. He continued to monitor the site and noticed that within a few hours the data had been removed. Thinking he had done a good deed, he didn’t think much of it, and our cyber-security hero moved on to other projects in his attempt to make the web a safer place for our data.
Unbeknownst to our cyber hero, the medical center and university launched a public relations attack against our professor. In their PR campaign they claimed he had attacked the university’s web site, stolen thousands of patients’ records, and published all of this information to the web site of the college where he teaches. (Let me personally say every one of these PR points is wrong; I know.) The medical center then demanded our college terminate his employment immediately.
Wait a minute. Isn’t the medical center at fault here? Didn’t they violate HIPAA compliance laws for over a year? Wasn’t their IT department derelict in its duties, leaking protected health information (PHI) and not performing scans on their servers to see if any PHI was being published? If they felt this professor’s actions were unlawful, why didn’t they contact law enforcement?
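The scan the question above says the IT department should have been running is not hard to build. The following is an added example, not code from the article or from any of the institutions it describes: it walks a directory that stands in for a public web or FTP document root and flags files whose contents match PHI-like patterns (SSN, MRN, date of birth). The directory layout, the sample files, and the pattern set are constructed for the demo; the regexes are heuristics meant to surface files for a human to review, not a substitute for a data-loss-prevention product.

```python
"""Added example: scan a public document root for PHI-like content.

Run it as a script to scan a constructed demo root, or call scan_tree()
on the real web/FTP root of a server you are authorized to audit.
"""
import os
import re
import tempfile
from collections import Counter

# Heuristic patterns. Each hit is a signal for review, not proof of PHI.
PATTERNS = {
    # US SSN: area != 000/666/9xx, group != 00, serial != 0000.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Medical record number as commonly exported: "MRN 00123456" / "MRN#123456".
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    # Date of birth in US format following a DOB label.
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}


def scan_text(text):
    """Return a Counter mapping pattern name -> number of matches in text."""
    counts = Counter()
    for name, rx in PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            counts[name] = n
    return counts


def scan_tree(root, max_bytes=2_000_000):
    """Walk root; return {relative_path: Counter} for every file with hits.

    Only the first max_bytes of each file are read, so a huge export
    cannot stall the scan; unreadable files are skipped.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            counts = scan_text(data.decode("utf-8", errors="replace"))
            if counts:
                findings[os.path.relpath(path, root)] = counts
    return findings


def build_demo_root():
    """Create a constructed web root: one clean page, one leaked export."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Welcome to the medical center.</body></html>\n")
    # Constructed sample data; these are not real identifiers.
    with open(os.path.join(root, "uploads", "export.csv"), "w") as fh:
        fh.write("MRN 00123456, DOB: 04/12/1961, SSN 123-45-6789, dx pending\n")
        fh.write("MRN 00123457, DOB: 11/02/1975, SSN 234-56-7890, dx pending\n")
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    for rel, counts in sorted(scan_tree(demo).items()):
        print(f"{rel}: {dict(counts)}")
```

Schedule it against the served directory (and against the FTP upload area, which is where the files in the story were planted) and alert on any new hit; the fact that a file never should have been there is the finding, regardless of how many patterns it matches.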
What would you do in this situation?
My second story is a short one, but it’s related. A fellow IT professional came to me a year ago asking for advice on what he should do about a security assessment he had recently completed for a hospital. He had been hired by a security company that was performing a security audit and remediation survey for the hospital. One of his tasks was to test the WiFi security. His test was simple: park in the parking lot and, using a laptop, see if he could connect to the hospital’s network, and if he could, what information he could see. To his surprise, the hospital’s WiFi was wide open. No password or credentials of any kind were required. Once on the network (and yes, he had permission to do the following), he used programs such as Message Analyzer, NetMon, and Wireshark to see if the traffic was encrypted. As you might suspect, it wasn’t. He was able to view the traffic of doctors viewing patient records, the pharmacy filling prescriptions, etc., and connect to the Internet.
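The check he did with Wireshark, whether the traffic on the network is encrypted or not, can also be done from a saved capture without a GUI. The following is an added example, not code from the article or from the assessment it describes: it parses a classic pcap file (Ethernet link type, IPv4, TCP) by hand and classifies each TCP payload as a TLS record (content type 0x14 to 0x17 followed by a 0x03 0x0x version) or as a cleartext HTTP request or response line. The capture it runs on is constructed in memory for the demo; the addresses, ports, and payloads in it are made up.

```python
"""Added example: classify TCP payloads in a pcap as TLS or cleartext HTTP.

Assumptions (not from the article): classic pcap format, link type 1
(Ethernet), IPv4 and TCP only. A monitor-mode 802.11 capture uses a
different link type and would need a radiotap/802.11 parser first.
"""
import struct
from collections import Counter

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}   # CCS, alert, handshake, app data
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def classify_payload(payload):
    """Label one TCP payload: 'tls', 'cleartext-http', 'other' or 'empty'."""
    if (len(payload) >= 3 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "cleartext-http"
    return "other" if payload else "empty"


def iter_pcap_frames(data):
    """Yield raw link-layer frames from a classic pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24                                    # skip global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:                              # protocol 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, sport, dport, tcp[data_off:]


def summarize(pcap_bytes):
    """Return (Counter of labels, list of cleartext request/status lines)."""
    counts, cleartext = Counter(), []
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        kind = classify_payload(payload)
        counts[kind] += 1
        if kind == "cleartext-http":
            first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            cleartext.append((src, dst, dport, first_line))
    return counts, cleartext


# --- constructed demo capture (not real traffic) -----------------------------
def build_frame(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.21", "10.0.0.5", 51000, 80,
                b"GET /ehr/patient/4471 HTTP/1.1\r\nHost: ehr.local\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.21", 80, 51000,
                b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>MRN 4471</p>"),
    build_frame("10.0.0.33", "10.0.0.9", 51002, 443,
                b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    build_frame("10.0.0.9", "10.0.0.33", 443, 51002, b"\x17\x03\x03\x00\x40" + b"\xaa" * 64),
])

if __name__ == "__main__":
    totals, lines = summarize(SAMPLE_PCAP)
    print(dict(totals))
    for src, dst, port, line in lines:
        print(f"cleartext {src} -> {dst}:{port}  {line}")
```

For a real file, call `summarize(open("capture.pcap", "rb").read())`; a non-empty cleartext list on a network carrying patient records is the finding. The classifier only looks at the first bytes of each segment, so a TLS record split across segments shows up as "other" rather than as cleartext, which is the safe direction for this check.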
He wrote his report and submitted it. He was told thank you very much, and he was given his next assignment. But then he thought about it for a minute: this was an audit and remediation project, so where was the remediation?
Months passed, and he would periodically check to see if they had ever implemented any form of WiFi security, whether credentials to join the WiFi or encryption to protect the traffic.
Let me interrupt for a moment and say this activity is or could be considered illegal. If you are in this situation, don’t do it. I can completely understand his curiosity. But remember, he completed his assignment for this project and had no authorization or permission to join this network or analyze the traffic to see if it was encrypted. He could potentially be prosecuted for his actions.
A year had passed, and he told me the hospital and the security company had done nothing to protect the data, and asked me what I thought he should do. What would you do in this situation?
My advice to him was simple. First, stop checking whether the hospital has implemented security. What you’re doing might be illegal, and you could wind up in jail.
The second thing I told him was that he had performed an audit and his job was done. In your audit, you clearly outlined the issues: they had an open WiFi network and traffic was not encrypted. Anyone in the parking lot could connect to the network and obtain PHI with minimal effort. You’re done. They know the issues, and you are not in any position to compel them to do something they have decided not to do.
He argued that innocent people’s lives could be affected if their PHI were made public, and that in an extreme case a patient’s medication could be altered and the patient could be killed. I agreed he was correct, but I told him he had completed his job and let them know they were not in compliance with HIPAA/PHI regulations. That’s the end of your responsibility, and that’s all you can do. To my knowledge, there is no agency where one can report violations or that will force the people at the hospital to comply. The only way they might comply is after a data breach, but then again, they may choose to pay the fine and do nothing.
Did I give my fellow IT professional good advice?