Knock, knock. Who's there? No one.

[Jake Kouns <jkouns () opensecurityfoundation org>]

http://datalossdb.org/incident_highlights/57-knock-knock-who-s-there-no-one

2013-02-22 by Dissent
As we mentioned in our last post, trying to contact and confirm
organizations that have reportedly been breached can be time-consuming
and frustrating. When that organization is a hospital and we cannot
reach anyone or get a response, it's especially concerning.

Yesterday, I tried to contact [Redacted] Hospital. I went to their
site for contact info, but they had no phone directory or email
directory by department or office. So I called their main number and
asked for IT. I was sent to voicemail. I hung up, called back, and
asked the operator to stay on the line until I got through to a person
in IT or the Privacy Compliance Officer. Eventually, I heard a male
voice, who told me that he was the "service desk." The "service desk"
was not IT. I subsequently learned that they are an outsourced IT
partner.

I explained that the hospital had apparently suffered a hack via SQL
injection and I could email him a link to the data so that IT could
investigate and take action to secure the server better. I gave him my
name, email address, and phone number, and told him that I was with
the Open Security Foundation.

He told me didn't have an email address for me to email him the link,
but that he would open a ticket. He had no email address to give me?
Seriously? On the one hand, not accepting an emailed link from a
stranger makes good security sense, but on the other hand, how could I
send them data and details without an email address? I usually paste
some dumped data into the body of the email with the link to the full
paste. So now, not only could I not directly reach the responsible
parties, I could not even send them any data to pursue.

The service desk employee opened a ticket and sent me a copy of it.
That was almost 24 hours ago. The two individuals he directed the
ticket to were the hospital's System Administrator and Technical
Analyst, neither of whom have contacted me by email or phone, even
though my contact details were in the support ticket.

In this case, the data were dumped on the Internet at the beginning of
December 2012, so maybe they know already, but since the data are
still live and in any event, they have no idea what data I called
about, maybe they don't know. The data do not appear to be patient
data, but they are personally identifiable information. And if those
data were vulnerable, what other data might still be vulnerable?

Another staff member from OSF also tried to reach them last night -
through the hospital's on-site contact form. That form doesn't have a
pull-down menu to direct the message to particular subjects or
departments.

It shouldn't be so difficult to contact the responsible party when
there's been a breach. So here are some "best practices"
recommendations for HIPAA-covered entities to add to their checklists:

1. Provide a dedicated phone number and email address to report
privacy or security breaches and prominently post those contact
details on the home page of your web site.
2. Ensure that the phone number and email address are monitored 24/7/365.
3. Establish a written policy that all such contacts or messages are
to be acknowledged within 1 hour.
4. Follow up and let the individual who reported the problem know what
steps you have taken.
5. If you use a contact form on your web site, have a pull-down menu
for subjects, and have one of them be "Privacy or Security Concern."

Every hospital tells patients that they take the privacy and security
of their information seriously. I wouldn't believe them if they don't
respond to security alerts and make people jump through hoops just to
try to inform them that they may have had a breach involving personal
information. And I certainly wouldn't believe any hospital that
doesn't even return a phone call when you have left them a message
that they may have a security problem with their public-facing server.

Responsible hospitals should facilitate reporting privacy or data
security concerns. So what has your organization done to facilitate
reporting of breaches?

/Dissent
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.