Ask Slashdot: Dealing With Unwanted But Official Security Probes?

Posted by timothy
from the surely-you-have-nothing-to-hide dept.
An anonymous reader writes "I manage a few computers for an independent private medical practice connected to a hospital network. Recently I discovered repeated attempts to access these computers. After adjusting the firewall to drop connections from the attacking computers, I reported the presumed hacker IP to hospital IT. I was told that the activity was conducted by the hospital corporation for security purposes. The activity continues. It has included attempted fuzzing of a web server, buffer overrun attacks, attempts to access a protected database, attempts to get the password file, etc. The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"

  • by PNutts (199112) on Saturday April 06, 2013 @03:21PM (#43380493)

    They do know about HIPAA penalties for leaking data, right?

    • Re: (Score:2, Insightful)

      by AK Marc (707885)
      Has there ever been a fine for leaking data? I know of a few for not releasing data when required, but not any for unauthorized access of a computer.

      You do know that HIPAA was more about owning your own records, than having them held hostage by doctors who required bribes to release your records to other doctors, right? And yes, that was common, especially with eye doctors requiring that prescriptions be filled at their office. Lose money on the exam, and make it up with the overpriced treatment was c
      • by Old97 (1341297) on Saturday April 06, 2013 @04:51PM (#43380991)
        I work for a health insurance company. HIPAA fines are not unusual. It's strictly enforced. Our potential liability for a breach due to gross negligence or willful conduct can run tens of millions of dollars.
        • Re: (Score:2, Flamebait)

          by AK Marc (707885)
          http://www.infosecurity-magazine.com/view/16186/hhs-levies-first-fines-under-hipaa-privacy-rule/

          First "privacy violation" about 15 years after it was passed, and for not sharing when required, not for accidental exposure.
          • by Old97 (1341297)
            Different kind of violation. We get fined if we allow unauthorized access to someone else's medical records. That's different from not providing access to the person who the records are about. Obviously we don't publicize it when it happens unless there has been a breach of a system (like in Tennessee in the past year). We do have to notify the individuals whose records were exposed.
            • by Old97 (1341297)
              Let me clarify - the feds only fine you if you really screw up and drag your feet fixing it. Most disclosures are incidental or accidental or an employee or contractor who misuses their position. If the company has policies and training, takes corrective action and cooperated fully, they don't normally get fined. Nevertheless, the threat of fines keeps everyone on their toes. That doesn't mean our systems are nearly as secure as they should be, but at least you know people are worrying.
    • by Sir Holo (531007) on Saturday April 06, 2013 @06:13PM (#43381349)
      Possibly off-topic, but a physician of mine bragged that all of his many patients' data was very handily available to him at all times –– on a 32GB USB stick that he wore around his neck on a lanyard.

      My first thought was, "Dude, what if you lost it?"

      That is: HIPAA violations all over the place if he did.
      • If it's encrypted, it's fine.

        But since it's by a physician, it's likely not encrypted and is a HIPAA violation waiting to happen.

        If you see him again, ask him if he understands the concept of data normalization.

        • by cusco (717999)
          If he works at any of the large hospitals, as soon as he sticks a USB drive on any domain member computer an encryption program gets dumped on it, no choice. In some places it's up to the end user to run it, but others immediately encrypt the entire thing and then ask you to contribute a password for all future access. Put a USB drive into a security DVR at one hospital (not even a machine that a doctor or administrator would have access to) and ended up with a drive full of encrypted firmware and a complex
    • by billstewart (78916) on Saturday April 06, 2013 @09:35PM (#43382155) Journal

      There are three or four likely possibilities for what's going on here

      * The hospital's lawyers and administration know what the IT guy is doing, and are ok with it. Therefore they'll be ok with you and your doctors' group lawyers talking to them about it, though you're going to have to have a long conversation about why this is not a good idea.
      * The hospital's lawyers and administration don't know what the IT department is doing, but the IT department thinks they're doing something officially useful, and need to get told it's inappropriate.
      * The hospital's IT department is doing this stuff on its own, for evil reasons, and needs to be caught and stopped.
      * Some outsider is masquerading as the hospital's IT department, and the email you contacted to tell them to stop doing stuff is really redirected to the bad guys. In that case, the hospital's in a real mess and needs to know about it.

      Either way, you've got a responsibility to your doctors and your patients, and you need to go to the top since going to the working-level people didn't get you taken seriously.

  • by Dr. Tom (23206) <tomh@nih.gov> on Saturday April 06, 2013 @03:21PM (#43380497) Homepage

    You can always run denyhosts, block any IP that attacks you, but it sounds like these guys are on your side, doing penetration testing.
    If they are not, block the addresses. If they are local staff, call the IT dept. and talk to them, don't post to /.

    • by Gothmolly (148874) on Saturday April 06, 2013 @03:29PM (#43380567)

      Block them anyway; claim it's part of your normal operations. Hint: they're probably stupid enough to use 1 or 2 IPs.

      • by sgt scrub (869860) <<moc.oohay> <ta> <muitnias>> on Saturday April 06, 2013 @04:14PM (#43380797)

        Or NAT their IP addresses to honey pots and watch them get sticky.

        • by Hentes (2461350) on Saturday April 06, 2013 @05:34PM (#43381161)

          Probably not the best idea in a pentest, some of them might think they actually got through and that will be hard to explain later.

          • "Probably not the best idea in a pentest, some of them might think they actually got through and that will be hard to explain later."

            Not really, if it's a halfway well-designed honeypot. All you need to do is keep records that you deliberately left fake records there.

            Much harder than "explaining it later" is making it look real in the first place. Of course, you can always play "April Fool" and make the records obviously fake, with names like Lesions R. Us and maladies like "covered in enormous pustules at extremely high pressure". But the categorizing of illnesses by number these days might preclude doing the latter.

      • by Anonymous Coward on Saturday April 06, 2013 @09:32PM (#43382145)

        I once worked on a team doing such internal audits. After a YEAR we finally had our network looking pretty tight from the disaster it had been - this was a very large network. One day someone asked me to take a look at a WEB app they had created to demonstrate something for me - I couldn't reach the address. Neither could anyone else on my team. I asked friends via IM elsewhere on the network if they could reach the IP and they could. Suspicious, I told my boss about it and he confirmed the blockage by attempting access via RDP from a machine we kept remotely on the network - he was able to access it. Suspicions confirmed, he twiddled a few things and moved our DHCP IP range to a completely different set of addresses and instructed our team to go to work. We found quite a bit wrong with the network space behind that router! When the network team responsible for that router was drilled they claimed no knowledge of the filtering rule that had been blocking our IP space and no documentation of its creation existed despite strict rules about such things.

        What you're advocating is akin to stripping off street signs and house numbers so that the fire and police depts can't find your home when soliciting for donations. This has the additional side effect of also making sure they cannot find your home should a fire or robbery occur and is stupidity to say the least!

        Yes, security scans like this can be bothersome. They can even crash machines and applications that aren't coded properly and if you've not locked all your doors and sealed the windows someone might crawl in. My all-time favorite was a NAS that would corrupt multi-TB worth of data every time we scanned it - the vendor's response was to tell us to stop scanning it. Ours was to replace the fucking vendor! Stopping these scans by something as stupid as blocking the traffic is simply going to waste the company's money spent hiring these people and come home to roost when someone else crawls in and steals your shit. The difference between this and thieves or vandals is that if THESE guys get in they will let you know what they found and hopefully help you fix it. Which would you rather have? The fact that they have even been spotted is a plus, most of the folks I went up against never noticed us and the stupidity we uncovered was amazing.

        Sadly, much as I'd like to NOT post this AC I'm going to have to but trust me simply blocking these guys is a really BIG mistake.

        • by Runaway1956 (1322357) on Sunday April 07, 2013 @01:08AM (#43382773) Homepage Journal

          Nice story and all. Good moral, too. Cooperating with your IT department can only help everyone.

          The flaw here, is that the vendor has not been warned that the hospital's IT department is going to be pentesting. Apparently, there is no contract, no new letter, no statement of policy. The vendor simply discovered that someone is testing his defenses, and the IP addresses have led him to believe the hospital is responsible.

          It's possible that bad guys are doing all this testing, and the people at the hospital aren't really aware of what is happening.

          Contacting the hospital's administration seems to be in order here.

    • by PolygamousRanchKid (1290638) on Saturday April 06, 2013 @03:33PM (#43380601)

      My company's "good guys" run security tests once a week. They send me a report afterwards, listing any "findings". And, most importantly, I was informed by them beforehand, that they would be doing these tests.

      If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?

      • Re: (Score:3, Interesting)

        by interval1066 (668936)

        If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?

        Although annoying, it's completely within the company's rights to audit their security however they see fit, and I can see a number of reasons to do surprise, anonymous audits. And as another poster pointed out; complaining about it on /. probably isn't the brightest move.

        • by Hizonner (38491) on Saturday April 06, 2013 @05:11PM (#43381081)

          They're not auditing their security. They're auditing somebody else's security. "Independent private medical practice" means a separate corporation that happens to have a network link. Not "within their rights", and not legal, either.

          • Re: (Score:2, Insightful)

            by Anonymous Coward

            The hospital's network is responsible for the security of the ENTIRE network. If the "independent" practice is connected to their network, they fall under security's purview.

            • by postbigbang (761081) on Saturday April 06, 2013 @06:29PM (#43381425)

              Not so. There may be a contractual relationship allowing this. Otherwise, an unauthorized pentest is a hack attempt. If so, report them to the FBI and do a deny on their IPs.

              If there's a contractual relationship with a clause governing over-arching compliance, then an audit better be agreed upon first, otherwise, see first paragraph.

              I don't care if the address is across town, or across the seas, they get hammered and reported unless they're 1) covered by contract and 2) give us results. Otherwise, we suspect the worst and go for their lunch. Then we eat it.

            • Re: (Score:3, Interesting)

              by brausch (51013)

              Not unless they've got a contract that says so. Their authority stops at my router unless I've given them permission.

              They can ask me to conduct my own testing or they can ask if they can test.

              I'm not a clinic but banks have similar laws.

            • by Jawnn (445279)

              The hospital's network is responsible for the security of the ENTIRE network. If the "independent" practice is connected to their network, they fall under security's purview.

              Perhaps, but probably not. Unless there are specific contractual terms spelling out who is responsible for what on which network, the network that is owned and operated by the private practice. It is their network, not the hospital's. Period. As others have already pointed out, it is not cool to pen test somebody else's stuff without a prior agreement that this will be happening. Simply having a "business relationship" between the two entities does not imply any right to perform things that are criminal in

          • Re: (Score:3, Insightful)

            "They're not auditing their security. They're auditing somebody else's security. "Independent private medical practice" means a separate corporation that happens to have a network link. Not "within their rights", and not legal, either."

            I hate to have to tell you this, but no.

            If they are "connected to the hospital network", then the hospital network's security IS their security, and vice versa. You cannot separate the two, because lax security in one can enable entry into the other.

            Having said that: I do think it would have been more professional to at least have informed them that security audits would be carried out, and not to worry about apparent attacks coming from IP addresses X, Y, and Z. As long as they did not pre-block thos

            • Re: (Score:2, Insightful)

              by Anonymous Coward

              "They're not auditing their security. They're auditing somebody else's security. "Independent private medical practice" means a separate corporation that happens to have a network link. Not "within their rights", and not legal, either."

              I hate to have to tell you this, but no.

              If they are "connected to the hospital network", then the hospital network's security IS their security, and vice versa. You cannot separate the two, because lax security in one can enable entry into the other.

              This is not entirely true either. If they are attacking a server not owned by the hospital and is owned by the private company, that would be an illegal attack. If you are connected to a network through your ISP you have no right to try to attack some other server on the ISP's network.

            • Having said that: I do think it would have been more professional to at least have informed them that security audits would be carried out, and not to worry about apparent attacks coming from IP addresses X, Y, and Z. As long as they did not pre-block those addresses, that would not affect any of the security audits in the slightest, and would ease any anxiety on the part of these people.

              The testing/auditing is not necessarily only to evaluate the network, evaluating the admin/security team may also be part of the plan. In other words part of the test may be to verify that these folks get worried in a reasonably short amount of time and take appropriate actions.

            • by Hizonner (38491) on Saturday April 06, 2013 @08:21PM (#43381865)

              Yes, the practice's security affects the hospital's. Your security affects mine, too, and in fact the security of everybody on the Internet affects the security of everybody else.

              Nonetheless, it is not legal, ethical, or appropriate to go around attacking somebody else's systems without their explicit permission. It doesn't matter if you provide them with network service. It doesn't matter if you have (perhaps unwisely) given them access that makes them a potential threat to you. It doesn't matter if you're the "big" network, or if you have more to lose than they do. It doesn't matter if you feel you're "responsible for the whole network". It doesn't matter if they're completely incompetent and overrun with malware.

              If you don't have advance permission, and you attack somebody else's system, you're in CFAA violation territory. And if you didn't get that permission in writing, you're an incompetent idiot.

              This isn't the wild, wild west. Your motives do not matter. The effect on your own security does not matter. End of story.

          • by taustin (171655)

            I'll bet the hospital can produce a binding contract in which the doctors agreed to allow this.

      • by TrekkieGod (627867) on Saturday April 06, 2013 @05:02PM (#43381047) Homepage Journal

        If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?

        You shouldn't know, and you're supposed to treat them like the bad guys. Isn't that the entire point? How else are they going to know you're prepared against a real attack?

        • by longk (2637033) on Saturday April 06, 2013 @05:41PM (#43381203)

          How is this not a real attack to begin with? Just because they cooperate in the medical business doesn't mean they have the right to penetrate each others IT systems.

        • by Ungrounded Lightning (62228) on Saturday April 06, 2013 @07:24PM (#43381635) Journal

          If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?

          You shouldn't know, and you're supposed to treat them like the bad guys.

          How do you know that their machines haven't been hacked, and that ALL of the penetration attempts are actually tests?

          If you talked to them on a phone rather than face-to-face at THEIR office (or even then), how do you know the person you talked to is actually a security guy or I.T. administrator at the hospital and not a freelance cracker, identity thief, spy, or even an assassin going after a patient? If somebody cracked, say, a VoIP phone system, they could intercept your complaints and tell you it was standard operating procedure and to ignore such attacks.

          Even if they are what they claim to be and ALL the attacks are from them, by telling you it's just a test, you should ignore it, and continuing to "test" you, they've just TOLD YOU TO IGNORE ATTACKS. If you do, you FAIL.

          IMHO (IANAL) you MUST attempt to halt the attacks and treat them as real or you are in violation of HIPAA.

      • by Tom (822) on Sunday April 07, 2013 @06:24AM (#43383395) Homepage Journal

        It depends on the testing. I've run security tests. Most of the time, you do notify the people involved and plan with them, especially if you are testing live systems. You don't want to interrupt service, after all.

        However, sometimes you want to test humans and procedures as well. In those cases, you might notify only management, not the technical people involved. You definitely notify someone, but not necessarily the people who will notice your attack first.

        Friends of mine do social engineering pentesting. That's the best example, because notifying people just that such a thing is going on already changes the results. So they will usually carry a letter signed by the CEO and the security chief that states a) these guys are legit and b) call me to verify. And, btw., people who don't do b) upon seeing the letter fail the test because anyone could carry a forgery. But, back to the point, in most cases, the CEO and security chief and maybe two people in legal who handled the contract are the only people within the target company that know about the testing.

        Same, but to a lesser extent, with other security tests. If you want to test the firewall, you can tell the firewall guy. But if you want to test the firewall guy, you can't. You tell his manager or if the corp has a separate security chain-of-command, the next-higher-up in the security report chain, so he can calm him down and congratulate him when he storms into the office saying "we're under attack". But if you want to find out if he'll notice at all, you obviously can't tell him beforehand.

    • by Smallpond (221300)

      You can always run denyhosts, block any IP that attacks you, but it sounds like these guys are on your side, doing penetration testing.
      If they are not, block the addresses. If they are local staff, call the IT dept. and talk to them, don't post to /.

      People who are "on your side" would ask your permission before trying to break into your servers. These are criminals.

  • by Anonymous Coward on Saturday April 06, 2013 @03:22PM (#43380507)

    Speak with someone at the managerial level and go find the agreement/piece of paper that states said hospital corporation has the right to perform security audits against your customer's network. Until that does or does not materialize, take no action past what you're already doing in the name of good security.

    • by mythosaz (572040)

      If he's using their network, he signed THEIR NUP.

    • by AK Marc (707885)
      A specialist's office fully within a hospital (and connected to the hospital network) has likely granted permission for this and their firstborn. Block the IPs and ignore it is probably best. Or request notification of tests and results of the tests, but so far, that looks to be ignored.
  • by Anonymous Coward on Saturday April 06, 2013 @03:22PM (#43380509)

    have a lawyer write a letter to the hospital director, explaining how it's against the law in the US to attempt to hack into another company's network, saying, "Of course you'd want to know about this to avoid civil or criminal action."

    • by Skapare (16644)

      First check to see if the medical practice relationship contract with the hospital provides for authorized pentesting in some way. It may well be completely legal. Proper pentesting would let you know that it will be done, though typically without informing you of the time or source IPs (not knowing makes it a more valid test). They should then provide you with a report so you can make corrective action.

      Under the theory that multiple layers of protection are a good idea, actual pentesting might need to b

      • by Benaiah (851593)
        Pretty sure this is the most likely. When a private practice moves into a hospital they have to sign many cohabitation agreements. One of them will cover I.T. governance and likely will be written in such a way that you have no recourse, "our network our rules". As such if you want these official probes to stop then talking to them face to face may be your only option. Then they may just tell you that it's a legal requirement that they take every action available to ensure patient data is safe and penetratio
  • by Anonymous Coward on Saturday April 06, 2013 @03:24PM (#43380531)

    Unless there are contractual terms which allow the hospital to pentest the independent medical practice, the hospital IT staff are probably violating the law. Get your legal counsel involved ASAP and let the lawyer deal with it.

    • by cdwiegand (2267) <chris@wiegandfamily.com> on Saturday April 06, 2013 @04:08PM (#43380769) Homepage

      Yes - this! Just because they don't want to rock the boat, doesn't make it not a federal crime! And if they decide they don't want to follow up on the legal violation, I would tell my boss that the hospital may not be pentesting officially - it could be a corrupt IT (or even non-IT) person testing their clients w/o the hospital management's knowledge. If it's a major hospital (which most seem to be, these days), there are serious repercussions for doing that to the hospital employee. I would probably block the IP at the firewall and if they complain let them know that, per YOUR standard operating policy, the IP was perm-banned due to a large number of attacks coming from an unauthorized source. I do at my place of business (of course, I'm the CTO and a business partner to boot, so I can make those decisions).

  • by Anonymous Coward on Saturday April 06, 2013 @03:26PM (#43380547)

    You've told them that they don't have authorization to access your computers, and are (or would be) in violation of the law if they succeed?
    You've asked for a meeting with their security people so that you can jointly plan to do whatever is needed?
    You're reasonably comfortable that you indeed run a tight ship?
    You've configured your firewall to drop their packets?

    • by Dan Dankleton (1898312) on Saturday April 06, 2013 @03:45PM (#43380671)

      You've asked for a meeting with their security people so that you can jointly plan to do whatever is needed?

      I never have mod points when there's something I want to moderate! This is the thing to do. Get in touch with the hospital's security people. If the scans are causing any problems with IT operations then arrange with them to schedule the scans differently. Otherwise, explain that you've picked up the scans and blocked them per procedure. Ask if they want you to unblock their specific scan so that they can find any issues which would reveal weaknesses you could defend against in more depth.

      All this may be unwelcome but it doesn't sound like there's much you can do about it, so treat it as an opportunity.

  • by darkonc (47285) <stephen_samuel@b ... m ['ree' in gap]> on Saturday April 06, 2013 @03:27PM (#43380557) Homepage Journal
    One thing to note: If they manage to get in, then it's a good thing to know about how they did it.

    In the meantime, you want to talk to the crew that's doing the intrusion testing and make sure that they'll be keeping anything they find confidential, and that you'll get the results of the work that they're doing. What they're doing is annoying, but it's better to have it done by friendlies than to have someone truly hostile find some day-0s that they can use against you (presuming that you're willing to close any holes that they find).

  • Get it in writing (Score:5, Informative)

    by Antique Geekmeister (740220) on Saturday April 06, 2013 @03:31PM (#43380585)

    I've been on both sides of such security probes, professionally. A legitimate organization will be willing to identify itself and name the most obvious penetration test vectors, because they will show up in the logs of someone competent. It's also especially interesting to conduct a penetration a month _before_ any announced test, and a month or two _after_, to see what has actually been changed.

    But as the target of a penetration test, you should be _encouraged_ to report the attempts to the upstream provider or administration, and you should be notified of the test results. You don't indicate if you've spoken to anyone in hospital IT who has any actual authority or responsibility: a simple letter, _preferably on real paper with a real name of someone who can verify the letter_, identifying that such tests occur and where you can report them, can help protect you, and the hospital, from liability for other attacks that go unnoticed while the penetration test occurs.

    I also urge you to review the regulations or laws on confidentiality of patient data. Penetration against secure data where the recovered data is not handled safely can be illegal, and a careful talk with the hospital's legal counsel can help set some guidelines. And this is just the situation where a paper trail, _on paper and kept offsite_, can protect you and your group from lawsuit or from a manager who tries to shift blame. This is especially true when the penetration succeeds, and a mid level manager uses it as ammunition to replace IT staff with a different "big vision" of how security works, even when the IT staff were prohibited by that manager from taking effective steps against the very vulnerabilities used by the penetration test. (I've seen this several times.)

  • You say that you are "connected to" the network but you don't say what this relationship actually is. If you are hosted by the hospital (i.e. actually part of their network), then they may have an information security department who is checking all the hosts that are on their network. This may or may not be part of the contract, either as a service provided or something that is required by the contract or hosting arrangement.

    If you are not actually part of their network or hosted by them, there may still

  • Is it actively causing trouble? Or do you just notice it?

    If it's not DOSing you, I'd just ignore it.

  • by rgbrenner (317308) on Saturday April 06, 2013 @03:37PM (#43380625)

    It appears you're unfamiliar with a common practice: regularly scanning and auditing computers on your internal network to catch compromised hosts.

    Since they are doing part of your job for you, send them a nice Thank You card for helping you out.

  • The funny thing is that when law makers create a sack of new laws they never consider the effects. We have had people nailed to the cross for rather innocent computer activity. So why not make a point. Any laws that apply to individuals should also apply to large organizations. Sue them into the weeds. If your employer will not then try suing them yourself. They are making your life a living hell as you are forced to keep ahead of their hacking to keep your job. What suits the goose should cert

    • by cdwiegand (2267)

      Lawsuit wouldn't happen - he lacks legal standing. Unless it's his PRIVATE network. If it's the company's network (which the article rather implies), then the company has standing, but not him (the employee).

    • by Lehk228 (705449)
      career suicide to make a political point? how about noooo
    • by tqk (413719)

      Any laws that apply to individuals should also apply to large organizations.

      Dreamer.

      Sue them into the weeds. If your employer will not then try suing them yourself.

      The judge, if s/he's in a good mood, is going to laugh that out of court. These aren't his systems. They're his employers' systems. He has no standing.

      Make no mistake. They would have you for lunch if you hacked them.

      True enough.

  • by mysidia (191772) on Saturday April 06, 2013 @03:39PM (#43380633)

    "The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"

    Drop the issue, and secure their network, so the hospital, or anyone else outside their practice's internal LAN is not capable of probing or making unapproved connections; insert an IDS, and ensure offending IP addresses are blocked from access.

  • Our ITers are doing the same thing; they claim HIPAA regulations require them to. Although I suspect they're a bit overzealous, it's really not worth getting into trouble with them over this. The same thing probably goes for you; they can argue your presence on their network automatically makes you subject to the same checks (which I believe is actually true). The only thing you can do is make sure that all your services are secure and up-to-date and that everyone with access to your computers has taken bas

    • HIPAA is pretty broadly written; it does not require a lot. But if they put scanning into the written policy then it's required by HIPAA, as HIPAA requires they comply with their own written policy.

      Much like PCI, you hire an auditing company, the larger the better; they act as the get-out-of-jail-free card if anything happens.

  • In principle, penetration testing is a useful service. However, they need to keep you informed, because if they don't, you can't distinguish an actual attack from their penetration testing. There also need to be clear procedures spelled out for what they do if they succeed and what the consequences are.

    If there is no contractual basis for them to do this, they are likely breaking the law.

  • If your clients are connecting to the hospital network they most probably agreed to this as part of those terms of service. Blocking the attacking IPs most probably violates those terms as well.

    Even if it's not baked into the TOS, HIPAA pretty much requires this sort of thing; 164.312 covers a lot of it. The specific policy is up to the hospital, pretty much letting hospital policy override other local laws if they conflict.

    Have fun calling the cops; it will probably get them laughed at and their contracts t

  • Two things (Score:5, Insightful)

    by gman003 (1693318) on Saturday April 06, 2013 @04:00PM (#43380731)

    First, as far as the network goes, treat it the same way you would treat any attack. Block IPs, add filters, whatever you normally do. If they are simulating an attack, you should simulate a defense.

    Second, the human response. Make sure that this is actually an authorized security test. Tell them that if you cannot get confirmation that this is an authorized attack, you will have to treat it as an unauthorized one, which means contacting law enforcement, as per standard protocols for dealing with health information. This is "cover your ass" stuff here - if it actually isn't authorized, and you get hacked, you're likely to take the blame for it. And if it is authorized, well, you look like you're doing your job by detecting and responding to the threat.

  • Unless they have written permission, they are violating the law by probing these systems. Not only that, but they are actively trying to do something that might crash vital infrastructure and possibly injure or kill patients. Probing equipment inside a hospital without very specific knowledge of what is what and very explicit permissions and waivers is asking for very expensive lawsuits and (insurance) claims. Tell them to stop scanning your life support systems since they crash all the time when they do so
  • Legally they should have informed you of their intention and gained permission before they started conducting testing...

    Aside from that, they are wanting to ensure that those they do business with are doing their due diligence and not doing anything stupid that would leak their data out to the world. So long as your systems are appropriately configured the attacks will amount to nothing, and it's likely you receive similar attacks from random hosts on a daily basis anyway.

  • There seems to be a divide in how to interpret this article.

    1) A third of the responses seem to conclude that these are friends and any and all attacks are simply a standard IT security test.
    2) The other third seem to interpret this article as, these are separate, but connected, companies. Where one is actually trying to hack into some small time competition.
    3) Then there's the few others that inexplicably seem to be saying "So What".
    4) Hack them back.

    The article clearly points out that these are separate c

    • by Firethorn (177587)

      The article clearly points out that these are separate companies. Even if these are just security tests it is highly illegal and if they are ever successful even more so (and letting their patient data be compromised opens up the hacked company to legal issues as well).

      I work information assurance for the government. To my mind the description screamed 'subcontractors'. IE while not direct employees of the hospital in question, they'd be in serious financial trouble if they lost their association with the hospital. Not necessarily friends, but they DO need to keep a good working relationship.

      Now, I can't say what the exact details of the connections, agreements, and such are, I do know that in order to hook up to one of MY networks you have to agree to meet all the req

      • Yes, but if these subcontractors have data that they are responsible for, they legally cannot just say, well I don't really care, hack away. Even if they signed a contract that permitted this for all computers they hooked up to the network.

        It is possible that this employee is just not aware that they signed away this right, but this is a hospital with doctors and theoretically with patient data. Which makes it a whole lot different from a regular company that owns outright all data that it holds.

        I have work

        • by Firethorn (177587)

          Yes, but if these subcontractors have data that they are responsible for, they legally cannot just say, well I don't really care, hack away.

          Did you read my post completely? Did I EVER suggest doing nothing or not caring?

          It is possible that this employee is just not aware that they signed away this right, but this is a hospital with doctors and theoretically with patient data. Which makes it a whole lot different from a regular company that owns outright all data that it holds.

          Government work. Multiple networks. I have to worry about privacy act, FOUO, HIPAA, and more. Let me point out that I conduct penetration testing. I do the equivalent of cracking a safe, yes. But I don't take the contents.

          As bad as it might sound, in general it's considered better for me, who is under an NDA from heck, to test security on shit that, frankly, I don't want to know, than it is to NOT make the attempt and only la

  • by Opportunist (166417) on Saturday April 06, 2013 @04:24PM (#43380845)

    Do I get this right? You are working for company A, but company B, with whom you have some kind of relationship, but are not a part of, tests your security?

    First, make sure you have EVERYTHING in writing. At the very least as emails, but paper would be better. Make sure that everything you inform your IT superiors of is documented, and make sure every order you get from them is documented as well. Else selective amnesia might set in when the shit hits the fan. Tell your doctors to get in touch with the hospital CIO/CISO (or whoever is directing the tests), and make sure that they inform them that they want to cooperate to make sure the test makes sense. Else, what would you logically do? Right. Block the offending IP(s) until the storm is over. That's not really in the interest of the auditor either, since it's trivial to make something "secure" when I don't allow access to it by default and have every kind of access die at the front door (even though others might be allowed further in).

    Personally I think it's highly unusual to conduct a pen test "against" a cooperating company. At the very least you should be informed that this has to happen (likely due to HIPAA or similar regulations), else the auditors are on VERY thin (juridical) ice. Essentially, they are conducting a hostile attack.

    Tell your docs what the auditors do here is pretty much like performing an operation without the patient's consent; they'll immediately get that. It may be in the patient's interest, but cutting him open without immediate lethal danger and without consent is STILL a big no-no.

    • by Lehk228 (705449)
      I'm guessing it's a sloppy network and there is little or no distinction between hospital and other company networks, automated scans are run on entire network address ranges.
  • Set up a honeypot. If you see crap coming from that IP send it against a server that has a front that looks like yours but has nothing in it and nothing to do. That way they might tie up some bandwidth but they will waste the capacity of one useless server. You could probably set up the server on some old pile of junk seeing that nobody will actually care about its performance or reliability.

    Also put the server in a bit of a DMZ so that if they do compromise it that they can't get any further. If you want
  • If Hospital IT speak the truth then you have a game on your hands. Win it.
  • You might want to check the small print in whatever contract the independent practice has with the hospital. There's a chance hospital IT has hired a security firm to do a security assessment of their network, and that would include you in the scope as well.

    Even if you aren't necessarily *in* the scope of the assessment, you are an attack vector into the hospital's own network and as such you will probably be probed and poked at.

    Step 1 would be to ask hospital IT for the paperwork on the security assessment

  • and make friends. Tell them what you are seeing and express your concern for live confidential data being exposed and ask if they are seeing similar probes on their side. See what they say. Maybe they say "oh, that is just us" and you have one response. Or maybe they say "we are seeing that too" but we have been told it is some contractor we hired to do penetration testing. Then you have another response. Or maybe they don't know a thing in which case you report what you are seeing up your channels and across to their senior IT guys.

    But first start by making friends.

  • There is no reason they can't give you a list of any IP addresses used to pen test your network. As long as you don't block those addresses, that would make absolutely no difference in their security audits, PLUS you would know who it was and avoid panic.

    In my opinion, their failure to do so was rather unprofessional.
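    As an added example (not code from any of the posters), this ties together gman003's advice to treat the traffic as an attack, Opportunist's advice to keep a dated written record, and the point above about asking for the testers' IP list: it reads firewall drop lines, separates sources that appear on the declared-tester list from the assessment paperwork, and renders the rest as escalation entries. The log lines, addresses and the declared-tester list are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample firewall drop records (not from the original post).
SAMPLE_LOG = """\
2013-04-06T14:01:02 DROP src=10.20.30.5 dst=192.168.1.10 dpt=80
2013-04-06T14:01:03 DROP src=10.20.30.5 dst=192.168.1.10 dpt=443
2013-04-06T14:01:09 DROP src=10.20.30.5 dst=192.168.1.11 dpt=1433
2013-04-06T14:05:44 DROP src=203.0.113.77 dst=192.168.1.10 dpt=22
2013-04-06T14:05:45 DROP src=203.0.113.77 dst=192.168.1.10 dpt=445
"""

# Hypothetical: source addresses the hospital declared in its written
# assessment paperwork. Anything not on this list is an unknown probe.
DECLARED_TESTERS = {"10.20.30.5"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$")


def classify_probes(log_text, declared_testers):
    """Group dropped connections by source and label each source.

    Declared testers are recorded but not escalated; every other source is
    marked for blocking and for reporting up the practice's channels.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a drop record
        events[m["src"]].append((m["ts"], f"{m['dst']}:{m['dpt']}"))
    report = {}
    for src, hits in events.items():
        stamps = sorted(ts for ts, _ in hits)
        report[src] = {
            "disposition": ("authorized-test" if src in declared_testers
                            else "block-and-escalate"),
            "first": stamps[0],
            "last": stamps[-1],
            "targets": sorted({target for _, target in hits}),
        }
    return report


def escalation_record(report):
    """Dated one-line entries for the unknown sources, for the written record."""
    return [f"{v['first']}..{v['last']} src={src} targets={','.join(v['targets'])}"
            for src, v in sorted(report.items())
            if v["disposition"] == "block-and-escalate"]
```

The declared-tester set is the only input that changes once hospital IT hands over its paperwork; until then every source lands in the escalation list.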
  • The only answer. (Score:5, Informative)

    by ebrandsberg (75344) on Saturday April 06, 2013 @06:27PM (#43381415)

    Is the hospital allowed to access records without a release based on HIPAA regulations since it is an independent practice? If not, then report them to the police. Apologize to the hospital, but explain, you have NO CHOICE. HIPAA is not something to mess with, and it doesn't matter who is trying to access the records, it IS a crime if accessing this data is not permitted. Remember the guys that got sent away for accessing the public data for AT&T? Yea... That but worse. Based on the fact that they were sentenced, even if they gained no data, the attempt itself was the crime. Failure to report a crime is a crime itself: http://www.law.cornell.edu/uscode/search/display.html?terms=misprision&url=/uscode/html/uscode18/usc_sec_18_00000004----000-.html. Report it. If they gain access to records, and then data from it leaks out, say because someone notable was a patient, then it will be on YOU. If the local police decide not to follow up, it is NOT on you.

  • I work in IT in a hospital. The day I "just decided" to do things like that to somewhere else would be the one before the day when I started trying to find out about unemployment benefits.
    This will not be actual workers doing this by choice. It will be caused by someone whose job activities do not actually include IT. Their main job functions will be attending planning meetings and wearing a suit.

    The thing to do would be to meet up with the people who actually do the work there. You should be doing this

  • by Bartles (1198017) on Saturday April 06, 2013 @06:39PM (#43381469)
    It seems to me these "attacks" are being conducted in good faith, as a security test. I think this is good practice and it should be commonplace.
  • by Tom (822) on Sunday April 07, 2013 @06:13AM (#43383353) Homepage Journal

    Seriously, you are asking the wrong question on the wrong forum. Your legal department or your lawyer should handle this.

    The issue is not technical. The question is which laws and contracts bind you and the other side, and which of these regulate their activities towards you.

    For example, their security tests could be a part of their HIPAA or SOX implementation, and your contract states that you are included. Or there might be a separate clause in the contract, SLA or other document.

    Find out or better - let someone who is a professional in this field find out - where this is written down and what it does and doesn't allow. You might find out that you are already breaking your contract by blocking their probes. Or you might find out that they aren't allowed to probe and are thus in breach of several cybercrime laws. But you won't know until someone who knows the legalese has checked.

    Disclaimer:
    I used to be the Senior Manager IT Compliance for a mid-sized corporation. I now run my own company.
