
Ask Slashdot: Dealing With Unwanted But Official Security Probes?

timothy posted about a year and a half ago | from the surely-you-have-nothing-to-hide dept.

Businesses 238

An anonymous reader writes "I manage a few computers for an independent private medical practice connected to a hospital network. Recently I discovered repeated attempts to access these computers. After adjusting the firewall to drop connections from the attacking computers, I reported the presumed hacker IP to hospital IT. I was told that the activity was conducted by the hospital corporation for security purposes. The activity continues. It has included attempted fuzzing of a web server, buffer overrun attacks, attempts to access a protected database, attempts to get the password file, etc. The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"


238 comments


Be happy that their data is secure? (4, Insightful)

PNutts (199112) | about a year and a half ago | (#43380493)

They do know about HIPAA penalties for leaking data, right?

Re:Be happy that their data is secure? (1, Insightful)

AK Marc (707885) | about a year and a half ago | (#43380947)

Has there ever been a fine for leaking data? I know of a few for not releasing data when required, but not any for unauthorized access of a computer.

You do know that HIPAA was more about owning your own records, than having them held hostage by doctors who required bribes to release your records to other doctors, right? And yes, that was common, especially with eye doctors requiring that prescriptions be filled at their office. Lose money on the exam, and make it up with the overpriced treatment was considered unethical.

Re:Be happy that their data is secure? (3, Informative)

Old97 (1341297) | about a year and a half ago | (#43380991)

I work for a health insurance company. HIPAA fines are not unusual. It's strictly enforced. Our potential liability for a breach due to gross negligence or willful conduct can run tens of millions of dollars.

Is this not your local net police? (5, Insightful)

Dr. Tom (23206) | about a year and a half ago | (#43380497)

You can always run denyhosts, block any IP that attacks you, but it sounds like these guys are on your side, doing penetration testing.
If they are not, block the addresses. If they are local staff, call the IT dept. and talk to them, don't post to /.

Re:Is this not your local net police? (5, Interesting)

Gothmolly (148874) | about a year and a half ago | (#43380567)

Block them anyway; claim it's part of your normal operations. Hint: they're probably stupid enough to use 1 or 2 IPs.

Re:Is this not your local net police? (4, Insightful)

sgt scrub (869860) | about a year and a half ago | (#43380797)

Or NAT their IP addresses to honey pots and watch them get sticky.

Re:Is this not your local net police? (5, Informative)

PolygamousRanchKid (1290638) | about a year and a half ago | (#43380601)

My company's "good guys" run security tests once a week. They send me a report afterwards, listing any "findings". And, most importantly, I was informed by them beforehand, that they would be doing these tests.

If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?

Re: Is this not your local net police? (0)

Anonymous Coward | about a year and a half ago | (#43380727)

Completely likely to be in your contract with them.

Re:Is this not your local net police? (2, Interesting)

interval1066 (668936) | about a year and a half ago | (#43380823)

If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?

Although annoying, it's completely within the company's rights to audit their security however they see fit, and I can see a number of reasons to do surprise, anonymous audits. And as another poster pointed out, complaining about it on /. probably isn't the brightest move.

Re:Is this not your local net police? (5, Interesting)

Hizonner (38491) | about a year and a half ago | (#43381081)

They're not auditing their security. They're auditing somebody else's security. "Independent private medical practice" means a separate corporation that happens to have a network link. Not "within their rights", and not legal, either.

Re:Is this not your local net police? (4, Insightful)

TrekkieGod (627867) | about a year and a half ago | (#43381047)

If you weren't informed about it, how are you supposed to know that they are the good guys . . . ?

You shouldn't know, and you're supposed to treat them like the bad guys. Isn't that the entire point? How else are they going to know you're prepared against a real attack?

Re:Is this not your local net police? (0)

Anonymous Coward | about a year and a half ago | (#43380745)

it sounds like these guys are on your side, doing penetration testing.

No, it doesn't.

Unless you are incompetent... (0, Troll)

Anonymous Coward | about a year and a half ago | (#43380503)

Unless you are incompetent, you have nothing to worry about. Just ignore them.

Re: Unless you are incompetent... (2, Informative)

Anonymous Coward | about a year and a half ago | (#43380739)

...said by someone who doesn't have to specifically allow probes from the scanning hosts, and has to deal with the DoSing when the port scans cause a couple of the services to go haywire. (lock up, start sucking down all available memory on the machine)

We put in new checks to watch for these things, but who knows what new tests they're going to run on the next scan.

The memory one was particularly nasty, as machines w/ lots of memory available didn't start showing problems 'til up to 2 days later. (and everyone loves getting alerts at 2am)

Re: Unless you are incompetent... (1)

hawguy (1600213) | about a year and a half ago | (#43380979)

...said by someone who doesn't have to specifically allow probes from the scanning hosts, and has to deal with the DoSing when the port scans cause a couple of the services to go haywire. (lock up, start sucking down all available memory on the machine)

We put in new checks to watch for these things, but who knows what new tests they're going to run on the next scan.

The memory one was particularly nasty, as machines w/ lots of memory available didn't start showing problems 'til up to 2 days later. (and everyone loves getting alerts at 2am)

If the hospital doesn't run the scans, Chinese hackers will. Better to fix the services that can't handle it than to wait until the bad guys decide it's fun to execute a DoS attack against those services, or figure out the right attack to get past your security.

My company has thousands of port scans, website fuzzing, and all sorts of known vulnerability scans every day, and 90% of them originate overseas (and since our company has a global reach we can't block entire countries, and can't even block known Tor exit nodes or our customers can't reach us).

We use good IDS/IPS to detect and ward off the attacks and try to stay one step ahead of the hackers. (not always successfully, but so far they've only gotten into our webserver, which was easy to restore).

Establish authorization first (5, Informative)

Anonymous Coward | about a year and a half ago | (#43380507)

Speak with someone at the managerial level and go find the agreement/piece of paper that states said hospital corporation has the right to perform security audits against your customers network. Until that does or does not materialize, take no action past what you're already doing in the name of good security

Re:Establish authorization first (1)

Anonymous Coward | about a year and a half ago | (#43380765)

Hope they have such a piece of paper saying they were allowed to conduct penetration testing on your network (or to outsource that same thing to someone else), since they're crossing an organisational boundary and thus they may well be outside their remit.

I don't know who exactly is liable but that assumption of authorisation may not be valid, and then you can sue them. Whether you do is something else again, of course.

Though, as suggested, the person in charge of keeping the systems and networks aloft is supposed to understand how this works. Time to have a chat with the lawyers and whoever is in charge of the contract with them. After asker has done his homework so that he now does understand what part of the network is actually his responsibility.

In the meantime I'd just log the intrusions and otherwise block them. It's evidence.
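The "log it and block it" advice above, as an added example that is not code posted by anyone in this thread: it picks port-scanning sources out of firewall log lines, keeps the matched lines as evidence, and renders log-then-drop rules for them. The log lines are constructed to look like abbreviated Linux iptables LOG output (they are not captured traffic), and the threshold of five distinct destination ports is an assumption to tune for your own network.

```python
"""Pick out port-scanning sources from firewall log lines and turn them into
log-then-drop rules, keeping the matched lines as evidence.

Added example, not code from the thread. Sample lines are constructed to
resemble iptables LOG output; the min_ports threshold is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample lines (not real traffic). 10.20.30.40 walks six ports;
# 10.20.30.41 only hits 443 twice and should not be flagged.
SAMPLE_LOG = """\
Apr  5 02:11:03 gw kernel: FW-IN IN=eth0 OUT= SRC=10.20.30.40 DST=192.168.5.10 LEN=60 TTL=63 PROTO=TCP SPT=44021 DPT=22 SYN
Apr  5 02:11:03 gw kernel: FW-IN IN=eth0 OUT= SRC=10.20.30.40 DST=192.168.5.10 LEN=60 TTL=63 PROTO=TCP SPT=44022 DPT=80 SYN
Apr  5 02:11:04 gw kernel: FW-IN IN=eth0 OUT= SRC=10.20.30.40 DST=192.168.5.10 LEN=60 TTL=63 PROTO=TCP SPT=44023 DPT=443 SYN
Apr  5 02:11:04 gw kernel: FW-IN IN=eth0 OUT= SRC=10.20.30.40 DST=192.168.5.10 LEN=60 TTL=63 PROTO=TCP SPT=44024 DPT=1433 SYN
Apr  5 02:11:05 gw kernel: FW-IN IN=eth0 OUT= SRC=10.20.30.40 DST=192.168.5.10 LEN=60 TTL=63 PROTO=TCP SPT=44025 DPT=3306 SYN
Apr  5 02:11:05 gw kernel: FW-IN IN=eth0 OUT= SRC=10.20.30.40 DST=192.168.5.10 LEN=60 TTL=63 PROTO=TCP SPT=44026 DPT=5432 SYN
Apr  5 02:11:09 gw kernel: FW-IN IN=eth0 OUT= SRC=10.20.30.41 DST=192.168.5.10 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=443 SYN
Apr  5 02:11:12 gw kernel: FW-IN IN=eth0 OUT= SRC=10.20.30.41 DST=192.168.5.10 LEN=60 TTL=63 PROTO=TCP SPT=51001 DPT=443 SYN
"""

# One tolerant pattern per field, so field order and extra fields (LEN, TTL, ...) do not matter.
FIELD_RE = {key: re.compile(rf"\b{key}=(\S+)") for key in ("SRC", "DST", "PROTO", "DPT")}


def parse_event(line):
    """Return (src, dst, proto, dpt) for an iptables-style LOG line, or None
    when a field is missing (ICMP lines, for instance, carry no DPT)."""
    fields = {}
    for key, rx in FIELD_RE.items():
        m = rx.search(line)
        if m is None:
            return None
        fields[key] = m.group(1)
    return fields["SRC"], fields["DST"], fields["PROTO"], int(fields["DPT"])


def find_scanners(log_text, min_ports=5):
    """Group lines by source address and return, for every source that touched at
    least min_ports distinct destination ports, the sorted port list plus the raw
    log lines that implicate it (keep those; they are the evidence)."""
    ports = defaultdict(set)
    evidence = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        src, _dst, _proto, dpt = ev
        ports[src].add(dpt)
        evidence[src].append(line)
    return {
        src: {"ports": sorted(p), "evidence": evidence[src]}
        for src, p in ports.items()
        if len(p) >= min_ports
    }


def block_rules(scanners, chain="INPUT"):
    """Render iptables commands for each flagged source: a LOG rule at position 1
    and a DROP at position 2, so later attempts are still recorded before being
    dropped. This only builds the strings; applying them needs root."""
    rules = []
    for src in sorted(scanners):
        rules.append(f"iptables -I {chain} 1 -s {src} -j LOG --log-prefix 'PROBE-BLOCKED '")
        rules.append(f"iptables -I {chain} 2 -s {src} -j DROP")
    return rules


if __name__ == "__main__":
    hits = find_scanners(SAMPLE_LOG)
    for src, info in hits.items():
        print(f"{src}: {len(info['evidence'])} lines, ports {info['ports']}")
    print("\n".join(block_rules(hits)))
```

The LOG rule goes ahead of the DROP on purpose: once a source is dropped silently you lose the record of what it kept trying, which is exactly what you want on file if the "authorized test" later turns out to be something else.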

same place as 3rd party vendors in medical places (1)

Joe_Dragon (2206452) | about a year and a half ago | (#43381141)

same place as 3rd party vendors in medical places. Lots of them are on their own but they need to be on the hospital network, or they may just be stand-alone systems that mainly do not go online but may have been hooked up to the network by someone.

Also some of them can't even AV or use windows updates and at times stuck on XP and or IE6.

Re:Establish authorization first (1)

mythosaz (572040) | about a year and a half ago | (#43380775)

If he's using their network, he signed THEIR NUP.

Re:Establish authorization first (0)

Anonymous Coward | about a year and a half ago | (#43380883)

He may not have signed anything.

Re:Establish authorization first (1)

AK Marc (707885) | about a year and a half ago | (#43380961)

A specialist's office fully within a hospital (and connected to the hospital network) has likely granted permission for this and their firstborn. Block the IPs and ignore it is probably best. Or request notification of tests and results of the tests, but so far, that looks to be ignored.

SPEAK in their own language (3, Informative)

Anonymous Coward | about a year and a half ago | (#43380509)

have a lawyer write a letter to the hospital director, explaining how it's against the law in the US to attempt to hack into another company's network, saying, "Of course you'd want to know about this to avoid civil or criminal action."

Re:SPEAK in their own language (0)

Anonymous Coward | about a year and a half ago | (#43380963)

have a lawyer write a letter to the hospital director, explaining how it's against the law in the US to attempt to hack into another company's network, saying, "Of course you'd want to know about this to avoid civil or criminal action."

This is exactly the correct action to take. Inform them that you have no way to tell the difference between one of their "security probes" and an actual hack attack. By law (HIPAA) you are REQUIRED to report the attempted illegal access to federal authorities and to prosecute any perpetrators. Otherwise YOU become liable if it was an actual attack and not a test and medical information was leaked.

Write a VB app... (0)

Anonymous Coward | about a year and a half ago | (#43380513)

...and trace their IP address.

Hack back. (0)

girlintraining (1395911) | about a year and a half ago | (#43380517)

Since what you seem to be dealing with is someone who's incompetent (the attacks are not only totally ineffective, but high profile as well), I suggest you trace back the IP address, do some digging, and come up with a name.

And then do something innocent like editing that person's hosts file so all his attacks and scans are redirected to 127.0.0.1. I have found when dealing with corporate stupidity that going through official channels will get you nowhere. You need to make a statement, but it needs to be about as harmful as dropping a dummy bomb 50 miles from the border of an upstart country that thinks it's being cool. I'm sure you can come up with other things to do to this person to get the message across that your systems need to be left alone.

Re:Hack back. (3, Insightful)

PhamNguyen (2695929) | about a year and a half ago | (#43380551)

That would be responding to a company whose only fault is having a bad policy and poor training, by committing a serious crime!

Re:Hack back. (2)

Shavano (2541114) | about a year and a half ago | (#43380645)

The hospital may also be committing a serious crime. But you're right that responding in kind would be a very bad idea.

Re:Hack back. (2)

PhamNguyen (2695929) | about a year and a half ago | (#43380723)

The hospital may also be committing a serious crime.

That was my point :-) There is a double standard where these companies get a slap on the wrist in a civil court, while if this guy did exactly the same thing back, he would get criminal charges. But as you say, even without this double standard it would not make any sense to respond by hacking the hospital.

Re:Hack back. (1)

isorox (205688) | about a year and a half ago | (#43380855)

The hospital may also be committing a serious crime. But you're right that responding in kind would be a very bad idea.

How about if you put a nat rule that turns the packet back at them? They end up port scanning themselves.

Re:Hack back. (2)

Holistic Missile (976980) | about a year and a half ago | (#43380613)

Tar pit their IP addresses.

Each time they connect, disallow connections for x*2 seconds, where x is the amount of time their connections were disallowed the last time.
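The doubling tar pit described in the comment above, written out as an added example (not code posted in the thread): each time a source gets a connection through, it is shut out for twice as long as the previous time, up to a cap, and attempts made during a shut-out neither get through nor extend it. Only the decision logic is here, with a deterministic clock so it can be replayed; the call that would install a timed DROP in the firewall is marked as a hook point. The base delay, the cap and the forgiveness window are assumptions.

```python
"""Exponential tar pit: each connection that gets through triggers a shut-out
twice as long as the last one, up to a cap.

Added example, not code from the thread. In-memory decision logic only;
base, cap and forget are assumed values.
"""
import time


class ManualClock:
    """Deterministic clock for simulation; production code passes time.monotonic."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class TarPit:
    def __init__(self, base=1.0, cap=3600.0, forget=86400.0, clock=time.monotonic):
        self.base = base        # seconds for the first shut-out (assumed)
        self.cap = cap          # longest shut-out ever handed out (assumed)
        self.forget = forget    # quiet period after which a source starts over (assumed)
        self.clock = clock
        self._last_len = {}     # src -> length of its most recent shut-out
        self._until = {}        # src -> clock value at which that shut-out ends

    def is_banned(self, src):
        until = self._until.get(src)
        return until is not None and self.clock() < until

    def connect(self, src):
        """Record one connection attempt from src.

        Returns (allowed, seconds). While a shut-out is running: (False, time left).
        Otherwise (True, length) where length is the new shut-out starting now.
        Attempts during a shut-out do not extend it, so the penalty is driven by
        how often they get through, not by how hard they hammer the closed door."""
        now = self.clock()
        if self.is_banned(src):
            return False, self._until[src] - now
        prev = self._last_len.get(src)
        if prev is not None and now - self._until[src] > self.forget:
            prev = None                           # long quiet spell: start from base again
        length = self.base if prev is None else min(prev * 2, self.cap)
        self._last_len[src] = length
        self._until[src] = now + length
        # Hook point: add src to a firewall set with a timeout of `length` seconds
        # (e.g. an nftables set with timeout, or a scheduled iptables -D).
        return True, length


def simulate(attempts, base=1.0, cap=8.0):
    """Replay (time, src) pairs against a fresh TarPit; return [(src, allowed, seconds)]."""
    clock = ManualClock()
    pit = TarPit(base=base, cap=cap, clock=clock)
    result = []
    for t, src in attempts:
        clock.now = t
        allowed, seconds = pit.connect(src)
        result.append((src, allowed, round(seconds, 3)))
    return result


if __name__ == "__main__":
    trace = [(0, "10.0.0.5"), (0.5, "10.0.0.5"), (1.5, "10.0.0.5"), (4.0, "10.0.0.5"),
             (9.0, "10.0.0.5"), (18.0, "10.0.0.5"), (18.0, "10.0.0.6")]
    for row in simulate(trace):
        print(row)
```

Two design points worth keeping if you adapt this: the cap stops a legitimate but chatty source from being locked out for days, and the forgiveness window means a source that went quiet for a day is treated as new rather than picking up where its doubling left off.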

Re:Hack back. (0)

Anonymous Coward | about a year and a half ago | (#43380803)

Why not completely block their IP addresses?

Re:Hack back. (1)

Holistic Missile (976980) | about a year and a half ago | (#43380931)

And pass up the opportunity to have some fun with them? :-)

They seem pretty incompetent - it sounds from the OP like they are doing Christmas tree scans. Why not mess with them and waste their time?

Re:Hack back. (2)

ndrw (205863) | about a year and a half ago | (#43380819)

This is a terrible idea. You can go to jail for doing this. Don't do it.

As horrible as it sounds, this is something that a lawyer can help with. I'm sure the medical practice can afford to hire a couple of hours of legal assistance to draft a "very friendly" letter to the hospital administration warning them that their actions may be a violation of HIPAA in addition to other computer security regulations.

Flash burn. (0)

Anonymous Coward | about a year and a half ago | (#43380877)

You need to make a statement, but it needs to be about as harmful as dropping a dummy bomb 50 miles from the border of an upstart country that thinks its being cool. I'm sure you can come up with other things to do to this person to get the message across that your systems need to be left alone.

Well that certainly leaves out redirects to Goatse.cx.

Follow the chain of command. (0)

Anonymous Coward | about a year and a half ago | (#43380519)

Find out the official procedure of the hospital involving IT matters, your country's laws surrounding medical data (doctors as well as patients).

build up a social network with the hospital IT staff.

etc....

really ?

honeypot (0)

Anonymous Coward | about a year and a half ago | (#43380523)

put an interactive honeypot and see

It's a free security audit (1)

Anonymous Coward | about a year and a half ago | (#43380525)

These sorts of probes occur on the Internet by less-than-friendly attackers all the time, and there's usually nothing that the legal system can do about it. If your machines are vulnerable, sooner or later, you'll get hacked anyway. You might as well treat this as a free security audit.

Key words for me: independent practice (5, Insightful)

Anonymous Coward | about a year and a half ago | (#43380531)

Unless there are contractual terms which allow the hospital to pentest the independent medical practice, the hospital IT staff are probably violating the law. Get your legal counsel involved ASAP and let the lawyer deal with it.

Re:Key words for me: independent practice (3, Interesting)

cdwiegand (2267) | about a year and a half ago | (#43380769)

Yes - this! Just because they don't want to rock the boat, doesn't make it not a federal crime! And if they decide they don't want to follow up on the legal violation, I would tell my boss that the hospital may not be pentesting officially - it could be a corrupt IT (or even non-IT) person testing their clients w/o the hospital management's knowledge. If it's a major hospital (which most seem to be, these days), there are serious repercussions for doing that to the hospital employee. I would probably block the IP at the firewall and if they complain let them know that, per YOUR standard operating policy, the IP was perm-banned due to a large number of attacks coming from an unauthorized source. I do at my place of business (of course, I'm the CTO and a business partner to boot, so I can make those decisions).

Find someone with a clue to do your job. (0, Troll)

BitZtream (692029) | about a year and a half ago | (#43380537)

Seriously.

What's the contract between the two firms say? Are they causing you harm? Are you just being uppity about log entries?

The obvious answer to your question is that if you want to continue the relationship with the hospital, you will shut the fuck up and be happy they continue to outsource things to your firm.

It's possible that they are doing something 'wrong', for various definitions of wrong, but the fact that you asked the question here, the way you phrased the question, and the information (or lack of) that you provided lets me know that you don't actually know if what they are doing is even wrong.

I would advise the doctors to seek outside counsel from a qualified IT professional who can manage their network appropriately for the needs of medical facilities. Hell, you haven't even clarified if what they are doing is testing your HIPAA data security requirements or something other, which means you probably haven't even considered how HIPAA plays into this.

Just because you can run a Linux box and configure iptables doesn't make you qualified to do IT everywhere.

Find a clue yourself (3, Interesting)

Anonymous Coward | about a year and a half ago | (#43380655)

He had enough clue to figure out the hospital corporation was attempting to hack his system, and even did something to protect himself. That's more than most 'qualified IT professionals' can handle in their lifetime.

Just because you can boot Windows and hold a Windows Certified Administrator certificate in your hand doesn't make you qualified to do IT anywhere.

Re:Find someone with a clue to do your job. (1)

TubeSteak (669689) | about a year and a half ago | (#43380677)

What's the contract between the two firms say? Are they causing you harm? Are you just being uppity about log entries?

Fuzzing is something you do in a lab.
If someone is fuzzing a live server, they can cause it to crash.
You shouldn't wait for that to happen before telling them to stop.

If they want to fuzz your webserver, they should ask for an image that they can test in a VM.
They should not be attacking production hardware.

Re:Find someone with a clue to do your job. (2)

w_dragon (1802458) | about a year and a half ago | (#43380903)

Fuzzing should not cause a crash - a crash would be an indication that there may be a vulnerability since something isn't validating input properly. A non-production system would be worthless since there's no guarantee it would mirror the production setup. Any Internet accessible server should be able to handle any security threat that comes in. Especially a server with medical data. So long as they aren't pushing enough traffic to be a DOS attack there shouldn't be a problem with the server if it's properly programmed and configured.

Re:Find someone with a clue to do your job. (3, Insightful)

pla (258480) | about a year and a half ago | (#43380687)

Are they causing you harm? Are you just being uppity about log entries?

Flooding the logs with false positives does cause harm, in that he may miss real attacks in the flood of "test" ones.

Not to mention, who bears the liability if this testing actually manages to get in and cause data loss? The FP poster specifically mentions fuzzing inputs to the web server - That works great in a test environment; if it succeeds on a production system, god only knows what effects it will have.

My recommendation? Aggressively block this shit until your actual boss (not some random schmuck from "corporate") directly orders you to let it get through; and if ordered to let it continue, get it in writing (email would suffice).

Re:Find someone with a clue to do your job. (0)

Anonymous Coward | about a year and a half ago | (#43380989)

You don't have to be such a dick about it.

Re:Find someone with a clue to do your job. (1, Flamebait)

AK Marc (707885) | about a year and a half ago | (#43380995)

It's possible that they are doing something 'wrong', for various definitions of wrong, but the fact that you asked the question here, the way you phrased the question, and the information (or lack of) that you provided lets me know that you don't actually know if what they are doing is even wrong.

I vote he configures the server to "fail" a check, then calls the FBI and reports a HIPAA violation from a malicious attack committed by the hospital against him. Likely the hospital would be convicted for a HIPAA violation, and that might cause them to change their practices.

He indicates he talked to someone, so he's likely a typical slashdotter where he stated "you are running pen tests against my server." and they responded "yes, we are." He probably didn't officially ask for them to stop, or check whether it's a condition of connecting to the hospital network. So his complaint is "I don't know how to deal with people, how should I deal with people in a professional situation?"

Re:Find someone with a clue to do your job. (0)

Anonymous Coward | about a year and a half ago | (#43381059)

Seriously.

You don't have to be such an arrogant asshole when you reply.

Re:Find someone with a clue to do your job. (3, Interesting)

Kjella (173770) | about a year and a half ago | (#43381085)

Seriously. What's the contract between the two firms say? Are they causing you harm? Are you just being uppity about log entries? The obvious answer to your question is that if you want to continue the relationship with the hospital, you will shut the fuck up and be happy they continue to outsource things to your firm.

I wonder if you're the one who needs a clue since if shit hits the fan because there was a real attack from someone on the hospital network that goes ignored because it's assumed to be an authorized pen test it's his ass on the line. From the summary:

The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship.

I would assume that if they're even thinking about calling in law enforcement, they've done the obvious and checked if they gave permission somewhere. I think you're giving the hospital far too much benefit of the doubt here; just because corporate IT think they have permission to pen test anything connected to their network doesn't mean that it's been appropriately regulated in the agreement between the private practice and the hospital. Surely they have some form of legal representation. I'd ask:

1) The hospital is doing penetration testing on us. Assuming they should succeed, is it acceptable that they may gain control of our systems or access our practice's data? If no, then take it up with the hospital's compliance officer
2) Even if this penetration testing is permitted, how can the private practice be sure this is authorized activity and not unauthorized activity? Again, get whatever legal counsel you have to take it up with the compliance officer.

Getting law enforcement involved is only useful if you want to punish someone for what has happened; what you want here is to find a solution going forward. Just because you're both in the health business, doesn't make you the same entity. If you can get your lawyer to say that these pen tests could be a HIPAA violation of the private practice, then their IT will listen to their legal telling them to stop. Or they might stonewall and say that if they can't do security testing, you can't be on the network. Either way you're raising the flag and saying if this happens again, we can't just ignore it.

what to do next? (0)

Anonymous Coward | about a year and a half ago | (#43380543)

so far you appear to have passed the tests. upgrade your vigilance, your doctors' association with the hospital may hinge on your network security. do not complain, they are looking for something you have overlooked that could open up to the exposure of confidential records. ask your doctors for increased funding and a pay raise.

Have you tried all these? (5, Informative)

Anonymous Coward | about a year and a half ago | (#43380547)

You've told them that they don't have authorization to access your computers, and are (or would be) in violation of the law if they succeed?
You've asked for a meeting with their security people so that you can jointly plan to do whatever is needed?
You're reasonably comfortable that you indeed run a tight ship?
You've configured your firewall to drop their packets?

Re:Have you tried all these? (5, Insightful)

Dan Dankleton (1898312) | about a year and a half ago | (#43380671)

You've asked for a meeting with their security people so that you can jointly plan to do whatever is needed?

I never have mod points when there's something I want to moderate! This is the thing to do. Get in touch with the hospital's security people. If the scans are causing any problems with IT operations then arrange with them to schedule the scans differently. Otherwise, explain that you've picked up the scans and blocked them per procedure. Ask if they want you to unblock their specific scan so that they can find any issues which would reveal weaknesses you could defend against in more depth.

All this may be unwelcome but it doesn't sound like there's much you can do about it, so treat it as an opportunity.

Is this over LAN or WAN links? (0)

Dryanta (978861) | about a year and a half ago | (#43380555)

Unless this is over a WAN link, you are smoking way better dope than me if you think a crime is being committed here. If your clients are connecting to the internet through the hospital's lan and utilizing their infrastructure - they can do whatever they want on a network they administer. Solution: have your clients order their own circuit from a carrier and throw up their own routers/switches.

Re:Is this over LAN or WAN links? (1, Informative)

AK Marc (707885) | about a year and a half ago | (#43381027)

Not under HIPAA. Anyone without a medical need who accesses a medical record is breaking the law (and billing is considered a medical need). If they succeed in accessing a system during a pen test, it's a crime, even if the lease gives them "ownership" of the system, they still have no right to access anyone's medical records.

Talk to the Intrusion Crew. (4, Insightful)

darkonc (47285) | about a year and a half ago | (#43380557)

One thing to note: If they manage to get in, then it's a good thing to know about how they did it.

In the meantime, you want to talk to the crew that's doing the intrusion testing and make sure that they'll be keeping anything they find confidential, and that you'll get the results of the work that they're doing. What they're doing is annoying, but it's better to have it done by friendlies than to have someone truly hostile find some day-0s that they can use against you (presuming that you're willing to close any holes that they find).

Re:Talk to the Intrusion Crew. (1)

ttucker (2884057) | about a year and a half ago | (#43380637)

One thing to note: If they manage to get in, then it's a good thing to know about how they did it.

In the meantime, you want to talk to the crew that's doing the intrusion testing and make sure that they'll be keeping anything they find confidential, and that you'll get the results of the work that they're doing. What they're doing is annoying, but it's better to have it done by friendlies than to have someone truly hostile find some day-0s that they can use against you (presuming that you're willing to close any holes that they find).

I do not even understand how it is annoying. Is Timothy concerned that his network will be found insecure? Maybe if they were mistakenly denying service during their testing, but surely he would have mentioned that! Personally, I would love to get free security testing and auditing. From that lens, this article sounds like troll/flame bait.

Re:Talk to the Intrusion Crew. (1)

EmperorArthur (1113223) | about a year and a half ago | (#43381009)

See this comment: http://ask.slashdot.org/comments.pl?sid=3622269&cid=43380739 [slashdot.org]

It looks like some exposed services are vulnerable in a crashing two days later sort of way.

While it's nice that the problem was found, the goal isn't to DoS the hospital. I would definitely let someone know about that problem. No one wants to be the guy who ignored the warning.

Actually, I would make sure everything is documented. Especially your conversation with the higher ups and lawyers.

Re:Talk to the Intrusion Crew. (0)

Anonymous Coward | about a year and a half ago | (#43381017)

I do not even understand how it is annoying.

What is annoying is that he doesn't know if this is a security test or an actual attack. Companies conducting legitimate security probes inform the IT department ahead of time. If I was running such a system with potentially confidential information on it I would simply have called in the appropriate law enforcement agency and let them deal with the corporate staff responsible.

req more info / logs / etc (0)

Anonymous Coward | about a year and a half ago | (#43380573)

Sounds like you need to demand more information from them, even if they have commissioned an intrusion test, what if their commissioned team hadn't even started yet? you have no proof it is them.

Also, you may have a relationship with them, but it seems you/your company/your IT heads did not sanction pen testing of your network. They are breaking the law, you not reporting it is being kind, but they need to offer you far more information so you can be assured it's not actually a black hat operation in disguise.

Simple And Straightforward. (1)

Anonymous Coward | about a year and a half ago | (#43380575)

If your computers are directly attached to the hospital's property/network then they can do as they wish. There is no place for law enforcement in the matter and it is probable that your company signed an agreement that authorized this prior to you attaching to the network. If you don't like it, and politely asking them to stop has not worked, then you can remove your equipment from their property or STFU.

That being said, having a firewall and configuring it as you have claimed should have completely eliminated their ability to reach your computers at all. If they are still probing your ports, you have failed to do your job properly. The same would be true if you were outside the hospital and had the entire global internet probing your ports.

Speculation: The scanning is probably an automated system that constantly tests all hospital network resources. from the sound of it, they're running Nessus or something very much like it. Presuming that they report to you any found weaknesses, they're doing you a favor by providing a penetration testing service and saving you lots of money.

This speculation should be confirmed rather than simply assuming that they will act in your interest.

Re:Simple And Straightforward. (1)

AK Marc (707885) | about a year and a half ago | (#43381041)

If your computers are directly attached to the hospitals property/network then they can do as they wish. There is no place for law enforcement in the matter and it is probable that your company signed an agreement that authorized this prior to you attaching to the network.

If any of the tests are successful in exposing a medical record, then they violated HIPAA, regardless of whether they own the server. Having worked on medical systems, one usually installs a test database and multiple test records in the real database for testing that will never reveal a real person's records. An IT person working on a database problem who sees real user records is breaking the law, even if they own the system and are being paid to administer it.

Get it in writing (4, Informative)

Antique Geekmeister (740220) | about a year and a half ago | (#43380585)

I've been on both sides of such security probes, professionally. A legitimate organization will be willing to identify itself and name the most obvious penetration test vectors, because they will show up in the logs of someone competent. It's also especially interesting to conduct a penetration a month _before_ any announced test, and a month or two _after_, to see what has actually been changed.

But as the target of a penetration test, you should be _encouraged_ to report the attempts to the upstream provider or administration, and you should be notified of the test results. You don't indicate if you've spoken to anyone in hospital IT who has any actual authority or responsibility: a simple letter, _preferably on real paper with a real name of someone who can verify the letter_, identifying that such tests occur and where you can report them, can help protect you, and the hospital, from liability for other attacks that go unnoticed while the penetration test occurs.

I also urge you to review the regulations or laws on confidentiality of patient data. Penetration against secure data where the recovered data is not handled safely can be illegal, and a careful talk with the hospital's legal counsel can help set some guidelines. And this is just the situation where a paper trail, _on paper and kept offsite_, can protect you and your group from lawsuit or from a manager who tries to shift blame. This is especially true when the penetration succeeds, and a mid level manager uses it as ammunition to replace IT staff with a different "big vision" of how security works, even when the IT staff were prohibited by that manager from taking effective steps against the very vulnerabilities used by the penetration test. (I've seen this several times.)

Check their contracts etc. (1)

rdunnell (313839) | about a year and a half ago | (#43380589)

You say that you are "connected to" the network but you don't say what this relationship actually is. If you are hosted by the hospital (i.e. actually part of their network), then they may have an information security department who is checking all the hosts that are on their network. This may or may not be part of the contract, either as a service provided or something that is required by the contract or hosting arrangement.

If you are not actually part of their network or hosted by them, there may still be something in the contracts that says that they can do this sort of penetration testing with partner companies. It isn't the best idea to accept this as a contract term, but I have seen it requested before and it may have been in there with nobody to notice it.

I would say that whoever handles the arrangement with the hospital should probably talk with their counterpart on the hospital's side about this and learn more about why it is happening and what is done with the information.

With respect to the various posts that have/will happen about HIPAA, I would say that it's totally possible (and desirable) to have a proactive information security policy that can still comply with regulations. Proactive penetration testing is not prohibited.

Re:Check their contracts etc. (1)

Patrick In Chicago (1571139) | about a year and a half ago | (#43380715)

I have to second this reply. The hospital may be authorized to do this by the contracts mentioned above, and there may even be permission granted in the contract affiliating the physician's group with the hospital. Even if there's no contract, if you're directly connected to a hospital-managed LAN, I think they're well within their rights to attempt to penetrate any device on their network. Most concerning on your end would be if it's just a separate office not on the hospital campus network, your own internet pipe, and the hospital is attempting to penetrate your network simply because you're affiliated. Without language in the affiliation contract, that kind of action is clearly against the law.

ignore it (1)

rknop (240417) | about a year and a half ago | (#43380599)

Is it actively causing trouble? Or do you just notice it?

If it's not DOSing you, I'd just ignore it.

Points at Security Probes (0)

Anonymous Coward | about a year and a half ago | (#43380623)

Hideki!

Send them a Thank You card (2)

rgbrenner (317308) | about a year and a half ago | (#43380625)

It appears you're unfamiliar with a common practice: regularly scanning and auditing computers on your internal network to catch compromised hosts.

Since they are doing part of your job for you, send them a nice Thank You card for helping you out.

REBEL WITH A CAUSE (1)

b4upoo (166390) | about a year and a half ago | (#43380631)

The funny thing is that when law makers create a sack of new laws they never consider the effects. We have had people nailed to the cross for rather innocent computer activity. So why not make a point. Any laws that apply to individuals should also apply to large organizations. Sue them into the weeds. If your employer will not then try suing them yourself. They are making your life a living hell as you are forced to keep ahead of their hacking to keep your job. What suits the goose should certainly suit the gander. With a bit of luck you might be able to retire from the proceeds of the suits. Make no mistake. They would have you for lunch if you hacked them.

Re:REBEL WITH A CAUSE (1)

cdwiegand (2267) | about a year and a half ago | (#43380781)

Lawsuit wouldn't happen - he lacks legal standing. Unless it's his PRIVATE network. If it's the company's network (which the article rather implies), then the company has standing, but not him (the employee).

Re:REBEL WITH A CAUSE (2)

Lehk228 (705449) | about a year and a half ago | (#43380907)

career suicide to make a political point? how about noooo

Re:REBEL WITH A CAUSE (1)

tqk (413719) | about a year and a half ago | (#43381037)

Any laws that apply to individuals should also apply to large organizations.

Dreamer.

Sue them into the weeds. If your employer will not then try suing them yourself.

The judge, if s/he's in a good mood, is going to laugh that out of court. These aren't his systems. They're his employers' systems. He has no standing.

Make no mistake. They would have you for lunch if you hacked them.

True enough.

Consider a change to your network architecture (2)

mysidia (191772) | about a year and a half ago | (#43380633)

"The doctors want to maintain a relationship with the hospital and are worried that involving law enforcement would destroy the relationship. What would you advise the doctors to do next?"

Drop the issue, and secure their network, so the hospital, or anyone else outside their practice's internal LAN is not capable of probing or making unapproved connections; insert an IDS, and ensure offending IP addresses are blocked from access.
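The "insert an IDS, and ensure offending IP addresses are blocked" advice above needs some detection logic behind it. The following is an added example, not code from this thread or from any of the posters: a minimal port-scan detector that reads firewall connection records and flags any source that touches many distinct destination ports within a time window. The record format (`<epoch> <src_ip> <dst_ip> <dst_port> <action>`) and all addresses and timestamps are constructed for the example; a real deployment would feed it the practice's own firewall or flow logs. It goes slightly beyond the post by showing that a slow scan only shows up when the window is widened.

```python
"""Minimal sliding-window port-scan detector over firewall connection records.

Added example (not from the thread). Assumes one record per line in the
constructed format:  "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <action>"
"""
from collections import defaultdict, deque


def parse_record(line):
    """Split one constructed record into typed fields."""
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action


def detect_scanners(lines, distinct_ports=10, window_seconds=60):
    """Return {src_ip: (window_start_ts, sorted_ports)} for every source that
    contacted at least `distinct_ports` different destination ports within any
    `window_seconds` span. The first window that trips the threshold is kept."""
    events = sorted(parse_record(line) for line in lines)  # order by timestamp
    recent = defaultdict(deque)  # src -> deque of (ts, dst_port) inside the window
    flagged = {}
    for ts, src, _dst, port, _action in events:
        q = recent[src]
        q.append((ts, port))
        # Drop events that have aged out of the window.
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= distinct_ports and src not in flagged:
            flagged[src] = (q[0][0], sorted(ports))
    return flagged


# Constructed sample: a fast scanner, a slow scanner, and a normal HTTPS client.
FAST_SCANNER = "10.20.30.3"
SLOW_SCANNER = "203.0.113.5"
NORMAL_CLIENT = "198.51.100.9"
SAMPLE_RECORDS = (
    [f"{1000 + i} {FAST_SCANNER} 192.0.2.10 {p} DROP"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 443, 445, 3389])]
    + [f"{2000 + 30 * i} {SLOW_SCANNER} 192.0.2.10 {p} DROP"   # one port every 30 s
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 443, 445, 3389, 8080])]
    + [f"{3000 + i} {NORMAL_CLIENT} 192.0.2.10 443 ACCEPT" for i in range(50)]
)

if __name__ == "__main__":
    for label, kwargs in (("60 s window", {}), ("600 s window", {"window_seconds": 600})):
        hits = detect_scanners(SAMPLE_RECORDS, **kwargs)
        print(label, {src: len(ports) for src, (_, ports) in hits.items()})
```

Sources returned by `detect_scanners` are candidates for the firewall block list; whether a hit is the hospital's sanctioned scanner or something else is a separate question, which is why the function reports rather than blocks.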

What are they doing? (0)

Anonymous Coward | about a year and a half ago | (#43380643)

I read a lot of comments from people that may not understand what could occur. Make a lot of noise and use that noise to cover actual penetration. Start looking in the logs for something not related to that noise.

Secure your machines, nothing else (1)

OneAhead (1495535) | about a year and a half ago | (#43380649)

Our ITers are doing the same thing; they claim HIPAA regulations require them to. Although I suspect they're a bit overzealous, it's really not worth getting into trouble with them over this. The same thing probably goes for you; they can argue your presence on their network automatically makes you subject to the same checks (which I believe is actually true). The only thing you can do is make sure that all your services are secure and up-to-date and that everyone with access to your computers has taken basic security training (how to create and maintain safe passwords, how to identify phishing e-mails,...) That and installing a fail2ban (or something like that) and blacklisting the IP address(es) they use for scanning. Although the latter could be interpreted as bypassing "necessary" safety checks, you can just claim ignorance: "oh, I thought that was a compromised machine, and knowing how important security is, I dutifully blacklisted it." If the attacking machine is on the hospital network, don't forget to drily report it as "probably compromised" at the time of blacklisting, else pleading ignorance does not sound realistic. They'll probably answer "don't worry, we're testing", but that doesn't mean "lower your shields, we're testing"; the latter would be pretty weird. It's up to them to change IP address if they want to play cat-and-mouse.

Here's hoping our ITers aren't reading this ;)

Re:Secure your machines, nothing else (1)

silas_moeckel (234313) | about a year and a half ago | (#43380735)

HIPPA is pretty broadly written; it does not require a lot. But if they put scanning into the written policy then it's required by HIPPA, as HIPPA requires that they comply with their own written policy.

Much like PCI, you hire an auditing company, the larger the better; they act as the get-out-of-jail-free card if anything happens.

Re:Secure your machines, nothing else (1)

aix tom (902140) | about a year and a half ago | (#43380747)

Well, after reading all the "just blacklisting the IP addresses" I just want to point out that the "other guys" are running the network he is connected to. They *know* that a box is on the network. If it doesn't reply to their security audit, they might "assume" it's compromised and blacklist it right back.

they need to inform you (1)

stenvar (2789879) | about a year and a half ago | (#43380653)

In principle, penetration testing is a useful service. However, they need to keep you informed, because if they don't, you can't distinguish an actual attack from their penetration testing. There also need to be clear procedures spelled out for what they do if they succeed and what the consequences are.

If there is no contractual basis for them to do this, they are likely breaking the law.

Re:they need to inform you (0)

Anonymous Coward | about a year and a half ago | (#43380917)

You should also act as if it is an actual attack and act accordingly. You yourself are also responsible for security, not just the systems you put in place. Sometimes the best security you can get is looking at your logs periodically.

Let the games begin... (0)

Anonymous Coward | about a year and a half ago | (#43380673)

Handle it just as you would a real external attack. If the "attack" continues, ramp up the defenses. Report everything to the hospital's IT Security people, just like you would, presumably, in the case of a real situation.

Due Diligence (0)

Anonymous Coward | about a year and a half ago | (#43380699)

Consider this: if they can access your data, theoretically anyone can. However, if they can access your data, you're also liable for HIPAA law violations. This is akin to having legal guns pointed at you already. Also, consider that white hat penetration testers _do_ use black hat tools such as Metasploit.

I would highly suggest covering your ass while allowing them to do their job. Consider a legal agreement where penetration testing itself is allowed (especially to prevent future problems), but patient data copying is NOT allowed - with the same caliber of penalties as HIPAA law. Due to the fact that the stakes are high, and you know who the attacker is, it's also due diligence to make sure that audits (for both security hole disclosure and patient data) are done on them. Yes, this is ahead of the government law, but it's the Right Thing to do, and the law will catch up with technology. If possible, incentivize the proper disclosure of findings.

Also, to further cover your ass, consider a limited disclosure agreement of findings. This would allow the penetration testers to say "we found X problem in Y% of these computers, and Z% have been addressed" - which is good for the penetration testers. Word it such that you want to promote openness of the process - not opaqueness, with a high regard for security.

I am not a Lawyer. Patient records are Intellectual Property. I would suggest you get the counsel of an Intellectual Property lawyer (or team of lawyers). Criteria for this include:
Familiarity with the hospital, the hospital HR policies, and the data sharing process used by the hospital.
Familiarity with Intellectual Property sharing agreements, including auditing and enforcement.

Yes, this costs a little bit of money to do. No, it doesn't have to be sunk cost, especially if you can convince the lawyer that it's pretty much an open market here. If this is the lawyer's first time with this issue, the experience gained in doing this pro bono is more important than the time.

Key words connect to hospital network (1)

silas_moeckel (234313) | about a year and a half ago | (#43380705)

If your clients are connecting to the hospital network they most probably agreed to this as part of those terms of service. Blocking the attacking IPs most probably violates those terms as well.

Even if it's not baked into the TOS, HIPPA pretty much requires this sort of thing; 164.312 covers a lot of it. The specific policy is up to the hospital, pretty much letting hospital policy override other local laws if they conflict.

Have fun calling the cops; it will probably get them laughed at and their contracts terminated, as they do not understand and thus are not following HIPPA requirements. Your best next step is to get a HIPPA auditor to go over their setup, as the only way they do not fall under HIPPA is if they are on the other side of the firewall and never access any patient data, which is pretty doubtful if they do more than play minesweeper on them.

It's no problem at all. (0)

Anonymous Coward | about a year and a half ago | (#43380711)

Do what you can to put yourself in charge of the situation by scheduling them, and collecting, reacting to and reporting the results of the scans. Regular penetration testing is a good thing, and you're getting it for free. And like someone else said, try getting acquainted with the Hospital Corp. IT folks who are doing this. They probably have a schedule and a strategy with what they test, and you can too.

Make hay.

Honeypot (0)

Anonymous Coward | about a year and a half ago | (#43380717)

Put up a honeypot. Wait a while, then laugh.

Re:Honeypot (1)

Opportunist (166417) | about a year and a half ago | (#43380869)

Please, give some good advice or none at all, that's about the WORST thing you can do!

Two things (5, Insightful)

gman003 (1693318) | about a year and a half ago | (#43380731)

First, as far as the network goes, treat it the same way you would treat any attack. Block IPs, add filters, whatever you normally do. If they are simulating an attack, you should simulate a defense.

Second, the human response. Make sure that this is actually an authorized security test. Tell them that if you cannot get confirmation that this is an authorized attack, you will have to treat it as an unauthorized one, which means contacting law enforcement, as per standard protocols for dealing with health information. This is "cover your ass" stuff here - if it actually isn't authorized, and you get hacked, you're likely to take the blame for it. And if it is authorized, well, you look like you're doing your job by detecting and responding to the threat.

Unless they have written permission (1)

dutchwhizzman (817898) | about a year and a half ago | (#43380733)

Unless they have written permission, they are violating the law by probing these systems. Not only that, but they are actively trying to do something that might crash vital infrastructure and possibly injure or kill patients. Probing equipment inside a hospital without very specific knowledge of what is what and very explicit permissions and waivers is asking for very expensive lawsuits and (insurance) claims. Tell them to stop scanning your life support systems since they crash all the time when they do so. Maybe then they'll figure out that scanning every IP they can reach might not be a very smart idea....

HIPPA? (0)

Patrick In Chicago (1571139) | about a year and a half ago | (#43380755)

However you feel about the OP, let's all agree that the people quoting HIPPA regulations in the replies are idiots. It's HIPAA. Not HIPPA or HIPA or HIPPO. In a field where a single letter makes one hell of a difference (SMP or SNMP? DNS or DSN? NTP or NNTP), if you're going to give legal advice, you could at least cite the NAME OF THE FUCKING LAW correctly.

Legality (1)

Bert64 (520050) | about a year and a half ago | (#43380795)

Legally they should have informed you of their intention and gained permission before they started conducting testing...

Aside from that, they are wanting to ensure that those they do business with are doing their due diligence and not doing anything stupid that would leak their data out to the world. So long as your systems are appropriately configured the attacks will amount to nothing, and it's likely you receive similar attacks from random hosts on a daily basis anyway.

I wouldn't be surprised if the hospital had compro (0)

Anonymous Coward | about a year and a half ago | (#43380825)

About 10 years ago I worked in IT for a university; we had many PCs in research rooms connected to a hospital network. It was pretty common knowledge that the hospital network was filthy and poorly maintained.

Read your company's IT policy (0)

Anonymous Coward | about a year and a half ago | (#43380827)

And do what it tells you; if it does not, talk to your manager.

Divide in Interpretation. (1)

wisnoskij (1206448) | about a year and a half ago | (#43380837)

There seems to be a divide in how to interpret this article.

1) A third of the responses seem to conclude that these are friends and any and all attacks are simply a standard IT security test.
2) The other third seem to interpret this article as, these are separate, but connected, companies. Where one is actually trying to hack into some small time competition.
3) Then there's the few others that inexplicably seem to be saying "So What".
4) Hack them back.

The article clearly points out that these are separate companies. Even if these are just security tests it is highly illegal and if they are ever successful even more so (and letting their patient data be compromised opens up the hacked company to legal issues as well).
So I really don't understand where #1 is coming from at all. As for #3, these people should not be allowed on /. Since when has it taken an incompetent IT manager to allow hacking to be successful? Any system can be compromised, and not caring about the security of the data that you were hired to protect is insane.
As for #4, I hope you are all joking. This is, theoretically, a legal law abiding institution and no IT person should be engaging in illegal activities on the job, using the company's equipment, if he values his job.

Re:Divide in Interpretation. (2)

Firethorn (177587) | about a year and a half ago | (#43381001)

The article clearly points out that these are separate companies. Even if these are just security tests it is highly illegal and if they are ever successful even more so (and letting their patient data be compromised opens up the hacked company to legal issues as well).

I work information assurance for the government. To my mind the description screamed 'subcontractors'. I.e. while not direct employees of the hospital in question, they'd be in serious financial trouble if they lost their association with the hospital. Not necessarily friends, but they DO need to keep a good working relationship.

Now, I can't say what the exact details of the connections, agreements, and such are, but I do know that in order to hook up to one of MY networks you have to agree to meet all the requirements and be subject to all the tests a government owned machine needs to meet. If you are unable/unwilling to meet this standard, you're free to not hook anything up to said networks, order your own internet service, etc...

One of my duties is to perform the mentioned scanning/hacking attempts. There are separate teams that attempt to do more detailed hacking, up to and including coming on location and attempting to access unlocked unattended computers and doing social engineering attacks. They usually win, the question is normally how easily they win.

Anyways, many here seem to think that the penetration testing company is going to be doing something more than generate a report. It's theoretically possible they'll do more, but if the hospital has hired a legitimate company, it's unlikely. Thus all the suggestions to 'set up a honeypot' will do nothing more than generate a dirty report with false vulnerabilities and give the hospital in question cause for enough alarm to possibly cut off the doctor's connections to their network.

I'd say his best option is to get involved with the scanning. Ask to sit in on any meetings. A copy of the scan reports. IP addresses that they're coming from so you can filter them out of your logs when looking for real hacking attempts. Find out what they're going to do with said reports, etc...

In addition, lawyers are expensive and can make things complicated, I'd try to avoid involving them unless you hit a barrier you can't work around otherwise, or there's no better option. A smile and a friendly question can get you a lot more for a lot less than a lawyer.
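Two posts above ask for the same thing in practice: the earlier "What are they doing?" comment says to look in the logs for activity that is not part of the scanner's noise, and this reply suggests getting the scanner's source addresses so they can be filtered out when hunting for real attacks. The script below is an added example, not code from this thread or from any poster, of that triage. It assumes the hospital has confirmed in writing which source addresses its scanner uses (the `10.20.30.0/29` range and every log line here are constructed for the example) and that the practice's web server writes Apache/Nginx "combined" format access logs. Probing-style requests from the sanctioned range are reported separately from identical requests coming from anywhere else, which is the part that deserves an incident response.

```python
"""Separate sanctioned-scanner noise from unexplained probing in web access logs.

Added example (not from the thread). Assumes:
  * AUTHORIZED_SCANNERS holds the ranges the hospital confirmed in writing
    (the range below is constructed for this example);
  * the log lines are in Apache/Nginx "combined" format.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: source ranges the hospital's security team confirmed as theirs.
AUTHORIZED_SCANNERS = [ipaddress.ip_network("10.20.30.0/29")]

# Apache "combined" access log prefix: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request shapes that look like probing rather than ordinary use.
SUSPICIOUS = {
    "traversal": re.compile(r"\.\./|%2e%2e", re.I),
    "passwd_file": re.compile(r"/etc/passwd|/etc/shadow", re.I),
    "sql_meta": re.compile(r"('|%27)(\s|%20|\+)*(or|and|union)\b", re.I),
    "oversized_path": re.compile(r"^.{512,}$"),   # crude fuzzing/overflow indicator
}


def is_authorized_scanner(ip):
    """True if `ip` falls inside a range the hospital documented as its scanner."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_SCANNERS)


def classify_request(path):
    """Return the names of every suspicious pattern the request path matches."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(path)]


def triage(lines):
    """Return (sanctioned, unexplained): dicts of ip -> [(timestamp, path, tags)].

    Only requests that match at least one SUSPICIOUS pattern are kept; those
    from documented scanner ranges go to `sanctioned`, everything else to
    `unexplained`, which is the list an analyst should actually chase."""
    sanctioned = defaultdict(list)
    unexplained = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real tool would count these too
        ip, path = m.group("ip"), m.group("path")
        tags = classify_request(path)
        if not tags:
            continue  # ordinary traffic
        bucket = sanctioned if is_authorized_scanner(ip) else unexplained
        bucket[ip].append((m.group("ts"), path, tags))
    return dict(sanctioned), dict(unexplained)


# Constructed sample log: two sanctioned scanner hosts, one unexplained source,
# and an ordinary client.
SAMPLE_LOG = [
    '10.20.30.3 - - [05/Apr/2013:14:02:11 -0500] "GET /../../etc/passwd HTTP/1.1" 404 162 "-" "scanner"',
    '10.20.30.4 - - [05/Apr/2013:14:02:12 -0500] "GET /' + "A" * 600 + ' HTTP/1.1" 414 0 "-" "scanner"',
    '198.51.100.9 - - [05/Apr/2013:14:03:01 -0500] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [05/Apr/2013:14:05:40 -0500] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 162 "-" "curl/7.29"',
    '192.0.2.77 - - [05/Apr/2013:14:05:41 -0500] "GET /search?q=%27+union+select+1 HTTP/1.1" 500 0 "-" "curl/7.29"',
    'this line is not a log entry',
]

if __name__ == "__main__":
    sanctioned, unexplained = triage(SAMPLE_LOG)
    print("sanctioned scanner activity:", {ip: len(v) for ip, v in sanctioned.items()})
    print("UNEXPLAINED probing:", {ip: [t for _, _, t in v] for ip, v in unexplained.items()})
```

The point of keeping both buckets rather than dropping the scanner's lines outright is the one the "What are they doing?" comment makes: a noisy sanctioned scan is exactly the cover under which a real intrusion would go unnoticed, so the sanctioned bucket is still worth a glance for anything the hospital's test would not plausibly do.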

Re:Divide in Interpretation. (1)

wisnoskij (1206448) | about a year and a half ago | (#43381071)

Yes, but if these subcontractors have data that they are responsible for, they legally cannot just say, well I don't really care, hack away. Even if they signed a contract that permitted this for all computers they hooked up to the network.

It is possible that this employee is just not aware that they signed away this right, but this is a hospital with doctors and theoretically with patient data. Which makes it a whole lot different from a regular company that owns outright all data that it holds.

I have worked with psychiatrists in the past. And worked alongside data that legally could not leave a certain, specific, room without opening up the department to whoever wanted to sue them from a group of a few thousand people (let alone the government, who might also have gotten involved). They were just employees of a larger branch of a far bigger company. But that company could not even remotely scan these specific files without breaking the law.

Do I get that right? (3, Insightful)

Opportunist (166417) | about a year and a half ago | (#43380845)

Do I get this right? You are working for company A, but company B, with whom you have some kind of relationship, but are not a part of, tests your security?

First, make sure you have EVERYTHING in writing. At the very least as emails, but paper would be better. Make sure that everything you inform your IT superiors of is documented, and make sure every order you get from them is documented as well. Else selective amnesia might set in when the shit hits the fan. Tell your doctors to get in touch with the hospital CIO/CISO (or whoever is directing the tests), and make sure that they inform them that they want to cooperate to make sure the test makes sense. Else, what would you logically do? Right. Block the offending IP(s) until the storm is over. That's not really in the interest of the auditor either, since it's trivial to make something "secure" when I don't allow access to it by default and have every kind of access die at the front door (even though others might be allowed further in).

Personally I think it's highly unusual to conduct a pen test "against" a cooperating company. At the very least you should be informed that this has to happen (likely due to HIPAA or similar regulations), else the auditors are on VERY thin (juridical) ice. Essentially, they are conducting a hostile attack.

Tell your docs what the auditors do here is pretty much like performing an operation without the patient's consent; they'll immediately get that. It may be in the patient's interest, but cutting him open without immediate lethal danger and without consent is STILL a big no-no.

Re:Do I get that right? (2)

Lehk228 (705449) | about a year and a half ago | (#43380925)

I'm guessing it's a sloppy network and there is little or no distinction between hospital and other company networks, automated scans are run on entire network address ranges.

The title is unhelpful (0)

mustafap (452510) | about a year and a half ago | (#43380895)

If this is official, then it's official. If you don't like it, change jobs (or change jobs and report it if illegal).
If it's official and you don't like it, then grow up and learn to communicate with people. The organisation is bigger than your personal view point.

Honeypot (1)

EmperorOfCanada (1332175) | about a year and a half ago | (#43380919)

Set up a honeypot. If you see crap coming from that IP send it against a server that has a front that looks like yours but has nothing in it and nothing to do. That way they might tie up some bandwidth but they will waste the capacity of one useless server. You could probably set up the server on some old pile of junk seeing that nobody will actually care about its performance or reliability.

Also put the server in a bit of a DMZ so that if they do compromise it that they can't get any further. If you want to keep it extra interesting set up a few VMs on the machine with different OSs. One Linux, one BSD, One MS server, and if you are looking for a laugh something like QNX. The best part is if they ever cobble together some kind of report about how insecure you are you can point out that the "BSD" system they found is for the sole benefit of crappy hackers. For that purpose your honeypot should not be the same OS as your real servers; that way if their report makes no mention of your real OS you can say "I am 100% sure you didn't penetrate a real machine as we use OS X which you don't list in your report."

Keep in mind you won't be judged by technical people but by non-technical people. So if these security types ever make an accusation making them look like simpletons is a great defense.

Game on (1)

ewrong (1053160) | about a year and a half ago | (#43380957)

If Hospital IT speak the truth then you have a game on your hands. Win it.

So simple (0)

Anonymous Coward | about a year and a half ago | (#43381069)

That I can't believe no one else here has mentioned this. Clarify if the medical practice you are working for is subject to the IT policies of the hospital they are affiliated with. If your computers are on the hospital's network, chances are you are subject to their policies since they own the network and are responsible for its security.

If you are not subject to their IT policies, then just block them at your firewall and be done with it.

No need to go full retard and involve law enforcement or the hospital's upper management.

Might just be a pentest (1)

MadCat (796) | about a year and a half ago | (#43381113)

You might want to check the small print in whatever contract the independent practice has with the hospital. There's a chance hospital IT has hired a security firm to do a security assessment of their network, and that would include you in the scope as well.

Even if you aren't necessarily *in* the scope of the assessment, you are an attack vector into the hospital's own network and as such you will probably be probed and poked at.

Step 1 would be to ask hospital IT for the paperwork on the security assessment and see what's in scope and what's not, and if you aren't in scope, a firm statement to the effect of "get the f*ck out of my machines" would hopefully do the trick.

Following it up with some better agreements on who notifies who when things like this go down would also be a good step.

If hospital IT stays unresponsive involve law enforcement.
