How Safe Are Your Medical Records?
BEYOND BREAKING INTO a hospital network, what did we accomplish? Throughout the experiment, we experienced the joy and fear of teaching students about IT security. Did we pick students who would turn around and use the knowledge against a company? Against the school? Or would they understand the heaviness and responsibility of their knowledge and use it to make CIOs aware of vulnerabilities in their security? Happily, our student collaborators understood their roles and acted responsibly. At the conclusion, Thayer and Leader presented the findings of the network security project at SU to President L. Jay Lemons, Provost Linda McMillin and Huber in a closed meeting.
We also wanted our students to learn (a little) about defending a network. With this in mind, we arranged for Thayer and Leader to go to California and meet with the heads of IT security at Sutter Health and Intel and with a senior consultant at SAIC (Science Applications International Corporation) who was previously the CSO (chief security officer) at Wells Fargo Bank. The executives Thayer and Leader met with shared their approaches to securing their institutions, and some of the headaches they have encountered in doing so. As a follow-up to these discussions, the head of IT security at Intel, Malcolm Harkins, is joining Susquehanna this spring in teaching a Business IT Security course. This course will expand on the discussions we had while visiting him last spring, and will then culminate in war games to be played by the students in the war game room at Intel.
The findings on the hospital assessment were presented at DefCon this summer. DefCon is perhaps the most respected underground IT security conference. We were heartened to speak to executives and security people in the health care industry and government policymakers. It is our goal and hope that the security tenets of HIPAA are strengthened and that those in positions to influence policies and the general care and transmission of medical records will take heed of just how vulnerable our information is. In the meantime, we are pleased to say that Thayer and Leader both took it upon themselves to hunt down Internet-facing vulnerabilities in government and corporate Web sites and to write letters to the respective CIOs.
An intruder impersonates either a victim computer or a router on the network.
The encrypted headers are stripped from the data packets, leaving only the plain-text message and thereby exposing the data.
Internet-facing vulnerabilities (specifically the search highlight function):
These are vulnerabilities that enable attackers to access internal servers or to mask their location and cover their tracks as they attack some other network.
Shana Dardan is assistant professor of information systems at Susquehanna University.
Eric Smith is assistant director for information security and networking at Bucknell University.