Featured Post

Musing on the Interaxon Muse Meditation Headband

"For this calibration, find a comfortable position and take a deep breath". The computer brain interface world is getting int...

Wednesday, November 21, 2012

Ethical hacking to prevent health records held for ransom




A story about hacking that had a different angle was of interest to our privacy and security group. In this scenario, the hackers did not maliciously penetrate a system to cause chaos and destruction, but to virtually hold for a ransom a huge store of health records and personal health information.



Hacker holds patient health information for ransom

A Virginia hacker is asking for $10 million in exchange for the safe return of the personal health and prescription drug information of 8.3 million patients, HealthLeaders Media reported on May 5.

The hacker allegedly stole the information from the Virginia Prescription Monitoring Program’s (VPMP) Web site, which tracks prescription drug abuse and contains 35.5 million prescriptions in addition to enrollees’ personal information, including names, social security numbers, and addresses.

The hacker, who replaced the VPMP site with a ransom note, claims to have deleted the original back-up file for the information and created a new password-protected back-up file.

The VPMP site and the Virginia Department of Health Professions site are both temporarily disabled and the incident is under federal investigation.

This is when I realized that healthcare institutions need certified ethical hackers. These are the "white hat" hackers, who have a code of ethics, who know how to find the flaws in system security and work to prevent the "black hat" hackers from gaining admission.  In fact one in our group who works in healthcare said "oh, we do that." It is good to know there are ethical hackers in healthcare.  One of my earlier posts on this blog was about a computer security expert who hacked his way into an insulin pump, which fortunately was his own.

The White Hat Ethical Hacker Code of Ethics:


This CODE OF ETHICS expresses the consensus of the profession on ethical issues and is a means to educate both the public and those who are entering the field about the ethical obligations of all e-commerce consultants. By joining EC-Council each member agrees to:
Privacy:
Keep private any confidential information gained in her/his professional work, (in particular as it pertains to client lists and client personal information). Not collect, give, sell, or transfer any personal information (such as name, e-mail address, Social Security number, or other unique identifier) to a third party without client prior consent.
Intellectual Property:
Protect the intellectual property of others by relying on her/his own innovation and efforts, thus ensuring that all benefits vest with its originator.
Disclosure:
Disclose to appropriate persons or authorities potential dangers to any e-commerce clients, the Internet community, or the public, that she/he reasonably believes to be associated with a particular set or type of electronic transactions or related software or hardware.
Areas of Expertise:
Provide service in their areas of competence, being honest and forthright about any limitations of her/his experience and education. Ensure that she/he is qualified for any project on which he/she works or proposes to work by an appropriate combination of education, training, and experience.
Unauthorized Usage:
Never knowingly use software or process that is obtained or retained either illegally or unethically.
Illegal Activities:
Not engage in deceptive financial practices such as bribery, double billing, or other improper financial practices.
Authorization:
Use the property of a client or employer only in ways properly authorized, and with the owner’s knowledge and consent.
Disclosure:
Disclose to all concerned parties those conflicts of interest that cannot reasonably be avoided or escaped.
Management:
Ensure good management for any project he/she leads, including effective procedures for promotion of quality and full disclosure of risk. 
Knowledge Sharing:
Add to the knowledge of the e-commerce profession by constant study, share the lessons of her/his experience with fellow EC-Council members, and promote public awareness of benefits of electronic commerce.
Confidence:
Conduct herself/himself in the most ethical and competent manner when soliciting professional service or seeking employment, thus meriting confidence in her/his knowledge and integrity.
Extreme Care:
Ensure ethical conduct and professional care at all times on all professional assignments without prejudice.
Malicious Activities:
Not associate with malicious hackers nor engage in any malicious activities.
No Compromise:
Not purposefully compromise or cause to be compromised the client organization’s systems in the course of your professional dealings.
Legal Limits:
Ensure all penetration testing activities are authorized and within legal limits.

Involvement:
Not partake in any black hat activity or be associated with any black hat community that serves to endanger networks.
Underground Communities:
Not be part of any underground hacking community for purposes of preaching and expanding black hat activities.