Subject: HISAC News
From: Jeffery Stutzman (henrybasset@chesapeake.net)
Date: Sat Apr 22 2000 - 10:18:20 CDT
Welcome to this week's edition of the Healthcare ISAC news. For those of
you unfamiliar with the ISAC concept, ISAC stands for Information
Sharing and Analysis Center. ISACs are intended to facilitate sharing of
information between concerned parties within a sector of industry for
the common good. We at the Healthcare ISAC (HISAC) are currently
involved in building a template job description for a Healthcare INFOSEC
Project Manager. Next will be a job description for an Information
Security Manager and Administrator.
For more information, please view our website at www.info-security.net
Now, on to the news:
===========================================================
Impersonator raises concerns over security at UCLA Med Center
===========================================================
Comments: Here is an example of a not so obvious security issue. One
would want to believe that every employee working in a hospital would
have had a background check completed PRIOR to employment. Especially in
an area where lives are at stake. Now, let me give you something to
think about.
This 27-year-old impostor could easily have carried out potentially
several millions of dollars worth of data, and probably would not have
been caught until it was too late. There were over 50 physical entry
points into this facility. How many access points were there to their
information systems? Let's not forget all of the communications leaving
the building -- how many unguarded computers would have lent themselves
to the unscrupulous endeavors of a computer savvy 27-year-old that
needed money, drugs, or both. Now, how would your
security system handle such a threat? You probably have policies in
place to deal with the theft of narcotics on the third shift, but what
about theft of data by a 27-year-old with access to the system granted
under false pretenses? How long could your company survive? Have you
considered the PR damage?
-----------------------------------------------------------
April 13, 2000
Impersonator raises concerns over security at UCLA Med Center
By Kiyoshi Tomono, Daily Bruin
U. California-Los Angeles
Adam Litwin is not a doctor, but for six months early last year, he allegedly impersonated one at UCLA Medical Center.
Despite a continuing effort to improve security at the medical center, Litwin was reportedly able to move freely through the hospital, including areas like the operating room and the emergency room, posing as a surgical resident who had just transferred to UCLA.
"My understanding is that UCLA did an investigation into this and did not find that he had any contact with patients," Deputy City Attorney Mark Lambert said.
"There's evidence that he was there almost six months before he was apprehended, but whether he was there constantly or once in a while is still not clear," he said.
Los Angeles City Attorney Jim Hahn, in the meantime, charged the 27-year-old with nine counts of criminal charges on Friday, including two counts of forging a prescription, and one for false use of a medical title.
Litwin's attorney was unavailable for comment on Wednesday and Litwin's grandfather, Emil Litwin, and his father, Stanley Litwin, declined to comment.
Starting in January of last year, Lambert said, Litwin was able to ease his way through the medical center reportedly wearing a laboratory coat with his picture and name silk-screened on the pocket and a forged and stolen identification badge that he partially hid behind a meal ticket.
The combination was unusual enough, though, to arouse suspicion in a supervising physician in June 1999, who went to the personnel office to investigate further, according to medical center officials.
"She was suspicious because, knowing medical terminology, she felt he didn't know enough," said David Langness, director of health sciences communications. "She went to the surgery residency program coordinator and asked who the person was. When she found out there was no such person, she called the police."
Litwin was eventually arrested in June, when, according to Lambert, Litwin once again showed up at the medical center and the supervising physician called the police.
Throughout the period, UCLA Medical Center security had been on alert for Litwin, who often frequented the cafeteria and a doctor's lounge, which he accessed with a stolen key, according to Lambert.
The alleged impersonation comes in the midst of several major changes in medical center security. Medical Center officials recently began a campaign to replace current hospital IDs with new counterparts that double as BruinCards.
The center is also installing access devices, similar to those currently being used in UCLA dorms, to limit entry to medical areas.
"The Center for Health Sciences comprises 3.1 million square feet and the UCLA Medical Center is part of that. There are over 50 entrances," said Scott Martin, director of medical center security.
"It is impossible to provide access control system for the entire complex. But, we do have access control systems in place in the 200 and 300 Medical Plazas, and our goal will be to attempt to introduce access control systems in sensitive areas."
Included in that list of sensitive areas are the pharmacy, the department of labor and delivery, and pediatrics. Martin said the latter two areas are of high priority because they contain patients who need protection.
"We are also able to include with the badge a special icon or bit map for sensitive areas, like a baby bear for labor and delivery," Martin said. "Part of the education piece for our patients in labor and delivery will be that if someone is not wearing an ID badge, then never hand over your baby. If they do not have the baby bear, do not surrender your baby and question who it is."
Despite the recent allegations against Litwin, Martin said the medical center will continue with its updated security plan as they had before.
"Immediately, we will continue with what has proven to be the best form of dealing with this type of incident, and that is education," Martin said.
"As far as the level of crimes and incidents that are occurring, we are right where we should be, and better than other hospitals who don't have the unique protection of having a police department right on campus."
As high-tech as the medical center might get, it was human beings and not electronic security devices that eventually alerted the police to Litwin.
Though security may have been aware of Litwin's movements in the hospital, they played a limited role in apprehending him, according to Martin.
"The UCLA Medical Center Security department's involvement was minimal in having been aware that a person was impersonating a doctor. We received a description, and kept an eye out for that individual," Martin said. "There was a doctor who recognized him, and when she saw him again, UCPD was notified."
After arresting Litwin in the doctor's lounge, UCPD officers searched Litwin's car, which was parked in a lot at the medical center reserved for physicians.
In the vehicle, officers allegedly found a parking pass which had been reported stolen in March by a medical center physician. Officers also found medical paraphernalia and doctor's orders for medications that had allegedly been signed by Litwin.
"We have evidence that prescriptions were delivered to the pharmacy and there's evidence that others might have been involved in trying to pick up the prescriptions," Lambert said. "Whether that person was a patient of his, a friend of his, or whether they were for Mr. Litwin himself, we don't have conclusive evidence of that."
While there continue to be several facts that the city attorney's office has yet to sort out about the case, Lambert said it's clear to him Litwin wanted to be recognized.
"It's unusual that somebody would be able to impersonate a medical doctor for that long a period of time," Lambert said. "Another thing that's unusual is that he was not trying to keep himself hidden. He clearly wanted people to notice him."
Litwin is scheduled to be arraigned May 3 in Los Angeles Superior Court.
========================================================
More Headlines from the week:
(Compiled by http://hackerwhacker.com/)
========================================================
Cisco IOS Software TELNET Option Handling Vulnerability
Hacker Case Arrest Belies Real Challenge
Instant Messenger, or Instant Security Risk?
'Mafiaboy' Charged in DoS Attacks
Author put back door in popular shopping cart software
Web sites of Falun Gong hit
Hacker Guilty in Federal Web Intrusions
Doomsday Cult's Military Ties
Security Company Applies a Human Touch
MS admits planting secret password
Threats from cyberterrorists
Data Spill Causes De Beers Site Security Leak
WebTV hit by Melissa-like bug
Army on hacker alert
Here is a virus that could bring down an international infrastructure!
I Call It Spyware. So Sue Me!
Let's Review: How Secure Is Your System?
Bill Gates Among Victims of Hackers
A Brick Through a Window - Opinion by John C.Dvorak
Berkeley man indicted, charged with hacking government computers
Computer crime in US surges to $17 billion
=======================================================
Who got hacked this week? (compiled by
http://www.attrition.org/mirror/attrition/)
=======================================================
Comments: Be advised, these links go directly to the mirror of the site
after the attack. Rated R. One thing you should note... Each of these
sites was running Windows NT - the most common system in the industry.
Probably each of these defacements was made through previously known
vulnerabilities. As a matter of fact, most intrusions are due to either
a missing security patch, or other simple fixes such as passwords left
as default, or easily guessed.
Department of Health and Human Services (BTW, who is writing the HIPAA
security standard)
http://www.attrition.org/mirror/attrition/2000/04/21/www.foh.dhhs.gov/
Superstition Mountain Medical Health Center
http://www.attrition.org/mirror/attrition/2000/04/20/www.smmhc.org/
Alabama State Nursing Board
http://www.attrition.org/mirror/attrition/2000/04/19/www.abn.state.al.us/
So, until next week,
Jeff Stutzman
Healthcare ISAC
www.info-security.net