Dutch MP must cough €750 for hacking into medical lab

A Dutch MP has been fined €750 (£650, $1,000) after he was convicted of illegally accessing the systems of a Dutch medical laboratory. Henk Krol claims he only accessed the systems of Diagnostics for You in order to expose sloppy security practices. The MP, who is the leader of the Dutch minority pensioners' party, 50plus, used a …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

  2. James 51

    If the patient was helping him expose the problem but not party to him going too far, why was he fined?

    1. I think so I am?

      How was it a hack

      if he followed the standard process of inputting the username and password?

    2. Yet Another Anonymous coward

      The judge was just annoyed because it's the same combination he had on his luggage.

      1. AVee

        The patient got a suspended fine, so he isn't going to pay the fine unless he is stupid enough to make the same mistakes again.

        The ruling (I've read it) is actually very balanced. This is, in short, what happened. The patient overheard a (weak, 4-digit) password accidentally. He didn't take this up with the owner of the password, nor the organisation, nor the software builder. Instead he tried whether it worked at home. The judge ruled this normally illegal but acceptable(!) in this case up to the point where it was required to prove he got access to the system. The judge fully acknowledged the bigger interest of the security of a system storing patient data there.

        The patient then called Krol, and together they again tried whether it worked. He was fined (again, a suspended fine) because he didn't try to contact any of the relevant parties but instead chose to show the password to somebody else. The judge explicitly acknowledged this would have been acceptable if the issue hadn't been fixed after reporting it in a relevant place.

        Krol went a bit further (and got a higher fine as a result). After being told about the issue he tested it together with the patient. He downloaded a few files to prove he could actually access the system, which again was deemed acceptable by the judge. He then printed some of those files, anonymized them and called Diagnostics for You, got a receptionist on the line who asked him to report this in writing so they could look into it. But he didn't; he also didn't push on or try calling somebody else but instead he called the local television station. They came over and filmed him logging in to the system and downloading patient data again, effectively showing sensitive information to journalists instead of getting the issue fixed. This is what got him fined: illegally accessing and sharing sensitive files even though there was no reason to do so.

        This ruling actually provides a nice legal framework for responsible disclosure. It boils down to this: it's OK to access systems when there is a bigger interest at stake, but report it in the right places, and keep the breach of privacy to a minimum. And if you go a bit out of your way there, you'll get a slap on the wrist.

        Krol got fined, not for hacking but because he didn't do responsible disclosure properly. I've got no issues with that; most of it is common sense really.

  3. Anonymous Coward

    What lax security?

    Bit light on detail here. Logging into a system with a valid username and password isn't lax security. What was he exposing? That he knew the password?

    1. Barticus

      Re: What lax security?

      2nd paragraph...

      The patient had apparently overheard the login information from a member of staff.

    2. James Micallef

      Re: What lax security?

      If it was just username and password, all they had to do was change the password after he informed them (if this is the case, it boggles the mind why the judge thought that he didn't give the lab enough advance warning to fix the problem).

      All in all though, looks like the judge had an uncommon amount of common sense. My feeling is that something similar in the UK / US would have prosecutors baying for his blood (or at least for a dozen years or so of porridge).

    3. Grikath

      Re: What lax security?

      Do you want your medical data, or for that fact any personal data, stored in a place/situation where login creds are shared?

      I didn't think so.....

    4. Alpha Tony

      Re: What lax security?

      If a system that contains confidential medical records is accessible from the internet with just a username and password then that is incredibly lax security. For a system of this kind offsite connection should only be via an encrypted VPN with token access. I'm amazed some script kiddie hasn't already brute-forced the system and taken them to the cleaners.

      1. Anonymous Coward

        Re: What lax security?

        "If a system that contains confidential medical records is accessible from the internet with just a username and password then that is incredibly lax security."

        Yes, you're right.

        Is it? The article doesn't say. Like I said, the article is a bit light on detail.

        You're guessing, as am I, as to what was available where.

        1. vagabondo

          Re: What lax security?

          Is it? The article doesn't say.

          The article does say that he gave an on-air demo for local television.

          1. Anonymous Coward

            Re: What lax security?

            "Is it? The article doesn't say.

            The article does say that he gave an on-air demo for local television."

            And that means it was on the internet does it? Because he did a demo on TV?

            Sorry if this sounds pedantic, but if he's exposing the weak security, presumably he, well, said what was weak about the security explicitly when he went on TV, and that could be reported?

            1. Anonymous Coward

              Re: What lax security?

              The article states that a patient overheard the username and password - that is the lax security. What is there to not understand? You should not be telling someone your username and password at all let alone within earshot of patients, hence lax security.

              You can guess that, as this was the information that was given, it was accessible via the internet and the password and username were easy enough to remember ... but this is speculation: the patient could've had a photographic memory, or a pen and paper in his hand just as it was being said.

        2. This post has been deleted by its author

        3. Anonymous Dutch Coward

          Re: What lax security?

          IIRC, Dutch media earlier reported that it is indeed only username+password, no VPNs etc.

    5. Anonymous Dutch Coward

      re: What was he exposing

      "What was he exposing? That he knew the password?"

      Yep, and that the password apparently was abysmally weak.

    6. Anonymous Coward

      Re: What lax security?

      Perhaps an RSA ID tag or something would be better?

  4. John Deeb

    about

    Perhaps not clear from the summary, but it was about getting credentials not only to access the medical files of thousands of people but also the authorization to modify any of them, so clearly no sign of any ACL in place. Records were authoritative and included information on HIV, drug abuse and so on. The scandal in my view is that information of this nature should require more than some username and password to protect it from any random access from the Internet.

  5. Graham Marsden

    Punishing whistle-blowers??

    Fining this guy, let alone fining the patient who gave him the information is ridiculously stupid and counter-productive because the only thing it's going to deter is someone else exposing completely inadequate security procedures!

    These are people's health records, they should be kept completely confidential and only be individually accessible to those who have a need to view them for a specific purpose, not "log in and cruise around until you find something you like"!

    1. Yet Another Anonymous coward

      Re: Punishing whistle-blowers??

      You're new to this planet, aren't you?

    2. AVee

      Re: Punishing whistle-blowers??

      He wasn't punished for whistle-blowing, he got slapped for excessively accessing confidential data. He was explicitly acquitted for the first time he accessed data, which the judge deemed acceptable because he needed to prove he could actually access the data. But once that was clear there wasn't a reason to access more files, especially not in the presence of others. A €750,- fine for reading and showing other confidential patient data doesn't seem especially harsh to me. Had he done no more than he needed to and had he reported it properly he would have gotten away with it. But he chose to make a show out of it instead of dealing with it responsibly.

      And the patient's fine was a suspended sentence, something the article fails to mention.

  6. Anonymous Dutch Coward

    Too many files accessed?

    AFAIR, he accessed 15 or so files, while the judge thought about 10 would be enough or something.

    Compared to the fact that he's not the guy who is responsible for the appalling security but wanted to report the problem, I think sentencing him for that is just vindictive.

    As for the fact that he didn't give the provider enough time to fix things: as others said, IT'S JUST A PASSWORD - fix it! (Oh and password complexity requirements, set up a VPN etc but first plug the obvious leak).

  7. ADJB

    And the Lab was fined how much?

  8. RonWheeler

    What about the penalty for the company that got 'hacked'?

    Have they been prosecuted for being sloppy so-and-sos yet? Especially the staff that got overheard? Assuming these are proper medical records and it isn't just journalistic hysteria, how the hell did they get away without 2-factor auth or similar? The bit the judge isn't considering is that he wasn't giving notice of a minor coding issue in the security or a recent obscure vuln. This was insecure by design.
