Health Care Security: Serious Business

3:32 PM -- RSnake yesterday shed some light on the upcoming audit of hospitals by PriceWaterhouseCoopers and the Center for Medicare and Medicaid Services. I'm hoping that the audit takes a look at more than just hospitals, though -- otherwise this will end up being another story of "too little, too late." (See Hospitals Go Under the Microscope.)

Insider attacks are potentially harmful to any company, but they are especially dangerous in the health care field, where a system failure could affect lives. Yesterday, the courts threw the book at Yung-Hsun Lin, a former sysadmin who attempted to delete data from approximately 70 servers at Medco Health Solutions Inc.

Had Lin's attack succeeded, it might have prevented Medco prescription cardholders from being able to get the medicine they needed. The U.S. Attorney’s office took that threat seriously -- the 30-month federal prison sentence may be one of the longest sentences ever given for intent to damage a company’s computer network.

Will Lin's tough sentence be a wake-up call to insiders who threaten corporate computer assets, particularly in health care? Optimistically, we can hope that it will serve as a deterrent for disgruntled employees looking to take out their anger on their employer because they didn’t get the promotion they deserved.

Unfortunately, there’s another side of the coin -- employees will smarten up and recognize that they need to be more thorough at disguising their efforts to harm and defraud their employers. Even Lin attempted to disguise his attack by spreading the malicious code across several scripts, but his first attempt failed because of a flaw in his programming, according to court documents.

Someone should have told Lin about Roger Duronio, who was sentenced to 97 months in prison for successfully taking down more than 2,000 servers at UBS PaineWebber. Duronio's sentence showed that the courts aren't going to go easy on insiders who damage their companies' systems.

It’s time for health care companies -- hospitals, prescription card providers, and health insurance companies -- to sit up and take notice. Leaking or tampering of medical data could have a serious, even lethal impact on those affected.

– John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading