Hospital Breach by Job Applicant

During a bond hearing Thursday in Superior Court, Wheeler’s Macon attorney Reza Sedghi described his client’s actions as a job application gone awry with “no criminal intent or compromise of sensitive patient information.” Sedghi said Wheeler had obtained access to the database with a password and access codes obtained while working on a Macon physician’s connectivity problems with the hospital.

The attorney said Wheeler uncovered seven flaws in the hospital’s system and sought to use the discovery to land a job with the countywide medical complex, spending several hours with Rhodes and David Griffin, the hospital’s security chief.

“They asked for and received a copy of his resume and a written report of his findings,” Sedghi reported in court. “Then they walked out of the conference room and returned with two Warner Robins police officers.”

Wheeler’s acts were stupid, the Macon attorney conceded, but “he had no malicious intent. He was the one exposing the flaws.” (source)

I must admit that I’m a bit torn by the story of this kid, who I believe didn’t have any malicious intent when he breached the hospital’s security system. The crazy thing is that if he had had malicious intent, they likely would never have known that these security holes existed, or that he had walked through them.

Certainly the kid was dumb to have done it, but the reaction by the hospital system is terrible. Here’s a quote from the same article excerpted above:

“I condemn any effort of any party to justify his acts,” Rhodes [CIO] said in an exclusive Warner Robins Patriot interview. “This is a criminal act and he did not do Houston Healthcare or its patients any favors. His actions were illegal and we will support the authorities in prosecuting this to the full extent of the law.”

Talk about a major overreaction. Of course, condemning any effort to justify his acts only makes people more interested in doing so. Honestly, Robert Rhodes, chief information officer for Houston Healthcare, just sounds like an angry CIO whose security efforts were torn to shreds by a 21-year-old. I’d be angry too if I were Robert Rhodes. Mostly because Robert Rhodes is the one who should be fired for having such porous security, and they should hire Christopher Wheeler to help them actually implement some real security.

Of course, the CIO is quick to point out that “He did not breach our internet security. He got in through a stolen password. He didn’t discover a breach. He was the breach.”

This is just wrong. The password wasn’t stolen; it was given to him as part of his duties to help the doctor connect to the hospital. That’s not a breach. What’s insane is that a doctor’s password carried enough access to open all these back doors and expose seven flaws in the hospital’s IT systems. The CIO should be held accountable for that. So much for giving users only the access they need. Or maybe the doctors at Houston Healthcare need that ability. Yeah, right. And handing a physician’s own password to an outside technician to fix a connectivity problem, instead of giving him a temporary account limited to that one task, is a failure of the hospital’s process before anyone even logged in.
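To make the least-privilege point concrete, here is an added example (not code from the original post and not Houston Healthcare’s system; the roles, resource names, accounts and timestamp are all hypothetical and constructed for illustration). It shows a deny-by-default permission check in which a physician credential cannot touch database administration at all, a time-boxed support account scoped to the single resource a connectivity ticket is about, which is what an outside technician should have been issued, and a small audit that lists the permissions an account holds beyond its expected role.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Hypothetical role-to-permission map, constructed for this example.
# Each role gets only what that role's work actually requires.
ROLE_PERMISSIONS = {
    "physician": {
        ("ehr.patient_chart", "read"),
        ("ehr.patient_chart", "write"),
        ("ehr.orders", "write"),
    },
    "db_admin": {
        ("db.config", "read"),
        ("db.config", "write"),
        ("db.accounts", "write"),
    },
    "support_tech": {
        ("net.vpn_profile", "read"),
        ("net.vpn_profile", "write"),
    },
}


@dataclass(frozen=True)
class Account:
    user: str
    roles: FrozenSet[str]
    # Standing accounts have no expiry; delegated support accounts do.
    expires: Optional[datetime] = None
    # If set, the account may only touch these resources, even where its
    # roles would otherwise allow more.
    scope: Optional[FrozenSet[str]] = None


def permissions_for(account: Account) -> Set[Permission]:
    """Effective permissions: union of the account's roles, cut down to its scope."""
    perms: Set[Permission] = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    if account.scope is not None:
        perms = {p for p in perms if p[0] in account.scope}
    return perms


def is_allowed(account: Account, resource: str, action: str, now: datetime) -> bool:
    """Deny by default: an expired, out-of-scope or unmapped request is refused."""
    if account.expires is not None and now >= account.expires:
        return False
    return (resource, action) in permissions_for(account)


def issue_support_account(user: str, task_resource: str, now: datetime,
                          hours: int = 4) -> Account:
    """What the technician should have been given instead of a doctor's password:
    his own account, limited to the one resource the ticket concerns, and dead
    after a few hours."""
    return Account(
        user=user,
        roles=frozenset({"support_tech"}),
        expires=now + timedelta(hours=hours),
        scope=frozenset({task_resource}),
    )


def over_privileged(account: Account, expected_role: str) -> Set[Permission]:
    """Audit helper: permissions the account holds beyond its expected role."""
    return permissions_for(account) - ROLE_PERMISSIONS[expected_role]


def demo() -> dict:
    now = datetime(2009, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    doctor = Account("dr_smith", frozenset({"physician"}))
    # A physician account that was also granted db_admin: the failure the post describes.
    bloated_doctor = Account("dr_jones", frozenset({"physician", "db_admin"}))
    tech = issue_support_account("contractor", "net.vpn_profile", now)

    return {
        "doctor_reads_chart": is_allowed(doctor, "ehr.patient_chart", "read", now),
        "doctor_edits_db": is_allowed(doctor, "db.config", "write", now),
        "bloated_doctor_edits_db": is_allowed(bloated_doctor, "db.config", "write", now),
        "bloated_doctor_excess": sorted(over_privileged(bloated_doctor, "physician")),
        "tech_fixes_vpn": is_allowed(tech, "net.vpn_profile", "write", now),
        "tech_reads_db": is_allowed(tech, "db.config", "read", now),
        "tech_next_day": is_allowed(tech, "net.vpn_profile", "write", now + timedelta(days=1)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The audit helper is the part worth running against a real directory: any physician account for which `over_privileged(account, "physician")` is non-empty is exactly the kind of credential that lets a connectivity ticket turn into seven findings.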

I don’t want to give the impression that security isn’t important. It is, and what this guy did was wrong; he’ll answer for it in the legal system. Although it does seem that there was no malicious intent, so some leeway should be given there. However, a CIO accepting a C-level executive salary for responsibility over a network with so many security flaws that a 21-year-old with a doctor’s password could expose them sounds far more inappropriate to me.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

3 Comments

  • It’s obvious the hospital is simply trying to make him the scapegoat for their own security flaws. The kid isn’t as dumb as you think; things like this happen in the hacker world all the time. Most of the time the white hat hackers get jobs in the fallout of situations like these.

    The hospital should truly hope that this story doesn’t go viral.

  • Yeah, the kid made poor judgments. But I agree that Rhodes should be fired and is embarrassed by all the flaws this boy found. It would be a shame to make a scapegoat of this kid. Depending on how you hack, it’s not necessarily illegal. If he did not compromise any patient information, then I hope that he will be off the hook. An investigation should be made into Rhodes and his team.

  • Oh yeah… I read somewhere else that they are trying to blame their $100,000 third-party expenses on this kid. Ha ha, it’s ridiculous. They could have just hired him at 30k a year and he could have fixed the flaws and maintained their system.
