(Thanks to Mickey for this one!)
People are fighting back by “battling large, remote-controlled herds of hacked personal PCs, also known as “botnets”” and –according to the Washington Post— HIPAA is turning out to be a potent weapon:
Albright spied one infected PC reporting data about the online activities of its oblivious owner — from the detailed information flowing across the wire, it was clear that one of the infected computers belongs to a physician in Michigan.
“The botnet is running a keylogger, and I see patient data,” Albright said. The mere fact that the doctor’s PC was infected with a keylogger is a violation of the Health Insurance Portability and Accountability Act (HIPAA), which requires physicians to take specific security precautions to protect the integrity and confidentiality of patient data. “The police need to be notified ASAP to get that machine off the network.”
HIPAA seem to be one of the only legal tools available:
March 22, 2006
Albright said that while federal law enforcement has recently made concerted efforts to reach out to groups like Shadowserver in hopes of building a more effective partnership, they don’t have the bodies, the technology, or the legal leeway to act directly on the information the groups provide.
“Our data can’t be used to gather a warrant,” Albright said. “Law enforcement has to view the traffic first hand, and they are limited on what and when they can view.”