Hackers and Your Medical Information

FrgMstr (Just Plain Mean, Staff member; joined May 18, 1997; 55,629 messages)
Dark Reading has a discussion about Why Hackers Love Healthcare. The top three on their list include: Highly Valuable Data, Lack of IT Investment and Training, and Highly Connected Systems. In totally unrelated news, KrebsOnSecurity points out that MEDantex, a company that supplies medical transcription services, allowed access to, and even editing and deleting of, thousands of doctors' patient records if you had a web browser.


What’s more, numerous online tools intended for use by MEDantex employees were exposed to anyone with a Web browser, including pages that allowed visitors to add or delete users, and to search for patient records by physician or patient name. No authentication was required to access any of these pages.
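The failure Krebs describes is a set of internal pages (add or delete users, search patient records) with no authentication in front of them. The following is an added example written for this thread, not MEDantex code and not anything from the Krebs report beyond the shape of that failure: a toy dispatcher where every route declares the weakest role allowed to reach it, an unlisted path or a missing session is refused before any handler runs, and handlers never see a request the gate did not pass. The route paths, roles, users and records are constructed for the example.

```python
"""
Deny-by-default route authorization (added example, not MEDantex code).

Every route in ROUTES names a minimum role.  dispatch() checks the session
against that role before calling the handler; a path not in the table is
404, a request with no session is 401, a session with too little privilege
is 403.  Paths, roles, users and records below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed role ranks for the example: an admin can do everything a physician can.
ROLE_RANK = {"physician": 1, "admin": 2}


@dataclass(frozen=True)
class Session:
    user: str
    role: str


Handler = Callable[[Session, Dict[str, str]], Tuple[int, object]]

# Constructed sample state standing in for the transcription service's data.
USERS: Dict[str, str] = {"root": "admin", "dralpha": "physician"}
RECORDS: List[Dict[str, str]] = [
    {"physician": "Dr. Alpha", "patient": "Pat One"},
    {"physician": "Dr. Alpha", "patient": "Pat Two"},
    {"physician": "Dr. Beta", "patient": "Pat Three"},
]


def add_user(session: Session, params: Dict[str, str]) -> Tuple[int, object]:
    name, role = params.get("user", ""), params.get("role", "")
    if not name or role not in ROLE_RANK:
        return 400, "bad request"
    USERS[name] = role
    return 200, f"added {name}"


def delete_user(session: Session, params: Dict[str, str]) -> Tuple[int, object]:
    name = params.get("user", "")
    if name not in USERS:
        return 404, "no such user"
    if name == session.user:
        return 400, "refusing to delete the calling account"
    del USERS[name]
    return 200, f"deleted {name}"


def search_records(session: Session, params: Dict[str, str]) -> Tuple[int, object]:
    physician = params.get("physician", "")
    return 200, [r for r in RECORDS if r["physician"] == physician]


# The route table is the policy: a path not listed here does not exist, and
# every listed path names the weakest role allowed to reach it.
ROUTES: Dict[str, Tuple[str, Handler]] = {
    "/records/search": ("physician", search_records),
    "/admin/users/add": ("admin", add_user),
    "/admin/users/delete": ("admin", delete_user),
}


def dispatch(path: str, session: Optional[Session], params: Dict[str, str]) -> Tuple[int, object]:
    """Authorization gate: runs before any handler and refuses by default."""
    route = ROUTES.get(path)
    if route is None:
        return 404, "not found"
    required_role, handler = route
    if session is None:
        # This is the check the exposed MEDantex pages were missing.
        return 401, "authentication required"
    if ROLE_RANK.get(session.role, 0) < ROLE_RANK[required_role]:
        return 403, "forbidden"
    return handler(session, params)
```

The point of keeping the role requirement in the route table rather than inside each handler is that adding a new page without a role entry makes it unreachable, not open. A record-level check (a physician may only search their own patients) would be the next layer on top of this gate; it is left out here to keep the example to the failure the article describes.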
 
And you could have the best security practices in designing your services. Wouldn't matter. Doctors are smarter than you despite not understanding how the technology they disdain works. To them it's an interruption to their work that's beneath them and shouldn't even be there, except it is also absolutely necessary to their work and they couldn't do it without it. They are about the easiest bunch to socially engineer that I have ever seen. Even if MEDantex was running their shit right, the doctors, nurses, etc. would be handing out their credentials left and right.
 
As someone who works in IT for a healthcare company, I'm not sure it's due to lack of IT investment. The company throws money at IT like mad. However, the problem is that they let the business side run things. They force us to set up machines a certain way, to allow certain connections, password policies, etc., all of which are insecure. We tell them. We escalate it. But it always gets rolled up to the higher-up management. The higher-up management team sees the cost of making something highly available and secure, then decides against it. And they force it down through management to do it the cheapest way, despite it being public facing and allowing users to sign up.

Then when things break, as they do, they go crazy and blame IT for not setting things up correctly so it would never go down. Then they throw more money at outside vendors to bring in software to do things we already have software doing in our environment. So much waste deploying things to solve problems we already have stuff in place to take care of at no additional cost.

Short version... management that knows nothing of IT forcing decisions without doing any research.
 
As someone who works in IT for a healthcare company, I'm not sure it's due to lack of IT investment. The company throws money at IT like mad. However, the problem is that they let the business side run things. They force us to set up machines a certain way, to allow certain connections, password policies, etc., all of which are insecure. We tell them. We escalate it. But it always gets rolled up to the higher-up management. The higher-up management team sees the cost of making something highly available and secure, then decides against it. And they force it down through management to do it the cheapest way, despite it being public facing and allowing users to sign up.


So you're saying IT investment isn't the problem. The problem is lack of IT investment?
 
Short version... management that knows nothing of IT forcing decisions without doing any research.

Yeah, not just IT. Anything technical. Management should have to sign something that says that they are knowingly overriding the advice of their technical staff/advisors. That way, if shit hits the fan, everyone knows exactly who to blame AND they should get penalized based on the severity of the shit.

Oh wait that's totally common sense and will never fly.
 
So you're saying IT investment isn't the problem. The problem is lack of IT investment?

Nope, it's lack of knowledge and wasting money where it isn't needed in IT. They invest a TON. But most of it is for stuff that is to solve problems that don't exist, and in the end creates problems. Or to try to solve a problem by bringing in an outside vendor and their product, spending millions on something when we already have a solution in place that does the exact thing. Or worse, is already DOING that exact thing, but they don't realize it.
 
Nope, it's lack of knowledge and wasting money where it isn't needed in IT. They invest a TON. But most of it is for stuff that is to solve problems that don't exist, and in the end creates problems. Or to try to solve a problem by bringing in an outside vendor and their product, spending millions on something when we already have a solution in place that does the exact thing. Or worse, is already DOING that exact thing, but they don't realize it.

And that's why you keep all of this info in writing. Make sure all issues/security concerns are in the email, and don't do anything until management gives written approval. Then when they come after you for 'not setting it up right' you forward that email chain. In fact there should be policies in place, and anything outside of that requires a written/approved exception.
 
Don't companies like these have to comply with HIPAA? IIRC, you can be fined just for not properly securing data covered by HIPAA, even if there is no actual exposure of said data to a non-authorized party.
 
How many times have I seen my doctor run out of the room to get something and not come back for 20 minutes. I could download a lot of data onto a USB stick in that time. At least they should have auto logout...but hey, that would inconvenience the doctors and nurses. Though I have to say the nurses do usually log out...better training I guess...or more worried about job security (there's an MD shortage around here).
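The auto-logout the post asks for is an idle timeout on the session, enforced server-side so it does not depend on the workstation. The following is an added example written for this thread, not code from any EHR product or vendor mentioned here: a session store that records each session's last use, refuses and discards a session that has been idle past the limit, and also caps the absolute lifetime so a session kept busy all day still ends. The 5-minute idle limit and 8-hour lifetime are assumptions, and the clock is injected so the 20-minute scenario can be exercised without waiting.

```python
"""
Idle-timeout auto-logout for sessions (added example, not vendor code).

touch() is called on every request with the client's token.  It returns the
user and refreshes the idle timer while the session is live, and returns
None (dropping the session) once the session has been idle past
idle_limit_s or has existed longer than max_lifetime_s.  Limits are assumed
values for the example; the clock is injectable for demonstration.
"""
import secrets
import time
from typing import Callable, Dict, Optional


class SessionStore:
    def __init__(self, idle_limit_s: float = 300.0, max_lifetime_s: float = 8 * 3600.0,
                 clock: Callable[[], float] = time.monotonic):
        self.idle_limit_s = idle_limit_s
        self.max_lifetime_s = max_lifetime_s
        self.clock = clock
        self._sessions: Dict[str, dict] = {}

    def login(self, user: str) -> str:
        # 256-bit random token; the token is the only thing the client holds.
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def touch(self, token: str) -> Optional[str]:
        """Validate a request's token; None means the caller must log in again."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        idle_too_long = now - s["last_seen"] > self.idle_limit_s
        too_old = now - s["created"] > self.max_lifetime_s
        if idle_too_long or too_old:
            del self._sessions[token]   # auto-logout: the session no longer exists
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def active_count(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Controllable clock for the demonstration; real code keeps time.monotonic."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> Dict[str, object]:
    """Walk one session through the unattended-workstation scenario."""
    clock = FakeClock()
    store = SessionStore(idle_limit_s=300, max_lifetime_s=8 * 3600, clock=clock)
    tok = store.login("dralpha")
    out: Dict[str, object] = {}
    clock.advance(240)
    out["used_at_4min"] = store.touch(tok)        # live: 4 min is under the 5 min idle limit
    clock.advance(240)
    out["used_at_8min"] = store.touch(tok)        # live: the idle timer was reset at 4 min
    clock.advance(20 * 60)
    out["after_20min_idle"] = store.touch(tok)    # None: the doctor left the room
    out["sessions_left"] = store.active_count()   # 0: the idle session was dropped

    # A session used every minute still ends at the absolute lifetime.
    start = clock.now
    tok2 = store.login("nurse")
    user: Optional[str] = "nurse"
    while user is not None:
        clock.advance(60)
        user = store.touch(tok2)
    out["lifetime_reached_after_s"] = clock.now - start   # first check past 8 h: 28860
    out["sessions_left_after_lifetime"] = store.active_count()
    return out
```

Checking the token on the server on every request is what makes this hold up when the client is a browser tab someone walked away from; a client-side screensaver alone does nothing for a session the server still considers live.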
 