Daimakaicho, Eater of Souls wrote:
Peimei wrote:
Dread Lörd Kaolian wrote:
The local doctor's office chain has computers in each one of their examination rooms, and network ports throughout the buildings. They have ports that appear to be tied to the same switch that is running their pharmacy computers sitting in lightly traveled hallways where someone could easily sit next to a wall with a laptop in hand and no one would think anything of it. They also have at least a few computers that appear to be configured to allow booting to USB and to CD. Don't ask why I know that. Anyways, I sent them a note letting them know about a couple of the issues a few years ago. They never did anything about it. Are there many people out there who could take advantage of that? No. But all it takes is one, and given what they are running on the desktops and how obsolete some of their OS loads are, I don't have much hope that they have any blocking technologies in place at the network level.
The best part is they have all the computers in the rooms locked in these little acrylic cases that block the air vents, but leave the USB ports and the DVD drives and power buttons wide open.
I think we're just now educating the generation that will take network security seriously.
Pretty much this. While I understand the risks and concerns associated with some of this stuff, it's hard enough as it is to get many doctors to use EMR (electronic medical records); many of them don't even know how to use a computer properly. So they just block out everything having to deal with computers and leave it to somebody else. It's not as big of an issue in a big university hospital like mine, but when you're in private practice and don't have an IT department to rely on, you need to have at least a working knowledge of this stuff or you're risking the theft of a lot of very confidential information.
I do a lot of work with a clinic in town that has four locations, and the other day I was working with my PoC for the business on a machine that they needed looked at since it was acting up. I'll interject with some backstory here first. They have a 2k3sb server that runs like 25/30 CALs for the clinic with their domain. All the big wigs have admin privs, as well as some of the main receptionists (we didn't set this up; we are trying to remedy this so that no one has those privs) and one other person who is like the clinic ***** and does all the grunt work involved, like when we set up thin clients in the exam rooms he was the one who had to put in the counter tops and did all the tie downs for the wiring. He also does some of the PT stuff they also offer to their patients. Basically this guy is one of those "I USED TO DO SOME FORM OF TECHNICAL WORK SO I'M PRETTY SURE I KNOW EVERYTHING."
Back to the story at hand. When we put thin clients into the exam rooms I urged the head doctor to make sure that the providers and doctors always lock the thin clients or log off after every exam because of HIPAA. I set them up to autolock at like 1 minute just because I want them to be within all the regulations. All I had to do was mention that unlocking the thing is a minor annoyance compared to having to deal with a HIPAA violation, and he agreed. Now, this previously mentioned computer is used solely by our "tech specialist" that works for the clinic. I remoted into the machine like I would any other day and I'm looking at the desktop and I see this icon I don't really recognize; it's green and has a U on it. Derp, it's ******* uTorrent. I unleashed a verbal **** storm onto my PoC (luckily I know her personally so it's OK!). I searched and found some music that had been illegally downloaded and then I went over to the clinic personally to give them the what's up about how torrenting on a business computer is pretty much the worst idea ever.
Now, explaining how copyright laws work with regards to businesses was quite fun. I sat them down and looked straight into the doctor's eyes and was like "So, here is how this will work. Your employees are downloading music illegally on your business machines. First off they're using your equipment for personal stuff and technically it's stealing from you and the company. Secondly, if they were to get caught, guess what will happen? The lawyers don't care who is downloading the music, they care that they're doing it on the business computer, so here is the fun part. They'll go after whomever has the deeper pockets. Your employee, or the business?" Right about here is where I got the reaction I was looking for. Pure and total horror knowing that a complete idiot of an employee could completely ***** the business into nothing. I mentioned that they should adopt a zero-tolerance policy towards downloading music and I just had to flat out tell them it doesn't matter how awesome the employee is, no employee is worth losing your business over, no matter how much you might like them.
The guy no longer works at the clinic. This is one of the times I'm so glad that a company listened to my wisdom when it comes to their well being and security. So many people are completely unaware of how easy it would be to have just one person ***** their entire operation up because of one minor little security flaw.
PS: I work as that small business IT solution for companies that cannot afford a full time IT staff for their business. I absolutely love doing it because of all the opportunity I get to spend time building relationships with my customers.