Opinari - Latin term for Opinion. Opinari.net is just what it seems: a cornucopia of rants, raves and poignant soliloquy.
Wednesday, October 04, 2006
Adventures in IT Security:
So you think you want electronic medical file systems? Make sure the developer is competent first:
Georgetown University Hospital suspended a trial program with an electronic prescription-writing firm last week after a computer consultant stumbled upon an online cache of data belonging to thousands of patients, Wired News has learned.
The leaked information included patients' names, addresses, Social Security numbers and dates of birth, but not medical data or the drugs the patients were prescribed, says Marianne Worley, a spokeswoman for the Washington, D.C.-based hospital known for providing emergency care to the nation's most powerful political figures.
The hospital had securely transmitted the patient data to e-prescription provider InstantDx. But an Indiana-based consultant accidentally discovered the data on InstantDx's computers while working to install medical software for a client.
The consultant responsible for the discovery, Goshen, Indiana-based Randall Perry, says bad security practices contributed heavily to the incident. Perry says he accessed the data using a password he discovered hard-coded into a popular medical practice application, where any moderately skilled user could retrieve it.
"This is just security through obscurity," says Perry. "My home network is probably 10 times more secure than what they have set up over there."
Our IT shop has strict rules about hard-coding any connection strings, DSNs, etc. DON'T DO IT. Period. Everything must be contained in a config file, whether it's the web.config file in ASP.NET or an ini file for a Windows-based application.
Of course, this applies only to future development, as we recently discovered a client/server app that pushed the admin passwords out as ASCII text to the client PCs. Obfuscation? Nah. Encryption? Pshaw. Who needs it? This is the attitude of many developers. Fortunately, our in-house dev group is paranoid about such things. Apparently, the medical records industry could use a dose of such paranoia.
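The rule above in working form, as an added example that is not from the post or from any of the products it mentions: the DSN is assembled at runtime from an ini file rather than baked into the program, and a small audit check flags source lines that embed a password in a string literal. The ini contents, the source snippet and all names in it are constructed.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Constructed app.ini: in production it is owned by the service account,
# readable only by it, and never pushed out to client PCs.
SAMPLE_INI = """[database]
driver = SQL Server
server = db1
uid = app_user
pwd = from-ini-not-source
"""

# Constructed source snippet: line 1 is the pattern the rule forbids,
# anyone who can read the binary or script recovers the credentials.
SAMPLE_SOURCE = """conn = odbc.connect("Driver={SQL Server};Server=db1;Uid=admin;Pwd=S3cret!")
conn = odbc.connect(load_dsn("app.ini"))   # fine: built from config at runtime
log.info("connecting to %s", server)
"""

def load_dsn(ini_path):
    """Build the connection string from the config file instead of a literal."""
    cfg = configparser.ConfigParser()
    if not cfg.read(ini_path):
        raise FileNotFoundError(f"config file not found: {ini_path}")
    db = cfg["database"]
    return "Driver={%s};Server=%s;Uid=%s;Pwd=%s" % (
        db["driver"], db["server"], db["uid"], db["pwd"])

# A password keyword followed by a literal value inside a quoted string.
SECRET_RE = re.compile(r"""["'][^"']*\b(pwd|password)\s*=\s*[^;"'%{][^;"']*""", re.I)

def find_hardcoded_secrets(source):
    """Return (line_no, line) for each line embedding a password in a string."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if SECRET_RE.search(line)]

def demo():
    """Load the DSN from a temporary ini and audit the constructed source."""
    with tempfile.TemporaryDirectory() as d:
        ini = Path(d) / "app.ini"
        ini.write_text(SAMPLE_INI)
        dsn = load_dsn(ini)
    return dsn, find_hardcoded_secrets(SAMPLE_SOURCE)

if __name__ == "__main__":
    print(demo())
```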