Comment Re:Wrong issue (Score 3, Interesting) 137
The private sector indeed is just as capable at screwing this up. In my own experience doing some moonlighting systems/network consulting, I have come across a Doctor's office that had a wide open network hanging off of a cable modem connecting with a Comcast business account, no firewall, Windows desktops completely open. The home-based DLink router they had as a central hub did actually have some base firewall capabilities, but was a previous consultant thought it was interfering with a software capability to talk to the insurance company, and so thoughtfully turned it off completely.
You would think a hospital with their own full time technical staff might rank better. A prominent Boston area hospital was building out a branch location in the suburbs. I visited to install an Oracle server, and noticed that because of constraints on network cabling at the time, they were using Linksys wireless through-out the office for connectivity, with no encryption. I raised this concern immediately with the director of the office, but was told not to worry, as this was only a "temporary" solution until they could get a cabling vendor in to run something more formal. My largest concern was that this office was still directly tied into the back-end of the main hospital data network, and thus, from the parking lot, it was trivial at best to get onto the hospital network.
I understand these are only two limited examples, but their still lacks any real capabilities to be able to keep medical records secure through-out the chain. Until something akin to PCI for medical records really takes place, complete with audit controls, etc, I don't see the situation changing all that much. PCI itself has flaws, but it is an attempt to actually place controls on credit card data from swipe to credit card company.
You would think a hospital with their own full time technical staff might rank better. A prominent Boston area hospital was building out a branch location in the suburbs. I visited to install an Oracle server, and noticed that because of constraints on network cabling at the time, they were using Linksys wireless through-out the office for connectivity, with no encryption. I raised this concern immediately with the director of the office, but was told not to worry, as this was only a "temporary" solution until they could get a cabling vendor in to run something more formal. My largest concern was that this office was still directly tied into the back-end of the main hospital data network, and thus, from the parking lot, it was trivial at best to get onto the hospital network.
I understand these are only two limited examples, but their still lacks any real capabilities to be able to keep medical records secure through-out the chain. Until something akin to PCI for medical records really takes place, complete with audit controls, etc, I don't see the situation changing all that much. PCI itself has flaws, but it is an attempt to actually place controls on credit card data from swipe to credit card company.