Another Reason to Put Everyone's Confidential Medical Information Into Today's Massively Secure (Surely They Are, No?) EHR systems

Office of Inspector General
Department of the Treasury
Oct. 17, 2013
Audit report

INFORMATION TECHNOLOGY: OCC's (Office of the Comptroller of the Currency) Network and Systems Security Controls Were Deficient

PDF available at: http://www.treasury.gov/about/organizational-structure/ig/Audit%20Reports%20and%20Testimonies/OIG-14-001.pdf

Highlights:

... To accomplish our objective, we performed a series of internal and external vulnerability assessments and penetration tests on OCC’s workstations, servers, network-attached peripherals (such as cameras and printers), infrastructure devices, and Internet websites.

... We determined that OCC’s security measures were not sufficient to fully prevent and detect unauthorized access into its network and systems by internal threats, or external threats that gained an internal foothold. Also, OCC’s security measures were not adequate to fully protect personally identifiable information (PII) from Internet-based threats.

We found that default factory-preset administrative usernames and passwords were present in OCC’s systems. In one test we conducted, we discovered a default username and password of an internal service account on an OCC server which had local administrator privileges. We used those privileges and deployed our penetration test tool’s agents to the host server. That server contained password hashes for local and domain administrator accounts. Using these hashes, we obtained a domain administrator’s password, which we th...

Source: Health Care Renewal
Category: Health Medicine and Bioethics Commentators
Tags: computer security, medical record confidentiality, medical record privacy, Office of the Comptroller of the Currency
Source Type: blogs