Comments on John Flucke's Blog - Ramblings from Dentistry's Technology Evangelist: The Number of Data Breaches in Healthcare Doubled in Three Years...
(Comment feed retrieved 2024-03-27T05:43:32.280-05:00; 4 comments, newest first)

John Flucke - Technology Evangelist (https://www.blogger.com/profile/05713702773441174573), 2022-12-19T12:42:17.823-06:00

Hi Aaron, your email didn't come across, but you can always DM me that info via Twitter. My handle is @jflucke
I think you have a LOT to offer the profession!

Aaron C. de Bruyn (https://www.blogger.com/profile/04898305272010592221), 2022-12-04T18:06:03.302-06:00

Thanks John. I've never done an interview before. I'm an engineer--so I have a face for radio. ;)

But I guess I'd be up for one. If blogger doesn't give you my email address when I comment, let me know.

John Flucke - Technology Evangelist (https://www.blogger.com/profile/05713702773441174573), 2022-12-04T17:48:24.783-06:00

Dang, Aaron! These are all great points. It certainly seems like no one is interested in locking the barn until a thief takes off with all of the horses.
Would you be up for an interview in 2023?

Aaron C. de Bruyn (https://www.blogger.com/profile/04898305272010592221), 2022-12-01T11:09:06.973-06:00

The whole situation is super frustrating.

On the smaller side (think dentists, chiropractors, small healthcare offices, etc...) there's this dumb idea that you need to hire the cheapest Managed Service Provider to take care of everything. Those MSPs will promise the moon (we'll handle patching, security, etc...) and then they don't deliver on things the client won't notice.

If someone gets breached, they just wave the excuse of "it was an advanced persistent threat" or "it's a new virus that got around the AV software". In other words, "it's not my fault" your network got breached.

Most of them are completely incompetent. I ran into one a few years ago that used the password "letmein123" for *all* their domain admin accounts for *all* their clients. To this day, when I take over a healthcare company from them, I can get in without having to call them for an admin password. They even deployed this batch file to every computer:

    net user /add ITADMIN letmein123
    net user ITADMIN letmein123
    net localgroup administrators ITADMIN /add
    wmic useraccount where "Name='ITADMIN'" set PasswordExpires=false
    wmic useraccount where "Name='ITADMIN'" set PasswordExpires=false

On the side of larger places (hospitals, DSOs, etc...) there's a *huge* amount of economic pressure to reduce costs everywhere coupled with "we want this newfangled thing". IT is told "install this", not "We want to use this, but we need to know if it's secure, how well it will integrate with our network, etc..."

Just last month, I dealt with a company that was contracting out insurance stuff to India. It took hours on the phone to communicate with their IT staff only to be told they would be connecting in via RDP and after 30 days of constant prompting, they still refuse to change their default password.

Another company I dealt with that handles "patient communication and online reviews" uploads the entire contents of the patient database--including social security numbers, birthdates, credit card numbers, financial history, medical conditions, allergies, etc... It's a ton of info they absolutely don't need...and it's all done through an insecure HTTP connection. When I brought up the security of the patient data I was told "CompanyX brings us around $8,000 in revenue every month. We aren't changing."

Thankfully they're "cyber insurance". Just pay a few thousand dollars every month for millions in coverage, and when their dumb decisions end up destroying people's credit or leaking embarrassing information, the insurance company will pay through the nose to buy everyone "credit monitoring".

The best part is there are tons of cyber insurance companies out there that basically just check to see if you have any inbound ports open on your router and call it "good". They don't check to see if you're still running Windows 7. They don't care if various programs require you to run as a full-on administrator. They don't care if you're running SQL 2005 (end of life) on a Windows 2008 server (end of life) and it's internet accessible via IIS 5 (end of life).

It's like one of the former MSPs I used to work for. I told them we hadn't taken a successful backup in over 30 days and we needed to hire more staff so things like that could be monitored. The reply was "God protects our company, don't worry about it."

Great disaster recovery plan.