Transcribed Medical Records Exposed on the Web
Experts Offer Insights on How to Avoid Similar Security Blunders
…”Due to changes and upgrades to systems, a system that is secure today could become vulnerable with the next change – thus the need to repeat the vulnerability scan periodically,” says Mark Dill, former longtime CISO at the Cleveland Clinic who is now a principal consultant at tw-Security.
… “Accidental misconfigurations of internet-facing systems are always a possibility,” notes Keith Fricke, a principal consultant at security consultancy tw-Security. “System administrators can reduce that risk by testing access after changes are made to ensure the expected controls are active. Criminals continue to scan the internet for targets of opportunity; they can stumble upon web servers that are missing security patches or are misconfigured.”
Penetration testing, vulnerability assessments and secure configuration practices are necessary to prevent and discover this type of problem before it leads to a breach, Dill adds.
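The post-change access test Fricke describes, written out as an added example (not code from the article or from the firms quoted): request each path that is supposed to be protected with no credentials and confirm the server still demands them. The protected paths and the `records.example.invalid` host are constructed placeholders.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass

# Constructed list: paths that must never be readable without credentials.
PROTECTED_PATHS = ["/records/", "/transcripts/2019/", "/admin/"]

@dataclass
class Finding:
    path: str
    status: int
    verdict: str  # "ok", "LISTING", "EXPOSED" or "UNEXPECTED"

def classify(path: str, status: int, body: str, location: str = "") -> Finding:
    """Judge an unauthenticated response: is the access control still active?"""
    if status in (401, 403):                      # credentials demanded: control is active
        return Finding(path, status, "ok")
    if 300 <= status < 400 and "login" in location.lower():
        return Finding(path, status, "ok")        # bounced to a login page
    if status == 200:
        if "index of /" in body.lower():          # browsable directory index
            return Finding(path, status, "LISTING")
        return Finding(path, status, "EXPOSED")   # content served with no credentials
    return Finding(path, status, "UNEXPECTED")    # e.g. 5xx: re-check, do not assume safe

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep urllib from following redirects so the 3xx itself is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

_opener = urllib.request.build_opener(_NoRedirect)

def probe(base_url: str, path: str, timeout: float = 5.0) -> Finding:
    """Request the path with no cookies or credentials and classify the result."""
    try:
        with _opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return classify(path, resp.status, body, resp.headers.get("Location", ""))
    except urllib.error.HTTPError as err:         # 3xx/4xx/5xx all arrive here
        return classify(path, err.code, "", err.headers.get("Location", ""))

def failures(findings):
    """Findings that block sign-off of the change; empty means all controls held."""
    return [f for f in findings if f.verdict != "ok"]

if __name__ == "__main__":
    # Placeholder host (not from the article); point it at the server just changed.
    for f in failures([probe("https://records.example.invalid", p) for p in PROTECTED_PATHS]):
        print(f"{f.verdict:10} {f.status:3} {f.path}")
```

Run it from outside the network perimeter so the result reflects what an unauthenticated internet client sees, and treat any non-empty failure list as a blocker for closing the change.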
In addition, the incident affecting patients at Children’s National is a reminder of the importance of scrutinizing the security procedures of business associates.
“It is incumbent on every provider to go beyond a BA contract signature to vet the security profile of each partner,” Dill says. “In this case, asking the BA to provide evidence that they securely configure public-facing servers, patch them, manage their changes, scan them for vulnerabilities, fix critical flaws quickly and [schedule] periodic penetration tests by a qualified third party would have been prudent.”