[ISN] Hospital's computer security given poor grade in April report

InfoSec News isn at c4i.org
Fri Oct 22 02:08:50 EDT 2004 

http://www.thetimesonline.com/articles/2004/10/20/news/top_news/87e009eb749c7fd186256f3200836776.txt

BY MATTHEW VAN DUSEN
Times Staff Writer
October 20, 2004 

VALPARAISO -- A damning assessment of Porter hospital's computer
security never publicly released became a test that Porter County
Commissioner Robert Harper posed Tuesday to candidates for the
hospital board .

Harper read from an April 2004 Deloitte & Touche assessment that
identified 30 problems with the hospital's information systems, nine
of them classified as "high risk."

The assessment concludes, "Porter does not know whether someone could
be accessing critical medical, financial and management systems
without being detected."

Harper asked the candidates, "Do you think the public has the right to
know something like that?"

He made it clear the right answer was "yes."

Hospital Chief Executive Officer Ron Winger did not return a call
requesting comment and spokesman Andrew Snyder also did not comment.

Harper also read a separate statement from Deloitte, which audits the
hospital's finances, that said if the problems weren't fixed the
hospital would not meet "appropriate accounting controls," and that
Deloitte might not be able to certify the hospital's books.

David Schroeder, an associate professor at the Valparaiso University
business school, reviewed the PowerPoint presentation at The Times'
request.

Schroeder said if the hospital made the changes Deloitte suggested,
its computer systems are in good shape. If officials had not made the
changes, the systems are in poor shape, he said.

The assessment, for example, found that some systems were protected by
program default passwords, such as "QUSER." A person could access a
system with the default password and make changes or learn information
and the hospital would not know who they are.

This problem would be easy to fix.

Other problems with the system were more complicated, such as not
knowing what an employee can access and not being able to eliminate
those access rights if the employee is fired.

The assessment notes that it would not be clear if someone had
accessed the systems illegally unless there was a noticeable effect
from it.

More information about the ISN mailing list