Medical Office Insecurity – HIPAA Gone Wild

I had to take a relative out of town to see a specialist at a “more modern and up to date” medical facility. Apparently the local award-winning hospital was just not good enough. And you can tell he was a specialist, because the hour wait to get into an examination room was followed by another hour waiting to be actually seen by the doctor for 5 minutes.

While I was there I was shocked by the lengths they went to in order to enforce HIPAA privacy. No longer do you wait in a cattle line to check in. No way, you waited in a lobby with your hands folded gently in your lap for your number to be called. And when the glorious bank-teller-like receptionist finally called you, you hesitantly approached the exalted one and waited behind a line painted on the floor ten feet from the desk.

Just in case you missed the bright yellow line and the painted feet showing you where to stand, signs posted everywhere stated in a draconian font, “For patient safety, stand behind the painted line until called, or you will be shot.” Or something like that. I guess they didn’t want you to see that the receptionist was on Facebook before they were ready for you.

Each receptionist window had wide blinds installed so that you couldn’t see anything going on at the next receptionist window. And each computer monitor had a privacy screen to protect that classified patient data.

Once in the exam room all seemed to change though. The nurse dutifully checked my relative’s vitals, logged into the Windows XP computer in the room and entered all the information into their online system. She then told us the doctor would be in to see us within the next month or so and left the room.

Sitting there pondering life for what seemed like an eternity, I noticed several things. One, she seemed to stay logged into the patient database when she left the room. Two, no password-protected screen saver kicked on. Three, she left the logged-in system unattended in a room with patients for literally about an hour. Four, when the doctor finally graced us with his presence, he did not log in, just moved the mouse to turn off the screen saver and started viewing my relative’s file.

Finally, when we left, we had to go to the billing window. Again, the wait behind the line nonsense. Then the billing window with the privacy dividers and screens. As I stood there as my relative paid the co-pay, I looked at the wall beside the checkout clerk. In plain sight was a note that stated:

Wireless Password: (And it listed a Password)

John XXXXX – IT Tech Support guy
XXXXXXXX – Tech Support Company Name
XXX-XXXX – Tech Support Phone Number

Okay, noticing that the Billing workstations seemed to be connected wirelessly, one could assume that the listed password was indeed the password used to connect to the wireless network. Also, the listing of the tech support personnel name, company and phone number is a social engineer’s dream.

The Bible verse, “Strain at a gnat, but swallow a camel” really came to mind when we left. They went to exorbitant levels to protect individual patient privacy, but then left the keys of the kingdom out in plain view. Hopefully this isn’t an example of every doctor’s office, but a little knowledge about how a social engineer attacks a network would go a long way in not just protecting one patient’s privacy, but the security of the whole patient database.


