Well, at least one of mine doesn’t. Let me take you through the scene I lived as I completed a routine checkup at my doctor’s office last week.

After arriving and being called back, they did the standard how tall are you (thankfully, I have not shrunk), how much do you weigh (PRE-Thanksgiving, thanks!), do you have a pulse, and is your blood pressure somewhere in between dead and explodingly high.

Yep, I said it. Explodingly. It’s a smashup between a gerund and an adverb. An “adverunderb.”

So after all the basic stuff, we sit down and review my medical history as they have it, including any surgeries or medications I have been on prior to my visit. As we’re going through this, I notice that they have listed a medication that I have never been on. After watching the nurse edit my data in the practice’s medical software, I wonder what it would be like if a doctor’s office had a compromise. It’s not too far-fetched. Most store patient records electronically now, and many allow internet access right there from their PCs so that the receptionist can update her Facebook between opening and shutting the big sliding glass window.

Electronic medical records can be a good thing. Ask any of the MBAs that made a ton of cash selling computer-illiterate MDs on how they can save time and money by investing in this wacky computer fad. But the risks associated with keeping this data electronically are significant.

Now here’s where things get interesting.

So the doctor walks in, and what do you know, she types her FOUR DIGIT NUMERIC PASSWORD to log in. And it was not like she was using the numbers above the QWERTY part of the keyboard; she was using the 10-key numeric pad. Right next to me. Easiest password I ever shoulder surfed.


Of course her little numeric password then gave her access to my entire medical history, including things like a copy of my driver’s license, Social Security number, and medical insurance information and card. Think of the identity theft fun you could have with that!

So what are we to do? I will put this in the bucket of corporate responsibility. If your corporation is going to put technology in the hands of your employees, you are responsible for making sure they know how to use it securely and appropriately. Regardless of your company’s size, or the type of technology being deployed.

And if I were a bad guy, this is the type of gold mine I would be going after.

This post originally appeared on
