Tim, I second your concerns about the apps engineered with little concern for security. As everyone understands, applications are acquired by departments on the basis of cost / feature with little regard to non-functional aspects such as security. Often there are few real alternatives, so the HCO is really dependent upon the vendor's willingness to absorb the cost of engineering improved security in its products *and* support.
There is a (very) dominant vendor (probably in every 300+ bed hospital) which remotely supports its product via analog modem. All support personnel share a common password, and not a particularly strong one at that! The current gen control module for the product sits on NT; the USR_xxxSUPPORT account is a member of the Administrators group. This product interfaces (among other things) with the patient accounting system. I actually know this vendor well; there are 'good' reasons for its current setup, and even if the vendor was willing to re-engineer its remote support, it still has 10+ years of installed legacy and multiple product generations.

I think there are many applications like this that are generally transparent to HCO IT management; they do not participate in the purchase decision, nor do they have much to do with the product's maintenance. Further, there is no way that IT will be allowed to disconnect either the phone line or take the box off the network ... so the HCO is left with a mission critical app that provides an easy path around the firewall. This is simply something that the HCO has to live with.

I think your IG would do well / better to raise the visibility of these app-created vulnerabilities to those with the direct security responsibility, maybe even by vendor / app name, sort of a healthcare app CVE. Once informed, security persons are able to provide a security solution or not. Either way, the cost of the app (in)security becomes visible to the HCO and better recognized as part of the app's TCO. Once that happens, vendors recognize that their app security, or lack thereof, will influence their customer value calculation. At that point, vendors can hope to make a business case for implementing more rigorous access / integrity controls. Efforts directed primarily toward vendors risk marginalization if those efforts imply obligation without showing the source of compensating revenue.
Re the source of threat, my large health system clients find that their networks are 'constantly' being scanned for vulnerability.

Bill

To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=Security and enter your email address.

The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.