Tim
I second your concerns about the apps engineered with little concern for
security.  As everyone understands, applications are acquired by
departments on the basis of cost / feature with little regard to
non-functional aspects such as security.  Often there are few real
alternatives, so the HCO is really dependent upon the vendor's
willingness to absorb the cost of engineering improved security in its
products *and* support.

There is a (very) dominant vendor (probably in every 300+ bed hospital)
which remotely supports its product via analog modem.  All support
personnel share a common password and not a particularly strong one at
that! The current-gen control module for the product sits on NT; the
USR_xxxSUPPORT is a member of the administrators group. This product
interfaces (among other things) with the patient accounting system. I
actually know this vendor well; there are 'good' reasons for its current
setup, and even if the vendor was willing to re-engineer its remote
support, it still has 10+ years of installed legacy and multiple product
generations.

I think there are many applications like this that are generally
transparent to HCO IT management; they do not participate in the
purchase decision nor do they have much to do with the product's
maintenance. Further, there is no way that IT will be allowed to
disconnect either the phone line or take the box off network ... so
the HCO is left with a mission-critical app that provides an easy path
around the firewall. This is simply something that the HCO has to live
with.

I think your IG would do well / better to raise the visibility of these
app-created vulnerabilities to those with the direct security
responsibility. Maybe even by vendor / app name, sort of a healthcare
app CVE. Once informed, security persons are able to provide a security
solution or not. Either way, the cost of the app (in)security becomes
visible to the HCO and better recognized as part of the app's TCO.
Once that happens, vendors recognize that their app security or lack
thereof will influence their customer value calculation.   At that
point, vendors can hope to make a business case for implementing more
rigorous access / integrity controls.   Efforts directed primarily
toward vendors risk marginalization if those efforts imply obligation
without showing the source of compensating revenue.

Re the source of threat, my large health system clients find that their
networks are 'constantly' being scanned for vulnerability.

Bill


The WEDI SNIP listserv to which you are subscribed is not moderated.  The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP.  If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.
Posting of advertisements or other commercial use of this listserv is
specifically prohibited.