"Totally exposed" at the doctor's office.
I hurt myself, so I went to the doctor’s office.
And, it was one of these places which sees celebrity clients. Specifically, local sports stars in the Philadelphia area.
You know the routine: Take your shirt off, freeze half to death, then wait twenty minutes for the doctor to finally come in and tell you to take two Advil.
But just before he came in, I took a picture of this computer.
(The red stuff, is obviously mine. And I blurred out a lot as I’ll describe below).
Let’s take a look at what a huge, mega error it was to leave me alone with this computer:
- Item 1: That’s me highlighted in the blue bar in section 1. Then ALSO the FULL NAMES, BIRTHDATES and PATIENT IDs of 10 more clients. Full. Freekin’. Names. Hello HIPPA COMPLIANCE !? Also pointed to in item 1 is MY healthcare plan, so the doctor can determine if he should spring for various tests. The crappier the plan I guess, the less they try to perform tests.
- Item 2: It’s XP. Great. So my medical records are protected by an operating system which will get no patching at all starting in April 2014. Grrrrrrreeeat !
- Item 3: Thanks for the attack vector and giving me the computer name. When I call the nurse’s station pretending to work for IT, it’ll make me look more credible that I have this information in hand. (No no.. I wouldn’t do that.. right?)
- Item #4: This is custom application. And, you can see the menu system: there’s a zillion settings for the Nurse, Doctor, or others.. (like me if I was being naughty) to misconfigure in this application. If they were using PolicyPak to deliver application settings, they could be guaranteed that those settings would be set and maintained. (What am I talking about? Attend my next webinar on application settings management at www.policypak.com) .
- Finally.. The main item is.. the damn keyboard and mouse are just fully unlocked. I had 20 full minutes to poke around here. I didn’t just snap this picture when the Nurse left the room. I took it 20 minutes AFTER she left.
Did I *ACTUALLY* touch the keyboard and move the mouse around?
Look, I’m not 12 years old anymore, so.. no I didn’t.
But I could.
And if this was, instead, an APPOINTMENT for a 12 year old, you KNOW his or hands would be on that keyboard.
Are you doing everything you can at YOUR organization to be more secure? Learn how to ENSURE that the RIGHT settings are delivered so naughty people cannot do things they shouldn’t do.
In my training class, I show you exactly how to use the Group Policy infrastructure you already have to do it.
Next class: Las Vegas, Dec 2 – 6.
Sign up at www.GPanswers.com/training .. And ensure your computers aren’t “totally exposed.”