by rolph 2414 days ago
Waiting rooms are a gaping hole. Nobody seems to see a problem with blabbing out your final 4 and first, last name when they're at a desk in a room full of whoever walked in and sat down.

Unprotected desktops are another issue; there is a tide of duties and an attacker can pattern the staff and get a good idea when they will have time to do an inside job of some sort.

5 comments

As with most environments, there’s a lot of trust based in a hospital running successfully.

At least they have their own on-site security that’s experienced in taking people down.

I continue to believe the real threats are actual insiders and remote attacks.

Dunno how far someone will get with a USB key versus sending everyone a plausible email.

In my org's environment, not very far with USB key. Email = very much yes.

We had one user who called after filling in every email address she had into a very plausible looking O365 login page. She admitted she initially distrusted the email/link that led her to this page and had replied saying so. The hackers on the other end told her to go ahead and do so. I mean, who is she to question when it's coming directly from the hospital's lawyer?

>Dunno how far someone will get with a USB key versus sending everyone a plausible email.

Insiders still can be threats. There was a machine that was deployed in a hospital for clinical imaging that some rad tech who guessed the administrator password put folding@home on without telling anyone which crippled that machine's ability to perform its function.

> some rad tech who guessed the administrator password put folding@home on without telling anyone which crippled that machine's ability to perform its function.

How incredibly bizarre to do something that dumb for no personal benefit.

F@H had value!!!

I do remember an IT admin back in the day who said he ran SETI@Home at a low priority on all machines because it would detect any problems with a machine (e.g. spyware, crashing, heat problems, etc.)

But 2002 thinking wouldn’t fly in 2019.

BTC miners occur more than F@H these days, but they happen plenty.

This incident occurred before crypto mining was a thing many knew about. He thought that since the machine was unused overnight that someone should get some benefit from it.

You plug in the USB key, then you pull out the USB key.

The physical security layer at a lot of hospitals is almost entirely absent, sadly.

What I meant was that sending everyone an email will get you further with less time/effort than actually going.

USB keys are blocked mostly these days. There are other huge vulnerabilities if you have physical access and are motivated.

From experience in plenty of industries, your statement is incorrect. Most places suck at security and blocking removable storage, but likewise suck at far more important controls (e.g. application whitelisting) for it to really mitigate much in the first place.

Or you swap keyboards with a special keyboard [maybe a pineapple?], or you can swap Ethernet patches around.
Given how terrible a lot of low-end Dell keyboards get after years and years, most people would cheer :)

With the main apps being virtualized, workstations are refreshed less often than they used to be.

These aren't mutually exclusive vectors of attack, they all need to be addressed.

The big threat used to be the paperwork (and still is sometimes due to fax machines). There were people who broke in after hours, and stole boxes of paperwork to use for medical billing fraud.
Same thing for picking up prescription at CVS/Walgreens.

They make you verify your phone number and address. Every. Single. Time. In public.

It's a shame how silly it all is.

I actually feel kinda sad for you, seems so cumbersome, yet I can't relate at all. Really bizarre to me as an Estonian, I've only had to show my ID-card to the pharmacist and get my prescription, because my doctor has entered it into the e-prescription[1] system. Reading this thread definitely made me appreciate it a lot more.

[1]: https://www.eesti.ee/eng/services/citizen/tervis_ja_tervisek...

Specialist I went to attempted to collect a photograph in the waiting room, as well - "please hold still a second while I take your picture for the doctor", with a webcam sitting atop the counter between us.

These are times when I say no thank you, that's not medically necessary, and obstruct the cam or turn around if it's unobstructable.

> attempted

:)

We're past time for simple challenge response for this, if not something better. Computer picks two digits, maybe they are part of your SSN sequence, or not, you have to parse that and say true or false. Then last three of your SSN. The current strategy is b.s.
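The challenge-response idea in the comment above, written out as an added Python example; it is not code from the thread or from any poster. It assumes a nine-digit number on file for the patient, picks two positions among the first six digits, shows a digit for each that is either the real one or a decoy, and takes the patient's true/false answers plus the last three digits. The failure counter and lockout are my own addition: a yes/no check on single digits, answered without limit, would confirm digits to anyone who keeps asking, so the desk system has to stop after a few wrong rounds. The sample number is constructed.

```python
import hmac
import random
import secrets
from dataclasses import dataclass

# Constructed sample record for the demo. A real desk system would look this
# up from the patient's file, not hold it in code.
SAMPLE_SSN = "123456789"


@dataclass(frozen=True)
class Challenge:
    """One round: two positions in the number, a digit shown for each, and
    (kept server-side only) whether each shown digit is the real one."""
    positions: tuple
    shown: tuple
    truth: tuple

    def prompt(self):
        # What the desk screen displays to the patient; it never reveals truth.
        return " / ".join(f"digit {p + 1} is {d}?"
                         for p, d in zip(self.positions, self.shown))


class WaitingRoomVerifier:
    MAX_FAILURES = 3  # assumption: lock the record after three wrong rounds

    def __init__(self, ssn_on_file, rng=None):
        if len(ssn_on_file) != 9 or not ssn_on_file.isdigit():
            raise ValueError("expected nine digits")
        self._ssn = ssn_on_file
        # SystemRandom draws from the OS CSPRNG; a seeded Random is for tests.
        self._rng = rng if rng is not None else secrets.SystemRandom()
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= self.MAX_FAILURES

    def make_challenge(self):
        # Two distinct positions among the first six digits; the last three
        # are asked for outright in verify().
        positions = tuple(sorted(self._rng.sample(range(6), 2)))
        shown, truth = [], []
        for p in positions:
            real = self._rng.random() < 0.5
            if real:
                digit = self._ssn[p]
            else:
                # Decoy: any digit other than the real one at that position.
                digit = self._rng.choice(
                    [d for d in "0123456789" if d != self._ssn[p]])
            shown.append(digit)
            truth.append(real)
        return Challenge(positions, tuple(shown), tuple(truth))

    def verify(self, challenge, answers, last_three):
        """answers: the patient's True/False per shown digit;
        last_three: the last three digits as spoken to the desk."""
        if self.locked:
            return False
        digits_ok = tuple(bool(a) for a in answers) == challenge.truth
        # Constant-time compare so response timing does not leak the tail.
        tail_ok = hmac.compare_digest(str(last_three), self._ssn[-3:])
        if digits_ok and tail_ok:
            self.failures = 0
            return True
        self.failures += 1
        return False


def make_verifier(ssn, seed=None):
    # seed is for reproducible demos/tests only; leave it None in use.
    rng = random.Random(seed) if seed is not None else None
    return WaitingRoomVerifier(ssn, rng)


if __name__ == "__main__":
    v = make_verifier(SAMPLE_SSN, seed=1)
    ch = v.make_challenge()
    print(ch.prompt())
    print("verified:", v.verify(ch, ch.truth, "789"))
```

Nothing spoken at the desk under this scheme is the full number: the patient says "true" or "false" twice and three digits, which is less than the "last four plus full name" the thread complains about, and the lockout keeps the true/false step from being used as a digit oracle.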