Microsoft blamed for million-plus patient record theft at US hospital giant

American healthcare provider Geisinger fears highly personal data on more than a million of its patients has been stolen – and claimed a former employee at a Microsoft subsidiary is the likely culprit. Geisinger on Monday announced the results of a probe into a November computer security breach, placing the blame on Microsoft- …

  1. mikus

    Two words, Internet Explorer

    For 25 years, Microsoft pushed the most commonly abused malware engine as Internet Explorer, at its core ActiveX as part of their own dotnet programming languages, ever to be unleashed on the populace, and only then begrudgingly admitted defeat in killing it off, having found better adware and tracking in Google's Chrome engine now. Exchange servers are still a constant liability people misuse and abuse, and Active Directory every time remains the common denominator at the heart of most infections due to its ubiquitous presence in 99% of enterprises today.

    If people haven't learned by now to mistrust Microsoft products, they impose their own blissful ignorance.

    1. Anonymous Coward

      Re: Two words, Internet Explorer

      We're talking about a company who exposed SMB/NetBios to the internet, allowing you to scan for the ports and access any network shares on the device over the internet (!!) BY DEFAULT (!!!!!!!).

      /shrug.

      1. navarac Silver badge

        Re: Two words, Internet Explorer

        >>We're talking about a company<<

        ....and we're also talking about a company that wants to add a keylogger (aka Recall) into Windows? What could possibly go wrong!

        1. Anonymous Coward

          Re: Two words, Internet Explorer

          > What could possibly go wrong!

          Well, considering the reliability of such models, they might not get any useful data... Defeating the whole point of adding the hardware in the first place. That would be terrible, right?

      2. david1024

        Re: Two words, Internet Explorer

        Scanning for open smb shares around your neighborhood... And the university for nfs too!

        Ahhh the bad ole days.

        1. Korev Silver badge

          Re: Two words, Internet Explorer

          A friend used to use NTL and he said their network used to put the modems on a class C so you could browse "your" network to see who didn't have SMB locked down...

          This was in Cambridge, where I assume the average level of technical knowledge was higher than most places...

  2. tfewster

    Full access, or lateral movement?

    >While this snafu doesn't seem to be Geisinger's fault...

    I can't work out if Nuance manage all Geisinger's IT, including patient databases, or just the Voice comms.

    If the perp had database privileges, then game over. Otherwise layered security should have prevented network access becoming "access all areas".

    1. abend0c4 Silver badge

      Re: Full access, or lateral movement?

      It appears that Nuance provides systems that allow doctors to dictate medical notes and otherwise interact with medical record systems using their voice. There seems to be a growing number of areas in which the enthusiasm for automating medical processes perhaps hasn't sufficiently considered the possible risks.

    2. yoganmahew

      Re: Full access, or lateral movement?

      What? No! The DB should be encrypted so casual access is not permitted. Anyway, having voice to text'd, why would you continue to store? Those notes should go to the patient or doctor's DB, not to Nuance's. Have they not heard of HIPAA? https://www.nuance.com/about-us/trust-center/privacy/hipaa.html Hmmm, they have... they just don't give a shite. Executives at these companies need to be jailed, pour encourager les autres.

      1. zuckzuckgo

        Re: Full access, or lateral movement?

        > why would you continue to store?

        So you can sell the "anonymized" data for AI training?

  3. Doctor Syntax Silver badge

    "Who skipped the termination checklist again?"

    Spot the assumption.

    1. Roland6 Silver badge

      Also, who were the cheapskates not investing in privileged credential management… which would have meant withdrawal of the employee's staff login and phone would also have blocked access to other systems…

      It is time-consuming and irritating, working through an Excel spreadsheet of nearly a hundred sets of credentials and changing them from former.employee@mycompany.com to new.user@mycompany.com, along with the password, phone and secondary email etc. … and along the way discovering the list is incomplete and also doesn't cover key subscriptions set up on personal bank cards, reclaimed via expenses and thus until now invisible…

      1. ecofeco Silver badge

        Hey, have we worked at the same place? I've got the scars from every word you wrote.

  4. silent_count

    Enough with the buck-passing

    If you choose to keep data, it is your responsibility to keep it secure. If you choose to store it on a computer, it is still your responsibility to keep it secure. If you choose to use an external IT service, it is still your responsibility to keep the data secure. Notice the pattern here? As flawed as Microsoft is, this is solely Geisinger's responsibility.

    They could have chosen to keep the data carved into 100kg stone tablets in a dark, remote archaeological site patrolled by sabre-toothed tigers, scorpions, rats and all manner of Indiana Jones-esque traps. Could you imagine the disgruntled ex-whoever carrying the tablets out, one at a time, while having their legs chewed off?

    Instead Geisinger chose Microsoft.

  5. My other car WAS an IAV Stryker

    I was *this* close

    I didn't know Nuance was owned by Microsoft. I have been considering buying Nuance's Dragon recently (Pro, local install -- only distantly related to their Medical offerings), but the price is a bit steep. I looked into previous versions and found some on Amazon, from at least 10 years ago -- much, much cheaper, as long as they come with actual original license keys and are not used or cracked. Knowing those years are also pre-Microsoft ownership certainly aids that decision.

    1. Revolver0535

      Re: I was *this* close

      Having used both MModal and Dragon, I prefer MModal for its customization. Dragon is better with speech recognition though.

  6. Anonymous Coward

    Personal data storage - I have an idea...

    For any organization (not just "companies") that wants to store the personal data of users, make them post a bond, whose size is related to the value and quantity of the data, before even beginning to collect the data. Something like this (per entry/user):

    Full name: $1

    Address: $2

    Birthdate: $20

    Social security number: $50

    So having 500 people's names and addresses would only be $1500 (names and addresses are often publicly findable). But storing 1,000,000 people's name, address, birthdate, and SSN: $73,000,000 bond before you start collecting it.

    However much data gets lost/stolen from the company, that's how much they owe in fines. Can't afford that size bond? Don't collect so much info!

    1. Anonymous Coward

      Re: Personal data storage - I have an idea...

      You've just put most national-scale companies out of business; or they take out a loan/insurance for this, and all our prices go up.

      How is this good ?

      1. Anonymous Coward

        Re: Personal data storage - I have an idea...

        The idea is that it's a bond - they're effectively insured against the loss. Insurance companies try not to have to pay claims, so they'd be requiring reasonable protections for this data, with proof. Overall, digital security would tend to get much better in a hurry.

  7. ecofeco Silver badge

    Was it actually the ex employee?

    Or was it someone using their account?
