|
Well, I made a post about losing my job a while back, but now I've secured a long term contract as a network technician at a prestigious local university! Actually a pretty reasonable step up for me. I'll let you know how it goes.
|
#
?
Mar 5, 2016 15:18
|
|
|
|
| # ? Jun 11, 2024 07:13 |
|
|
Japanese Dating Sim posted:http://www.ohgizmo.com/2008/04/28/virtual-console-60-port-usb-flash-drive-duplicator/ A bit late but we use this sorta thing to get critical patient data on usbs in case of fire. (So the patient is accompanied by his data)
|
|
#
?
Mar 5, 2016 16:31
|
|
|
SEKCobra posted:A bit late but we use this sorta thing to get critical patient data on usbs in case of fire. (So the patient is accompanied by his data) The sec gently caress-up thread is that-a-way -> I'm sitting here thinking of all the ways for this rabbit hole to go wrong, and it just doesn't end.
|
|
#
?
Mar 5, 2016 17:26
|
|
|
keseph posted:I'm sitting here thinking of all the ways for this rabbit hole to go wrong, and it just doesn't end.
|
|
#
?
Mar 5, 2016 17:29
|
|
|
keseph posted:The sec gently caress-up thread is that-a-way -> Dont know what you mean, these patients are unlikely to survive without their documentation in another hospital. The drives are physically secure (maybe).
|
|
#
?
Mar 5, 2016 17:30
|
|
|
Vulture Culture posted:"Okay everyone, stay calm and form a single line. If it extends back past the fire door, whoever's in front of it please hold it open for everyone behind you in line. We're going to make an orderly exit from the building as soon as we have your charts copied over"
|
|
#
?
Mar 5, 2016 17:31
|
|
|
SEKCobra posted:Oh no, i said that wrong, the data is synced on at all times. They are also not in the same place as the patients.
|
|
#
?
Mar 5, 2016 17:39
|
|
|
SEKCobra posted:Dont know what you mean, these patients are unlikely to survive without their documentation in another hospital. The drives are physically secure (maybe).
|
|
#
?
Mar 5, 2016 17:48
|
|
|
Vulture Culture posted:Have you all considered that these other hospitals probably have sane policies like not allowing people to plug in random removable media in the first place? Or that using a Replicator means there's more than one identical device, which almost certainly means each device has more than one person's chart (possibly the entire hospital's). And they're handing out hundreds of them. And they can't be encrypted because they can't preshare a key with ever other medical provider.
|
|
#
?
Mar 5, 2016 17:59
|
|
|
google hipaa usb flash comes up with quite a few results that basically say not to do what you are doing.
|
|
#
?
Mar 5, 2016 18:13
|
|
|
anthonypants posted:It looks like you're saying that for each patient at your facility, you keep a continually replicated copy of each patient's critical data on a USB stick, and that you don't think that's a security fuckup waiting to happen. No we keep critical patients data on a usb stick, one patient per stick. This is common practice here, I don't see how you can do this better tbh. The encryption key is in sealed envelopes attached to the fire checklist btw.
|
|
#
?
Mar 5, 2016 18:13
|
|
|
This is amazing 
|
|
#
?
Mar 5, 2016 18:22
|
|
|
SEKCobra posted:No we keep critical patients data on a usb stick, one patient per stick. This is common practice here, I don't see how you can do this better tbh. The encryption key is in sealed envelopes attached to the fire checklist btw. I would love to be in a room with your compliance officer the day this process is audited.
|
|
#
?
Mar 5, 2016 18:27
|
|
|
SEKCobra posted:No we keep critical patients data on a usb stick, one patient per stick. This is common practice here, I don't see how you can do this better tbh. The encryption key is in sealed envelopes attached to the fire checklist btw. You have to be loving kidding me, this isn't real
|
|
#
?
Mar 5, 2016 18:38
|
|
|
DigitalMocking posted:I would love to be in a room with your compliance officer the day this process is audited. Again, this is done by every hospital in the country as a standardised procedure, and I can't see how you'd be able to do it better, since the requirement is to hand out an up to date file during the evacuation. The data has to be transported along with the patient and there is a slight bit of security through the second factor being in another location than the stick. Again, the sticks are locked up unless an evacuation happens. How is this less secure than the data being on a server?
|
|
#
?
Mar 5, 2016 18:38
|
|
|
Which country? E: If you don't understand how data on a server is more secure than data on a USB drive, I don't know what to tell you.
|
|
#
?
Mar 5, 2016 18:40
|
|
|
Colonial Air Force posted:Which country? Austria
|
|
#
?
Mar 5, 2016 18:40
|
|
|
Colonial Air Force posted:Which country? Well of course its harder to get at a singular item, but the server in a server room isnt much different to the usb board in a locked room.
|
|
#
?
Mar 5, 2016 18:42
|
|
|
SEKCobra posted:How is this less secure than the data being on a server? In basically every way.... Why are USB devices even being allowed to plug in??
|
|
#
?
Mar 5, 2016 18:43
|
|
|
SEKCobra posted:Again, this is done by every hospital in the country as a standardised procedure, and I can't see how you'd be able to do it better, since the requirement is to hand out an up to date file during the evacuation. The data has to be transported along with the patient and there is a slight bit of security through the second factor being in another location than the stick. Again, the sticks are locked up unless an evacuation happens. The normal, sane way to do this is live replication across an encrypted link to a remote location. Data is always stored securely in at least two sites so disaster can't (easily) take it out, and sensitive data is never on a removable media.
|
|
#
?
Mar 5, 2016 18:44
|
|
|
CLAM DOWN posted:In basically every way.... These arent random usb devices, these are our usbs associated with patient beds in the critical care station?
|
|
#
?
Mar 5, 2016 18:44
|
|
|
nielsm posted:The normal, sane way to do this is live replication across an encrypted link to a remote location. Data is always stored securely in at least two sites so disaster can't (easily) take it out, and sensitive data is never on a removable media. This isnt a backup, this is data that is needed to sustain these patients lifes (Dont ask me what the medical reason is, they claim to need it and it seems legit), it is taken to the designation hospital in case of an evacuation. The data in our hospital isnt destroyed by a fire.
|
|
#
?
Mar 5, 2016 18:46
|
|
|
SEKCobra posted:These arent random usb devices, these are our usbs associated with patient beds in the critical care station? Have you ever heard of USB firmware malware?
|
|
#
?
Mar 5, 2016 18:55
|
|
|
CLAM DOWN posted:Have you ever heard of USB firmware malware? Again, these are never removed unless there is an evacuation and never returned, and if they get infected from us, nothing else wouldnt be susceptible as well.
|
|
#
?
Mar 5, 2016 19:03
|
|
|
SEKCobra posted:Again, these are never removed unless there is an evacuation and never returned, and if they get infected from us, nothing else wouldnt be susceptible as well. The malware angle is a red herring for your hospital, but the receiving hospital shouldn't blindly trust some unknown person off the street and plug in the USB drive to a hospital computer. It's a classic case of "a uniform and confidence will get you into any facility in the world" just that the "uniform" is this case is a hospital gown. You're holding up the hospital as an authority on security by mere virtue of being in the medical industry but that is just wildly unfounded. Spitballing some alternative ideas: The hospital should have a web-like service hosted somewhere not inside the building so it's not susceptible to local disasters (pick your favorite cloud provider here). Each patient gets assigned a smartcard at check-in, their records on the web service are encrypted via the public key of the smartcard so even if someone guesses or pulls those charts they can't decrypt them; this would be *extremely* comparable to the old paper method of just handing the patient their own chart and is roughly as good as you're going to get without the patient choosing a secret like a password which is just not going to fly with a lot of patients (read: elderly, mental disorder, speech/hand impediments, etc). Except it'd be electronic because Thou Shalt EMR.
|
|
#
?
Mar 5, 2016 19:32
|
|
|
Webservice isnt compliant  One of the requirements is, that the data clmes with the patient, because coordination is likely to fail during this sorta evacuation scenario where the patients get jugled to all the surrounding hospitals, and they(medical decision makers) are worried the data might not be associated or transported in time otherwise. In regards to your attack vector, while it applies several times over in hospitals, this whole evacuation plan involves all receiving hospitals being pre alerted and the patients arriving alongside Paramedics and nurses. This cant easily be faked, but if you were really trying to exploit it, you could probably pose as one of those arriving evacuation teams. Youd have to leave a patient tho. I am genuinely curious what you guys see as possible security threats here, and since it is neither my implementation, concept or responsibility, I'm not worried about it either way. But I am not really seeing a better way of doing it so far.
|
|
#
?
Mar 5, 2016 19:44
|
|
|
SEKCobra posted:Webservice isnt compliant I'm not going to waste too much time on it, since you stated you don't really care or seem interested in any kind of risk analysis. The USB is the vector towards compromising a hospital's records systems during patient evacuation. There was a Black Hat presentation last year (I think, maybe it was 2014), on a firmware level attack that is no OS dependent and not detectable by AV systems. Since and evac sounds like it would fairly chaotic in nature, I can't think it would be too challenging to get a device swapped out. What do I care if a patient's data is lost, my goal is to get into your system. The patient data is collateral damage at that point. Honestly, healthcare should take a page out of financial network operations. Monies are moved electronically in vast sums every day. They absolutely do not introduce a physical vector if they can avoid. Of course deposits need to be transferred from branches and ATMs, but those involve strict chains of custody with multiple layers of physical security. I'm hearing nothing securing the patient data other than "encryption" (which is only as good as the implementation) and "patient holds on to it". The fact that device needs to be plugged into a system that obviously accesses a medical complex's central healthcare database is a scary risk.
|
|
#
?
Mar 5, 2016 20:22
|
|
|
flosofl posted:I'm not going to waste too much time on it, since you stated you don't really care or seem interested in any kind of risk analysis. Are most Black Hat presentations posted online? Or only the flashy ones like the guy that made the ATM from the lobby spew out all it's bills. Unrelated, a Text Conversation came in today him posted:CT, please come into the office today, you'll get OT. me posted:hey I'm not CT, it's turtlicious him posted:Oh, hahaha sorry, its a new nickname I'm trying out. Can you come in? me posted:Let me check with the family to make sure nothing's planned. him posted:I need to know by 2, it's important, can't text it So, two things I don't like about this, A.) I am not going to respond to everyone calling me CT. That's dumb. and B.) I do not want to set a precedent for coming in on my off days. I trust my boss to a certain extent, but mostly in a "He screws me in predicatable ways" B.) I feel like coming in on my off days sets a bad precedent.
|
|
#
?
Mar 5, 2016 21:10
|
|
|
Call him and ask what it's about. Normal adults don't do the "Come here, I have a secret to show you. Hah, it's poop!" game.
|
|
#
?
Mar 5, 2016 21:12
|
|
|
Does the patient have access physical access to the device during this scenario? If so it would be pretty easy to get through it. Black hat gets self admitted to hospital, either through some underlying condition that can be exploited or just convincing malingering, engineers an evacuation (bomb threat called in by accomplice for instance), and during the chaos swaps his own device for the real one. If done intelligently the loss of records in the short term could be anywhere from totally meaningless to a minor inconvenience.
|
|
#
?
Mar 5, 2016 21:21
|
|
|
flosofl posted:I'm not going to waste too much time on it, since you stated you don't really care or seem interested in any kind of risk analysis.
|
|
#
?
Mar 5, 2016 21:27
|
|
|
flosofl posted:They absolutely do not introduce a physical vector if they can avoid. Healthcare has a much lower tolerance for loss of availability. If I can't issue a wire transfer right now (active refusal), or it gets stuck in a queue for a few hours, or I have to go to a different ATM/branch to retrieve some bills it's annoying but not the end of the world. If a doctor can't retrieve a patient's records, she can't tell the last time he's been dosed with $lifeaffectingdrug and timing on those can be critical. Identity and authentication becomes much trickier, too, because an ER can't turn away someone who can't or won't identify truthfully himself -- whether that's because he's unconscious/can't speak or he's got a gunshot and gives a false name the result is the same. You also can't force the person to choose a secret like a password if he's unconscious. That means you're left with assigned physical tokens like a smartcard or biometrics (hah). The smartcard option lets you build in self-destruct functionality (on the database side) so that a patient dropping his USB stick in a garbage can or parking lot doesn't lead to his data being exposed weeks/months/years later because that card was only valid once and with an expiration date of a couple days.
|
|
#
?
Mar 5, 2016 22:05
|
|
|
On the advice of this thread, and my girlfriend, and my landlord, I went to see my boss. Apparently he was testing my response time in-case of an emergency. I pointed out that if he had said it was an Emergency, I probably would have been less leisurely, which got a reply of "Excellent, just what I wanted to hear." gently caress. Still, got comped OT for 3 hours and all I did was show up for 15 -> 20 minutes. I have no idea what is going on in my professional life.
|
|
#
?
Mar 5, 2016 22:49
|
|
|
Turtlicious posted:On the advice of this thread, and my girlfriend, and my landlord, I went to see my boss. Apparently he was testing my response time in-case of an emergency. I'd get a resume updated and start hunting if I were you 
|
|
#
?
Mar 5, 2016 22:55
|
|
|
air- posted:I'd get a resume updated and start hunting if I were you Do you think I could, on the interview, hand them the business card my boss wants to get from Vista-Print and say, "I was given this title, un-ironically, without any change in my contract."???
|
|
#
?
Mar 5, 2016 23:01
|
|
|
Your boss sounds completely loving insane and staying around will not help you personally or professionally.
|
|
#
?
Mar 5, 2016 23:14
|
|
|
Wow. gently caress that poo poo.
|
|
#
?
Mar 5, 2016 23:15
|
|
|
The title is cool and all, but your coworkers are going to hate your guts as it sounds like a big part of your job is snooping around workstations during off hours and looking at people's browser histories. Hope the $2 raise is worth the inevitable damage to your car. It reads like you're being patronized and hosed with from here. I would not use the phrase internet terrorism in any interviews.
Roargasm fucked around with this message at 23:46 on Mar 5, 2016 |
|
#
?
Mar 5, 2016 23:43
|
|
|
Does your boys watch CSI: Cyber by any chance?
|
|
#
?
Mar 5, 2016 23:53
|
|
|
|
| # ? Jun 11, 2024 07:13 |
|
|
Roargasm posted:The title is cool and all, but your coworkers are going to hate your guts as it sounds like a big part of your job is snooping around workstations during off hours and looking at people's browser histories. Hope the $2 raise is worth the inevitable damage to your car. It reads like you're being patronized and hosed with from here. I would not use the phrase internet terrorism in any interviews. I am more then aware, it was not a serious suggestion, nor a choice. It's just a thing I'm scheduled to do now. Obviously this is going to suck, but until I find another job, I'm going to have to work at it. Until I find another job, I'm screwed.
|
|
#
?
Mar 6, 2016 00:30
|
|