The Regina Leader-Post Editorial Board echoes my concerns over giving the Internet access to patient records. However, the editorial focuses mainly on the threat from allowing external access.
By far, the largest threat vector is internal in origin, and I’m not just talking about a disgruntled employee. Any employee who brings in their own device, checks email or surfs the web at work, plays Facebook games or VPNs in from home is a potential point of vulnerability.
This just happened.
A hospital in Los Angeles has been operating without access to email or electronic health records for more than a week, after hackers took over its computer systems and demanded millions of dollars in ransom to return it.
Based on the article, it looks like the hospital was hit with a version of Cryptolocker software. That means that some employee in the hospital, or someone who has an ‘always-on’ VPN connection to the hospital and has mapped a drive to the data at the hospital, became the accomplice.
No matter how hard you lock down a network or a computer, the single largest point of failure is always between the keyboard and the seat.

