Not too long ago I ran accross an article that talked about Ohio University’s server being hacked and in a hackers hands for a long period of time. I honestly don’t think this is really all that common. In fact, after working with a friend of mine in college who was excellent at hacking I think this happens a lot more than we ever realize and definitely more than ever gets published. Not that the practices of this article are acceptable, but I don’t think we should be naive.
Many may be wondering what a University getting hacked is doing on an EMR and HIPAA blog. Well, read this quote from the article:
How a server could be left open to intruders is still under investigation. But this much is known: A server supporting the alumni relations department was supposed to be offline, Sams said. The people responsible for shutting it down thought they had done so. The server continued to be connected to the Internet but didn’t receive security updates. It was the equivalent of leaving a backdoor open for thieves to walk in and seize what they wanted.
The culprits who broke into the other two servers made off with health records belonging to students treated at the university’s health center, as well as Social Security numbers of an additional 60,000 people.
Does this really make sense to any rational person? What is a student’s health record doing on a server supportint the alumni relations department? Not to mention on a server that someone isn’t updating. At the rate that Windows puts out updates I think we are all guilty of sometimes being a bit lazy in our updating policy. However, to forget about the machine and think it is shutdown is ridiculous. That has HIPAA violation and HIPAA lawsuit written all over it.