http://www.thetimesonline.com/articles/2004/10/20/news/top_news/87e009eb749c7fd186256f3200836776.txt

BY MATTHEW VAN DUSEN
Times Staff Writer
October 20, 2004

VALPARAISO -- A damning assessment of Porter hospital's computer security never publicly released became a test that Porter County Commissioner Robert Harper posed Tuesday to candidates for the hospital board.

Harper read from an April 2004 Deloitte & Touche assessment that identified 30 problems with the hospital's information systems, nine of them classified as "high risk."

The assessment concludes, "Porter does not know whether someone could be accessing critical medical, financial and management systems without being detected."

Harper asked the candidates, "Do you think the public has the right to know something like that?" He made it clear the right answer was "yes."

Hospital Chief Executive Officer Ron Winger did not return a call requesting comment and spokesman Andrew Snyder also did not comment.

Harper also read a separate statement from Deloitte, which audits the hospital's finances, that said if the problems weren't fixed the hospital would not meet "appropriate accounting controls," and that Deloitte might not be able to certify the hospital's books.

David Schroeder, an associate professor at the Valparaiso University business school, reviewed the PowerPoint presentation at The Times' request.

Schroeder said if the hospital made the changes Deloitte suggested, its computer systems are in good shape. If officials had not made the changes, the systems are in poor shape, he said.

The assessment, for example, found that some systems were protected by program default passwords, such as "QUSER." A person could access a system with the default password and make changes or learn information and the hospital would not know who they are. This problem would be easy to fix.

Other problems with the system were more complicated, such as not knowing what an employee can access and not being able to eliminate those access rights if the employee is fired.

The assessment notes that it would not be clear if someone had accessed the systems illegally unless there was a noticeable effect from it.

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/