I was at a doctor's appointment this week with someone. While waiting in the room, for an incredibly long time, I noticed that the nurse left the computer logged in. Actually, not just logged in but with the EMR system open. We could look through the medical record on the screen or pull up anyone else's name we wanted. Free rein! No restrictions! Even worse, we were in there for an hour and no lock screen ever appeared. I couldn't believe this. This was at an office of the largest healthcare group in Charlotte, NC.
I am curious what the plan for companies is for mitigating risks. With all of the attacks we hear about nothing ever changes. There also does not appear to be any increase in the training of the employees or contractors. To add to it, I heard recently that the priority for security in corporations has dropped. They are throwing in the towel.
This healthcare company obviously has no fear. They are the biggest and no one will punish them, but a small doctor's office... smack them with a fine. There is a bad trend setting in for companies. They are starting to not focus on the basic security of their networks, let alone the prevention of attacks. The majority are concerned with three things. Does it work? Will it work a little longer? What can we do to reduce costs? Then if something does happen they will deal with it; after all, won't the banks pay, and if not, that's why they have insurance. Meanwhile individuals are put through hell trying to clean up the ID theft.
This is much like it is with celebrities and regular people. We punish the average guy who breaks the law, but a celebrity gets probation. Small and medium-sized companies will go under from an attack. But JP Morgan is "Too Big to Fail," so they get propped up and smacked on the wrist.
I think it is time to level the playing field and apply fines and punishments equally. Maybe then we can finally get someone's attention. It is okay to let a few of the big guys go through the hell small businesses do when an attack happens.