"IT is a financial black hole."


    that's what a senior campus informatics tech told me, regarding a corporate meeting they attended a couple of months ago. "corporate doesn't care about [information] security. if they lose half the entire billion-plus annual earnings to a cyberattack, they'll still have sick & injured assets, and they'll still have a billion-plus in earnings annually."


    after our conversation, i was in utter disbelief. it wasn't that nobody in the IT department cared about security, it was more that the people running the hospital didn't care - nor had any reason to care. morality means nothing in the name of the cheapest possible dollar. so as nobody in corporate management cared, it gradually got tiresome for those actually running things in IT to keep reminding them of the constant flaws and dangers. so, it got even more stressful for IT folk to care, so they stopped complaining and started complying. after all, they'd still get paid at the end of the day.


    i first won a contract to do simple campus information support for one of the largest hospital networks in the US roughly a month ago. in the interview process, i was told by multiple people in the network that i was vastly overqualified for the position - and that the lack of security would likely drive me crazy. i took the contract anyways, and began my shift the following week.


    as i approached the main building, i immediately noticed the lack of security cameras. i spotted two cameras - one was pointed straight up towards the sky, the other propped in a low-action corner of the hospital office building. going inside i noticed a massive lack of physical security - no cameras, one [unarmed] security guard for the entire multi-campus facility (turns out there was a grand total rotating shift of three guards), and nobody realizing i didn't have a security badge yet. i walk into the IT office, and it is absolute chaos. nobody knows what's happening. it appeared that in addition to contractors like myself being hired, the corporate office also sent their native IT employees to "help" us out.


    due to all the chaos, i wasn't assigned any user account for the computer network. so, i was assigned to a corporate IT fellow to aid with the day's tasks. the first task i was assigned was to go solo to radiology storage and take note of how many voip phones were in the room. i wasn't told anything about the layout of the hospital, and there weren't any blueprints. i assumed it wasn't going to be in the office building, but rather the main hospital, so i went on my journey.


    i went into the main building, and asked a front desk lady where radiology storage was. she wasn't sure, but told me how to get to radiology. she asked me to follow her to the elevator. just as we were getting in, another front desk lady yelled for her to ask for my badge. finally, some security! i told them both it was my first day, then mentioned the name of the regional director of IT. they then both let me on my way, with one lady showing me exactly where radiology was. apparently if you're in a hospital with business casual clothes & a swiss gear backpack on, you can do anything with enough confidence.


    i walk to the door for radiology. it was one of those large "crash" doors, where - when activated by a magnetic unlock - both doors open outwards. i walked up to the large doors marked with the radiation trefoils, and knocked. a nice lady opened the door for me, and i said i was with IT. she looked at my laptop, then let me in. i asked where their main storage was, and she kindly pointed it out. i opened the unlocked door, took my inventory, then walked back to the IT office.


    it's wild, but that was an average occurrence in the span of the contract. being nice & confident let me into some extremely sensitive areas, from the pharmacy to the psych ward. i was constantly in view of patients where i shouldn't've been, i was able to gain roof access with little effort, and the majority of locks in the building could easily be breached with a credit card swipe through the crack. every locked entrance with a keycard lock always had another entry into the area which would always be unlocked, without a special lock. then there was the hospital storage area...


    hidden in plain view in an easily-accessible basement hallway lies a storage room with a relatively-secure eight-pin office door lock. the door opposite the lockable one is usually unlocked, allowing for easy bypass if you take off a hinged steel plate and force the bolt forwards with a flat head screwdriver. upon entry lies a small warehouse-esque room, full of steel cages. upon closer inspection, the cages are simply made of fence material, on no foundation at all, held in place by bolts [that can be easily unscrewed]. the cage fence only goes to a certain height, and one of reasonable mobility could simply climb over, and unlock the door leading into the entry of each cage. not that the doors are particularly hard to go past, either! i have pretty skinny fingers, so i was able to simply reach past the fence and unlock the gate through it. if you're morbidly obese and unable to lift yourself, i suppose the cages are secure against you, provided you don't know how to use a wrench.


    of course, this room didn't need to be breached. in the dedicated rooms of every department in the hospital lay a small aluminum box - which would always be unlocked, or with its key in it - with master keys to every building and room. if a bad actor wanted to, they could grab a key from the box, go to the storage area (or really any hospital area), and have fun!


    anyhow, aside from the miscellaneous medical equipment surplus and technical equipment, the storage room also had the hard paper copies of the medical records of every patient that had been to any of the campuses in the hospital network in the past fifty years. they lay in clearly-marked cardboard boxes, against the walls of one of the unsecured cages. pretty bad, right? it gets worse.


    in this room of poorly-kept sensitive documents & millions of dollars in technical / medical equipment, the only fire safety was the reinforced concrete walls. while there were a couple of sprinklers, none of them covered anything. the nearest firefighter water access was on the stairwell 300ft away, and because of poorly-kept tech waste, there were leaking batteries aplenty & a constant risk of electric shock (it happened nearly once a week). i couldn't care less about the safety of it, it's the risk of losing the medical data of patients that got me! don't worry, it gets much worse.


    to reiterate, the storage room is located in a basement. that means at the very least, it should be well-protected against whatever may be outside on the upper levels of the complex. in periods of medium to heavy rain (extremely common for the area), the rainwater would easily leak through the crevices of the ceiling! it'd completely soak the walls, and sometimes drip from the ceiling itself onto wiring & computer equipment. apparently engineering was in charge of fixing that, but corporate management figured it wasn't worth the cost of repair.


    higher-level order dysfunction was a common occurrence. i completely understand cost-saving measures, but management would constantly allow for contractors of the most expensive bid to complete small projects that would ultimately leave the hospital in the red, but would allow for greater presence of the network. convenience, security, privacy? mere suggestions, so long as the public was aware of the hospital network.


    perhaps the most egregious byproduct of this mismanagement and red tape was in a certain biomedical department. while it'd be a breach of privacy to say the specific department, we'll just say... wound care. anyhow, in the employee lounge of wound care lay three switches, a router, multiple NAS enclosures, two blade servers, and three LTO-5 tape decks. this was all being powered by a hard line into the wall, without the use of a UPS or surge protector, and all being laid on the floor. when i asked a supervisor in the department what it all was, their reply shocked me. "oh, that's a storage setup for our patient records since the 90s. we were told you were going to fix it." i assured them i'd ask one of the IT directors. when i did, i got an even worse reply. "yeah, [corporate] management won't let us move that until we get approval from wound care, and they have to move it all."


    i want to say that was the worst thing i've seen at the hospital (IT-wise). through daily mismanagement, terrible resource allocation, dogshit security, and awful work attitudes, it wasn't over yet. i was called to an emergency regarding a power issue in the ICU network closet. see, typically this would be re-directed to engineering. unfortunately, all medical equipment (from x-ray machines to life support equipment) is connected via wifi! so if a power issue arises in a network closet, then it could get really, really, really bad. so, i go up to check on it. i open the closet (none of them are locked), and see that someone had unplugged the UPS array. i plugged it back in, reported it, and left.


    see, i was the only employee in the entire IT department to keep logs of what i do, what i install with what equipment, etc. i did this for "insurance" reasons - so that both electronically & analog, anyone could see where i was, doing exactly what when, using what to do what. there weren't any cameras near that closet, no guards noticing what happened, and the nearby front desk ladies told me they assume anyone that enters that closet is maintenance. while the logical thing to think would be a major bad actor in the area, i couldn't prove it, so it was assumed that it was just a maintenance worker or electrician.
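A technician log only works as "insurance" if a reader can tell that nobody edited it after the fact. The following is an added example, not code from the original post: a hash-chained activity log in which each record commits to the previous record's SHA-256, so deleting, reordering or rewriting any earlier entry breaks every hash after it. The record fields, file-less list storage and all sample entries (including the timestamps) are constructed for illustration; the post describes no particular log format.

```python
"""Tamper-evident technician activity log built as a SHA-256 hash chain.

Added example (not the post's own tooling). Each record carries the hash
of the previous record plus its own fields, so any later edit to an
earlier entry is detectable by re-walking the chain.
"""
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # constructed convention: the link preceding the first record
FIELDS = ("when", "where", "action", "equipment")


def _digest(prev_hash: str, fields: Dict[str, str]) -> str:
    """Hash the previous link concatenated with the canonical JSON of this entry."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_entry(log: List[Dict[str, str]], when: str, where: str,
                 action: str, equipment: str) -> Dict[str, str]:
    """Append one record, chained to the hash of the record before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    fields = {"when": when, "where": where, "action": action, "equipment": equipment}
    record = dict(fields, prev=prev_hash, hash=_digest(prev_hash, fields))
    log.append(record)
    return record


def verify_chain(log: List[Dict[str, str]]) -> Tuple[bool, int]:
    """Re-walk the chain. Returns (True, -1) if intact, else (False, index of first bad record)."""
    prev_hash = GENESIS
    for i, record in enumerate(log):
        fields = {k: record[k] for k in FIELDS}
        if record["prev"] != prev_hash or record["hash"] != _digest(prev_hash, fields):
            return False, i
        prev_hash = record["hash"]
    return True, -1


def build_sample_log() -> List[Dict[str, str]]:
    """Constructed sample entries; dates and wording are placeholders, not events from the post."""
    log: List[Dict[str, str]] = []
    append_entry(log, "2024-01-15T09:10", "radiology storage", "inventoried VoIP phones", "laptop")
    append_entry(log, "2024-01-15T13:40", "ICU network closet", "re-seated UPS array input", "none")
    append_entry(log, "2024-01-15T14:05", "IT office", "reported closet power event", "ticket system")
    return log


def tampered_copy(log: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Simulate an after-the-fact edit to an earlier entry (the location of record 1)."""
    forged = [dict(r) for r in log]
    forged[1]["where"] = "pharmacy"
    return forged


if __name__ == "__main__":
    original = build_sample_log()
    print("original intact:", verify_chain(original))
    print("edited copy:   ", verify_chain(tampered_copy(original)))
```

The chain proves only that the log was not altered after each entry was hashed; to stop the log's keeper from quietly rebuilding the whole chain, the latest hash should be published somewhere outside their control (a ticket comment, an e-mail to a supervisor) at the end of each shift.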


    from the credit card readers that would send data in plaintext over unprotected wifi, to overly-friendly & trusting hospital staff, hospitals are a dangerous place to be & trust with your data. while i definitely can't say to boycott hospitals (emergencies exist, and you have no choice), i ask for anyone reading this to call on hospital executives to pay attention to what they choose to ignore. to say this hospital network had poor security would be to say that it had any notion of security at all. if i were a bad actor, i could effortlessly walk into the hospital with nothing more than a flash drive, and walk out with hundreds of millions of sensitive data & destroyed machines, within an hour, and with no traces back to me. physical security, social engineering, and digital security - please make them pay attention!
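Card readers sending data in the clear is the kind of finding a monitoring team can confirm with a simple payload scan rather than take on faith. As an added example (not code from the original post), the detector below runs over raw captured payload bytes, pulls out 13 to 19 digit runs, keeps only those that pass the Luhn checksum that payment card numbers carry, and reports them masked. The payloads are constructed, use only well-known test card numbers, and stand in for whatever a capture tool would export; nothing here refers to the hospital's actual traffic.

```python
"""Detect primary account numbers (PANs) travelling in cleartext payloads.

Added example, not tooling from the post. Input is raw payload bytes as
a capture tool would hand them over; TLS-protected traffic shows up as
opaque bytes and never yields a Luhn-valid digit run.
"""
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run
_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum digits, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits so a report never reproduces a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(payload: bytes) -> List[str]:
    """Return masked PANs found in one payload; digit runs that fail Luhn (MRNs, amounts) are ignored."""
    hits: List[str] = []
    for m in _CANDIDATE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_payloads(payloads: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan a labelled set of payloads; only those containing cleartext PANs are reported."""
    findings = {}
    for label, payload in payloads.items():
        pans = find_cleartext_pans(payload)
        if pans:
            findings[label] = pans
    return findings


# Constructed sample payloads. The card numbers are public test numbers, not real accounts.
SAMPLE_PAYLOADS: Dict[str, bytes] = {
    "reader POST, no TLS (visa test card)": b"card=4111 1111 1111 1111&exp=1229&amt=4500",
    "reader POST, no TLS (mastercard test card)": b"pan=5555-5555-5555-4444;cvv=***",
    "TLS record (opaque bytes)": b"\x16\x03\x03\x00J\x02\x00\x00F" + bytes(range(0x80, 0xA0)),
    "patient lookup, 16-digit MRN (fails Luhn)": b"patient_id=1234567890123456",
}


if __name__ == "__main__":
    for label, pans in scan_payloads(SAMPLE_PAYLOADS).items():
        print(f"{label}: {', '.join(pans)}")
```

In practice this runs against a span-port or wireless capture taken with the site's authorisation, and a single hit is enough to escalate: a terminal that emits a Luhn-valid PAN in cleartext is out of scope for any payment card data security programme regardless of how the rest of the network is configured.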