Yet another incident where a firewall was disabled during maintenance and never restored. And although that’s bad enough, it’s a concern that it took 9 months to spot the problem. Where are the regular routine checks on security or don’t they include checking the firewall?
Officials with Pocatello Family Medicine have sent letters notifying patients that the firewall protecting computerized records was inadvertently left inactive for several months.
Amy O’Brien, medical practice director of Pocatello Family Medicine, said Monday an investigation has produced no evidence that any records were compromised.
Pocatello Family Medicine serves as the Idaho State University residency clinic and stores files on a server owned and operated by ISU. In August 2010, the firewall protecting the ISU server was taken down for maintenance. O’Brien said Information Technology staff discovered the wall wasn’t active on May 18 while assisting an employee who was having trouble accessing records on the server. The information was removed from the server for protection two days later.
[…]
An electronic medical record for the clinic stored on the server was never accessed, O’Brien said. The investigation has produced no evidence that other records on the server, including scanned images of drivers licenses and insurance cards, were viewed, accessed, downloaded, printed or otherwise used without authorization.
The only indication that someone took advantage of the absence of the firewall was a person who downloaded a couple of commercial movies and a television program on the site to take advantage of the storage space, apparently seeking to illegally sell access to programming.
Read more on Idaho State Journal