In before some company pops up to “centrally manage” all this data that 90% of the hospitals start using then said company gets hacked. There is exactly zero chance this gets stored securely and a minuscule chance it gets stored locally.
It probably is already a contracted service, and not installed and managed by local IT.
Partly because no one has the IT resources to do it all to start with, secondly it’s probably how it’s sold (vendors love getting their foot in with installations, then have a years-long contract for maintenance). Third, it’s a typical business move to offset risk by contracting a service - since they’re paying someone else to install and manage the system, if something goes sideways the vendor eats it.
It’s also financially useful - business doesn’t own the hardware or anything, so the cost of the contract comes out of your profit column, reducing tax liability. While ownership it’s part of assets. Bean counters really like contracted services.
Source: worked in enterprise IT for some time, this is SOP for these kinds of systems.
Also, this is a crock of shit, because we know it will get messed with.
The only orgs I’d have any faith in making such systems would be the data or physical security orgs within companies. Their whole reason for being is to reduce risk to the company. For example - to even get a sql script from/to a vendor, we create an sftp box specifically for that purpose/vendor. But setting up the dropbox requires multiple levels of approvals, from different internal orgs, with all of us attached to the risks.
Then the password is provided through a checkout system, with a limited lifespan (depending on the dropbox), which is tracked, along with accesses to the box, and what’s transferred and to where. Every few months everyone has to re-approve the box (you’re really re-approving permitting a known risk).
In before some company pops up to “centrally manage” all this data that 90% of the hospitals start using then said company gets hacked. There is exactly zero chance this gets stored securely and a minuscule chance it gets stored locally.
It probably is already a contracted service, and not installed and managed by local IT.
Partly because no one has the IT resources to do it all to start with, secondly it’s probably how it’s sold (vendors love getting their foot in with installations, then have a years-long contract for maintenance). Third, it’s a typical business move to offset risk by contracting a service - since they’re paying someone else to install and manage the system, if something goes sideways the vendor eats it.
It’s also financially useful - business doesn’t own the hardware or anything, so the cost of the contract comes out of your profit column, reducing tax liability. While ownership it’s part of assets. Bean counters really like contracted services.
Source: worked in enterprise IT for some time, this is SOP for these kinds of systems.
Also, this is a crock of shit, because we know it will get messed with.
The only orgs I’d have any faith in making such systems would be the data or physical security orgs within companies. Their whole reason for being is to reduce risk to the company. For example - to even get a sql script from/to a vendor, we create an sftp box specifically for that purpose/vendor. But setting up the dropbox requires multiple levels of approvals, from different internal orgs, with all of us attached to the risks.
Then the password is provided through a checkout system, with a limited lifespan (depending on the dropbox), which is tracked, along with accesses to the box, and what’s transferred and to where. Every few months everyone has to re-approve the box (you’re really re-approving permitting a known risk).
I don’t see how that could happen. /s