On 2014-01-05 12:25 AM, Marc Hakman wrote:
> Hi,
> I am running a professional commercial practice information system, based on 
> Firebird in Germany. The system is certified by the German health agencies.
> Problem?
> The Firebird account name and password are NOT changed.
> The government is rolling out a patient chip card with the possibility to 
> exchange the basic patients data with their social security health assurance 
> agency by WAN. Is there a possibility for them to get access to (other) 
> patient files (so the complete database) through a backdoor, e.g. via the 
> admin account? Is there another way?
As long as Firebird is not accessible from outside your firewall 
directly, then the risk is reduced.  This way someone would have to get 
the database file from the server and copy it elsewhere to gain access 
to the patient data.

And as long as your patient data is accessed from the outside only via 
webservices or an HL7 server, then I wouldn't worry too much, unless 
those services are not using secured communication (i.e., SSL).
> Is it a security risk not changing the account name and pw?
There is a security risk, but also do make certain that the practice 
information system is not using it, otherwise the application will stop 
> I am not paranoid, just concerned about my business and even more the medical 
> confidentiality.
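
An added example, not part of the original thread: a Python check for the point above about Firebird not being directly reachable, reporting where the server's TCP listener is bound. It assumes the standard `firebird.conf` keys `RemoteServicePort` (default 3050) and `RemoteBindAddress`; the function names, sample configuration and socket list are constructed for illustration.

```python
import ipaddress

DEFAULT_PORT = 3050  # Firebird's default RemoteServicePort

def parse_firebird_conf(text):
    """Return the active (uncommented) key = value settings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # not an IP literal: treat as exposed
        return False

def listener_exposure(conf_text, listening):
    """Return (port, findings) for the Firebird TCP listener.

    listening: 'address:port' strings, e.g. the Local Address column
    of `ss -ltn` on the database server.
    """
    conf = parse_firebird_conf(conf_text)
    port = int(conf.get("RemoteServicePort") or DEFAULT_PORT)
    bind = conf.get("RemoteBindAddress", "")
    findings = []
    if not bind:
        findings.append("config: RemoteBindAddress unset (all interfaces)")
    elif not is_loopback(bind):
        findings.append(f"config: RemoteBindAddress {bind} is not loopback")
    for entry in listening:
        addr, _, entry_port = entry.rpartition(":")
        if entry_port != str(port):
            continue
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets / zone
        if addr in ("*", "0.0.0.0", "::"):
            findings.append(f"socket {entry}: bound to all interfaces")
        elif not is_loopback(addr):
            findings.append(f"socket {entry}: bound to {addr}")
    return port, findings

# Constructed sample input, not taken from any real server.
SAMPLE_CONF = "#RemoteServicePort = 3050\nRemoteBindAddress =\n"
SAMPLE_SOCKETS = ["0.0.0.0:3050", "127.0.0.1:5432", "[::1]:3050"]

if __name__ == "__main__":
    print(listener_exposure(SAMPLE_CONF, SAMPLE_SOCKETS))
```

Any finding means the firewall is the only control keeping the Firebird port off the WAN side, so its rules for that port are what to verify next.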
