N Engl J Med 2017; 377:707-709 August 24, 2017DOI: 10.1056/NEJMp1707212

http://www.nejm.org/doi/full/10.1056/NEJMp1707212


Even physicians began to sit up and take notice.

And yet, being ever eager to find the cheapest pools of labor possible, no one seems to sit down and consider that these must be inside jobs.

1 members found this post helpful.

stealing data is < encrypting data, in terms of "new" emerging attack methods.

and yes, healthcare/pharma are under major attack. there's also a push for cyber attacks on "systems" like aircraft, trains, cars, missiles, drones, etc etc. these "systems" are the areas that have understated attack vectors and thus hackers now hunt them down and exploit them. the lack of security in these "systems" probably stems from the gap between older program managers and newer/younger hackers. the older program manager likely still has the 1960's mentality that attacking a missile via Rf is not so ez and requires massive resources to build the attack Rf system. in 2017 that notion has long passed.

however, there is some hope. i know a few folks in missile system companies (US) who have this "system" security well understood and the security needs are built into the products they make. NIST/NICE is also formulating the requirements/definitions of what a cyber security person has to be and these things will be translated into educational curriculum (already starting).

huge gap between good cyber folks and the mass of cyber hackers, but we have started to close the gap.

There is a huge problem with information in the healthcare sector.
It needs to be both reasonably freely accessible at any time as well as being secure.
I would imagine you(anyone) would be pretty peeved if emergency medical care was needed but could not be given because your medical records were inaccessible because your records were hidden behind a password.

I don't pretend to know the answer other than removing those who want to abuse the information from the gene pool.

although i cant totally disagree with you, ER/doctors/etc need to be educated/experienced enough to provide treatment, and the default is always "we have no other data to look at currently". relying heavily on the IO of digital objects is a bad idea, etc.

There is a big difference between having to work with no information out in the field, and not being able to access readily available information in the emergency room of a hospital.

why should such data be "readily available" to a ER doc? "readily available" does not always make sense, lets say as example, for a patient who is not conscious and is j.doe on arrival. perhaps a fingerprint may allow some access? but if you want readily available then you need to move the data to a human carrier, like a chip under the skin, etc.

i provide security oversight to a company who does healthcare data analytics, its more like predictive health modeling using patient historical data. this requires chomping time. a password to get there is insignificant in terms of a time roadblock.

another big risk i am studying is patient data integrity. lets say hackers can manipulate data via a long running 0-day, perhaps like the claimed CVE-2017-9805. that "readily available" data is kinda useless and very dangerous, etc. still same concerns with under skin chip data, but the actual data may be a tad harder to hack.

why do we need not-well-secured big-data systems when i myself can carry and provide security controls to protect my data? the game of a few (like the idiots at Equifax) trying to protect the data of many, vs me trying to protect just my data. i believe this is the upcoming paradigm shift we shall see in near future.

Yet another problem unnecessarily foisted upon us all by mandatory EHR implementation. How would you like going in for an emergency and not having the diagnostic equipment, for example the EKG machine, inaccessible because it now runs Win 10 and is either (a) non functional because of the legendary reliability of Windows, (b) inaccessible because some IT cretin thought it was a good idea to implement or change password protection on the system? And why do we need ultrasounds and EKG machines hooked up to the internet? Talk about a bad choice of relative risks and benefits...

Or simply inside incompetence.

+1

what, you saying the Music Composition degree Susan Mauldin has is not good enough to be a CISO of a company who needs to protect very sensitive data of millions of people?

we have crossed a bridge, on bow side are all the smart sec folks, on the aft side are all these "exec" folks who have biz degrees, music degrees, degree in Russian language, degrees of all sorts, but little education or real experience in info or cyber security, and they are the folks in CISO/CSO/CIO positions! but now we need to ask why/how do these idiots get such positions? because they wiggle there way up and can sweet talk their exec team that they know what they are doing. Susan's career path is dismal and jumpy, 2-2+yr stints here & there, different roles, etc etc = super bad choice for CISO !!! very poor decision making by the Equifax execs to hire Webb and Mauldin into those positions ! hence why the board there needs to fire Webb and CEO immediately, Susan is already gone, hopefully never to be seen again in any C level position, maybe she can teach music at here apartment now.

Because without it he may make a bad decision.
I have certain differences in my body that would make a big difference to the way - for example - that my chest should be openned for surgery - my major blood vessels are on the wrong side and my heart is out of position. I also have to take drugs that can interfere with the affects of other drugs. I do carry notification at all time, but that could easily get lost in an accident or emergency. I hope that my medical records are available to any surgeon that might have to operate on me or he could end up doing more harm than good.

That is a awful lot to attribute to my simple comment!

Honestly I know none of the names or resumes of the people involved, so no, that is not what I was saying.

My comment was intended to say that no intent may be necessary (as implied by the term "inside job"), but that the filling of human resource requirements from "cheapest pools of labor" inevitably results in a growing "pool of incompetence" within an organization. The incompetence is visible without knowing the personalities involved.

The responsibility may lie in the hands of some particular CISO/CSO/CIO, or of a whole Board of Somesort, but the incompetence permeates such operations from top to bottom, and is all too common.

Every time you go to a medical office they still ask you for your SSN.

I think the worst part is the systems are connected to the internet. Almost every company thinks that each system has to be connected to the internet for some reason.

funny though, they can perhaps run a dark web search and find your SSN before you arrive, saving me time when i get there

SS, CC, DL #'s are in my opinion, already in the wild. its just a matter of who is trying to use it.