LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-28-2017, 09:46 AM   #1
RandomTroll
Senior Member
 
Registered: Mar 2010
Distribution: Slackware
Posts: 1,286

Rep: Reputation: 218Reputation: 218Reputation: 218
'Threats to Information Security - Public Health Implications'


Quote:
'In health care, information security has classically been
regarded as an administrative nuisance, a regulatory hurdle, or a
simple privacy matter. But the recent "WannaCry" and "Petya"
ransomware attacks have wreaked havoc by disabling organizations
worldwide, including parts of England's National Health Service (NHS)
and the Heritage Valley Health System in Pennsylvania. These events
are just two examples of a wave of cyberattacks forcing a new
conversation about health care information security. With the delivery
of health care increasingly dependent on information systems,
disruptions to these systems result in disruptions in clinical care
that can harm patients. Health care information security has emerged
as a public health challenge.'
N Engl J Med 2017; 377:707-709 August 24, 2017DOI: 10.1056/NEJMp1707212

http://www.nejm.org/doi/full/10.1056/NEJMp1707212


Even physicians began to sit up and take notice.
 
Old 08-29-2017, 07:09 AM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177
And yet, being ever eager to find the cheapest pools of labor possible, no one seems to sit down and consider that these must be inside jobs.
 
1 members found this post helpful.
Old 08-30-2017, 07:52 AM   #3
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Rep: Reputation: 62
stealing data is < encrypting data, in terms of "new" emerging attack methods.

and yes, healthcare/pharma are under major attack. there's also a push for cyber attacks on "systems" like aircraft, trains, cars, missiles, drones, etc etc. these "systems" are the areas that have understated attack vectors and thus hackers now hunt them down and exploit them. the lack of security in these "systems" probably stems from the gap between older program managers and newer/younger hackers. the older program manager likely still has the 1960's mentality that attacking a missile via Rf is not so ez and requires massive resources to build the attack Rf system. in 2017 that notion has long passed.

however, there is some hope. i know a few folks in missile system companies (US) who have this "system" security well understood and the security needs are built into the products they make. NIST/NICE is also formulating the requirements/definitions of what a cyber security person has to be and these things will be translated into educational curriculum (already starting).

huge gap between good cyber folks and the mass of cyber hackers, but we have started to close the gap.
 
Old 09-12-2017, 08:01 AM   #4
dave@burn-it.co.uk
Member
 
Registered: Sep 2011
Distribution: Puppy
Posts: 601

Rep: Reputation: 172Reputation: 172
There is a huge problem with information in the healthcare sector.
It needs to be both reasonably freely accessible at any time as well as being secure.
I would imagine you(anyone) would be pretty peeved if emergency medical care was needed but could not be given because your medical records were inaccessible because your records were hidden behind a password.

I don't pretend to know the answer other than removing those who want to abuse the information from the gene pool.
 
Old 09-14-2017, 01:27 PM   #5
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Rep: Reputation: 62
Quote:
Originally Posted by dave@burn-it.co.uk View Post
There is a huge problem with information in the healthcare sector.
It needs to be both reasonably freely accessible at any time as well as being secure.
I would imagine you(anyone) would be pretty peeved if emergency medical care was needed but could not be given because your medical records were inaccessible because your records were hidden behind a password.

I don't pretend to know the answer other than removing those who want to abuse the information from the gene pool.
although i cant totally disagree with you, ER/doctors/etc need to be educated/experienced enough to provide treatment, and the default is always "we have no other data to look at currently". relying heavily on the IO of digital objects is a bad idea, etc.
 
Old 09-14-2017, 01:36 PM   #6
dave@burn-it.co.uk
Member
 
Registered: Sep 2011
Distribution: Puppy
Posts: 601

Rep: Reputation: 172Reputation: 172
There is a big difference between having to work with no information out in the field, and not being able to access readily available information in the emergency room of a hospital.
 
Old 09-14-2017, 02:13 PM   #7
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Rep: Reputation: 62
Quote:
Originally Posted by dave@burn-it.co.uk View Post
There is a big difference between having to work with no information out in the field, and not being able to access readily available information in the emergency room of a hospital.
why should such data be "readily available" to a ER doc? "readily available" does not always make sense, lets say as example, for a patient who is not conscious and is j.doe on arrival. perhaps a fingerprint may allow some access? but if you want readily available then you need to move the data to a human carrier, like a chip under the skin, etc.

i provide security oversight to a company who does healthcare data analytics, its more like predictive health modeling using patient historical data. this requires chomping time. a password to get there is insignificant in terms of a time roadblock.

another big risk i am studying is patient data integrity. lets say hackers can manipulate data via a long running 0-day, perhaps like the claimed CVE-2017-9805. that "readily available" data is kinda useless and very dangerous, etc. still same concerns with under skin chip data, but the actual data may be a tad harder to hack.

why do we need not-well-secured big-data systems when i myself can carry and provide security controls to protect my data? the game of a few (like the idiots at Equifax) trying to protect the data of many, vs me trying to protect just my data. i believe this is the upcoming paradigm shift we shall see in near future.

Last edited by Linux_Kidd; 09-14-2017 at 02:15 PM.
 
Old 09-14-2017, 02:35 PM   #8
mostlyharmless
Senior Member
 
Registered: Jan 2008
Distribution: Arch/Slackware/Knoppix
Posts: 1,799
Blog Entries: 14

Rep: Reputation: 280Reputation: 280Reputation: 280
Quote:
There is a huge problem with information in the healthcare sector.
It needs to be both reasonably freely accessible at any time as well as being secure.
I would imagine you(anyone) would be pretty peeved if emergency medical care was needed but could not be given because your medical records were inaccessible because your records were hidden behind a password.
Yet another problem unnecessarily foisted upon us all by mandatory EHR implementation. How would you like going in for an emergency and not having the diagnostic equipment, for example the EKG machine, inaccessible because it now runs Win 10 and is either (a) non functional because of the legendary reliability of Windows, (b) inaccessible because some IT cretin thought it was a good idea to implement or change password protection on the system? And why do we need ultrasounds and EKG machines hooked up to the internet? Talk about a bad choice of relative risks and benefits...
 
Old 09-14-2017, 02:44 PM   #9
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_12{.0|.1}
Posts: 5,221
Blog Entries: 11

Rep: Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172
Quote:
Originally Posted by sundialsvcs View Post
And yet, being ever eager to find the cheapest pools of labor possible, no one seems to sit down and consider that these must be inside jobs.
Or simply inside incompetence.
 
Old 09-14-2017, 03:15 PM   #10
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Rep: Reputation: 62
Quote:
Originally Posted by astrogeek View Post
Or simply inside incompetence.
+1

what, you saying the Music Composition degree Susan Mauldin has is not good enough to be a CISO of a company who needs to protect very sensitive data of millions of people?

we have crossed a bridge, on bow side are all the smart sec folks, on the aft side are all these "exec" folks who have biz degrees, music degrees, degree in Russian language, degrees of all sorts, but little education or real experience in info or cyber security, and they are the folks in CISO/CSO/CIO positions! but now we need to ask why/how do these idiots get such positions? because they wiggle there way up and can sweet talk their exec team that they know what they are doing. Susan's career path is dismal and jumpy, 2-2+yr stints here & there, different roles, etc etc = super bad choice for CISO !!! very poor decision making by the Equifax execs to hire Webb and Mauldin into those positions ! hence why the board there needs to fire Webb and CEO immediately, Susan is already gone, hopefully never to be seen again in any C level position, maybe she can teach music at here apartment now.

Last edited by Linux_Kidd; 09-14-2017 at 03:16 PM.
 
Old 09-14-2017, 04:43 PM   #11
dave@burn-it.co.uk
Member
 
Registered: Sep 2011
Distribution: Puppy
Posts: 601

Rep: Reputation: 172Reputation: 172
Quote:
why should such data be "readily available" to a ER doc
Because without it he may make a bad decision.
I have certain differences in my body that would make a big difference to the way - for example - that my chest should be openned for surgery - my major blood vessels are on the wrong side and my heart is out of position. I also have to take drugs that can interfere with the affects of other drugs. I do carry notification at all time, but that could easily get lost in an accident or emergency. I hope that my medical records are available to any surgeon that might have to operate on me or he could end up doing more harm than good.
 
Old 09-14-2017, 04:56 PM   #12
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_12{.0|.1}
Posts: 5,221
Blog Entries: 11

Rep: Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172Reputation: 3172
Quote:
Originally Posted by Linux_Kidd View Post
+1

what, you saying...
That is a awful lot to attribute to my simple comment!

Honestly I know none of the names or resumes of the people involved, so no, that is not what I was saying.

My comment was intended to say that no intent may be necessary (as implied by the term "inside job"), but that the filling of human resource requirements from "cheapest pools of labor" inevitably results in a growing "pool of incompetence" within an organization. The incompetence is visible without knowing the personalities involved.

The responsibility may lie in the hands of some particular CISO/CSO/CIO, or of a whole Board of Somesort, but the incompetence permeates such operations from top to bottom, and is all too common.
 
Old 09-14-2017, 05:09 PM   #13
jefro
Moderator
 
Registered: Mar 2008
Posts: 19,217

Rep: Reputation: 2926Reputation: 2926Reputation: 2926Reputation: 2926Reputation: 2926Reputation: 2926Reputation: 2926Reputation: 2926Reputation: 2926Reputation: 2926Reputation: 2926
Every time you go to a medical office they still ask you for your SSN.

I think the worst part is the systems are connected to the internet. Almost every company thinks that each system has to be connected to the internet for some reason.

Last edited by jefro; 09-14-2017 at 05:11 PM.
 
Old 09-14-2017, 09:23 PM   #14
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Rep: Reputation: 62
Quote:
Originally Posted by jefro View Post
Every time you go to a medical office they still ask you for your SSN.

I think the worst part is the systems are connected to the internet. Almost every company thinks that each system has to be connected to the internet for some reason.
funny though, they can perhaps run a dark web search and find your SSN before you arrive, saving me time when i get there

SS, CC, DL #'s are in my opinion, already in the wild. its just a matter of who is trying to use it.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Security implications of a partitioning scheme ktandel Linux - Security 2 05-14-2014 02:03 PM
how to get harddisk health information. aggrishabh Linux - Newbie 2 08-08-2012 07:00 PM
Security Threats Dmcoder123 Linux - Newbie 2 08-02-2008 01:33 AM
LXer: CodeWeavers, WorldVistA Collaborate on Linux Edition of Public Domain VistA Health Information Software LXer Syndicated Linux News 0 02-20-2006 12:16 PM
security threats ? farhan Linux - Security 4 12-06-2004 06:42 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:58 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration