'Threats to Information Security - Public Health Implications'
Quote:
'In health care, information security has classically been
regarded as an administrative nuisance, a regulatory hurdle, or a
simple privacy matter. But the recent "WannaCry" and "Petya"
ransomware attacks have wreaked havoc by disabling organizations
worldwide, including parts of England's National Health Service (NHS)
and the Heritage Valley Health System in Pennsylvania. These events
are just two examples of a wave of cyberattacks forcing a new
conversation about health care information security. With the delivery
of health care increasingly dependent on information systems,
disruptions to these systems result in disruptions in clinical care
that can harm patients. Health care information security has emerged
as a public health challenge.'
N Engl J Med 2017; 377:707-709, August 24, 2017. DOI: 10.1056/NEJMp1707212
stealing data is < encrypting data, in terms of "new" emerging attack methods.
And yes, healthcare/pharma are under major attack. There's also a push for cyber attacks on "systems" like aircraft, trains, cars, missiles, drones, etc. These "systems" are the areas that have understated attack vectors, and thus hackers now hunt them down and exploit them. The lack of security in these "systems" probably stems from the gap between older program managers and newer/younger hackers. The older program manager likely still has the 1960s mentality that attacking a missile via RF is not so easy and requires massive resources to build the attack RF system. In 2017 that notion has long passed.
However, there is some hope. I know a few folks in missile system companies (US) who have this "system" security well understood, and the security needs are built into the products they make. NIST/NICE is also formulating the requirements/definitions of what a cyber security person has to be, and these things will be translated into educational curricula (already starting).
Huge gap between good cyber folks and the mass of cyber hackers, but we have started to close the gap.
There is a huge problem with information in the healthcare sector.
It needs to be both reasonably freely accessible at any time as well as being secure.
I would imagine you (anyone) would be pretty peeved if emergency medical care was needed but could not be given because your medical records were inaccessible, hidden behind a password.
I don't pretend to know the answer other than removing those who want to abuse the information from the gene pool.
Quote:
There is a huge problem with information in the healthcare sector.
It needs to be both reasonably freely accessible at any time as well as being secure.
I would imagine you (anyone) would be pretty peeved if emergency medical care was needed but could not be given because your medical records were inaccessible, hidden behind a password.
I don't pretend to know the answer other than removing those who want to abuse the information from the gene pool.
Although I can't totally disagree with you, ER doctors etc. need to be educated/experienced enough to provide treatment, and the default is always "we have no other data to look at currently". Relying heavily on the IO of digital objects is a bad idea, etc.
There is a big difference between having to work with no information out in the field, and not being able to access readily available information in the emergency room of a hospital.
Quote:
There is a big difference between having to work with no information out in the field, and not being able to access readily available information in the emergency room of a hospital.
Why should such data be "readily available" to an ER doc? "Readily available" does not always make sense, let's say as an example, for a patient who is not conscious and is a J. Doe on arrival. Perhaps a fingerprint may allow some access? But if you want readily available, then you need to move the data to a human carrier, like a chip under the skin, etc.
I provide security oversight to a company who does healthcare data analytics; it's more like predictive health modeling using patient historical data. This requires chomping time. A password to get there is insignificant in terms of a time roadblock.
Another big risk I am studying is patient data integrity. Let's say hackers can manipulate data via a long-running 0-day, perhaps like the claimed CVE-2017-9805. That "readily available" data is kinda useless and very dangerous, etc. Still the same concerns with under-skin chip data, but the actual data may be a tad harder to hack.
Why do we need not-well-secured big-data systems when I myself can carry and provide security controls to protect my data? The game of a few (like the idiots at Equifax) trying to protect the data of many, vs. me trying to protect just my data. I believe this is the upcoming paradigm shift we shall see in the near future.
Last edited by Linux_Kidd; 09-14-2017 at 02:15 PM.
Quote:
There is a huge problem with information in the healthcare sector.
It needs to be both reasonably freely accessible at any time as well as being secure.
I would imagine you (anyone) would be pretty peeved if emergency medical care was needed but could not be given because your medical records were inaccessible, hidden behind a password.
Yet another problem unnecessarily foisted upon us all by mandatory EHR implementation. How would you like going in for an emergency and finding the diagnostic equipment, for example the EKG machine, inaccessible because it now runs Win 10 and is either (a) non-functional because of the legendary reliability of Windows, or (b) inaccessible because some IT cretin thought it was a good idea to implement or change password protection on the system? And why do we need ultrasounds and EKG machines hooked up to the internet? Talk about a bad choice of relative risks and benefits...
What, you saying the Music Composition degree Susan Mauldin has is not good enough to be a CISO of a company who needs to protect very sensitive data of millions of people?
We have crossed a bridge: on the bow side are all the smart sec folks, on the aft side are all these "exec" folks who have biz degrees, music degrees, degrees in Russian language, degrees of all sorts, but little education or real experience in info or cyber security, and they are the folks in CISO/CSO/CIO positions! But now we need to ask why/how do these idiots get such positions? Because they wiggle their way up and can sweet talk their exec team that they know what they are doing. Susan's career path is dismal and jumpy, 2-2+ yr stints here and there, different roles, etc. = super bad choice for CISO!!! Very poor decision making by the Equifax execs to hire Webb and Mauldin into those positions! Hence why the board there needs to fire Webb and the CEO immediately. Susan is already gone, hopefully never to be seen again in any C-level position; maybe she can teach music at her apartment now.
Last edited by Linux_Kidd; 09-14-2017 at 03:16 PM.
Quote:
why should such data be "readily available" to an ER doc
Because without it he may make a bad decision.
I have certain differences in my body that would make a big difference to the way - for example - that my chest should be opened for surgery - my major blood vessels are on the wrong side and my heart is out of position. I also have to take drugs that can interfere with the effects of other drugs. I do carry notification at all times, but that could easily get lost in an accident or emergency. I hope that my medical records are available to any surgeon that might have to operate on me, or he could end up doing more harm than good.
That is an awful lot to attribute to my simple comment!
Honestly I know none of the names or resumes of the people involved, so no, that is not what I was saying.
My comment was intended to say that no intent may be necessary (as implied by the term "inside job"), but that the filling of human resource requirements from "cheapest pools of labor" inevitably results in a growing "pool of incompetence" within an organization. The incompetence is visible without knowing the personalities involved.
The responsibility may lie in the hands of some particular CISO/CSO/CIO, or of a whole Board of Somesort, but the incompetence permeates such operations from top to bottom, and is all too common.
Every time you go to a medical office they still ask you for your SSN.
I think the worst part is the systems are connected to the internet. Almost every company thinks that each system has to be connected to the internet for some reason.
Quote:
Every time you go to a medical office they still ask you for your SSN.
I think the worst part is the systems are connected to the internet. Almost every company thinks that each system has to be connected to the internet for some reason.
Funny though, they can perhaps run a dark web search and find your SSN before you arrive, saving me time when I get there.
SS, CC, DL #'s are, in my opinion, already in the wild. It's just a matter of who is trying to use them.