Bloodthirsty data parasites hungrily eye up healthcare sector

The healthcare industry sees 340 per cent more security incidents and attacks than the average market segment, according to a new study by Raytheon|Websense. Raytheon|Websense also warns that healthcare organisations are more than 200 per cent more likely to encounter data theft. Carl Leonard, principal security analyst at …

  1. Doctor Syntax Silver badge

    care.data

    SUCH a good idea!

    1. John G Imrie

      Re: care.data

      I think you have said everything that needs to be said there.

      1. Graham Marsden

        Re: care.data

        Exactly. Our data is *valuable* and needs to be kept secure, not made available to any Tom, Dick or Hacker out there simply so the Government can make a quick buck.

        1. Anonymous Coward

          Re: care.data

          Plus the data *will* be stolen. I am coming around to the view that any organisation which stores sensitive personal data in a computer database should have a published plan of what they will do *when* it is stolen. Not if. When.

          If the OPM had stored their records on paper instead of computer, then at least the Chinese would have had to physically turn up at the premises with several dozen inconspicuous lorries.

          1. Doctor Syntax Silver badge

            Re: care.data

            "should have a published plan of what they will do *when* it is stolen"

            I like it (apart from the fact that "stolen" isn't the legally correct term). It should extend to loss from anyone they've sold it on to and anyone they in turn sold it on to ad inf. - which would place an obligation on purchasers to report back. It would at least concentrate the minds.

            "Claim from our insurance" wouldn't be a satisfactory complete answer although it might be a good thing to include. Insurers need to start thinking what they might be on the hook for and start dictating precautions.

            And the plans should apply when someone downstream combines anonymised data with a data set capable of de-anonymising it.

            1. speedbird007

              Re: care.data

              I believe that care.data has been "paused" yet again. Meanwhile the boss of IT I Kelsey has a new job in Australia with Telstra Healthcare. Would you trust BT with your health data? No I thought not.

              Bet he took a few copies of care.data with him - to show off of course in his interviews.

              I really really hate what this govt are doing to the NHS, every day a new story puts the boot into the underfunded and understaffed NHS.

              1. Mark 85

                Re: care.data

                It's not just you Brits that have the problem... we have it here in the States also. Since it's hitting critical mass, those TLAs and FLAs created to "protect us" should be leading the way to stopping it. Instead we get fed about how by snooping on world+dog they're making the world safer. Sorry... slurping my personal data by the miscreants doesn't make my world safer. Stop them, and I'll buy that the world+dog snoop is a benefit... maybe.

          2. Anonymous Coward

            have a published plan of what they will do *when* it is stolen.

            "You can rest assured that we are deeply committed to keeping your data safe and that we apply sophisticated, cutting-edge technology measures to prevent this from happening".

            This is what they DO / say, when your data IS stolen.

            1. Anonymous Coward

              Re: have a published plan of what they will do *when* it is stolen.

              "You can rest assured that we are deeply committed to keeping your data safe and that we apply sophisticated, cutting-edge technology measures to prevent this from happening"

              Yes, it's a bit like saying "we don't need a fire escape in this building because we are trying really hard not to have a fire".

          3. Rusty 1

            Re: care.data

            "should have a published plan of what they will do *when* it is stolen." - well obviously they will have an investigation, an internal one (for they best understand the context, and the myriad of jolly awkward problems securing any data). A most rigorous investigation too, leaving only a very few stones unturned, ruthlessly and relentlessly seeking out the reason why the theft/loss was discovered.

  2. David Pollard

    Said it before ...

    ... and will say it again. Care.data's plan to make a centralised duplicate copy of all our health data is bound to expose it to significant risk. It would be only a matter of time before it is plundered.

    For research purposes there should be no reason why the data can't be processed locally, at the GP surgery, hospital or clinic, with only the essentially anonymous results being passed on to the body doing the work. If there are also requirements that research programs which analyse the data have to be open source, all results are published, and access to data is logged, this should make things more secure rather than open to vandals.

  3. Anonymous Coward

    four pointing back at you

    Wow, lots of finger pointing going on here.

    As the IT Director for a rather large US healthcare facility I can tell you we are definitely aware of the risk and challenges in keeping EPhi safe. I can't speak for everyone, of course, and I have no idea how it's done across the pond, but for me the biggest problem is that legislation is moving so fast regarding regulation changes while at the same time government and industry demand that your EHR comply with specific requirements (the latest is moving from the 30-year-old ICD9 standard to the new ICD10 coding). If you want some light reading on what we deal with, pick up the over-1500-page 2014 Omnibus rule or the over-2500-page 2007 HITECH act or the 3000+ pages of the original HIPAA act, and then remember all of that any time you apply changes to your systems. Oh, after making said changes, don't forget that regulations require a new security risk assessment to be performed on your changes.

    It's a big problem without an easy solution. We encrypt our hard drives and have remote wipe and locate features on all mobile devices, but there's always the risk of someone just printing out a chart and sticking that in their bag as they head to a patient's residence (which is how they used to do everything). Are electronic records more secure than carrying paper copies? Yes, in some ways, but not in others (hard to remotely access paper). At least in electronic format we have a way to track and know when information is mishandled. The unfortunate part of that is that when a leak happens now, it usually is a lot more information than can fit on a few sheets of paper.

    It's the world we live in and it's only going to get worse. If you want my opinion, you could stop >90% of hacking breaches if the western hemisphere would simply drop internet traffic coming from China, Russia and any country whose name ends in "via" or "kia" (and maybe N. Korea). When I look at IDS or firewall logs almost everything illegitimate is coming from those areas of the world. I know that's probably not very reasonable, but if you aren't already blocking those subnets on your perimeter firewall, you should.
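The poster's claim that "almost everything illegitimate" in the firewall logs comes from a few regions is the kind of thing worth measuring before a perimeter block goes in. The following is an added example, not the commenter's code: it parses iptables/UFW-style "SRC=" log lines, attributes each source address to a region via a prefix list, reports the share per region, and renders the ipset/iptables rules that would enforce the block. The log lines and the region prefixes are constructed placeholders (real prefix lists come from RIR delegated files or a GeoIP database).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in iptables/UFW format (not taken from the page).
SAMPLE_LOGS = """\
Jun 10 02:11:04 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP DPT=3389
Jun 10 02:11:09 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.46 DST=198.51.100.10 PROTO=TCP DPT=22
Jun 10 02:12:31 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.17 DST=198.51.100.10 PROTO=TCP DPT=445
Jun 10 02:13:02 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.18.5.9 DST=198.51.100.10 PROTO=TCP DPT=22
Jun 10 02:14:55 fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.10 PROTO=UDP DPT=53
"""

# Placeholder region -> prefix mapping (hypothetical documentation ranges, not real country allocations).
REGION_PREFIXES = {
    "region-A": ["203.0.113.0/24"],
    "region-B": ["192.0.2.0/24"],
}

SRC_RE = re.compile(r"\bSRC=(\d+\.\d+\.\d+\.\d+)\b")

def build_networks(prefixes):
    """Parse CIDR strings once so each log line only does membership tests."""
    return {region: [ipaddress.ip_network(p) for p in cidrs] for region, cidrs in prefixes.items()}

def classify(ip, networks):
    """Return the first region whose prefix list contains ip, else 'unlisted'."""
    addr = ipaddress.ip_address(ip)
    for region, nets in networks.items():
        if any(addr in n for n in nets):
            return region
    return "unlisted"

def summarise(log_text, prefixes=REGION_PREFIXES):
    """Count blocked events per region and return (total, counts, share-of-total)."""
    networks = build_networks(prefixes)
    counts = Counter()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m:                      # lines without a SRC= field are skipped
            counts[classify(m.group(1), networks)] += 1
    total = sum(counts.values())
    share = {r: c / total for r, c in counts.items()} if total else {}
    return total, dict(counts), share

def render_block_rules(region, prefixes=REGION_PREFIXES, chain="INPUT"):
    """Emit the ipset/iptables commands that would DROP inbound traffic from one region's prefixes."""
    name = f"geo_{region.replace('-', '_')}"
    cmds = [f"ipset create {name} hash:net"]
    cmds += [f"ipset add {name} {cidr}" for cidr in prefixes[region]]
    cmds.append(f"iptables -I {chain} -m set --match-set {name} src -j DROP")
    return cmds
```

Review the "unlisted" share and allow-list known partner networks before applying the DROP rule; regional blocking is coarse, and proxied or cloud-hosted traffic lands on either side of the list.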

    1. Mark 85

      Re: four pointing back at you

      Well said. Have an upvote. Isn't it nice that the government dumps the bulk of the regulation on you yet does nothing to assist until after the attack? Usually involving fines and maybe some work by a TLA to fix a small part of the blame or for political reasons?
