In reading an account of the recent attack on Community Health Systems that netted the bad guys 4.5 million patient records and earned CHS a prominent spot on the Wall of Shame, I was struck by the notion put across in the article that all we have to do is work harder to patch vulnerabilities, that with a better defense we can win the game against a skilled quarterback.
I think that we have to come to terms with the notion that privacy is a thing of the past, and that it is not a question of if, but a question of when, any particular system may be hacked. As in the case of the Heartbleed exploit, a back door may be propped open for years before anyone notices, and some exploits may leave no fingerprints.
Speaking of Heartbleed, it now appears that CHS may not have done a thorough job of applying the relevant patches. See: FBI warns healthcare firms they are targeted by hackers | Reuters (The original FBI warning is linked to in the Heartbleed post linked to above.)
What is to be done?
- We need to stop using the social security number in medical records and insurance records because, linked with other medical record data, it enables identity theft.
- We need to do a better job with authentication of users of systems, so that it becomes harder to use stolen identities to set up new accounts or exploit existing ones.
- We need to do a better job of enforcing anti-discrimination laws, because then the release of certain private information will no longer be so devastating.
- We need to be honest with ourselves about the limits of privacy and security in the connected world we've built, because otherwise we will all continue to live with unrealistic expectations.
- We need to have better systems in place to deal with breaches when -- not if -- they happen, because we aren't likely to accomplish the first four jobs on this list anytime soon.
What do you think?