February 24, 2017 at 6:22 pm
Comments posted to this topic are about the item The Secure Medical Data Challenge
February 25, 2017 at 2:43 pm
The first step for data security actually hasn't been taken by folks that have written most of the medical or even financial software that I've seen. They use clear text SSNs and other PII. I've even consulted for a company that uses SSNs as clear text PKs across multiple databases on multiple systems.
People don't get it until it's their data that has been stolen or spilled. For me, that's the litmus test. How comfortable would I be in having my SSN and PII on a system? The answer is serious negative comfort. I've made that challenge to a couple of supposed "compliance officers" in various companies and, to date, none of them have agreed to add their SSN or even their birthdate to their own systems. These people should be unceremoniously fired and maybe their names should be made available on a public list kind of like sex offenders are. Maybe then, they'd start to take a bit more care with our data.
--Jeff Moden
Change is inevitable... Change for the better is not.
February 26, 2017 at 11:09 am
decided to remove my original post because its just too argumentative and would clutter up a thread that is otherwise worthy of discussion so never mind!
February 27, 2017 at 2:38 am
I think that Jeff highlights the worst reason we have for poorly secured data: poor design and implementation. And it is far too common.
I cannot believe my own memories over the number of times that people have suggested skipping proper authentication, encryption or authorisation. Even worse is the number of times that they went ahead and skipped these.
Saying that these issues will be fixed later is pointless because a) they won't be and b) even if they are there is a window of opportunity for theft etc.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
February 27, 2017 at 8:00 am
Years ago Social Security was the ONLY legal use for a SSN. Now it's college ID, driver's license, medical insurance, car insurance, credit card, home and car rentals, loans, even application for a supermarket discount card. ... etc etc etc. Far more chance (certainty) for exposure. In the electronic world where often the customer and service provider never personally meet, the situation gets even worse. A leak is forever (unlike a credit card number which can be cancelled).
Of course, many people may not even have documentation of their SSN, and if they do it's a simple little paper card which is easily counterfeited. When people don't have convenient proof of ID, especially over electronic media, the next step is personal questions. That's why a compromised social media account password sells for more than a credit card info.
The real world consequences are risky because only a single leak provides complete failure, even if the other 99% of the agencies you deal with are secure. Regardless of one's position on immigration issues, it is a fact that stolen identities are sold for medical and social services. There have been many cases of people who found out that they have recently had medical services paid by their insurance company, or that they've applied for government benefits. Even personal contact doesn't always help, one person posted his story of being admitted to the hospital only to find out 'he had been treated there' only a month ago.
This situation will continue to deteriorate and there is no real way around it. There is no real identity mechanism in this country especially for older folks like myself. Fortunately I got my passport 35 years ago, because my birth certificate was a primitive typed document that wouldn't even be accepted now.
...
-- FORTRAN manual for Xerox Computers --
February 27, 2017 at 8:56 am
I've wondered for a long time why issues like like digital privacy and identity theft don't get talked about more often by politicians. It's something that 99% of the public care deeply and consistently about. But for whatever reason politicians even during an election season don't seem to want to go there; perhaps because certain segments of the corporate community actually profit from unregulated and friction-less digital transactions, even if it means increased incidences of fraud.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
February 27, 2017 at 9:08 am
Eric M Russell - Monday, February 27, 2017 8:56 AMI've wondered for a long time why issues like like digital privacy and identity theft don't get talked about more often by politicians. It's something that 99% of the public care deeply and consistently about. But for whatever reason politicians even during an election season don't seem to want to go there; perhaps because certain segments of the corporate community actually profit from unregulated and friction-less digital transactions, even if it means increased incidences of fraud.
People might care deeply about privacy and identity theft but most people outside of technology simply have no understanding of what the actual risks are enough to have any kind of meaningful discussion about it.
February 27, 2017 at 9:33 am
I feel that the biggest problems with the type of data referenced in the article is that data professionals / programmers / etc can only protect it so far. The larger issue is as Jay-h pointed out, in the US we now use SSNs as an identifier for nearly everything. The ONLY way to resolve that requires the Gov to get involved, but I would suspect that no one within the Gov wants to take on that Gordian knot.
As for Jeffs comments on medical and financial applications storing the SSNs in the clear, well, lets just leave it at I worked for a company that was going down that road. At some point, the attitude of "we're secure, we've got firewalls" is going to come back and bit these companies in the behind.
Hard.
February 27, 2017 at 1:30 pm
ZZartin - Monday, February 27, 2017 9:08 AMEric M Russell - Monday, February 27, 2017 8:56 AMI've wondered for a long time why issues like like digital privacy and identity theft don't get talked about more often by politicians. It's something that 99% of the public care deeply and consistently about. But for whatever reason politicians even during an election season don't seem to want to go there; perhaps because certain segments of the corporate community actually profit from unregulated and friction-less digital transactions, even if it means increased incidences of fraud.People might care deeply about privacy and identity theft but most people outside of technology simply have no understanding of what the actual risks are enough to have any kind of meaningful discussion about it.
It's hard to engage the public meaningfully on any topic. But a politician doesn't necessarily have to present the issue to the public from a technical perspective, they simply have to understand the fear, identify a culprit, and propose a solution. For example: "Internet service providers are hoarding details of your private life and selling it to the highest bidder, digital thieves can drain your bank account and use the money to fund terrorist groups (yada yada), and the current administration has done nothing the address the issue." I've never seen that angle ever come up at a political debate, but I think it would be effective, especially coming from an independent candidate. If we're going to demonize a group of people for political gain, then why not hackers and personal data brokers?
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
February 27, 2017 at 1:34 pm
Eric M Russell - Monday, February 27, 2017 1:30 PMIt's hard to engage the public meaningfully on any topic. But a politician doesn't necessarily have to present the issue to the public from a technical perspective, they simply have to understand the fear, identify a culprit, and propose a solution. For example: "Internet service providers are hoarding details of your private life and selling it to the highest bidder, digital thieves can drain your bank account and use the money to fund terrorist groups (yada yada), and the current administration has done nothing the address the issue." I've never seen that angle ever come up at a political debate, but I think it would be effective, especially coming from an independent candidate. If we're going to demonize a group of people for political gain, then why not hackers and personal data brokers?
Well since some of the biggest and dangerous leaks have happened in government (employee info, CIA agent info, military info), they're probably hesitant to go there.
...
-- FORTRAN manual for Xerox Computers --
February 27, 2017 at 1:58 pm
Eric M Russell - Monday, February 27, 2017 1:30 PMZZartin - Monday, February 27, 2017 9:08 AMEric M Russell - Monday, February 27, 2017 8:56 AMI've wondered for a long time why issues like like digital privacy and identity theft don't get talked about more often by politicians. It's something that 99% of the public care deeply and consistently about. But for whatever reason politicians even during an election season don't seem to want to go there; perhaps because certain segments of the corporate community actually profit from unregulated and friction-less digital transactions, even if it means increased incidences of fraud.People might care deeply about privacy and identity theft but most people outside of technology simply have no understanding of what the actual risks are enough to have any kind of meaningful discussion about it.
It's hard to engage the public meaningfully on any topic. But a politician doesn't necessarily have to present the issue to the public from a technical perspective, they simply have to understand the fear, identify a culprit, and propose a solution. For example: "Internet service providers are hoarding details of your private life and selling it to the highest bidder, digital thieves can drain your bank account and use the money to fund terrorist groups (yada yada), and the current administration has done nothing the address the issue." I've never seen that angle ever come up at a political debate, but I think it would be effective, especially coming from an independent candidate. If we're going to demonize a group of people for political gain, then why not hackers and personal data brokers?
Well digital security issues did come up several times in the course of the last presidential election in the US and despite potentially serious issues it ended up not being a critically important factor for either side despite putting pretty heavy emphasis on them. If anything as technology becomes more mainstream people are just getting desensitized to digital security issues instead of more savvy when it comes to thinking about them.
February 27, 2017 at 2:28 pm
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
February 27, 2017 at 7:12 pm
jay-h - Monday, February 27, 2017 8:00 AMYears ago Social Security was the ONLY legal use for a SSN. Now it's college ID, driver's license, medical insurance, car insurance, credit card, home and car rentals, loans, even application for a supermarket discount card. ... etc etc etc. Far more chance (certainty) for exposure. In the electronic world where often the customer and service provider never personally meet, the situation gets even worse. A leak is forever (unlike a credit card number which can be cancelled).Of course, many people may not even have documentation of their SSN, and if they do it's a simple little paper card which is easily counterfeited. When people don't have convenient proof of ID, especially over electronic media, the next step is personal questions. That's why a compromised social media account password sells for more than a credit card info.
The real world consequences are risky because only a single leak provides complete failure, even if the other 99% of the agencies you deal with are secure. Regardless of one's position on immigration issues, it is a fact that stolen identities are sold for medical and social services. There have been many cases of people who found out that they have recently had medical services paid by their insurance company, or that they've applied for government benefits. Even personal contact doesn't always help, one person posted his story of being admitted to the hospital only to find out 'he had been treated there' only a month ago.
This situation will continue to deteriorate and there is no real way around it. There is no real identity mechanism in this country especially for older folks like myself. Fortunately I got my passport 35 years ago, because my birth certificate was a primitive typed document that wouldn't even be accepted now.
I still have my original card from 1967 or so. It's a cool antique because it's one of those that said the card could not be used for identification,
--Jeff Moden
Change is inevitable... Change for the better is not.
February 28, 2017 at 7:03 am
In a world with 7 billion people, most of whom have (or soon will have) digitized records, we need some type of unique universal identifier, like a SSN. My only problem with SSN is that it can't be used universally. We simply can't rely on name + date of birth for bank transactions and such; that's so Mayberry 1962. The problem today is a lack of face-to-face transactions. When people open bank accounts, request large transfers, or request/submit documents from a the government, it should be done via a teleconferencing app like Skype. If someone doesn't have access to a device, then they can use a kiosk at the nearest post office or just go to the bank in person. Even if the account representative isn't personally familiar with the person making the request, a photo ID can be pulled up from the state database for use as reference, and if the requester turns out later to be a criminal, then the police have a convenient up close video/audio sample of the event for evidence.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
February 28, 2017 at 7:52 am
Eric M Russell - Tuesday, February 28, 2017 7:03 AMIn a world with 7 billion people, most of whom have (or soon will have) digitized records, we need some type of unique universal identifier, like a SSN...
It just isn't practical. If solely in the US you lot couldn't manage to keeps SSNs unique do you think you'll do any better when the rest of us join in? Each of our countries probably have the same horror stories. Definitely here in the UK we have had the same, or at least similar, problems with our National Insurance numbers (a.k.a. NI Number or NIN).
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
Viewing 15 posts - 1 through 15 (of 62 total)
You must be logged in to reply to this topic. Login to reply