Hacker News new | past | comments | ask | show | jobs | submit login

It makes me wonder. For several years the US government, Medicare, and private insurers have been pushing hard for health care providers to adopt Electronic Health Record systems. Now in the current phase "interoperability" of EHR systems is the catchword.

A question to ask is how secure is a large network of EHRs going to be? I don't know of data showing the frequency or severity of EHR security breaches but it would be surprising if there were not at least some. In any case, this kind of info would probably not be made available to the public, even though it should be.

Anthem's poor job of keeping confidential info private is especially distressing given the fact that many health insurers are also health care providers (e.g., hospital systems). Computer systems are very hard to operate securely, and after what happened, it's hard to trust these corporations will take the task seriously.

I've been quietly predicting that security of health information is going to become the Next Big Privacy Issue as the Internet of Medical Records grows ever larger.




This is why, increasingly, my view is that people should be in charge of their own data, and only what is specifically required to complete a transaction should be disclosed.

How to implement that technically becomes an interesting question, but between pocket spies with storage measured in tens of GB to TB, and various forms of key authentication, it seems that there are several possible options.

The whole discussion above regarding the false crime of "identity theft" (it's impersonation fraud facilitated by the data holder's negligence) is another point of increasing frustration for me.

I've been having a few related discussions with David Brin (a data cornucopian) on Google+. Brin, hardly to my surprise, responds with extreme derision.


Ultimately, the web is an attack vector that no one is immune to. Did you read the Syria hack recently? Just a skype chat with an attractive opposite-gender is enough to download a piece of malware masquerading as a picture you really want to see. While the human aspect has always been a key element of getting hacked, products that claim to distinguish the good vs. bad are failing big time. And this has been the pillar of enterprise security (classifying good against bad) for the last 20 years and is starting to show its age.


"A question to ask is how secure is a large network of EHRs going to be?"

LOL, everyone 'on the inside' (by that I mean: at least anyone who works on computers, software or networks professionally) knows the answer to that question: it's going to be a train wreck. There is not a single person on this planet who really understands just 1% of the software, hardware and network infrastructure they/we work on every day; let alone how all of these interact. Computers, in 2015, are so complex, and our 'engineering' is so shoddy, that there is no way to safeguard networked data for anyone but the most determined and resourceful parties (by which I mean organizations of which there are but a handful in the whole world, and even those can't seem to keep secrets really secret.) Either way, there is no way at all that a non-IT focused organization like a healthcare insurer or provider will be able to keep data secure, and it's only a matter of time before incidents like this will become commonplace.

Consider: I have an in-law who is a partner in a largish practice in my area. We talked a bit about the business aspects of the practice when she became a partner because she had to put up with all the management crap all of a sudden and it was nice for her to vent to people who had similar issues. Anyway, point being I know a bit about the finance and management of a rather typical organization like that. These people will in the next 5 years somehow get access to our, by then, country-wide EHR system. They work on computers they buy from the local computer shop because the prices 'seem reasonable' and Jimmy who works there dates the secretary or whatever; so Jimmy (whose training was in swapping out hard disks and reinstalling Windows) is the one who 'maintains' their systems, too. Their cash flow is so precarious that some months they can't pay full wages to the partners. How will an organization like that ever be able to secure their network? Their 'security' consists of the cable guy setting a non-default WPA key on their wireless router.

And of course, they're required by the organization that maintains the EHR system to have 'regular auditing of their systems' to ensure security. Which consists of a couple of big 4 consultants who interview the management, tick some boxes on their checklist and make a 50-page CYA report out of that, without ever having touched a server or network.

I got out of the security game 10 years ago, and it was already scary back then. Maybe somebody who still works there will feel otherwise, but computer security (on the blue team) is like FEMA sending two guys with a shovel and a Walmart plastic bucket to a dike breach. (whereas on the red team it's shooting fish in a barrel, of course.) We are truly fucked, because too few people understand the magnitude of the problem and as long as there are no problems and you don't look too closely at the robustness of things, using computers is much cheaper than the alternatives.


No, you're about right. On the bigger corporate side, security is at least the big buzzword. The VP- and C-level positions want to be sure that action is being taken to improve security, but day to day requests to poke holes in the walls come in. That is not to even mention the huge, ancient systems that are in the middle of multi-year replacement processes that began before security was so important. That means at best the replacement will have the security best practices of the last few years stapled on awkwardly, but more likely nothing will change given the millions poured in already.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: