Hacker News

Change Healthcare is the worst company I've worked for when dealing with IT and security. Lots of security theater getting in the way of the developer's machine because IT is scared of what can happen in dev and staging, whereas competent companies firewall development environments properly so it shouldn't be an issue getting root on your machine. IT monitors every single application that gets installed and scrutinizes you when it's obviously needed to do software work. Just a major pain in the ass. Inability to get root access to the machine. Overly dependent on username/password pairs to communicate between back-ends. Barely any integration testing. Mandatory drug tests.

Can't say I'm surprised that despite all this security theater, Change Healthcare still fails in many spectacular ways.



It seems like healthcare has a few tough security issues. IMHO one of the largest is that staff require immediate and transparent access and will go out of their way to subvert your effort if it restricts them, and they're correct to do so.

From a finTech perspective, the nüMedical people I've dealt with act like they won't be held liable for their lack of planning. I see funding in general at levels that require noncompliance with all kinds of regulations, and it would be easy to demonstrate the disconnect between demands given and resources provided in almost every domain by just walking through each step of a process.


I think a lot of organizations think that security is about going through the motions, or something that you can bolt on after the fact, but it's really a state of mind that needs to exist from the beginning.


UHG/Optum is just as bad... the M&A due diligence has never been decent, more of a checkmark than anything. There is a bad legacy of hiring unqualified people who are not even US citizens. The M&A should have caught the obvious control gaps; it didn't because it's a political mess with nothing but a bunch of people needing CISO or VP titles. With all the CISOs, VPs and Distinguished Engineers, any one of them or their teams should pull together a decent risk assessment for M&As.



