Domestic piracy-- a new twist

Hacking into website? Sure, that's easy (so I heard) on an unsecured site.

Stealing patients' info? Other personal info has been stolen, so it's possible.

Deleting backup? Unless he can magically log into a non-connected machine, there is no way he can do this. I call bull. And if this is bull, point number two is probably bull, too.

 

Hijacking of web sites for ransom appears to be a standard sort of crime nowadays. Also (though very different) hijacking of cargo trucks. So domestic piracy is very much a real problem.

 

+1. For anything sensitive, backups are the name of the game. A number of years ago my university lost one of it's mail servers - poof, the hard drive was unrecoverable. As luck would have it, so was the 1st tier backup... but that's ok, because they stored everything on tape in an offsite location.

The only problem was scraping together enough machines to read all that data off the tapes in time for all of the grant proposals that needed to happen.

You can be sure that someone storing confidential medical records have secure backups like that as well.

 

If this was a successful hack of confidential patient data, they are in violation of HIPAA (Health Insurance Portability and Accountability Act). Specifically Title II HIPAA

They are also in violation of the proposed HITECH (Health Information Technology for Economic and Clinical Health act)

Generally, HHS has standards like 45 CFR 160, 162, and 164. Violation of the mentioned rules will result in very stiff fines and legal action

 

People who hijack web sites and demand ten million dollars ransom don't usually care about stuff like HIPAA. I doubt if HHS will even get involved. Probably falls more in the jurisdiction of the FBI, if they're not too busy spying on peace protesters and taking pay-offs from organized crime.

 

Yeah, good point. These regulations are supposed to protect us, but more often they're used as CYA for those involved

The few projects I've had that recently touched on these issues, I had to CYA (Document my nice person off) to "prove" the system was compliant

 

Couldn't you simply use WOM (Write-Only Memory). I find that WOM is excellent for use in high security applications.

Tom

 

It was a civillian project, not a military one. Trust me, concepts like wom would fly right over their heads.

Actually, I recall that pretty much the entire project sailed over the heads of the stakeholders. Kind of scary actually. For that reason, I no longer offer any consulting to the private sector health industry.

The primary stakeholders/decision makers are bean counters, not engineers