Australia Post Ransomwared Its Own Staff
-
@Dashrender said in Australia Post Ransomwared Its Own Staff:
Wow - I don't know if that is awesome or cruel and unusual punishment.
Both, perhaps. But when security actually matters, how can you do any less? You must weed out the people who can't think and act securely.
-
@scottalanmiller said in Australia Post Ransomwared Its Own Staff:
@Dashrender said in Australia Post Ransomwared Its Own Staff:
Wow - I don't know if that is awesome or cruel and unusual punishment.
Both, perhaps. But when security actually matters, how can you do any less? You must weed out the people who can't think and act securely.
yeah - I agree. Personally, I would love to do this here, and frankly everywhere, because the weak link in most businesses is the personnel.
-
@Dashrender said in Australia Post Ransomwared Its Own Staff:
@scottalanmiller said in Australia Post Ransomwared Its Own Staff:
@Dashrender said in Australia Post Ransomwared Its Own Staff:
Wow - I don't know if that is awesome or cruel and unusual punishment.
Both, perhaps. But when security actually matters, how can you do any less? You must weed out the people who can't think and act securely.
yeah - I agree. Personally, I would love to do this here, and frankly everywhere, because the weak link in most businesses is the personnel.
Although in most places, security doesn't matter. Like where you are... is there any data that anyone would actually want to steal?
-
@scottalanmiller said in Australia Post Ransomwared Its Own Staff:
@Dashrender said in Australia Post Ransomwared Its Own Staff:
@scottalanmiller said in Australia Post Ransomwared Its Own Staff:
@Dashrender said in Australia Post Ransomwared Its Own Staff:
Wow - I don't know if that is awesome or cruel and unusual punishment.
Both, perhaps. But when security actually matters, how can you do any less? You must weed out the people who can't think and act securely.
yeah - I agree. Personally, I would love to do this here, and frankly everywhere, because the weak link in most businesses is the personnel.
Although in most places, security doesn't matter. Like where you are... is there any data that anyone would actually want to steal?
Exactly.
-
@scottalanmiller said in Australia Post Ransomwared Its Own Staff:
@Dashrender said in Australia Post Ransomwared Its Own Staff:
@scottalanmiller said in Australia Post Ransomwared Its Own Staff:
@Dashrender said in Australia Post Ransomwared Its Own Staff:
Wow - I don't know if that is awesome or cruel and unusual punishment.
Both, perhaps. But when security actually matters, how can you do any less? You must weed out the people who can't think and act securely.
yeah - I agree. Personally, I would love to do this here, and frankly everywhere, because the weak link in most businesses is the personnel.
Although in most places, security doesn't matter. Like where you are... is there any data that anyone would actually want to steal?
That's a joke, right? Medical data is highly valuable for fraud purposes, and other types of manipulation. Warren Buffett lives in Omaha, let's assume he was a patient - his data would possibly be good for blackmail reasons, or causing his stock to get hurt, etc... so yeah, medical data is valuable.
-
@Dashrender said in Australia Post Ransomwared Its Own Staff:
That's a joke, right? Medical data is highly valuable for fraud purposes, and other types of manipulation. Warren Buffett lives in Omaha, let's assume he was a patient - his data would possibly be good for blackmail reasons, or causing his stock to get hurt, etc... so yeah, medical data is valuable.
Not a joke, and I can't figure out how this would be useful in the real world. Let's assume Warren Buffett lives in Omaha; how much would it cost to track him to your systems and guess that something that could be used for blackmail is there? How would someone use medical data that can't be verified for blackmail in the first place? Medical data is nearly useless for fraud on any cost-effective scale.
Instead of assuming the one-richest-man scenario, talk about the real world. Unless you have Warren Buffett or Bill Gates as clients, you've pointed out how absurd the belief is that medical data is valuable - it's like saying "this datacenter isn't reliable because a meteor could hit it!"
If you have to go to that extreme to come up with a case where theft might be valuable, you know it's not a real threat.
-
In the real world, medical data is useless. Knowing someone's social security number and address is not super useful and can be found from any number of sources. Targeted people will have this compromised without needing to get into medical systems. Non-targeted people are worth essentially zero. What possible use would someone have for random healthcare data? Knowing someone's healthcare record has about zero value.
The standard calculation for stealing data comes down to value of the theft vs. cost to commit the crime. With medical data, the value of the data is insanely low and the cost of the crime is moderately high. Because you can't effectively target an individual nor can you know if there is even any data worth a penny and because the criminal penalties are so high, it makes for an essentially worthless target. The only crimes of this nature I've ever heard of come from the medical facilities themselves, not outside actors. All reasonable threats are internal, from people who already have access to the data and can determine the value of a crime before committing it.
-
@Dashrender said in Australia Post Ransomwared Its Own Staff:
...so yeah, medical data is valuable.
Valuable in data theft terms means millions of dollars. Are you telling me that you, right now, could take the data in your systems and sell it for millions of dollars? You have data that someone would give you that kind of money for today on the black market?
-
OK, I see where you're going with that - the actual medical data itself isn't valuable - maybe... but the identity stuff definitely is. Huge amounts of medical fraud in Florida where stolen identities are used to file fake insurance claims. It's definitely true that much of this is committed by those who already have legal access to the EHR.
I guess the reason the government cares about this is all FUD then? Just a way to waste taxpayer money? Not saying that's not possible or even likely...
-
@Dashrender said in Australia Post Ransomwared Its Own Staff:
I guess the reason the government cares about this is all FUD then? Just a way to waste taxpayer money? Not saying that's not possible or even likely...
No, the government cares because it's reckless and negligent not to have a minimum amount of security, and it takes essentially zero effort. The industry was so careless across the board with this stuff that they had to do something. HIPAA is such a trivial, minimal level of security that you can't think of it as the government making anything happen; it doesn't even require that medical offices do as much as they should have been doing anyway. So not one penny is being wasted; meeting HIPAA requirements is so basic that not meeting it is really a problem.
Is the purpose of HIPAA largely just to make people feel better? Of course, I'm shocked that there is a feeling that it was ever anything else. The only thing that makes medical data special is that the government controls your medical access and therefore doctors are government representatives and if they lose your data there is a responsibility that goes worlds beyond that of a private business doing it. Because it is data that is essentially "taken from you by force" all responsibility for its safety falls to the medical businesses. It's not like your data that you share with the bank or store that you do so voluntarily. So while the data has little value, it carries high risk.
It's not that it is valuable to steal, it is risky in case it is lost. The damage done is not to the patient, but to the government and medical institution.
-
@Dashrender said in Australia Post Ransomwared Its Own Staff:
I guess the reason the government cares about this is all FUD then?
Why else did you think that HIPAA has no real value. It doesn't require that things be even remotely secure and doesn't create any security practices that good IT and management would have been worlds beyond already. So given that its purpose clearly wasn't to secure data but to pretend to secure data, what else could it be for?