Thursday, December 25, 2014

Not So Entertaining

There is actually a silver lining in the brouhaha over the hacking of Sony. Forget about the right to free speech; that is only pertinent in some countries. The fact that the backlash to the intended release of The Interview was so swift should make people realize that every organization is vulnerable to having its IT security compromised. This hacking wasn't done by some smartass kid, or by someone who is bitter about not being gainfully employed, or by someone who wants to prove that he can get into a system. This was a foreign government that authorized the hacking and, thus, already had in place people who were trained to infiltrate systems. If North Korea can hack into one company, it can get into the financial exchanges and the U.S. government's websites and databases. The implications are horrendous.

Recently, Richard Beales wrote about the idea of cyberinsurance for banks. It's an interesting idea, and there are insurance companies that offer some form of it. Right now, I would imagine that it's still hard to figure out the cost of premiums. A few years ago I reported the cost of a security breach, per account, at a health care organization. It was about $350 per account. Assuming that number is still accurate, what would the premiums cost a company such as JPMorgan Chase, which has already been hacked? What's the premium to cover some $29 billion? What would it be for the Defense Department? For Social Security?

http://dealbook.nytimes.com/2014/12/23/the-need-for-bank-cyberinsurance/?module=BlogPost-Title&version=Blog%20Main&contentCollection=Breakingviews&action=Click&pgtype=Blogs&region=Body

There is another aspect to hacking for a company such as Sony. In addition to the usual security measures that every company has to take in order to protect HR and bank information, there is the constant battle to prevent people from distributing its content on the Internet. You may think that just because you can't copy a DVD it's not an issue, but it is. You see, content is shared for editing and approval, and everyone who plays that content is vulnerable to having his or her computer or mobile device hacked. It's a managerial problem when content is leaked before a series' ending is shown on TV, and it's an insult to the unsung heroes who construct sets and design costumes. Piracy is not a victimless crime.

But back to insurance. Everyone complains about insurance companies, but they're not made up of greedy, evil people who just want to take your money and shell out nothing if there's a claim. I'm confident that as cyberinsurance becomes standard, companies will be able to reduce their premiums with the guidance of insurers. This would include upgrading firewalls and hiring people to do daily penetration testing. As for piracy of content, that's a matter, I think, of being able to trace paths and fingerprints.

Note: This image was taken from en.wikipedia.org.



Monday, October 6, 2014

The Media and The Hackers

Today's edition of The New York Times featured a topic in its Room For Debate column that's near and dear to my heart: security breaches. The title was: "Keeping Credit Cards and Bank Account Data from Hackers." http://www.nytimes.com/roomfordebate/2014/10/04/keeping-credit-cards-and-bank-account-data-from-hackers?ref=opinion

While some made good points, such as stressing the adoption of E.M.V. technology for credit cards, none of the four experts could even scratch the surface of how to do it. Even if you gave up your credit cards, as suggested by Jose Pagliery, and used one-time virtual numbers via smartphones, there are other areas for potential security breaches.

Take health care, for example. Whether medical records are still on paper or electronic, hackers love them. They don't care if you have an infectious disease or a clean bill of health. They just want four pieces of vital information: your name, your address, your date of birth and your Social Security number. Bingo! They have what they need for identity theft (read: stealing your money).

Another example is content. Piracy is a huge issue for the entertainment business. It's not just about preventing someone from posting a spoiler on YouTube. There are people who are trying to sell movies and shows overseas without paying for them. If you stole the hot dog vendor's food to sell to someone else, you've committed a crime. It's the same thing with content.

At the risk of sounding paranoid, there is always someone who wants something of yours for nothing. Who is watching out for hackers? Sadly, companies do not hire enough people like me who are trained to detect intrusions and vulnerabilities. In the end, we are all at risk.

Thursday, July 10, 2014

China and The Hackers, Again

At this point, it almost sounds like the name of a rock band. China and The Hackers. 

The news of the March hacking of the Office of Personnel Management, which wasn't so bad because employee and contractors' personal data wasn't stolen, is still disturbing. The point is that even though hackers are usually unsuccessful when trying to breach security in the public and private sectors, sometimes they succeed. It's irrelevant whether they are out to steal the data they need for identity theft, for blackmail or for government secrets. There should be accountability at multiple levels within an organization.


Everyone who knows me knows I am cheap. Not just frugal, but outright cheap. Just ask my wife every time I see a grocery bill. But I know we need food. And, guess what, folks? Computer systems need security. They need new firewalls. They need updated software to detect malware and to protect against attacks. Above all, they need experienced, reliable people who can do penetration testing to check for vulnerabilities. The CIO needs to know not just how to hire IT security people, but how to fight for a bigger budget because, folks, the threats are nonstop. Nonstop.

About 15 years ago, my mother-in-law, now retired, used to work for a self-made multimillionaire whose son was allegedly part of a loose ring of people that was caught hacking into a large corporation. His son was a teenager who, by then, had some 10 years of computer experience. He was always bright and even early on, he would love to see what a computer could do besides load games. He knew he wanted to program his computer to turn on the lights in his room. When he was frustrated that his computer was too slow, "something happened" to it. It would fall down the stairs in school and break. One part of it would catch fire. Yeah, right, but his parents bought his lies hook, line and sinker and simply bought him a new one each time. Oh, and he had memorized his parents' credit card numbers so he would rack up unauthorized charges on their accounts. And at that time the term identity theft was not yet in popular use.

Back to China and The Hackers. The hackers of the People's Liberation Army's Unit 61398 and the Shanghai-based Unit 61486 are not the only ones who are involved in cyber attacks. Hacking is not exclusive to China. Don't think for one nanosecond that there aren't hackers in other countries who are trying to break into U.S. government and corporate servers. They're after the military, education, banks, news, online gaming, dating, law enforcement and e-commerce. The world is crawling with hackers. Everyone needs to be concerned.

Tuesday, October 15, 2013

Portable, Personal ECGs and Security

Several months ago I heard the exciting news that a doctor invented an iPad app to replicate an electrocardiogram at a fraction of the cost of its being done in a doctor's office. I'm trying to understand why the use of this hasn't accelerated. Doctors' offices are often busy. Insurance companies are always trying to control costs. And, of course, this could help prevent heart attacks and strokes. So what gives?

I can't answer that part, but I can remind health care providers and insurance companies of one thing: security on mobile devices must not be overlooked. This app is an awesome idea. Someone holds the iPhone in his hands and it can replicate the measurements of an ECG and send them to the doctor. But that also means transmitting the patient's name, address, date of birth and electronic medical records, which often include the Social Security number as well. No pun intended, but you don't want a patient to have a heart attack because he found out that his identity was stolen while doing an anywhere ECG via an app!

Wednesday, October 9, 2013

Under the Radar: VA IT Department Furloughs

I am completely apolitical, so I have not done much hand wringing about the government shutdown. However, I just read that the furloughs at the Veterans Affairs Department mean stopping software development.

That sounds sort of harmless, but what is under the radar here is that the processing of veterans' claims will be affected. And then what? The VA Office of Information and Technology sent 2,754 employees home. That's the size of an impressive corporation.

During the many years I've been working, I've experienced several layoffs. Once it was because the financial meltdown five years ago caused a company I worked for to lay off 20 percent of its personnel six months later. At other times, the contracts I had expired and the end client wanted someone cheaper. At many companies, the thinking is flawed. You need all hands on deck in certain departments. You need toll collectors, even though many drivers have transponders. It's like the Emergency Department of a hospital. You need doctors and nurses, a phlebotomist to draw blood, a technician to perform CT scans and MRIs, and a radiologist to read the results -- 24/7. Just because the CEO may not be prone to getting kidney stones doesn't mean that others may not suffer attacks and need medical care urgently.

Trying to save money by cutting personnel, either with furloughs or permanently, is a temporary stopgap measure. It's like taking out an uninfected appendix in order to lose a few ounces. The decision makers at the top need to see into the future and realize that there may be consequences down the road. You don't need a crystal ball for that. You can be sure that the VA is going to have a huge backlog because a few politicians can't decide on the budget.

Thursday, October 3, 2013

Hackers Like Creative Folk

Hey, you, on Photoshop! Yes, you. I know you bought Photoshop Elements to enhance photos of your kids. Or maybe you bought Adobe InDesign in order to create your own marketing materials. Or you want the full-blown version of Adobe Acrobat because the free reader isn't enough for your needs.

Better check your credit card statements. Brad Arkin, Adobe's chief security officer, admitted in a blog post that hackers removed company data. Adobe has been shifting to the business model of pay as you go. Instead of buying the software on disc, customers will be forced into leasing it and constantly updating it.


My wife and I don't upgrade with every version of any software we use for personal use because the changes are usually minor and the cost is unnecessary. So when Adobe started this shift, my security antenna went up. We use one-time credit card numbers for our online purchases. If we had an open number on file, the hackers who tapped into Adobe would have our credit card numbers, even though the data was encrypted. Adobe claims that they don't believe that any decrypted numbers were taken, but I wouldn't count on that. By the way, 2.9 million Adobe customers are at risk. The hackers have their credit or debit card numbers, expiration dates and even information pertaining to their orders.

And I hate to break it to you, but all your fancy artwork isn't nearly as creative as some hackers.

Wednesday, October 2, 2013

Use of Patient Portals Rises. So Do Security Risks.

A report from Frost and Sullivan called U.S. Patient Portal Market for Hospitals and Physicians: Overview and Outlook, 2012-2017 predicts that patient portal use will increase by 221.1 percent. (For those who like dollar signs, that's an expected growth to $898.4 million in 2017.)

I tend to request my medical records on CD, but my wife uses patient portals extensively. They're terrific. She prints out the vaccination records for the kids to give to the school nurses. She can verify the dosage of medication the kids may have if they get sick. She can check appointments. 

So what's the problem? There isn't any as long as the system she uses is secure. Her physician's practice requires every patient to pay for the patient portal. (Mine doesn't charge patients a fee for it.) He told her that the practice has to pay extra insurance costs to prevent hacking.

That's the concern I always have. The patient portal she uses does not have our home address or Social Security numbers, but just the name and date of birth are two critical pieces of information needed for identity theft. The rest is not hard to find. My wife found her late father's Social Security number on a government website. Is it any wonder that identity theft is an ongoing concern?

www.healthcareIT.frost.com