I'm a medical researcher, and I've worked with exactly this sort of data. The number of hoops I had to jump through to even be allowed on the project was insane. Background checks, legal forms of all kinds, trainings on how to keep the data secure. Fingerprint locked rooms. Access control. And most importantly: the data themselves were air-gapped.
If I fucked up on this scale, jail would be the least of my worries. I'd never work again. I'd be professionally shunned forever, with no hope of redemption once my name is attached to the incident in some Google search. No more grants, no more collaborations, no nothing. I'd be ruined. Frankly I'd be begging to be let into prison; where else am I gonna be able to eat?
This is a wild exaggeration. First of all, everyone is insecure. Work as a pentester, and you'll see that the whole world is insecure. After the 30th project with an SQL injection vuln or misconfiguration, you'll never be phased again.
Secondly, this seems to be a straightforward database misconfiguration. The database was set to public with no restrictions. It likely wasn't accessible to anyone who wasn't explicitly looking for it, i.e. security researchers or black hats. Yes, this was horrible, but nothing bad happened here. The database was simply set to private.
Third, my friend, chillax a bit. Yes, it's extraordinarily important to protect people's medical data. But no, you're not personally liable if a fuckup happens. Everyone fucks up. That's why the fuckups are covered by legal protections. You take your job seriously. Good! But you also take your job way too seriously. Bad. You're gonna burn yourself out within a decade with this mindset.
None of this is to say that what happened didn't matter. Of course it matters. But you are literally saying you'd be begging to be let into prison. That's not proportionate, and feels like a reflection of the current social climate of retribution-as-forgiveness.
It isn't. I get that experience as a pentester can make you jaded to security practices, but the healthcare space is extremely regulated and much of what the grandparent said is a direct result of that.
> Secondly, this seems to be a straightforward database misconfiguration. The database was set to public with no restrictions. It likely wasn't accessible to anyone who wasn't explicitly looking for it, i.e. security researchers or black hats. Yes, this was horrible, but nothing bad happened here. The database was simply set to private.
This isn't just a minor misconfiguration. Again, this is a regulated space, with rules. There should be multiple layers in place to make sure that this is not opened to the public. There's risk assessments that needed to be carried out when the database was launched, and on a regular cadence afterwards. "It wasn't accessible to anyone who wasn't explicitly looking for it" isn't reassuring. Look at access logs on any device with a public IP address and it's clear that people are constantly looking.
> But no, you're not personally liable if a fuckup happens.
Under HIPAA, you can be held personally liable. This includes jail time for certain classes of violations.
> But you also take your job way too seriously. Bad.
People working in this space are required to have regular training and undergo audits of their activity, what information they access, risk assessments on how it is stored, and long, drawn out compliance activities just to get access.
>Under HIPAA, you can be held personally liable. This includes jail time for certain classes of violations.
Has anyone ever been actually sent to jail under HIPAA for something comparable to an honest DB config mistake? Has anyone been credibly threatened with it in the court of law? Has anyone come remotely close?
Not even close. The only case I could see it happening was if you purposefully exfiltrated data and sold it, or got some sort of personal gain out of it.
It's the same thing with PCI. They say you can go to jail for violations but exactly 0 people have ever been prosecuted, despite constant negligence in the payment industry.
Suppose you fucked up, and the worst happened: You were the reason the database was misconfigured. What then?
Then you live your life. You think future employers are going to pass on you because of it? Maybe some would. Most don't give a shit. They care about one thing and one thing only: whether you can help them achieve their objectives.
Morals are a fine thing, but the reality is that the original comment was correct: Nothing will happen to these people. As it should be.
They are required under law to notify the affected people. THat's the extent of what will happen. There may be legal repercussions for the company. And I'm sure the engineers will feel pretty awful at this mistake. I know I would. Everyone does.
But that doesn't change the fact that the world is insecure.
> Look at access logs on any device with a public IP address and it's clear that people are constantly looking
Yes, I'd be a bit surprised if this database hadn't already been detected by some automatic IP and port scanning scripts, and the wrong people found out about it
(I don't with exactly these things though do I might be mistaken)
Sorry you're the one wildly exaggerating about its importance. 2.5 million people wouldn't agree with your take on this. This stuff should never be public facing. It should be behind several layers of security not sitting on a public facing server without any protection. The people screwing this should be heavily fined and not be able to work on anything internet facing for several years while they have the time to learn a bit of network security if it does turn out to be gross incompetence/negligence.
If I understood correctly, the database was on a publicly accessible network. Wouldn't the problem be averted by putting the database in a separate VLAN, where only specific IP's from the public VLAN could access it, and not IP's from WWW??
You could secure it in a number of ways, including the way you mention. Unfortunately, it seems like security is no ones top concern unless they are forced to handle it correctly.
That's not really what VLANs are for, you'd probably just use firewall rules to restrict access to certain IPs. VLANs are more for creating virtual-networks-inside-networks, they're more organization-based than security-based.
What's more, it's important to take in the context of the data. It's not mental health, or HIV status, or sexual history, or really of any nature that can do damage other than the privacy aspect. It's people who hurt their neck after a car accident. Not the most sensitive stuff in the world.
Just to be explicit about it, I'm not suggesting the release of this data isn't a problem. Just that as medical data goes this is about an innocuous as it could have been. Even day-to-day visits to your primary care doc would probably have references to much more sensitive health data.
It's more sensitive than you'd think if any claims or settlements were involved. Or employers might want to snoop on their injured employees to find a reason to deny leave.
In contrast here, this data likely came from an insurance company, which got access to the data from their claims. They don't inherently care about these people, because they're all seen as "costs" to the balance sheet profits for the year. Sending their data out for "AI" to try and learn how to predict which claims can be rejected is a rational thing to do, in their eyes, whatever the cost (to those concerned and their data), since it might help improve their bottom line by rejecting claims faster.
At least there's a cynical take on this. They have no inherent interest in protecting this data, absent external pressures or legislation that imposes penalties.
It strikes me the real issue is the lack of negative inventive for people and businesses who screw up with data. If you build something physical that falls down and hurts people, your investor money ends up paying compensation. In tech though, the goal seems to be to make the revenues without ever touching the responsibility.
The story over the weekend of Amazon trying to avoid being deemed liable as a seller for goods they ship, (often) deliver, warehouse, market, dispatch and receive seems to sum this up. A race to the bottom when it comes to protections - Amazon effectively is a shop selling goods from others, as it all happens on their terms. We see similar in physical retail where the manufacturer or reseller has a retention of title over goods in the store, and that doesn't affect the store being responsible. It seems like the "being responsible for what you build" is very much lacking in tech companies, due to lack of external regulation to achieve it. Same here in this case.
We've tried this for a while (companies using customers data) and I see a strong case for governments to start protecting users more strongly, because the current way this is being treated isn't working (medical data needs to be handled with greatest care everywhere else, why not here?).
The user already pays for the insurance (or hardware or service in other cases), so the data collected should only be used for those purposes, e.g., handling the claim and not building AI models without the necessary care. The customer should have the right to sell their own data to a company they see fit to take care of it appropriately and that compensates them for it.
The problem is with ownership I think. I'm not German so I'm really only speaking from what I've seen online (mostly here), but my understanding is that for Germans in particular (maybe EU writ large), you own data about you regardless of how it is collected or who has custody of it. In the US, it seems like the data about people is owned by whoever creates that data (in this case, an insurance company), so they are free to do with that data whatever they like provided it doesn't violate some other non-data-specific law.
When the mantra of a huge swathe of business is "disruption" "move fast and break things" etc, well, we end up with a broken disrupted system.
Innovation is good, but stability is also good. Instead of optimizing only for dynamism we need to optimize for both.
The reason you'll get yourself in trouble and these people won't is because you are operating in different moral systems. Where they operate, the moral thing to do is whatever it takes to succeed, it's entirely moral to "fake it until you make it" to buy media articles promoting your product, to sell media space your readers believe is actually curated, to the highest bidder.
You operate in the "ivory tower" they hate, because it's slow and puts up boundaries that limit people from succeeding at all cost, that makes you think about the consequences of your actions. They call it slow and inefficient, I call efficient in the long run.
Universities can be punished by NIH in addition to the feds if they violate privacy rules in clinical studies. Columbia was threatened with losing all their research funding if they didn't get their act together after a big breach a few years ago.
But I know plenty academic researchers with a "move fast and break things" and "ignore all rules" attitude. In any highly-competitive system there will be those that gain an advantage by being amoral while everyone else follows the rules. Healthcare is probably especially vulnerable to this as the rules (and legitimate companies following them) has resulted in healthcare lagging far behind other industries in terms of new technologies.
"The principle with which we are now dealing is that one which is called Expediency. The usage of this word has been corrupted and perverted and has gradually come to the point where, separating moral rectitude from expediency, it is accepted that a thing may be morally right without being expedient, and expedient without being morally right. No more pernicious doctrine than this could be introduced into human life."
I'm not sure that framing makes a lot of sense here. This was a SaaS product for process automation which seems like a perfectly reasonable product. I would argue in fact that having tech companies (meaning companies which have specific expertise in building software products as opposed to companies that have a expertise in something else and also have an "IT department" bolted on) manage sensitive data is likely to make it more secure rather than less. Companies and other institutions which don't have any particular expertise in software engineering and security aren't likely to do a good job. Of course when those companies do screw up they should be held liable though, up to an including criminal liability is the leak is bad enough and the exploited vulnerability is egregious enough.
I was a medical researcher and also a data engineer for a biotech and I've never seen a dataset that required background checks, or "fingerprint locked rooms" (fingerprints are not biometric security). Instead, a partner company (a well-known, multibillion dollar biotech) handed us a pile of hard drives that were encrypted by trivial keys.
I sat down with the CEO and discussed our plans (to upload the data to our S3 buckets with ACLs) along with all our other security plans, pointed out the two of us were professionally and legally on the hook (her more than me, as I was not an executive and had limited liability), and what I was doing to protect the clinical data we had. We looked at our plans, and ultimatley concluded we could both sleep happily at night with what we were doing.
It was definitely a lot of work to maintain the ACLs and monitoring and checking to make sure we weren't leaking data, and a lot of education for our scientists. Even if something negative had happened, we would have been able to foresically detect it, and work with legal authorities with confidence we had done a good-faith, better-than-average practices implementation.
Not true. They may end up putting out a press release explaining how "Here at Company X, we take security very seriously. Securing data is very important, and we will investigate ourselves to understand if we did anything wrong." So yea, consequences!
Somebody has to work for those who collect all the leaked data and use it for whatever is possible. You wouldn't earn fame but money for being a data pirate. Or you create a company and start with a fresh name. On the internet, nobody knows that you are a dog.
Maybe that is why these kinds of projects are picked up by private companies ? I believe currently in the USA a pursuit of profit is allows you make far less mistakes than a pursuit of public good. Sometimes the two overlap but when they dont we frequently see the former being allowed far more mistakes.
This happens because execs are cheap, farm out everything to dev shops, and the beleaguered, underqualified devs power out nonsense code to keep up with the arbitrary point quota for the sprint. No one knows how the whole system works, reqs change constantly so poorly-planned updates degrade the whole thing, and all the while actual patient data gets mixed into the big soupy pot of bullshit. Anyone who raises concerns about the situation gets to be the "compliance officer," thus passing responsibility from the people benefitting from the situation to the people who just want to keep their job.
I wonder what would happen if devs could say to their boss "no, this won't be released until we're confident in it" with legally enforced immunity to consequences.
What you're describing is a professional licensed engineer who has to among other things take out insurance because they are ultimately responsible for their decisions.
Software development is long overdue for a legally professional software engineer license and certification process. I imagine it's going to happen down the road after something important gets burnt.
Every time this comes up, people (some of whom are in this thread) end up talking about how this can't/shouldn't happen for software. After all, what, is every high-schooler or green college grad that ever wants to code their own app for a startup going to have to be professional certification?
I guess I'd argue that those people shouldn't be legally allowed near this kind of thing without that kind of a certification. Looking into all of the other engineering disciplines, that's exactly the kind of thing you see. I have a BSME, but I haven't taken the Fundamentals of Engineering exam to get my FE cert, in part because getting a PE certification requires working underneath a licensed PE for a certain number of years, which isn't the case for my current job.
I also know that by not doing so, there are certain projects that I simply can't work on. I have to imagine that there's a way to create a legally enforceable framework that falls into the same category for software engineers. Want to build a company that creates a digitally-synced notepad? Have at. Want to touch personally-identifiable medical data? Better have a licensed engineer working on that project to sign off, else your company is wide-open to liability claims with teeth. If something unreasonable gets by the signed-off engineer, they're on the hook too.
Obviously, it's a complicated problem, and reducing things to a first-order solution rarely is a catch-all, but there has to be some more professional/personal responsibility taken by the individuals building these systems, and a requirement of licensure is a way of empowering engineers in those positions to the point where it actually matters.
> After all, what, is every high-schooler or green college grad that ever wants to code their own app for a startup going to have to be professional certification?
You answer your own question fairly well, but I'd add the observation that in licensed engineering domains, we don't always require licensed engineers. We have a licensing regime for structural engineers, but we don't require them for minor structures like gazebos or doghouses.
We could have licensed Software Engineers, but only require licensed oversight for software dealing with human lives (avionics, medical devices), PII, elections, and a few other critical cases.
I developed software for medical devices and you have to do a risk analysis, formalize the software development process, declare qualifications of people, make it revision proof, have a formal testing process, ... everything is already accounted for.
Notified bodies ensure compliance. They have the problem that they cannot really evaluate the work of software engineers of course. Not even another software engineer could do that within feasible time limits. No software engineer can make sure there aren't exploits that could endanger user data. You can at most test if due diligence was ensured.
The manufacturer is responsible for ensuring safe operations of devices and yes, that includes keeping personal data safe.
But again, the problem wasn't the engineer at all, the problem is the wish for amassing data like this. Paper license or not, it rarely ensures competency and wouldn't have solved this problem.
Aside from legislative issues that ensures that user data belongs to the user the data is about, ensuring that companies don't sell and share medical data with "friends and family", ... this is probably the last step, if it is even required at all, which I would dispute. There are no guarantees if you amass data like it was done here.
Make it prohibitively expensive to leak data (compliance fines, lawsuits) and the problem will solve itself. Companies that collect data will then be begging for certification and regulation.
It would be even better if people learned to refuse to give data irrelevant to the service that they are seeking and/or if there was some sort of regulation about this (I should not have to give my name and address when returning a product for example).
I've worked in critical infrastructure work and retain an interest in the field. A professional software engineering license should be legally required for certain classes of risk.
Ultimately the answer to an irresponsible feature ask should be:
> I will not approve implementing this feature, because in my professional training and experience, the risk exceeds the acceptable tolerances for a (spaceflight, medical, power systems) delivery. If I implement this and a failure occurs, I will be in court and my career over: I refuse.
We could run a 2 tier system. Anyone can build apps but to build apps handling sensitive PII you need to be registered. Execs need to be liable for this to work.
Guess I should go to jail for daring to make a script for me and my friends that uploads screenshots to my server without having a professional certification, huh? Same for releasing open source software.
While I agree it's overdue, I'm not sure what that event would look like.
When a bridge falls down, building collapses, patients die, people take notice.
Meanwhile, we've had the social insurance numbers and banking history of 165M+ UK, US, and Canadian people leak out of sheer technical negligence [0], and it resulted in a meek settlement and hardly broke through the public consciousness.
It seems to me that until someone dies in a way that is very clearly linked directly to a woefully negligent and under-trained software engineer messing up in a very public way, the needle is not going to budge at all.
Perhaps autonomous cars? Even then I doubt it, to be honest.
This reminded me of Therac-25 [0] wherein people died or were seriously harmed by software malfunctions in a radiation therapy machine, and standards were introduced [1] to help mitigate future incidents.
I would guess it's about 20 years out, honestly. The sequential and interconnected weight & cost of software failure will have to be well beyond the capacity of conventional errors & omissions insurance to tolerate; settlements will have to be business-crashing - Knight Capital level crashing - to drive this.
Today, it's well under that.
It is, of course, long overdue; Therac25 should have really gotten the effort going, but, ce la vie with a irresponsible economy. It's plausible the EU legal systems will develop this effort first. I would not be surprised to see France or Germany fully develop the idea, probably in connection with Airbus or Siemens. Anyway. Idealism around quality....
If I remember history correctly, there wasn't one boiler explosion that caused us to start regulating who was allowed to design boilers. It's just that as boilers became more and more popular at the end of the 19th century, people started being maimed and killed more often, and at some point we just as a society decided enough was enough.
A huge number of security vulnerabilities are due to production mis-configuration rather than flaws in the development of the actual software. Software Engineers generally aren't trained in managing these production environments so you would probably want at least two different legal licenses to cover your bases.
The two are not orthogonal. I used to do some work in financial services and some of the systems were designed not to run risks in case of misconfiguration.
There's no chance of this happening in my view. There's way too many vested interests in the "democratisation of development" especially the likes of "coding bootcamps", limitless frameworks and tools for "code-free" development, and extremely blurred lines on things like WordPress where a "developer" could be anything from someone who can only install plugins through the front-end to crack PHP developers.
I think there's more to it than this. In traditional engineering, you only need to be licensed to sign off.
You can still effectively do exactly the same job as a licensed engineer without being licensed, you just can't sign off on work (And thus be held responsible).
The way I see it, creating a license for Software Engineers doesn't really fix the issue. It just creates a scapegoat to blame when things go wrong.
> It just creates a scapegoat to blame when things go wrong.
That's just how it works for other engineering disciplines; with the license, the scapegoat has the legal power to refuse responsibility until they're confident things won't go wrong.
Who is ever really going to be confident in signing off on complicated software systems when in effect, it's saying, "Yes this system will absolutely not break/be breached/have something happen to it". Given the complexity of modern software, it doesn't seem like a feasible solution.
Even top software companies have things break or go wrong very frequently compared to traditional engineering.
I don't see this as a good solution in the software world.
I don't think it would demand that the software be infallible. If a "new type of earthquake" happens, the Civil engineers won't be responsible for their bridges failing. In the same way, if there is reasonable effort made to ensure the system is secure by standards of the time, I don't think these theoretical individuals would be blamed for particularly novel (zero day) or unpreventable (social engineering, to at least some extent) attacks.
I learned that protected data is probably safe for a finite timescale with all currently known forms of encryption under the assumption there isn't technological advancement that severely restricts the first assessment.
Then you say "no". Business "needs" are important for replaceable serfs with no power to say otherwise; when the business needs engineering sign-off, you tell them what they needs to do.
You are willing to pay the costs of "professionalizing" software development and installing expensive gatekeepers, certifications, signoffs, and processes at every step, right?
Most of that is already in play already after about 30 people are in a group, we as an industry haven't formalized it, and there's no legal teeth around it.
Equifax also comes to mind... amongst others, but you know.
I don't see anything changing as long as it's in money's interest to stay where it is (money rules this country point blank). Right now it's in too many business's interest not to change. There are also slews of developers earning quite a bit who might be forced into career changes depending on how licensing could be implemented.
Yep. And how is this not a standard errors and omissions insurance policy that tech agencies like mine should (are required) be carrying?
We spend about 15k per year for about 10mm in coverage (we are a small shop). This sort of oversight is not just an engineering one but it’s fundamental to the core ops of the business. If we are rushing under client pressure (or just running late) to the extent we take on risk to trigger liability, it’s full stop.
https://cense.ai/about
Guy number two here had the background to know better. Just didn’t make it a priority. It’s unfortunate. The only way things change is when we start seeing data warehousing/collection as a liability (not an asset) and manage it accordingly. And making the penalty for error unforgivable.
Working as a contractor in the UK, most contracts stipulate you have Professional Indemnity insurance, which is for exactly this. I doubt anyone has actually made a claim for it though, the amount of other people I've worked with (who are also contractors earning £500+/day) who I wouldn't trust to even watch my laptop is atrocious.
AFAIK, this only really covers gross negligence or outright sabotage. I don't recon anyone trying to pin bad business decisions on their devs are likely to succeed in court.
When I have done independent IT ops and software work I have carried professional liability insurance, and I would recommend that everyone does.
The irony is, of course, that PL/E&O insurance for software work runs pretty cheap, presumably because liability on the part of developers of software is quite rare!
In Australia we're all insured. The only developers who aren't are employees for the companies they're writing code for. The worst thing that can happen to them is they'd be fired. The company still owns the blame.
> Medical data is the most valuable and it is bought and sold daily on the Dark Web. The infosec company Trustwave published a report that valued medical records at $250 per record on the black market, while credit cards sold for $5.40 per record.
Why can medical records be sold for so much? What value do they provide to the buyers?
Billing records in particular are highly sought after as they allow existing identity theft schemes, like tax return fraud, to be amplified to a much higher level. If you can find individuals who have undergone expensive treatments that will result in large tax refunds and you have access to their SSN, you can file for the tax return before they do and cash in.
And when you get caught, you lose your medical license.
Can you really fake bill enough before getting caught to be worth burning an M.D.?
I never really understood this angle. Say the insurers use a phone call to verify 1% of treatments with the patient. Say 20% of those calls are answered and produce a coherent reply. That ought to be enough to make the expected payoff negative.
Either way, this problem isn't unique to the medical world. Every other industry has to prevent fraudulent invoicing.
Then you'd be surprised to hear about the income tax return scam back in the day where even lay people were able to achieve just that, for 2 million bucks specifically ^.^
And they didn't need any medical records to do it!
... which was pretty much my point.
If they can steal money out of doctors' bank accounts, or redirect it on its way in, they don't need patient data. The doctors already have patients. And payments coming in. This isn't like income tax refunds where the payer pays each individual.
In fact, if they have patient data, it's stupid to use it. What insurer isn't going to notice some doctor suddenly getting a thousand new patients all in the course of one week?
Sorry man, it still doesn't add up. If you're equipped to do this at all you're equipped to do it without needing patient data.
The issue with such highly sensitive data is that it's just data. Probably a few GB. Many AAA game downloads nowadays are much bigger than that. Even if they protected their database (article says they didn't), it's easy to break into a place that has all the data collected compared to collecting it yourself from doctors all over the country. There's an easy solution to this: don't concentrate highly sensitive data.
With nuclear material, the IAEA has set up a sophisticated surveillance regime to make sure that countries use nuclear technology for peaceful purposes. Everything that contains nuclear material is video surveilled. They collect probes and check composition to prevent someone taking, say 1%, replacing it with filler material, and then mixing it again.
If we concentrate data, we should employ such surveillance regimes for highly enriched sensitive data as well.
Decentralization and self-sovereign identity are the only way to solve this, IMO. I'll sing the praises of Estonia on this one: their X-Road system for storing sensitive data is brilliant.
I'm working on a team writing an in-depth whitepaper on this topic right now, I'd love to link it. Perhaps when it's published.
Wow, let's just say from their website I'm impressed they got anyone to give them data at all. That site just screams "Take some programming tasks that require a minimum of data analysis and call it AI." From their product page I'd take they easy bet that they're just wrapping some cloud providers bot SDK and calling it their chatbot. Given the lack of professionalism on this site I am unsurprised about their security issues.
I'm not surprised in the least. I've sat in multiple meetings with execs whose boards have told them, "We need to get into this AI game, it could solve all our scaling problems!" Often both the board and the exec are clueless as to what AI is capable of or can offer their business specifically, they begin talking with vendors.
The execs feel they need to show they at least made an effort, and these companies branding themselves AI are easily able to take advantage. They market their products as these complex decision-making/analytical systems, but most of them are either glorified reporting dashboards or just an integration point/pipeline builder for a set of services.
The business buying this stuff doesn't need any of it to become more efficient, they are effectively spending the money to be able to generate the hype of saying, "We're in the AI space".
Jail is on the table if you purposefully steal the data. I was interested so searched for examples of actual HIPAA jail time, and in all the cases I could find the conduct was egregious and with clear intent (e.g. https://mazarsusa.com/ledger/jail-time-for-a-hipaa-violation... ). Misconfiguring your S3 buckets isn't going to hit that level, though that could still result in a hefty fine. This of course all assumes that the AI company got access to the data legally to begin with.
The article is about auto accident claims data, which is a great clue that HIPAA actually doesn't apply. From a different part of the Internet[1]:
"There are certain gaps [in HIPAA coverage], like if a person meets with an accident on a car; the health insurer as well as the auto insurer shall receive the medical bills of that person. The health insurer is responsible for protecting the health data of this person under HIPAA; the auto insurer on the other hand does not hold that duty."
In the context of this and ignoring the insurance loophole mentioned (which probably applies here as another poster pointed out) I don’t see how this company wouldn’t be covered as a business associate where HIPAA would extend to them even though, as you point out, they aren’t a coveted entity.
HIPAA has a ton of limitations. It doesn't just apply to everybody handling medical data. For example I worked for a biotech and we processed clinical records, HIPAA didn't apply to us but we complied with the regulations anyway.
> This database was set to open and visible in any browser (publicly accessible) and anyone could edit, download, or even delete data without administrative credentials.
> there were multiple references to an artificial intelligence company called Cense. The records were labeled as staging data and we can only speculate that this was a storage repository intended to hold the data temporarily while it is loaded into the AI Bot or Cense’s management system.
We need some kind of monetary punishment for not protecting user data. Simultaneously, we need to give tax breaks for companies that have had a streak of many years of taking security seriously without leaks.
Increasing bug bounties doesn't happen when the executives do not have a culture of security in their company. That's a loss cost center for them. We need a different incentives that go beyond just rewarding hackers with bug bounties.
And in this scenario of technical and political incompetence, more so in some places than others, the Indian government has recently proposed to compile the medical data of ALL it's 1.3 billion citizens into a single database.
It's only a matter of time before the whole thing gets leaked out, not to mention that compiling such data in the first place ought to be none of the govt's business. Such data is simply too powerful to be entrusted into the hands of any single party, political or corporate.
I'm reposting a dead comment by photon12 which was probably killed for using too many profanities. I agree with this part:
> It's a collective action problem that needs collective action. Individual incentive changes aren't going to cut it. Unfortunately many thought leaders in the industry have tried to build a culture of suggesting that the solution to collective action problems is individual iteration.
Well somehow PCI compliance seems to work well enough for credit card payment processing. But what happens is, the payment handling is passed off to a vendor, so not every company has to get things right in house.. I wonder if that can be a solution here.. medical data is handled by external vendors.
PCI compliance works because of the aligned financial interests of the actors.
Most kinds of compliance are linked to legal costs as the ultimate source of consequences, not so for PCI.
The ultimate costs for failing to comply with PCI are the actual costs of card fraud which don’t depend on anything in the legal system. When your regulations are designed and enforced by the entity that actually loses money when they aren’t followed, motivation lines up and they work better.
This is the other side of the coin of "everyone can be a coder after a few months of self-study". We eschew the idea of licensing and the result is the general public suffers under technical incompetence.
Even well-trained engineers engage in brazen acts of insecurity and data-harvesting because a lot of money can be made doing it. Just look at Facebook’s business model and breaches. They probably have more Stanford grads than boot campers.
Of course you can have data breaches even if you do everything right. But it takes incompetence to do everything wrong, especially when it involves medical records. The fact that this low hanging fruit of data leaks keeps happening is telling.
In this instance the company can declare bankruptcy and the founders and investors can move on to their next gig - perhaps even throw a hapless developer to the authorities. Unless hippa somehow has special provisions. They need to go after the personal wealth of founders and investors to make this a serious crime.
If HIPAA could pierce the corporate veil, this could no longer occur. Wanna dick around and not do your job as a founder / investor? Your personal assets are on the line.
I don't think this is the case. Last I read up you are personally liable for HIPAA violations. If you do something, knew it wasn't something you should do, and refused to fix it, stuff gets really bad.
To stay safe with medical data, however, you basically just need to hit whatever standard you think is reasonable. There's no established standards other than:
1. "PII" encrypted during storage/transfer.
2. Customers can request a download of their data.
3. Customers can request you delete ALL their data.
4. Fast track sec fixes above all other company goals.
My guess is the blame lies with insurers, probably keen to automate detection of "fraudulent whiplash claims" based on "the data". They'd get access to the records via their claims. This incident should show why sharing of data needs to be on a "need-to-share" basis by default if we want to have any hope of trying to stop this kind of thing in future.
It's insane that medical data has become so highly valued on the black market (I guess because of the amount of information stored with a single patient such as SSNs, maybe billing info, addresses, etc). Yet, it seems that the healthcare industry is not well prepared to deal with a huge amount of sensitive data (and doesn't seem to be obfuscating it when sharing with vendors). Ironically, I feel that the most secure way of doing patient record keeping is keeping everything physical.
The healthcare industry is prepared just fine. Regulations exist for how you can share data with vendors, when you are required to remove identifiable information, and how to share unredacted information with legal agreements, audits, etc.
When this doesn’t happen right there are penalties and notifications. If correct, a breach of this magnitude is entirely possibly a death penalty for the businesses involved, and criminal liability.
If it isn’t, then it isn’t the business sector being unprepared or the regulations being missing but the legal system failing to follow through.
The significance of medical records - and the importance of maintaining their privacy - is often overlooked. This is far different than leaked password hashes or addresses or credit numbers - it's information that cannot be changed or effectively de-identified. Any company that accumulates medical records on that scale must be very careful. I'm biased (as a co-founder of a major healthcare secure cloud software compnay), but it is hard work and all-too-often neglected work.
Question for devs working in the medical industry: what are the regulations and standards that you have to follow when storing and handling patient data in your country/region?
If this sort of incompetence bothers you, I suggest sending a CCPA (if you're in California) or a GDPR (EU) deletion request to this company. This will protect you from the next time it happens (and it will), as well as incur some not-insignificant cost of handling you're request.
Minor nitpick: It does not actually guarantee that the data is deleted, but they could face a very high fine, if it turns out that they didn't respect your request.
This could be somewhat prevented if companies acquiring the data are legally barred from sharing it to other entities without getting a written statement from that entity that they have a secure mechanism to store and use it. Right now the company that did the shitty job is going to get a slap on the wrist at best. But the company that shared that data with this one is going free and even got to keep the money they got from this.
That’s not true at all for medical data. There are very strict data sharing agreement requirements in HIPPA, and there will likely be millions of dollars worth of fines for both parties, and it’s not inconceivable that someone could go to jail. HIPPA violations are taken really seriously.
If I fucked up on this scale, jail would be the least of my worries. I'd never work again. I'd be professionally shunned forever, with no hope of redemption once my name is attached to the incident in some Google search. No more grants, no more collaborations, no nothing. I'd be ruined. Frankly I'd be begging to be let into prison; where else am I gonna be able to eat?
Nothing will happen to these people.