"I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."
Lots to unpack here:
- Libertarians are, of course, deeply conflicted. On the one hand, blackmailers are despicable criminals. On the other hand, the practice of monitoring legal adults to make sure they don't get high without permission is also despicable, and results in widespread undertreatment of severe pain.
- How did he get at the backups? Tech people want to know. Several possible answers:
  - It's an inside job
  - He hacked the backup routine
  - He didn't--it's a big lie. (But if so, why no denial?)
- Then there's the question of how he gets the money. Kidnapping is hard to get away with in these days of electronic transfers and high-tech surveillance of physical drops.
- This has unpleasant implications for the future of electronic medical records systems.






What does VA need the records for? Is it strictly compliance with drug laws? If so, why not just take a big (data) bath, and tell the crooks to piss off and enjoy their stay at FCC Butner?
Theft of medical records is less of a big deal than theft of more money-centric information like your credit history, credit card numbers, and other financial identity information. Of course inasmuch as medical records are indexed by social security number, and carry information such as your name and address, this threat of identity theft remains.
However, I don't really see much that thieves can do with the medical data itself. Perhaps you could blackmail people and threaten to release sensitive information to their employer, but while most people are fairly private about their medical history I'd guess that they'd also be reluctant to pay ransom to maintain that privacy.
The real risk is the destruction of data, and that's a much easier problem to solve than data security. I'm tempted to say that it's really inexcusable that Virginia didn't have a better backup regime in place, but given my views on the importance (or lack thereof) of the data they were holding perhaps it wasn't worth the expense.
I'd argue that the real risk is more the alteration of the data (which we have to assume is possible), which would go undetected if they didn't post a ransom.
Changing prescriptions can literally kill.
This has unpleasant implications for the future of electronic medical records systems.
Not really. Just require that they be encrypted, with the patient having (or allowed to have) copies of the keys. Require that they only be decrypted on access, and decrypted locally. The way ATMs are supposed to work. Require good access controls (pin+card or similar).
I'm a programmer, none of this is hard to do. Heck, it's not hard to do if a cell phone or other handheld device is the terminal. AES crypto is built into the .Net APIs, and many others.
Then start requiring financial data be treated the same way. I'm still surprised that companies (and individuals) that mishandle data don't get sued and/or criminally sanctioned. If you start requiring Good Data Practices, with financial penalties for not following them, then they will come. Come up with something like a UL listing for data security products and practices.
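The scheme proposed in the comment above, sketched for Node.js as an added example (not part of the original comment or of any real records system). The function names, the row layout and the use of a card secret plus PIN as key material are assumptions made for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Key-encryption key from what the patient holds. The card secret carries the
// entropy; the PIN alone would be trivially guessable.
function deriveKek(cardSecret, pin, salt) {
  return nodeCrypto.scryptSync(Buffer.concat([cardSecret, Buffer.from(pin)]), salt, 32);
}

function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function unseal(key, box, aad) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, box.iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  // final() throws if the key is wrong or the ciphertext/AAD was altered.
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Runs on the terminal. The returned row is all the central database stores.
function sealRecord(patientId, record, cardSecret, pin) {
  const aad = Buffer.from(patientId); // binds the ciphertext to this patient
  const salt = nodeCrypto.randomBytes(16);
  const dataKey = nodeCrypto.randomBytes(32); // per-record AES-256 key
  return {
    patientId,
    salt,
    wrappedKey: seal(deriveKek(cardSecret, pin, salt), dataKey, aad),
    body: seal(dataKey, Buffer.from(JSON.stringify(record)), aad),
  };
}

// Runs on the terminal, on access, with the patient's card and PIN present.
function openRecord(row, cardSecret, pin) {
  const aad = Buffer.from(row.patientId);
  const dataKey = unseal(deriveKek(cardSecret, pin, row.salt), row.wrappedKey, aad);
  return JSON.parse(unseal(dataKey, row.body, aad).toString("utf8"));
}
```

A copied database then yields only ciphertext and wrapped keys. It does nothing against deletion of the data, which is the backup problem the later comments discuss.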
That's the problem...you can bet that it is required. I can vouch that it's required in every financial firm I've been with. However, in practice, this is rarely done.
Until you see class action lawsuits for negligence against firms (and in this case state agencies), there will be no improvement in the situation.
I don't want to be flip about this, even though I think this is not that big a deal, for the reasons Peter gives.
But I can't help reading the ransom note in this voice:
http://www.youtube.com/watch?v=563QNm_A7WI
For those wondering why VA keeps such a database, let me explain. We were led to believe that we had a plague of rogue Oxycontin freaks devouring our commonwealth. So the previous Gov put this stupid database into place. If you want to know what kind of foolishness has been going on here just google Cecil Knox.
As for the backups, anyone can pretty much safely assume that there are no working backups of any given database. The reason is that the state of IT management is very poor, and "running the backups" tends to be tacked on as an auxiliary responsibility or relegated to the less experienced, despite being a very difficult task. Every IT organization with more than a few employees absolutely needs a dedicated backup department but few actually have one.
So yeah, if I were going to try holding some data hostage, I'd certainly claim that I got the backups too. Most likely the victims will run to the tapes to find their backup system has been trying to back up the same file for the last three months but nobody noticed (or one of 100 other potential problems) and I'll seem like a genius. If I'm wrong, there's no risk in claiming to have deleted the backups, anyway.
Agree, almost every time I have had to go to the backups, it fails to restore. Backups are a joke, usually automated systems that are never tested properly. You can bet that is doubly true for lowest bidder gov systems. However, there has been a rash of break-ins at corporate sites recently where the hackers have successfully deleted backups. The automatic backups are usually stored online and in at least one case, the hacker was able to move through several firewalls to remove all the backups. One of the reasons we store our backups offline although it has been a while since we restored one.
Yeah, I chortled when I saw the "backups" were destroyed. I see on an update that they think they are still good. I'd love to know how they can verify that the backups haven't been tampered with...
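One way to answer the verification question raised in the comments above, as an added Node.js example that is not part of the thread: hash every file at backup time, authenticate the manifest with a key kept off the backup host, and re-check later. The file names, timestamps and in-memory buffers are constructed stand-ins for a real backup set.

```javascript
const nodeCrypto = require("node:crypto");

const sha256 = (buf) => nodeCrypto.createHash("sha256").update(buf).digest("hex");
const hmac = (key, text) => nodeCrypto.createHmac("sha256", key).update(text).digest();

// At backup time: record a hash per file and MAC the manifest. The MAC key is
// assumed to live offline, so whoever can rewrite backups cannot re-sign it.
function signManifest(files, takenAt, macKey) {
  const entries = Object.keys(files).sort().map((name) => [name, sha256(files[name])]);
  const payload = JSON.stringify({ takenAt, entries });
  return { payload, mac: hmac(macKey, payload) };
}

// Later: re-read the backup set and compare it with the authenticated manifest.
// Returns a list of problems; an empty list means the set matches.
function verifyBackup(manifest, files, macKey, now, maxAgeDays) {
  const expected = hmac(macKey, manifest.payload);
  if (manifest.mac.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(manifest.mac, expected)) {
    return ["manifest-forged"]; // nothing in it can be trusted
  }
  const { takenAt, entries } = JSON.parse(manifest.payload);
  const problems = [];
  // Catches the job that has silently been failing for months.
  if ((now - takenAt) / 86400000 > maxAgeDays) problems.push("stale");
  for (const [name, digest] of entries) {
    if (!Object.hasOwn(files, name)) problems.push(`missing:${name}`);
    else if (sha256(files[name]) !== digest) problems.push(`modified:${name}`);
  }
  return problems;
}

// Constructed demo data: two "files" and a backup taken at a fixed time.
const demoKey = Buffer.from("constructed-offline-mac-key");
const demoTime = Date.UTC(2020, 0, 1);
const demoSet = { "db.dump": Buffer.from("records v1"), "db.log": Buffer.from("log v1") };
const demoManifest = signManifest(demoSet, demoTime, demoKey);
console.log(verifyBackup(demoManifest, demoSet, demoKey, demoTime + 86400000, 7));
```

Matching hashes show the files are unchanged since the manifest was signed; only a test restore shows the backup is actually usable.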
The story needs updating; there has been a denial which is pretty clear at least that the backups are fine.
Unless I misunderstand the purpose of the database, whether the backups have been destroyed is beside the point. It's no great loss if the government's ability to spy on the citizens of Virginia is slightly inhibited. The real issue is the data leak.
On the one hand, blackmailers are despicable criminals.
I have a great deal of trouble working up any negative feelings for someone who is threatening to expose a criminal, cheating spouse or stupid government program.
How do the hackers know they have 8,257,378 medical records, and 35,548,087 prescriptions? In my sixteen years of IT experience, I've never seen a large database where real-world entities like "medical records" and "prescriptions" can be easily isolated. Records are often split among multiple tables, sometimes across databases. Also if the database has versioning (and at that size, it should), there can be many versions of each record. Just doing a "SELECT COUNT(*)" won't tell you the real story.
I think there's a small chance the hackers are lying, but the system is so complex not even the IT admins can verify their claims. Or the admins are lying low, waiting to smoke out the perps.