We received an email from a reader, Bettie, who commented on our last post. Here it is, along with comments. It makes some good points about IT security in general:
“You know you are a geek when - you are on vacation, but you read an IT blog that gets you thinking. Some right - some wrong. You try to leave it, but it haunts you. Eleven at night, your whole family is asleep in the hotel room, and you are freezing in the bathtub with your laptop typing your response. Thank God for wireless or this post could have had much more dire consequences. I agree totally with your point that it is regulation, examination and forced accountability which make banks be more security conscious. Like a poised whip, looming consequences can make even the most errant industries play nice and do right. However, my disagreement comes with what it would take to have other sectors become equally fastidious. The scenarios you mentioned, while perhaps disturbing to the consumer, do not seem to be enough to provoke federal intervention on a large scale.
Enron, et al, produced Sarbanes-Oxley, but at least a day late and a dollar short. That regulation, like current airline safety regulation, attempts to safeguard the public against previous threats. It has no foresight factor - looking at the future from a consumer's perspective. And, I agree that it is d&*^ expensive. By default, we Americans are paying huge antes for oversights which may do little to protect us.
But the threat of spilled data and lawsuits is not going to force healthcare, or any other industry, to fully institute best practices when it comes to infosec. Lawyers will sue - some will win - some will lose. Most doctors already feel forced to have huge liability policies; adding a techie clause or two is not going to dramatically change things. Interestingly, this is where healthcare has lucked into brilliance. While a few insurance companies might really control healthcare, there is still the mindset of a mom-and-pop doctor shop who is the keeper of each patient's data. People rarely see their own GP as part of an industry, particularly a menacing one.
Finally, health is still mysterious while money is concrete. In 1929, people were worth X and then were worth 1/10th X. Provable, therefore able to regulate. Health still is perceived as a bestowed gift and information related to such does not change the fact that eventually you die. Wealth - on the other hand - do not mess with wealth. We all may die, but we want to die rich.
IT folks like you and Tony realize shared information is insidious, but Joe public is not there yet. Hospitals and the like will attempt to cover their asses should regulations change, but I believe they still have a wait. Security is still only supremely valued where the transactions directly involve currency, not white cell counts.”
Good points, Bettie, but keep in mind what we were saying: it's not the medical information alone that's the issue, it's the VALUE of the information that will lead to attempts to hack and grab it. When bad guys go after banks, it's generally not the money (despite movies like "Firewall") that they're after, it's the identities. Examinations have forced banks to adhere to good basic security procedures in order to pass the exam, regardless of any real perception on management's part as to the actual value of the security measures taken. Other industries, such as health care, are not examined, so the threat remains abstract.
And, your mention of the "mom and pop" doctor shop is more accurate than you know. According to a 2003 report by the U.S. Small Business Administration, there are 296,000 medical firms with under 500 employees in the U.S. All of them store patient data. So, until the perception that patient data is vulnerable and worth protecting better is created, either by a sudden, global cosmic revelation, or by legislated examinations, the medical industry will, by and large, be seen by ID thieves as a giant repository of vulnerable, valuable patient IDs.
Remember, this being the U.S., EVERY decision in EVERY industry boils down to money. This one is no exception. My point was that the Bank IT examinations have forced the compliance, whereas the other regulated, unexamined industries will merely react in a businesslike manner to a vaguely perceived threat, which means, for the most part, little reaction at all, until something happens that raises the value of the loss above the cost of preventing it.
Sarbanes-Oxley (SOX) was designed to combat about 5,000 things and was designed in the post-Enron/WorldCom hysteria. Despite the noble thoughts, the fact remains that, if someone wants to cheat, it's hard to stop them, laws or not. And, most SOX threats originate from the inside. There is no way to legislate fraud out of existence, any more than you can expect a law against murder to stop murder. It can only provide remediation (OK, maybe a little deterrence).
Remember the first corollary to Kramer's first law of bureaucracy..."Success is judged by the amount of inconvenience caused to the target". Public company compliance to SOX is unimaginably expensive and generally provides the public with about as much relevant information as was given to them by any ethically run company before SOX.
The accounting part of SOX works because public companies have to provide third party certified accounting audits. Many of these audits now contain a cursory IT audit, conducted by the accounting company. Most public companies are worried about getting through the audit certification, not the security implications of the IT portion, done by a junior accounting clerk. Great, that works. Next time I need my taxes filed, I'll call a geek.
I agree that security is valued relative to currency, but I think that it's the perception of the relative cost of not providing it that drives business. It's not the type of data that matters, it's the cost of losing it, whether it's money, medical records or some company's next quarter projections. When the ability to continue to conduct business is at stake, the data "currency" type is moot.
Thanks for the thoughts, hope you get an account and hope you've warmed up (I know I have).