The Secure Medical Data Challenge
Steve Jones
SSC Guru (109K reputation)

Group: Administrators
Points: 109551 Visits: 19358
Comments posted to this topic are about the item The Secure Medical Data Challenge

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Jeff Moden
SSC Guru (155K reputation)

Group: General Forum Members
Points: 155619 Visits: 41783
The first step for data security actually hasn't been taken by folks that have written most of the medical or even financial software that I've seen. They use clear text SSNs and other PII. I've even consulted for a company that uses SSNs as clear text PKs across multiple databases on multiple systems.
People don't get it until it's their data that has been stolen or spilled. For me, that's the litmus test. How comfortable would I be in having my SSN and PII on a system? The answer is serious negative comfort. I've made that challenge to a couple of supposed "compliance officers" in various companies and, to date, none of them have agreed to add their SSN or even their birthdate to their own systems. These people should be unceremoniously fired and maybe their names should be made available on a public list kind of like sex offenders are. Maybe then, they'd start to take a bit more care with our data.

--Jeff Moden

RBAR is pronounced ree-bar and is a Modenism for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. -- Red Adair

Helpful Links:
How to post code problems
How to post performance problems
Forum FAQs
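To make the design flaw in the post above concrete, here is an added T-SQL example (not code from the thread or from any product mentioned in it) that places the clear-text-SSN-as-primary-key schema beside a hardened version: a surrogate key is what other tables and databases reference, and the SSN is held once in an Always Encrypted column. The key name CEK_Patient and the table and column names are assumptions for illustration.

```sql
-- Design described in the post above: a clear-text SSN is the primary key and
-- is copied into every system that joins on it.
CREATE TABLE dbo.Patient_Weak (
    SSN       CHAR(9)      NOT NULL PRIMARY KEY,
    LastName  NVARCHAR(60) NOT NULL,
    BirthDate DATE         NOT NULL
);

-- Hardened design: a meaningless surrogate key is what other tables and other
-- databases reference; the SSN is stored once, in a column protected with
-- Always Encrypted. CEK_Patient is a hypothetical column encryption key that
-- must already exist (CREATE COLUMN MASTER KEY / CREATE COLUMN ENCRYPTION KEY).
-- DETERMINISTIC encryption is used so the column can carry a UNIQUE constraint
-- and support equality lookups; it requires a *_BIN2 collation.
CREATE TABLE dbo.Patient (
    PatientID INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    SSN       CHAR(9) COLLATE Latin1_General_BIN2
              ENCRYPTED WITH (
                  COLUMN_ENCRYPTION_KEY = CEK_Patient,
                  ENCRYPTION_TYPE = DETERMINISTIC,
                  ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
              ) NOT NULL,
    LastName  NVARCHAR(60) NOT NULL,
    BirthDate DATE         NOT NULL,
    CONSTRAINT UQ_Patient_SSN UNIQUE (SSN)
);

-- Downstream tables (and downstream databases) carry only the surrogate key,
-- so a dump of dbo.Claim contains no SSN at all.
CREATE TABLE dbo.Claim (
    ClaimID   INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    PatientID INT NOT NULL REFERENCES dbo.Patient (PatientID),
    ClaimDate DATE          NOT NULL,
    Amount    DECIMAL(10,2) NOT NULL
);

-- Check: which columns are actually encrypted? Anyone reading dbo.Patient
-- without access to the column master key (for example a DBA restoring a
-- backup elsewhere) sees only ciphertext in SSN.
SELECT c.name, c.encryption_type_desc, c.encryption_algorithm_name
FROM sys.columns AS c
WHERE c.object_id = OBJECT_ID('dbo.Patient')
  AND c.encryption_type IS NOT NULL;
```

Inserts into SSN and equality lookups on it must come from a client connection with Always Encrypted enabled, since the driver encrypts the parameter before it reaches the server; a plain T-SQL literal compared against the column is rejected.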
patrickmcginnis59 10839
Hall of Fame (3.2K reputation)

Group: General Forum Members
Points: 3234 Visits: 5773

Decided to remove my original post because it's just too argumentative and would clutter up a thread that is otherwise worthy of discussion, so never mind!




to properly post on a forum:
http://www.sqlservercentral.com/articles/61537/
Gary Varga
SSC-Insane (23K reputation)

Group: General Forum Members
Points: 23175 Visits: 6534
I think that Jeff highlights the worst reason we have for poorly secured data: poor design and implementation. And it is far too common.

I cannot believe my own memories over the number of times that people have suggested skipping proper authentication, encryption or authorisation. Even worse is the number of times that they went ahead and skipped these.

Saying that these issues will be fixed later is pointless because a) they won't be and b) even if they are there is a window of opportunity for theft etc.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
jay-h
Hall of Fame (3.1K reputation)

Group: General Forum Members
Points: 3062 Visits: 2359
Years ago Social Security was the ONLY legal use for a SSN. Now it's college ID, driver's license, medical insurance, car insurance, credit card, home and car rentals, loans, even application for a supermarket discount card. ... etc etc etc. Far more chance (certainty) for exposure. In the electronic world where often the customer and service provider never personally meet, the situation gets even worse. A leak is forever (unlike a credit card number which can be cancelled).

Of course, many people may not even have documentation of their SSN, and if they do it's a simple little paper card which is easily counterfeited. When people don't have convenient proof of ID, especially over electronic media, the next step is personal questions. That's why a compromised social media account password sells for more than credit card info.

The real world consequences are risky because only a single leak provides complete failure, even if the other 99% of the agencies you deal with are secure. Regardless of one's position on immigration issues, it is a fact that stolen identities are sold for medical and social services. There have been many cases of people who found out that they have recently had medical services paid by their insurance company, or that they've applied for government benefits. Even personal contact doesn't always help; one person posted his story of being admitted to the hospital only to find out 'he had been treated there' only a month ago.

This situation will continue to deteriorate and there is no real way around it. There is no real identity mechanism in this country especially for older folks like myself. Fortunately I got my passport 35 years ago, because my birth certificate was a primitive typed document that wouldn't even be accepted now.

...

-- FORTRAN manual for Xerox Computers --
Eric M Russell
SSC-Insane (22K reputation)

Group: General Forum Members
Points: 22187 Visits: 11282
I've wondered for a long time why issues like digital privacy and identity theft don't get talked about more often by politicians. It's something that 99% of the public care deeply and consistently about. But for whatever reason politicians even during an election season don't seem to want to go there; perhaps because certain segments of the corporate community actually profit from unregulated and friction-less digital transactions, even if it means increased incidences of fraud.


"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."
ZZartin
SSCarpal Tunnel (4.7K reputation)

Group: General Forum Members
Points: 4703 Visits: 9781
Eric M Russell - Monday, February 27, 2017 8:56 AM
I've wondered for a long time why issues like digital privacy and identity theft don't get talked about more often by politicians. It's something that 99% of the public care deeply and consistently about. But for whatever reason politicians even during an election season don't seem to want to go there; perhaps because certain segments of the corporate community actually profit from unregulated and friction-less digital transactions, even if it means increased incidences of fraud.

People might care deeply about privacy and identity theft but most people outside of technology simply have no understanding of what the actual risks are enough to have any kind of meaningful discussion about it.

jasona.work
SSCertifiable (7.5K reputation)

Group: General Forum Members
Points: 7491 Visits: 12316

I feel that the biggest problem with the type of data referenced in the article is that data professionals / programmers / etc can only protect it so far. The larger issue is, as Jay-h pointed out, in the US we now use SSNs as an identifier for nearly everything. The ONLY way to resolve that requires the Gov to get involved, but I would suspect that no one within the Gov wants to take on that Gordian knot.

As for Jeff's comments on medical and financial applications storing the SSNs in the clear, well, let's just leave it at I worked for a company that was going down that road. At some point, the attitude of "we're secure, we've got firewalls" is going to come back and bite these companies in the behind.
Hard.


Eric M Russell
SSC-Insane (22K reputation)

Group: General Forum Members
Points: 22187 Visits: 11282
ZZartin - Monday, February 27, 2017 9:08 AM
Eric M Russell - Monday, February 27, 2017 8:56 AM
I've wondered for a long time why issues like digital privacy and identity theft don't get talked about more often by politicians. It's something that 99% of the public care deeply and consistently about. But for whatever reason politicians even during an election season don't seem to want to go there; perhaps because certain segments of the corporate community actually profit from unregulated and friction-less digital transactions, even if it means increased incidences of fraud.

People might care deeply about privacy and identity theft but most people outside of technology simply have no understanding of what the actual risks are enough to have any kind of meaningful discussion about it.

It's hard to engage the public meaningfully on any topic. But a politician doesn't necessarily have to present the issue to the public from a technical perspective, they simply have to understand the fear, identify a culprit, and propose a solution. For example: "Internet service providers are hoarding details of your private life and selling it to the highest bidder, digital thieves can drain your bank account and use the money to fund terrorist groups (yada yada), and the current administration has done nothing to address the issue." I've never seen that angle ever come up at a political debate, but I think it would be effective, especially coming from an independent candidate. If we're going to demonize a group of people for political gain, then why not hackers and personal data brokers?



"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."
jay-h
Hall of Fame (3.1K reputation)

Group: General Forum Members
Points: 3062 Visits: 2359
Eric M Russell - Monday, February 27, 2017 1:30 PM

It's hard to engage the public meaningfully on any topic. But a politician doesn't necessarily have to present the issue to the public from a technical perspective, they simply have to understand the fear, identify a culprit, and propose a solution. For example: "Internet service providers are hoarding details of your private life and selling it to the highest bidder, digital thieves can drain your bank account and use the money to fund terrorist groups (yada yada), and the current administration has done nothing to address the issue." I've never seen that angle ever come up at a political debate, but I think it would be effective, especially coming from an independent candidate. If we're going to demonize a group of people for political gain, then why not hackers and personal data brokers?

Well, since some of the biggest and most dangerous leaks have happened in government (employee info, CIA agent info, military info), they're probably hesitant to go there.


...

-- FORTRAN manual for Xerox Computers --