Massive data breach. Time for sports analogies?

In reading an account of the recent attack on Community Health Systems that netted the bad guys 4.5 million patient records and earned CHS a prominent spot on the Wall of Shame, I was struck by the notion put across in the article that all we have to do is work harder to patch vulnerabilities, that with a better defense we can win the game against a skilled quarterback.

I think that we have to come to terms with the notion that privacy is a thing of the past, and that it is not a question of if, but a question of when, any particular system may be hacked. As in the case of the Heartbleed exploit, a back door may be propped open for years before anyone notices, and some exploits may leave no fingerprints.

Update 8/21/2014: Today's installment of the CHS saga includes statements that CHS had not done a complete job of applying Heartbleed patches. See "FBI warns healthcare firms they are targeted by hackers" (Reuters): http://shrd.by/6sbqtJ (The original FBI warning is linked to in my Heartbleed post, which is linked to above.)

What is to be done?

  1. We need to stop using the Social Security number in medical records and insurance records because, linked with other medical record data, it enables identity theft.
  2. We need to do a better job with authentication of users of systems, so that it becomes harder to use stolen identities to set up new accounts or exploit existing ones.
  3. We need to do a better job of enforcing anti-discrimination laws, because then the release of certain private information will no longer be so devastating.
  4. We need to be honest with ourselves about the limits of privacy and security in the connected world we've built, because otherwise we will all continue to live with unrealistic expectations.
  5. We need to have better systems in place to deal with breaches when -- not if -- they happen, because we aren't likely to accomplish the first four jobs on this list anytime soon.

What do you think?

David Harlow
The Harlow Group LLC
Health Care Law and Consulting
