Tuesday, September 9, 2008

Online Security in the World of Health 2.0

It is now the year 2020 and you have control of your complete health record through an online personal health record (PHR) when you receive an email from your local hospital asking you to update the link for their computer system. Before you know it, your medical insurance is exhausted and someone has posted your complete health record on the web for other would-be hackers to use and abuse. You've been the victim of a social engineering scam. Sound far-fetched?

Take a read of a round table discussion put on by Scientific American. This is a who's-who of industrial internet security:

The Participants
Rahul Abhyankar: Senior director of product management, McAfee Avert Labs, McAfee
Whitfield Diffie: Vice President and Fellow, chief security officer, Sun Microsystems
Art Gilliland: Vice president of product management, information risk and compliance, Symantec
Patrick Heim: Chief information security officer, Kaiser Permanente
John Landwehr: Director, security solutions and strategy, Adobe Systems
Steven B. Lipner: Senior director of security engineering strategy, Microsoft
Martin Sadler: Director, systems security lab, HP Labs, Hewlett-Packard
Ryan Sherstobitoff: Chief corporate evangelist, Panda Security US, Panda Security

These world experts identify social engineering as one of the major threats to internet security. The reality is that more and more business will be conducted through 3rd party vendors over the internet. That's because other companies will be able to do "it" better, faster and cheaper than any single enterprise. As long as humans are involved, however, security is at risk.

What do the gurus propose? Some of it is extremely high-tech stuff: secured hardware, RF tags and encrypted email. Some of it is ridiculous: an internet driver's license or not opening email from anyone you don't know. But most are pragmatic: encrypting high-sensitivity documents, liability for 3rd party vendors, limiting data from public email accounts and USB keys and greater enforcement against internet fraud.

I have good faith that the major players of today will protect my data. I also believe that the 'bad guys' will become more imaginative and progressive with social engineering schemes. The round table was an eye-opener to me. When the head of one of the biggest anti-virus software companies in the world is advising me not to open any email from people I don't recognize, there is a huge problem. More than 90% of our own email is spam and we've been brought down more than once by Trojan horses. This problem is not going to go away in the next 10 years, so buyer beware before sharing your medical record.
