
Why would you even keep these on anything but archive media??


Why does everybody keep data hanging around forever? It's easier. You don't have to think about it. Just keep kicking the files onto new media every few years / at a new server refresh.

I did some IT work for a plastic surgery practice in the US many years ago. I was adding some storage to an existing server. I was shocked to see that the practice was keeping all their before / after photos online going back years. Not encrypted. Hanging out in Windows file shares with lax permissions.

It certainly gave me pause.

Maybe some software providers in this space will think about handling this better.


It seems that Windows SMB file sharing is still the go-to universal storage system in a lot of organisations. I imagine because it's built in, easy to configure, and works out of the box with the ability to map drives so it's transparent to users.

In contrast, anything more secure tends to add inherent friction (since just blindly giving access due to some potentially replayed hash of a user's likely weak password isn't exactly going to be appropriate in a secure setup). And if it adds complexity, people still go for the old solution.

I hope they had backups - I've often caught the same Windows SMB-using orgs out when checking their backups and discovering both of their weekly-cycled drives are empty and devoid of backups, despite having been diligently swapped out according to the schedule!


Why does a software engineer keep old git-repo branches around, including their history? The engineer can compare the before-and-after especially as they relate to experiments, successful, and failed approaches.

A plastic surgeon might want to look at before-and-after for a few of their "branches" (specific plastic surgeries or repeated applications of a technique). "When I did celebrity-A I notice they sag too much in location-X, whereas for celebrity-B where I changed the procedure location-X looks much better." "Celebrity-P has the same odd nose Celebrity-K had ... let me consult my notes and the before/after for Celebrity-K."


I didn’t let my plastic surgeon take before and after photos for this exact reason. I asked him whether it was necessary for the procedure and what they were used for and he couldn’t really give me an answer beyond it’s nice to be able to compare the finished product. So I told him when I came back in for my post-op I’d be more than happy to pull up a before picture on my phone for him to use to admire his work. I even let him take the “before” photo on my phone. I’m sure he thought I was a paranoid tinfoil hat type but he really didn’t seem to mind.


This is one of the rare pieces of advice few people get. You can tell the professional in the room "Your idea is stupid and I as a paying customer do not want that." It's amazing how many people concede to the request.

The only place I can't get away with it is a dentist. They love giving x-rays...because apparently that helps with scaling.


If it's in the US, it's probably that once you have the machine, and the tech, the cost of time and materials is probably less than 5 dollars, but they can bill the insurance $50-100. So they do it as often as they can, which under most insurance is covered once or twice a year. I could imagine it helping plan treatment for cavities, but for scaling? I doubt it...


They can feel cavities with their scaling tools. That's like half the reason why they train in school. They don't need a damn x-ray to do that. And they all say "We will not continue unless we do an x-ray" which just floors me. How is shooting x-rays in my skull even remotely healthy for my brain? I get we can tolerate x-rays, but Jesus, every damn time I switch dental practices or minimum once per year?


It's like when I went for a broken tooth... The dentist insisted on a panoramic x-ray of my head/jaw... Then he came back and said: yep, you have a broken/chipped tooth... And the funny thing is that he protected my chest from the x-ray with a lead cover but not my brain... And the tooth broke because it was repaired from a previous cavity.


Because they are lazy, incompetent and indifferent. But they might be against a very powerful and public group of people who can sue them out of existence, so maybe that will scare other health providers into better security practices.


You hinted at it but didn't mention it explicitly: greedy. It simply costs more to have somewhat better security practices, and they don't want to pay unless they have to.


Lazy indifference probably explains it more than greed I think. If they cared, a doctor could add "burn a CD and put it in the filing cabinet with the other patient records" to the job duties of their secretary without increasing their compensation. It would only take a few more minutes, and would only slightly detract from the time they spend idly chatting with each other.

But they simply don't care.


More accurately, they are NOT tech professionals, the type of people who do IT for small private practices are not that good either, and they really just don't know for the majority of it. You really can't expect these people to understand the full consequences of stuff like encryption, offline vs online media and more. To them, if it has a user name and password, that is safe, right? Use the HIPAA lockbox software and it should be good, right?

In the past, before computers, they would be putting these in files on large file-folder shelving units with colored folder tabs behind a counter, and the only real security was a receptionist that would stop you if you tried to interact with it, and they locked the door to the office when they left. If someone broke into the office back then too, your medical records would've been stolen & unencrypted (beyond the illegibility of most doctors' handwriting) and as a society, we were ok with that security level.


You're probably right that ignorance is the root of their apathy. Hopefully with this event making the news, doctors at least in the same specialty will hear about it and do something. Unencrypted offline records physically secured in the office building seems more than adequate in all but the most exceptional scenarios though. Maybe it wouldn't be good enough for doctors of high-value targets (celebrities, politicians, etc.) Burglars targeting medical records seems uncommon.

Harsh fines are probably the best way to make doctors care though. If they know they risk financial ruin for not securing their records, they'll have a strong personal incentive to remediate their ignorance.


You'd think that, but... SolarWinds


I'd think it specifically of doctors who specialize in human bodies, not computer stuff. SolarWinds on the other hand could not possibly be excused for ignorance.


One of my first jobs out of college was working at a medical school. Doctors in general think computers are magic and that compared to their actual medical expertise programming is easy. I neither expect nor, to be honest, want them worrying about computer stuff. I won't try to tell them how to cure sick people.


I don't want them to be tech professionals. I want them to use the best in class tools they can get, which it turns out are also the easiest to use and often the cheapest. If this surgery practice had just kept their photos on Google Drive with GSuite admin policy enforcing 2FA, they would have been most of the way to gold standard infosec and also would have dramatically better real-world durability and availability. Any consultant could have set them up that way in an hour.


That doesn't protect against the kind of attack that compromises the endpoint (wait for logged-in 2FA state, interact with the browser in the background with the exact same state in a headless mode and download), and you do not know, when they set up their systems, whether GSuite, 2FA & HIPAA / UK equivalent agreements were even available back then.

For all you know, they could have had that system too, the article does not say what it was.


These kinds of things never turn out to be that sophisticated. It's always that they left the SMB port open and the password was "password".


Whether the cause is laziness or greed, criminal consequences would probably motivate people to actually care about this stuff.


Use Blu-Ray instead of CD, because the optical layer of all normal recordable CDs (and DVDs) is susceptible to fungi.

BD-R (except LTH) use an inorganic layer to record on.


Keeping data on live hard disks costs quite a bit more than archiving it to tape or DVD and sticking it in a file cabinet.


There's a one-time purchase of bigger/more disks. Figure 1GB (50 20MB pictures) per customer. Just add another 2TB, then 4TB, now 8TB or bigger drive. That's about $250 or $300 each time. Double that for a synced drive somewhere in the office.

Now they should be doing 3-2-1 backups. With S3 they'd be paying $160/month (for storage, not counting other costs) for 8TB or $40/month for Backblaze B2. That's 8,000 customers.

They're in England so some variance in pricing. But it would be relatively inexpensive to buy big drives, sync them to a set in the office, and back them up online. Where the doctors or whoever is running the clinics can SEE the data is still there whenever they want.

I agree that there should be increasing worry about keeping information that you don't need, whether it's intimate pictures of your surgical clients or people who bought from you 5 years ago and not since. But it seems like keeping things handy will be an impulse that's hard to overcome.


TBH DVDs / Blu-Rays are too low density, expensive and labor intensive, and tape drives start at $1000 and most non-tech professionals don't know they even exist. 2.5TB of 25 100GB writable BDXL disks cost about $250. A 4TB drive costs $80, and a computer to throw 3.5" HDDs in is pretty cheap too.


Blu-Ray (the cheap ones, 25/50 GB) is actually cheaper than tape, if you care for that. But yeah, they are less dense.


Not if you want the same level of access assurance.


Maybe. Sounds like their incentive will be primarily to keep _some_ records more safe. E.g. I'm skeptical that this would propagate to poor people, without legislation at least.

(Which isn't to say that they'd purposefully choose two different implementations. Rather, just that if I'm using poor person doctors I'm unsure they'd rise to the new "standard" of security practices.)


The patient can come for a checkup or a related thing and they want to be able to easily retrieve these if they want to check something (or in case there's an issue of sorts). Having it all in a single system is the easiest way to do that.


"I'm a doctor, not a computer security expert, Jim!"


Perhaps they bring them out to show people who are considering the same surgeries but haven't yet committed?

(Although I'd hope they obscure identifying details and get permission from the original patients...)



