Trust us, we're from the government.

Ishmael

You bet ya sparky.

Now that it's patently clear that the government can't even protect itself from the hackers just how much of your personal information do you really want to trust the government with?

Well, like it or not you are going to be trusting them with EVERYTHING!!!!!! 'ShuckNJive' care requires that all of your medical information be digitized and stored in a central data repository. And that information is the Holy Grail of hackers. Everything that anyone can use to wreck your life is going to be in that database.

Are they going to offer you free LifeLock for life? Or indemnify you from any malicious activity on the part of a hacker using your personal information? Don't hold your breath.

The government has offered ALL current government employees free LifeLock-like services for 18 months, but the web site where you sign up has crashed, and has been down since a few hours after it was set up. (Any of this sounding familiar?)

Of course none of us former employees/service members/clearance holders have been notified and none of us are holding our breaths in anticipation of being so.

Just another red flag letting anyone who wants to pay attention know just how incompetent, insecure, and unjustifiably intrusive government is. But all you big government cheerleaders come on in and tell us how even more will be better. How they will clean this whole mess up in a timely manner. Of course the horse is already out of the barn so who the fuck cares what they do tomorrow?

Then again perhaps essentially forcing everyone to subscribe to a LifeLock-like service might just be their backdoor way of spurring the economy, but I doubt it. It falls more in the category of just one more hidden tax.

Ishmael
 
Jesus Christ, you're a whiny, scared little impotent bitch.
 
And somebody at the lunch counter stole my danish while I was in the john.

What kind of government permits things like that to happen?
 
Just another red flag letting anyone who wants to pay attention know just how incompetent, insecure, and unjustifiably intrusive government is. But all you big government cheerleaders come on in and tell us how even more will be better. How they will clean this whole mess up in a timely manner. Of course the horse is already out of the barn so who the fuck cares what they do tomorrow?

Ishmael

^^ Regularly cheers big government invasions of privacy.......
 
The LifeLock is free.

For some, for a finite period of time. It's as if they're going to get the Chinese(?) to give all the data back. A modified 'Witness Protection Program' is the only thing that's going to save anyone's ass.

Ishmael
 

The OFPM is on the radar over this one. Nobody is happy. It will be even more embarrassing if or when the dirty details of it come out.
 
It wasn't hacking, OPM just outsourced their background investigations to China...
 

Here's a clue: For as long as there have been computers, the Social Security Administration has kept your Social Security Number in a computerized database. The same is true for information held by the IRS, HHS, DoD, FBI and every other government agency you can name.

Vulnerability is not a new phenomenon. Computer security, like ALL security, is attacked or fortified by engineers dedicated to gaining an advantage for their private enterprise or government stakeholders.

I am shocked that you are shocked.
 

It's cos it's a Democrat president. If there was a white, god fearing Republican president in power nothing like this could possibly happen. Just like no sensitive information held by private companies is ever hacked.
 
The OFPM is on the radar over this one. Nobody is happy. It will be even more embarrassing if or when the dirty details of it come out.

So far the leaked details are that ALL current government employees and approx. 2 million former employees, everyone that holds or has held a security clearance along with ALL of the background info, and all current and former service members. Incredibly NONE of the SS numbers were encrypted.

Ishmael
 

Please embolden where I expressed 'shock?'

Ishmael
 

"Incredibly" and the upper case emphasis on "NONE" would seem to indicate shock. Moreover, what would be the purpose of informing us of the government's incompetence if it wasn't at least mildly surprising and we weren't already aware of it?

And just btw, Computer Security 101 sez that information within a database is not typically encrypted. Sensitive information within a database is typically protected by firewalls, and the passwords granting access through the firewall should obviously be secured, including encryption, but encryption generally is reserved for information transmitted across an open (or even presumably "secured") communication channel.

Perhaps the biggest surprise surrounding identity theft is its lessening impact upon individual victims due to its massive growth as a criminal enterprise. The dominant strategy today seems to be that it is far less risky, and just as easy, to steal $1 from a million people than to steal $1 million from one person or even $1,000 from 1,000.

According to 2012 statistics from the U. S. Department of Justice, 7% of U. S. residents aged 16 or over were victims of identity theft that year. Only 14% of ALL identity theft victims experienced out-of-pocket losses of $1 or more. Of this 14%, about half suffered losses of less than $100.

At that scale, current financial losses due to identity theft are easily insurable by the majority of individuals and institutions who will almost certainly never be victimized by the crime. (http://www.bjs.gov/content/pub/pdf/vit12.pdf)
 
Of course none of us former employees/service members/clearance holders have been notified and none of us are holding our breaths in anticipation of being so.

Yep, a former employee with clearances and intell work up the wazoo. Nope they haven't notified me. Nope, I don't anticipate they will. Those of us in intell said this would happen when our records were turned over to OPM for administration.
 
First, we need to face reality that those who support Obama and Hillary are slaves. They really don't care about much, as long as their welfare check clears the bank.
 

Bzzzzzzzzt. You get no points for my using 'incredible', especially considering I used it AFTER you told me I was "shocked."

As far as encryption is concerned you might want to go to infolawgroup.com and educate yourself as to what has to be encrypted, even within the DB. Especially the two operative federal regs. re. how HITECH amends HIPAA and the FACTA regs.

Obviously the government doesn't seem to believe that any of that applies to them, just us.

Ishmael
 
Bzzzzzzzzt. You get no points for my using 'incredible', especially considering I used it AFTER you told me I was "shocked."

I see. You only became “incredibly” incredulous (which by your implication is nothing like being “shocked”) AFTER I suggested it? Is that right? Okay. I’ll repeat my original question. If you’re not shocked, what are you? If, as you observed in your OP, “the government can't even protect itself from the hackers,” do you find that fact outrageous, criminally negligent, irresponsible, mildly disappointing or merely somewhat surprising but not necessarily objectionable?

Since you seem intent on denying the very premise of why you authored the thread to deprive me of debating “points” I don’t need or want from you or anyone else, then by all means correct my mischaracterization of your state of mind with respect to being “shocked.” How well or poorly did the government meet whatever expectations or standards of performance you may choose for protecting personal information. After you’ve done that, I suspect most observers here would not find my previous assertions as a mischaracterization at all.

To clarify my own state of mind, and assuming this thread was provoked by the recent data breach within the Office of Personnel Management (OPM), I am BOTH “not the least bit surprised” AND “shocked beyond belief.” I am not the least bit surprised that the Chinese have stolen and continue to attempt to steal information from U. S. government and private sector computer systems. I am shocked beyond belief that our government would expose personal information of those employees holding security clearances to an arguably vulnerable OPM database after having had the same information previously enjoying a far higher degree of security in the intelligence and military agency systems in which it was originally stored.


As far as encryption is concerned you might want to go to infolawgroup.com and educate yourself as to what has to be encrypted, even within the DB. Especially the two operative federal regs. re. how HITECH amends HIPAA and the FACTA regs.

Obviously the government doesn't seem to believe that any of that applies to them, just us.

Ishmael

Wait a minute. If HITECH requires Electronic Health Records (EHR) as defined by HIPAA to be encrypted within all relevant medical databases, as you’ve suggested, why do you fear for the vulnerability of ‘ShuckNJive’ care records? What else would you have the government do to protect them? HIPAA regs apply to ALL medical records, not just those generated by government run healthcare programs. Thus, the vulnerability of EHRs has nothing to do specifically with Obamacare. Go ahead. Try to argue otherwise.

Oh, I also did exactly what you suggested I do. Went to infolawgroup.com and read Scott Blackmer’s four part series Code or Clear? Encryption Requirements under Information Privacy and Security Laws. I was not at all surprised to find that he began his argument by embracing the EXACT PRINCIPLE I suggested in my last post that “reasonable” information security is defined BOTH by the degree of sensitivity of information to be protected and the circumstances under which the information is handled, i.e. accessed, stored, or transmitted. Those three states of information handling necessitate DIFFERENT levels of security apart from the nature of the information itself. He wrote, in part:
Legal and IT personnel are generally familiar with a traditional pattern in privacy laws: Security is always mandated, but the statutory language is usually limited to generalities, stating that a company must develop and implement “reasonable” or “appropriate” security measures proportional to the risk of harm if the information at issue is lost, altered, or obtained by unauthorized persons. This sort of language is found, for example, in HIPAA and GLBA, FTC guidance on fair trade practices, SEC internal control rules under Sarbanes-Oxley (SOX), the EU Data Protection Directive, and the personal information security laws of Canada, Japan, Australia, and other jurisdictions. Some laws (or regulations issued under those laws) emphasize that these safeguards must include technical, organizational, and physical security measures, but they typically do not specify what those measures must be.

****************************************

There is clearly a trend toward requiring encryption of sensitive personal data (particularly the identifiers used commonly in ID theft, as well as medical information), especially when that information is transmitted over public networks or wirelessly, or when that information is stored on laptops, USB drives, smart phones, PDAs, and other portable devices. These are precisely the circumstances in which most large-scale personal data security breaches have occurred. So far, companies have not normally been required to routinely encrypt all such data on secure servers or in data centers and storage media located on their premises (or those of their contractors), behind firewalls and internal network or VPN controls. Some companies have chosen to do so, however, to further reduce their risks of noncompliance or litigation exposure.

http://www.infolawgroup.com/2009/10/articles/encryption/code-or-clear-encryption-requirements-under-information-privacy-and-security

Exactly what I said previously.

I also followed his links to the HIPAA regs as mandated by HITECH and discovered that you were, not surprisingly, wrong about your implication that HIPAA defined EHRs WITHIN a database are REQUIRED to be encrypted even if behind a firewall. The relevant section of federal law is Title 45 – Public Welfare, Subtitle A → Subchapter C → Part 164 → Subpart C → §164.312 (Technical Safeguards). The safeguards discussed in this section, including encryption, are either “required” or “addressable” as defined earlier in §164.306. Suffice it to say, encryption must be “addressed” in a medical provider’s security plan, but is not “required” by a specific statutory formula.

Further evidence is supplied herewith by a recent article describing New Jersey’s new encryption law, one of the toughest state laws in the nation:

New Jersey's New Encryption Requirement May Reach Beyond Health Insurers
posted on: Friday, February 27, 2015

Effective August 1, 2015, health insurance carriers that issue health insurance in New Jersey must use encryption or other technology that renders personal information unreadable, undecipherable, or unusable by unauthorized persons when compiling or maintaining computerized records that include personal information. Mere password protection is inadequate to comply with this law, known as Senate Bill 562 or S562. The New Jersey legislature unanimously enacted S562 in response to heightened public concern about privacy and cybersecurity issues.

Unlike most state cybersecurity and data breach laws that require businesses to take certain actions in response to a data security breach, including notifying persons whose personal information has been subject to unauthorized disclosure, S562 aims to prevent data security breaches, or at least make breaches less likely. As one of the first of its kind among state data security laws, it is anticipated that New Jersey's law will serve as a model for other states as they struggle to protect personal information while preventing data breaches.

Under S562, "personal information" is defined as a person's first name or first initial and last name linked with at least one of the person's (1) Social Security number, (2) driver's license number or other State identification card number, (3) address, or (4) identifiable health information. Failure to encrypt personal information under S562 constitutes a violation of New Jersey's consumer fraud statute and subjects violators to the Attorney General's enforcement powers as well as treble damages. Encryption provides greater security than password protection because it alters the protected data, rendering it indecipherable until the correct "key" is applied.

Whereas data protected by a password can be accessed in its original form if a hacker or other unauthorized user gains access to or circumvents the password, encrypted data will be indecipherable and unusable unless the proper key is used to unlock the code. Encryption is not ironclad protection, as a hacker could steal the key or potentially decipher the code. Encryption also can add costs and make the protected data more difficult to access and use.

In some respects, S562 requires health insurance carriers to employ greater measures to protect personal information than is required under the federal Health Insurance Portability and Accountability Act (HIPAA), which requires health insurance carriers to protect personal information but does not establish a baseline means of protection. HIPAA regulations merely encourage encryption, but do not require it.

http://www.natlawreview.com/article/new-jersey-s-new-encryption-requirement-may-reach-beyond-health-insurers
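Two posts in this thread disagree about encryption inside the database: the earlier "Computer Security 101" post says records sitting behind a firewall are not typically encrypted, and the New Jersey article just quoted describes what encryption at rest buys (data unreadable without the key, with key theft as the residual risk). As an added example, not code from this thread or from any source quoted in it, here is what encrypting the one column the whole thread is worried about, the SSN, looks like in Go using only the standard library: AES-256-GCM for the stored value, with the row's name as authenticated data, plus an HMAC blind index so the application can still look a record up by SSN without decrypting the column. The Record layout, KeyRing, function names and sample rows are all assumed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is a stored row (layout assumed). No plaintext SSN lands in the table.
type Record struct {
	Name      string
	SSNCipher []byte // nonce(12) || AES-256-GCM ciphertext || tag(16)
	SSNIndex  string // hex(HMAC-SHA256(indexKey, digits-only SSN)), for lookups
}

// KeyRing holds key material; in production from a KMS/HSM, never in the DB.
type KeyRing struct {
	aead     cipher.AEAD // AES-256-GCM under the encryption key
	indexKey []byte      // 32-byte HMAC key for the blind index
}

func NewKeyRing() (*KeyRing, error) {
	seed := make([]byte, 64)
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(seed[:32]) // 32-byte key, so this cannot fail
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	return &KeyRing{aead: g, indexKey: seed[32:]}, err
}

// normalizeSSN keeps digits only, so "123-45-6789" and "123456789" match.
func normalizeSSN(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

// EncryptSSN seals the SSN under a fresh random nonce. The row's name is the
// additional authenticated data, so a ciphertext moved to another row fails.
func (k *KeyRing) EncryptSSN(name, ssn string) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, []byte(normalizeSSN(ssn)), []byte(name)), nil
}

// DecryptSSN errors (GCM tag check) on a wrong key, wrong name or any modified byte.
func (k *KeyRing) DecryptSSN(name string, blob []byte) (string, error) {
	n := k.aead.NonceSize()
	if len(blob) < n {
		return "", fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	pt, err := k.aead.Open(nil, blob[:n], blob[n:], []byte(name))
	return string(pt), err
}

// BlindIndex is deterministic, so `WHERE ssn_index = ?` still works, yet without
// the index key it cannot be inverted (an unkeyed hash of 9 digits falls in seconds).
func (k *KeyRing) BlindIndex(ssn string) string {
	mac := hmac.New(sha256.New, k.indexKey)
	mac.Write([]byte(normalizeSSN(ssn)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Store builds the row that would be INSERTed.
func (k *KeyRing) Store(name, ssn string) (Record, error) {
	ct, err := k.EncryptSSN(name, ssn)
	return Record{Name: name, SSNCipher: ct, SSNIndex: k.BlindIndex(ssn)}, err
}

// FindBySSN answers "whose record is this SSN?" from the index alone.
func (k *KeyRing) FindBySSN(table []Record, ssn string) (string, bool) {
	want := k.BlindIndex(ssn)
	for _, r := range table {
		if hmac.Equal([]byte(r.SSNIndex), []byte(want)) {
			return r.Name, true
		}
	}
	return "", false
}

func main() { // constructed sample rows; not real people or numbers
	k, _ := NewKeyRing()
	a, _ := k.Store("A. Clearance", "123-45-6789")
	b, _ := k.Store("B. Retiree", "987-65-4321")
	who, _ := k.FindBySSN([]Record{a, b}, "987654321")
	ssn, _ := k.DecryptSSN("A. Clearance", a.SSNCipher)
	_, err := k.DecryptSSN("B. Retiree", a.SSNCipher) // ciphertext moved between rows
	fmt.Printf("stored %x\nlookup %s, decrypt %s, row swap: %v\n", a.SSNCipher, who, ssn, err)
}
```

Run as is, it prints a hex ciphertext, a successful lookup and decrypt, and a tag error for the ciphertext moved to another row. The point for the argument in this thread: a dump of this table yields ciphertext and keyed hashes, so the attacker's next target is the key, which is why it belongs in a separate KMS or HSM rather than in the same database or application config. What this does not cover is an attacker on the application host itself, who reads SSNs exactly as the application does while it holds the key in memory.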
 

I see you dodged FACTA.

Be that as it may, "advised" vs mandated is a moot point under tort law. Any litigator worth his/her salt is going to drive a bus through that. Especially in a class action situation. Even I could argue that case.

Essentially we are witnessing the potential for a class action suit the likes of which this nation has never seen before, and remember.......all those federal judges are part of the plaintiff pool.

When are you going to start thinking about the ramifications?

Ishmael
 

Dodge? Is that what you honestly think? Do you really want me to research FACTA and prove that you were just as wrong about those regulations as you were about HITECH and HIPAA?

You made a very specific allegation about what encryption was required for electronic health records, even within a stored database, under federal law. You did that without checking your facts. That is a very common failing among folks today, even the "professional" news media. I loathe it. It frankly pisses me off. It is a great disservice to our society because people just repeat the last thing they heard that sounded authoritative and thus substitute popular ignorance for easily discernible facts.

It took me a mere fraction out of my evening to discern those facts. Why didn't you?

As for thinking about ramifications, when are you going to start thinking about the ramifications I previously pointed out to you -- that of the roughly 7% of people who are victimized by identity theft each year, fully half of those suffer financial loss less than $100? That info is from the DoJ.

Damages and the need to restore a victim to "wholeness" are at the very heart of a breach of contract duty or tort duty. They are literally what tort law is all about. You can squawk about tort law all you want, but unless you and your litigator can produce some far more dramatic recoverable damages from the other half of identity theft victims, any paralegal intern worth his/her salt will piss all over your class action suit.
 

It's risk versus benefit, Ish, like everything else in healthcare. There is NOTHING in healthcare that doesn't involve risk, so it's always a matter of acknowledging the potential risk and weighing it against the benefit of a positive outcome.

Risk is somebody hacking into the healthcare database and finding out you have a history of hypertension, bunions, two bouts of bronchitis when you were young, a brush with syphilis in your college years, whether or not you've received all the recommended vaccines, and have been moderately obese for the last two decades. The benefits can be enormous when that obesity and hypertension finally catch up to you when you're in your fifties and you wind up in ER, then the ICU, and your doctors have access to your entire medical history, a clear picture that can guide them through treatments that can literally save your life, or keep them from accidentally killing you themselves.

Most errors in healthcare are born of ignorance. Knowledge saves lives, especially in an emergency.

Besides, for decades you've been entrusting the same information to corporations that once sent them overseas to foreign countries where you have no protection, and no recourse if the transcriber to a similar digitized (and vulnerable) database accepts a small bribe to simply make a copy. Why is it that there is only outrage against the sloppiness of the government but not that of corporate healthcare? I share my outrage. I'm an equal opportunity outrager.
 