
Thread: Don't hesitate, legislate!

  1. #1
    Senior Member
    Join Date
    Feb 2003
    Posts
    109

    Don't hesitate, legislate!

    Hospitals and other health care agencies in the US have just recently begun complying with HIPAA (Health Insurance Portability and Accountability Act), tightening security controls and creating tougher policies. The goal of this Act was to make insurance providers accountable for the integrity and privacy of medical records. I realized that a similar approach could be helpful in the wider privacy movement. Credit Bureaus keep millions of credit reports in easy to reach databases for clients to tap into. Thousands of other companies keep copies of client records in computer systems to facilitate accessibility by employees (and hackers...).

    Wouldn't it be great if the US government (and of course other national/international legislative bodies) could pass legislation governing accountability and integrity of all electronically stored personal information within its jurisdiction? I'm talking about basic standards for privacy and security. Personal information would include banking information, credit information, and other personally identifiable information that could be traced to the owner. Basic standards would include intrusion detection, vulnerability assessment and correlation, encryption, access control, auditing, etc. Enforcement would be brought about by random unannounced inspections by the FCC or other government agency. For home users, inspection could occur during an IRS audit.


    But WAIT!! I don't want anyone looking at the private information I have on my computer, especially Big Brother! Well, what if vendors built compliance mechanisms into their operating systems that would send policy reports to government computers on a monthly basis? That way, if a report doesn't come in, the feds knock on your door, and if you have a poor report, the feds can send you an email. Or better yet, if you're all good (which should be the default configuration) they don't bother you at all.


    This post is open to praise, suggestion, flames, and especially constructive criticism.
    $person!=$kiddie or die("Alas, die you hotmail hacker!!");
    SecureVision

  2. #2
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Might I suggest deleting this post, and reposting it in the cosmos, as this has nothing to do with Security.

  3. #3
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    It has everything to do with security. We are always wondering how to make the internet more secure. This is my idea that might help that.
    $person!=$kiddie or die("Alas, die you hotmail hacker!!");
    SecureVision

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Infosec: As an IT manager that has to comply with HIPAA due to the nature of the business I work for, I can assure you that basing anything on HIPAA would be dumb......

    HIPAA's regulated implementation is all "ass about face". The implementation policy scheduled the three sections, privacy of the data, confidentiality in the transport of the data and security of the data, in that precise order. Now, I dunno about you, but I still can't see how, as a sysadmin, I can properly implement their guidelines with any sense of confidence when security guidelines have yet to be written. If I have no clue about this kind of stuff, which describes most social service agencies, I'm going to assure the privacy and confidentiality of the data on an "open" system while I wait for the security guidelines. My agency and the six sister agencies to whom we act as ISP got lucky - they got me - and I already have a clue about the security. I can guarantee you that those agencies would implement the first two phases of HIPAA in utter oblivion to how they are wasting their time - a 9 year old could have entered their systems, thus negating all their hard work.

    If you want to improve internet security, have security professionals do it - NOT Gubmint!!!!
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Over here in the UK we have had legislation called "The Data Protection Act" since 1984. It governs the holding of personal data and the purposes for which it may be used. It also requires registration of the holding of this information with the government.

    It also provides the right of enquiry to individuals as to what data are held on them by organisations (other than the spooks and the cops, of course). Naturally there are no penalties for holding and disclosing incorrect information!

    I suspect that it is pretty much ineffectual, despite the length of time that it has been around. It certainly has no concept of the existence of "hackers"........."aren't they people who work for the Forestry Department cutting down trees?" (Forestry Commission to us Limeys.) And there are no definitive security requirements.

    I agree with Tiger Shark that data security is best left to IT professionals. Perhaps the holding and disclosure of such data is best left to constitutional lawyers..........I DO NOT see a role for politicians, or their frequently ill-advised and ineffectual legislation.

    I feel that this thread is somewhat relevant, in that security is global and all encompassing. What is the point of me keeping my home computing secure if a hacker can get into my bank, health authority, or whatever and extract the data from source? Perhaps the need for legislation is to penalise those who hold personal data without paying due care and attention to its security?

    cheers......just my 2p @ $1.50 = £1

  6. #6
    In Romania we have no legislation for data protection. For example, in our country a hacker, if he is put in jail, will be put there for private property violation. So.....

  7. #7
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    Well, in an ideal world where the government works quickly, enforces laws, and follows up on its duty to the people. What do you all think the laws governing data protection should be?
    $person!=$kiddie or die("Alas, die you hotmail hacker!!");
    SecureVision

  8. #8
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    Actually his post has a lot to do with computer security, but as it relates to law and government. To say it has nothing to do with it is foolish.

    There are actually a few laws and so on that cover security for financial and health data. Each different area has its own laws and regulations to cover what is required at a higher level while trying not to dictate what technologies are used. An example of related law is the recent disclosure law in California. There is a body currently pushing to get a similar law on the national level.

    The European Union has the European Union Data Directive, which is an all-encompassing set of regulations....the main difference between our set-up and theirs is that they have one set of rules to apply to everything and we break it up.

    Pushing for a specific technology isn't always the way to go. Look at Utah with their big push for PKI use.

    SANS offers an excellent course on the subject (which I just got back from) called "Business Law and Computer Security" that was put together by Ben Wright who has been doing related law for about 15 years. If you are interested in the subject I highly recommend hitting it up.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Infosec. You pose some challenging questions!

    My thinking is that those who have custody must accept total responsibility for safekeeping and protection from theft and abuse. That is a generalisation that includes data. The holders have a duty of trust, and any failure is a breach of that trust?

    It really is as simple as that, but as you subtly introduced in the latter part of your first post, what about internationalisation? All I have to do is site a shell in Europe, the West Indies..etc, and I circumvent any local legislation.

    I guess we are all not very good internationalists? We have only started to get partial agreement on war crimes, mass murder, and terrorism. Child pornography is still rampant, drug trafficking, money laundering? This gives very little hope for minor issues such as personal data protection, I feel. I know I sound very cynical, but it reminds me of the line in the song 'Charlie Brown':

    "I'd like to help you son but you're too young to vote"

    I doubt if the issue is on any politician's most hidden agenda?

    Ain't no law west of the internet, or something like that.

  10. #10
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716

    unintended consequences

    "The goal of this Act was to make insurance providers accountable for the integrity and privacy of medical records."

    I have already suffered personally from the stupidity of this new regulation. It makes it illegal for your doctor to share any info about your medical condition without your consent. Sounds good, but wait! I had a heart attack back in December. So, naturally I will miss some days from work (to say the least). My employer needs a doctor's note to verify that I am sick and not just lying. Doctor's office refuses to send note (new regulations) unless I sign papers giving them permission to share my info with my employer.

    The rule was based on the assumption that your employer has no business knowing your medical condition, because they might use the info against you, but, in practice, you must give permission for the doctor to share the info, unless you want the catch-22 situation of not having an excuse for absence from work.

    Same holds for insurance company. They will (naturally) refuse to pay the bills unless you sign the papers authorizing doctor to share info.

    In practice, you wind up with less privacy than before because, not only have they shared your info, they have extorted explicit authorization from you, because you cannot receive any meaningful care without giving that permission.

    I haven't yet gone into the endless hours of being bounced back and forth between the officious bureaucrats (lazy bastards) at doctor's office, employer, and insurance co: "you don't seem to have form number..."

    I'm driven to the conclusion that they would prefer you to just die. It's less work for them.

    For God's sake there should be a moratorium on new laws, until we have learned to cope with the existing ones.
    I came in to the world with nothing. I still have most of it.
