::: nBlog :::
Since last Thursday, the press in Finland has been glowing hot about a massive data leak from a psychotherapy clinic. Records of up to 40.000 people, including patient case summaries, were hacked. A blackmailer soon emerged, threatening to release 100 records every day until paid some 40 bitcoins, that is 450.000€ with current ratio. When the clinic apparently did not pay, the blackmailer turned to individuals and demanded a few hundred Euros each. A couple of these people, my friends, contacted me and I decided to support them with all the means I have at my disposal.
I can only conclude that the blackmailer is psychopathic, given how much grief is being caused to the patients, many of them already in a vulnerable state, hence having sought therapy in the first place.
A lot has been written about the vulnerabilities of the clinic’s patient data system, and its outsourcing and audit partners. Yes, they should have had more penetration testing, encryption, audit logs, monitoring, alerting, intrusion detection.. the list goes on.
I postulate that there were two main reasons which led to this catastrophic event: Monolithic systems architecture and lack of federated security culture. What comes to government regulations, this clinic’s systems belonged to so-called ‘class B’ designation which do not require government auditing nor have clear architectural guidelines, as opposed to ‘class A’ which is being used in hospitals and e.g. workplace healthcare centers. I’m sure these classifications will be updated in the coming months.
Federated and inherent security is more of a mindset; everything and everybody must have authorization, auditing, accounting, encryption and things must be tested and hardened all the time. At the end it’s all about situational awareness, also what comes to security; always know what the heck is going on everywhere in your infrastructure. No modern system is complete without a proper situational awaress plan and architecture.
We have now seen first hand what kind of cyber damage a psychopath can inflict towards innocent people, many of whom didn’t even realize that their deepest secrets were so stringently recorded and could ever leak.
Security can also be lost almost by accident, when critical services are outsourced without proper analysis. The Cloud, lo-and-behold, is the new black even for government services, but the dependencies and risks with foreign powers under which those services operate don’t usually get much attention, and the data between a citizen (and hence public servant too) and his/her government may suddenly traverse 5 or more countries..via those respective intelligence services.
When the latter scenario materializes, it gradually deprives a country from independence. Much slower than a conventional war, but certainly. Even when it’s your union friends who know your every move before you make them. That is not a good path for any sovereign nation. In most critical things, stay away from Other People’s Computers.
//Pasi