Avenging_Mikon posted:
> Question time!

Potentially, it would have to be enforced differently and the laws wouldn't work exactly the same. But also no, because computer stuff is a magical mystery tour for most people, including the people who would draw up the laws and decide how it would be enforced. And the consultant experts they'd bring in would have it in their interests to make it impossible to do this because it would affect ~operating margins~ too much.

Jan 25, 2018 10:27

Oh and also it works in the govt's interest to have insecure software that isn't publicly disclosed because they get to use them. Until someone else leaks their exploits and uses them: https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/

Jan 25, 2018 10:30

https://twitter.com/cloutboyjojo/status/955666868739682304

Jan 25, 2018 16:31

MORE CURLY FRIES posted:
> Potentially, it would have to be enforced differently and the laws wouldn't work exactly the same.

the law would just say "software has to be secure" and there would be an FDA equivalent w/ subject matter experts for determining what constitutes secure. the reality is it's kind of a stupid idea because there's no possible way they could get enough people to survey all the code. A better idea is to penalize the results of bad security. Basically take hipaa and apply it to all personal data stored anywhere in any form. You can adjust the penalties as needed over time.

Jan 25, 2018 16:47

hipaa is like 25% of why all medical software everywhere in every way sucks

Jan 25, 2018 16:55

bob dobbs is dead posted:
> hipaa is like 25% of why all medical software everywhere in every way sucks

Ehhhhh. HIPAA is like SOX: IT uses it to justify what they wanted to do and to shut down the possibility of complaining about it.

Jan 25, 2018 16:56

bob dobbs is dead posted:
> hipaa is like 25% of why all medical software everywhere in every way sucks

The other 75% is because the poo poo doesn't get supported by an on-site development team like it's supposed to, to make the software conform to the environment rather than forcing medical personnel to conform to the software.

Jan 25, 2018 16:57

bob dobbs is dead posted:
> hipaa is like 25% of why all medical software everywhere in every way sucks

idk where you're getting that from. hipaa doesn't do anything more than tell you not to send PHI insecurely or give access to unauthorized parties.

Jan 25, 2018 16:58

hipaa is also pretty useless, as anyone who says they comply doesn't. same as pci really

Jan 25, 2018 17:02

that's not the point. the point is if they do fail to secure data and something happens they're liable for it. if the government fails to enforce penalties that's on them, but it's a fine framework for discouraging the most egregious problems.

Jan 25, 2018 17:03

Lysidas posted:
> long ago i put a decent amount of effort into reducing the english alphabet into a version that could not encode any common profanity, i think with 0-9 and a subset of A-Z i ended up with 29 characters, to map integer database PKs to short strings and make sure that "gently caress" would not be one of them

the pwgen command has a no-accidental-cursewords feature but all it does is remove all the vowels because who cares that much

Jan 25, 2018 17:05

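An added example of the technique Lysidas describes (this is mine, not Lysidas's code, and not pwgen's): a base-N encoder that maps integer PKs to short strings over an alphabet with the vowels removed, the decoder that inverts it, and a check for whether a given word could ever appear in an encoded ID. The alphabet is an assumption (digits plus the 20 consonants, 30 symbols, not the 29-character set the post mentions), and the digit-to-letter look-alike table is also assumed; it exists to show why vowel stripping alone, as the post says of pwgen, does not close the problem.

```python
import string

# Assumed alphabet for this example: digits plus the consonants, with
# A E I O U Y removed so no vowel-bearing word can be spelled verbatim.
# Not the exact 29-symbol set from the post; this one has 30 symbols.
VOWELS = set("AEIOUY")
ALPHABET = string.digits + "".join(c for c in string.ascii_uppercase if c not in VOWELS)
BASE = len(ALPHABET)
INDEX = {c: i for i, c in enumerate(ALPHABET)}

# Assumed look-alike table: digits that readers commonly see as letters.
LEET_LETTERS = {"0": "O", "1": "I", "3": "E", "4": "A", "5": "S", "7": "T", "8": "B"}
REACHABLE = set(ALPHABET) | set(LEET_LETTERS.values())


def encode(n: int) -> str:
    """Map a non-negative integer (e.g. a database PK) to a short string."""
    if n < 0:
        raise ValueError("only non-negative integers are supported")
    if n == 0:
        return ALPHABET[0]
    digits = []
    while n:
        n, rem = divmod(n, BASE)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits))


def decode(s: str) -> int:
    """Inverse of encode(); rejects characters outside the alphabet."""
    n = 0
    for c in s.upper():
        if c not in INDEX:
            raise ValueError(f"character {c!r} is not in the alphabet")
        n = n * BASE + INDEX[c]
    return n


def can_spell(word: str) -> bool:
    """True if every character of `word` is in the alphabet, i.e. the word
    could appear verbatim inside some encoded ID."""
    return all(c in INDEX for c in word.upper())


def can_spell_leet(word: str) -> bool:
    """Looser check: each letter must be in the alphabet or be the look-alike
    of a digit that is, so "5H1T"-style spellings count as reachable."""
    return all(c in REACHABLE for c in word.upper())


if __name__ == "__main__":
    for pk in (0, 29, 30, 12345, 2**40):
        s = encode(pk)
        print(pk, "->", s, "->", decode(s))
    for w in ("PASSWORD", "XKCD"):
        print(w, "spellable:", can_spell(w), "leet-reachable:", can_spell_leet(w))
```

Two caveats a practitioner would add. First, the mapping is a plain change of base: decode() recovers the PK, so the short IDs are exactly as enumerable as the integers behind them; if IDs must not be guessable, run the PK through a keyed permutation before encoding. Second, can_spell_leet() shows the gap the post alludes to: a vowel-free alphabet blocks the word as written but not its digit-substituted lookalike, which is also why removing vowels is all pwgen bothers with.
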
Schadenboner posted:
> Ehhhhh. HIPAA is like SOX: IT uses it to justify what they wanted to do and to shut down the possibility of complaining about it.

when we had to start complying with PCI audits here I definitely used that as leverage to make our security practices go from "abysmal" to "just regular bad" so that's good i guess

Jan 25, 2018 17:06

Shaggar posted:
> the law would just say "software has to be secure" and there would be an FDA equivalent w/ subject matter experts for determining what constitutes secure.

britain has the data protection law which is enforced by a toothless org which fines you like £5 if your website leaks unsecured password information

Jan 25, 2018 17:07

ate all the Oreos posted:
> when we had to start complying with PCI audits here I definitely used that as leverage to make our security practices go from "abysmal" to "just regular bad" so that's good i guess

for us it was "make sure we can prove we aren't storing CC data anywhere" which I think is also good.

Jan 25, 2018 17:08

HIPAA is a lot like PCI: it's to cover the asses of the middle man and make sure the blame for leaks falls on others.

Jan 25, 2018 17:10

the middlemen have generally always been better than the endpoints at security. providers are the worst by far and if hipaa provides a formalized process to prove the provider hosed up then that's great.

Jan 25, 2018 17:13

Schadenboner posted:
> Ehhhhh. HIPAA is like SOX: IT uses it to justify what they wanted to do and to shut down the possibility of complaining about it.

this doesn't disprove anything i said

CommieGIR posted:
> HIPAA is a lot like PCI: it's to cover the asses of the middle man and make sure the blame for leaks falls on others.

nor this

Avenging_Mikon posted:
> The other 75% is because the poo poo doesn't get supported by an on-site development team like it's supposed to, to make the software conform to the environment rather than forcing medical personnel to conform to the software.

nor this

current state of medical software: sucking hard, leaking like a sieve

don't copy medical software's badness

Jan 25, 2018 17:14

bob dobbs is dead posted:
> this doesn't disprove anything i said

....it wasn't intended to disprove anything you said?

Jan 25, 2018 17:14

medical software being bad has absolutely nothing to do with hipaa, beyond that hipaa can point out ways in which it is bad. hipaa doesn't create the problems though

Jan 25, 2018 17:15

CommieGIR posted:
> ....it wasn't intended to disprove anything you said?

yeah, sure. other peeps sure seemed like it tho

Jan 25, 2018 17:16

unless it's like "this software asks for a username and password now! this is bullshit!" which ok yes hipaa might have caused that.

Jan 25, 2018 17:16

Shaggar posted:
> for us it was "make sure we can prove we aren't storing CC data anywhere" which I think is also good.

my favorite thing so far is when i asked why we don't pay for slack or run our own slack server and was told "well this way the messages automatically become inaccessible after a certain amount of time due to the usage limits" and i'm like "they're still there you just can't see them without paying" and was told "yeah but the auditors can't see them so they don't exist"

Jan 25, 2018 17:21

ate all the Oreos posted:
> my favorite thing so far is when i asked why we don't pay for slack or run our own slack server and was told "well this way the messages automatically become inaccessible after a certain amount of time due to the usage limits" and i'm like "they're still there you just can't see them without paying" and was told "yeah but the auditors can't see them so they don't exist"

lmao we have the opposite problem, we don't pay for slack and use it to discuss everything important with IT, so there basically is no paper trail because our programmers are imbeciles who find email too difficult to operate

Jan 25, 2018 17:23

bob dobbs is dead posted:
> yeah, sure. other peeps sure seemed like it tho

No, I was pretty much on board. Programmers make something generic due to HIPAA, and it sucks because they don't want to get fancy and accidentally violate it. Then it continues to suck because it doesn't get continuing support in the field.

Jan 25, 2018 17:32

ate all the Oreos posted:
> my favorite thing so far is when i asked why we don't pay for slack or run our own slack server and was told "well this way the messages automatically become inaccessible after a certain amount of time due to the usage limits" and i'm like "they're still there you just can't see them without paying" and was told "yeah but the auditors can't see them so they don't exist"

lol that rules.

Jan 25, 2018 17:53

ate all the Oreos posted:
> my favorite thing so far is when i asked why we don't pay for slack or run our own slack server and was told "well this way the messages automatically become inaccessible after a certain amount of time due to the usage limits" and i'm like "they're still there you just can't see them without paying" and was told "yeah but the auditors can't see them so they don't exist"

Jan 25, 2018 17:58

i'm pretty sure this still counts as a sec fuckup: https://www.washingtonpost.com/loca...097e_story.html

> After his arrest last Jan. 31, Wertkin returned to Washington to clean out his Akin Gump office near Dupont Circle, where he removed and destroyed electronic and paper copies of other stolen cases “that I knew could further incriminate me,” he said in plea papers.

Jan 25, 2018 18:00

Wiggly Wayne DDS posted:
> i'm pretty sure this still counts as a sec fuckup: https://www.washingtonpost.com/loca...097e_story.html

He announced at his arrest "My life is over"

Jan 25, 2018 18:09

Avenging_Mikon posted:
> No, I was pretty much on board. Programmers make something generic due to HIPAA, and it sucks because they don't want to get fancy and accidentally violate it. Then it continues to suck because it doesn't get continuing support in the field.

Isn't the problem with hipaa and software that once the software is "hipaa compliant" you can no longer change it without having to get it "re-certified", which costs real money? Thus the software is never touched again and has to run on windows 95/ie6 or whatever.

Jan 25, 2018 18:15

ate poo poo on live tv posted:
> Isn't the problem with hipaa and software that once the software is "hipaa compliant" you can no longer change it without having to get it "re-certified", which costs real money? Thus the software is never touched again and has to run on windows 95/ie6 or whatever.

It might be, but I've read in the Nursing thread that a couple of hospitals do have actual teams constantly working on their implementation of EPIC.

Jan 25, 2018 18:20

ate poo poo on live tv posted:
> Isn't the problem with hipaa and software that once the software is "hipaa compliant" you can no longer change it without having to get it "re-certified", which costs real money? Thus the software is never touched again and has to run on windows 95/ie6 or whatever.

Jan 25, 2018 18:34

anthonypants posted:
> i'm pretty sure hipaa isn't prescriptive and that you're thinking of fips certification

Yeah, for HIPAA and PCI, you're required to undergo periodic audits to validate compliance. Software falls under those audits. There's no requirement to "certify" each patch or upgrade at the time of development. You only have to certify compliance for stuff that's actively in use at audit time.

Jan 25, 2018 19:07

ate poo poo on live tv posted:
> Isn't the problem with hipaa and software that once the software is "hipaa compliant" you can no longer change it without having to get it "re-certified", which costs real money? Thus the software is never touched again and has to run on windows 95/ie6 or whatever.

government has this problem, but the certifications expire after a while so this problem can only slow things down rather than halting them forever

also, they don't actually care how much the software changes. what they care about is how much the version number changes. as long as you don't bump the major version #, you can change pretty much anything and not trigger re-certification

Jan 25, 2018 19:30

anthonypants posted:
> i'm pretty sure hipaa isn't prescriptive and that you're thinking of fips certification

ugh loving FIPS

Jan 25, 2018 20:04

ate poo poo on live tv posted:
> Isn't the problem with hipaa and software that once the software is "hipaa compliant" you can no longer change it without having to get it "re-certified", which costs real money? Thus the software is never touched again and has to run on windows 95/ie6 or whatever.

this isn't true. there's no such thing as hipaa certification.

Jan 25, 2018 20:04

> Dutch agencies provide crucial intel about Russia's interference in US-elections

https://www.volkskrant.nl/media/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~a4561913/

Jan 25, 2018 21:48

spankmeister posted:
> https://www.volkskrant.nl/media/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~a4561913/

then they describe what a phishing attack is, then they talk about what the dutch and american hacker teams do. besides, i don't even remember any big news coming from state department emails. there were the emails on hillary's personal server, which wasn't at the state department, and there were the podesta emails, who also didn't work for the state department. seems like this has less to do with the us election than russia's facebook spend

Jan 25, 2018 22:13

lol this is literally routine poo poo that we do to other countries' elections but now it happens to us and waa-waa-waa

Jan 25, 2018 22:38

Shaggar posted:
> this isn't true. there's no such thing as hipaa certification.

there is such a thing as falling for scammy companies that will sell you it, probably.

Jan 25, 2018 22:44

Subjunctive posted:
> ugh loving FIPS

FIPS mode? FIPS mode

Jan 25, 2018 22:59