Once upon a time, criminals had to break into homes and businesses to gain access to valuables. In the outdated, offline world, the concept of “valuables” generally applied to cash, jewelry and other physical goods. Lock the front doors, conventional wisdom said, and you’ll be relatively secure.
Now that the Internet has redefined our lives and businesses, break-ins are virtual and the new currency is information — personally identifying information, to be exact. The rush to an online economy has stood conventional wisdom on its ear, and all the locked front doors on the planet won’t make us any safer.
They won’t protect our governments, either, as Virginia’s administration is now learning. Hackers claim to have broken into a state-run prescription drug database — run by the Prescription Monitoring Program — last month and stolen or deleted 8 million patient records and 35 million prescription records. They demanded a $10 million ransom for the safe return of the compromised data, or threatened to sell it to the highest bidder.
As the debate continues over whether this is the biggest cybercrime attack in history, the reality for regular folks is frightening: There are no safe havens anymore, and not even governments — who we entrust with our most private information — are immune. We can lock our doors at night, but we have no control over the myriad third parties that touch our data after we relinquish control.
To its credit, Virginia refuses to play ball. Much as the U.S. government doesn’t negotiate with terrorists, this state government won’t bow down to the datanappers’ demands, either. While the state investigates whether an actual breach occurred, officials have confirmed that all of the compromised data is safely stored on backups and the systems themselves have been secured from further attacks.
But while this high-stakes game of cybercrime brinkmanship plays out, the system in question, the Prescription Monitoring Program, remains offline and unavailable. This unresolved outage is costing the state and its citizens dearly, and calls into question plans to overhaul the entire health care system with adequate doses of technology and process.
As health records go digital, can governments at all levels assure us what’s happening in Virginia won’t also happen to electronic health records (EHRs) around the world? Although public-sector agencies almost always claim to be using the latest security tools and processes, they can’t guarantee our government-run health care infrastructure will be inviolable.
It’s a sobering issue. As government agencies take responsibility for ever-expanding volumes of information about us, citizens must hold them just as accountable for securing it.
But as governments hurriedly plan and deploy platforms, systems and processes to automate the business of managing bureaucracy and accelerating service delivery, the risk of cybercrime only grows. Massive new public data repositories represent irresistible targets of opportunity for identity thieves. It’s fair to question whether governments at any level possess sufficient technical and process maturity to keep our data safe from cybercriminals.
I don’t blame governments for trying. Because we’ve become accustomed to using advanced Web 2.0-based tools to manage our everyday lives, we now expect our governments to join the 21st century, as well. And that’s the right step, as shifting some of the machinery of government online can potentially reduce costs for budget-beleaguered agencies. Unfortunately for them and for us, though, deploying these services means little if it opens up new avenues for data-based crime.
Ultimately, the Virginia experience can be likened to the canary in the coal mine. Greater investments in e-health will be effectively neutralized if governments don’t devote sufficient resources to secure deployment and management. E-health and similar examples of e-government could represent some of the largest deployments of Web services to date. It makes sense to go slow if it’ll help reduce vulnerability.
As citizens, we can’t lock the doors any more, but we can certainly demand our elected officials have the best possible security infrastructure in place before they collect our data and aggregate it in centralized repositories highly prized by cybercriminals.
Carmi Levy is a technology journalist and analyst with experience launching help desks and managing projects for major financial services institutions. He offers consulting advice on enterprise infrastructure, mobility and emerging social media. He can be reached at editor (at) certmag (dot) com.