My doctor’s digital prescription service has been ransomwared. It’s been a few weeks, and they paid the millions of dollars in Bitcoin or whatever, but it’s still encrypted and my doctor had to write me a prescription on paper.
The fact that a digital prescription service could have that happen is madness to me. The fact that they don’t have offline backups for prescriptions is insane. Yes, they could have been in there for a while, encrypting everything, but if the company had tested its backups they’d have found out immediately.
All of these are things that wouldn’t have happened if computing professions were held to standards.
Ok, sure. What standards? For fields like Civil Engineering it’s pretty easy to come up with reasonable standards. But, if a software engineer is writing a generic key-value store, how do you evaluate whether that item meets the required standards?
There are things that a developer can and should check to make sure his code is secure, but my focus is mainly on the systems and those can definitely be held to standards. Things like checking dependencies for known exploits, enforcing 2FA and TLS on all connections, encrypting data at rest, and testing backups, among a lot of other stuff.
I’ve worked with hundreds of organizations across many different industries in my career and almost none of them do all or even most of those, even if they need to be compliant for things like HIPAA or SOX. I once worked with an aerospace company whose sysadmin/webmaster/network guy was literally the founder’s son, who got the job because he knew how to make a web page.
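The thread's central point about testing backups can be made concrete. The following is an added example, not code from any poster or from the prescription service discussed; it assumes nothing about that system. It builds a SHA-256 manifest of a backup at backup time, then verifies a later restore against that manifest, so that files which came back altered (for instance overwritten with encrypted or corrupted content), files that went missing, and files nobody recorded all show up in a report. The sample data is constructed inline; a real deployment would store the manifest on the offline media alongside the backup and run the restore test on a schedule.

```python
"""Backup restore test: record file hashes at backup time, verify a restore later.

Added example with constructed sample data; not part of the original thread.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    The report lists files whose content hash changed (encrypted, truncated or
    otherwise corrupted), files the manifest expects but the restore lacks, and
    files present in the restore that were never recorded. 'ok' is True only
    when all three lists are empty.
    """
    current = build_manifest(restored)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not (modified or missing or unexpected),
    }


def demo(damaged: bool) -> dict:
    """Constructed scenario: take a backup, restore it, optionally damage the restore.

    With damaged=False the restore is byte-identical and the report is ok.
    With damaged=True one file is overwritten with opaque bytes, one is deleted
    and one unrecorded file appears, which is what a failed restore test looks like.
    """
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "rx").mkdir(parents=True)
        # Constructed placeholder records; no real patient data.
        (backup / "rx" / "0001.json").write_text('{"patient": "constructed", "item": "A"}')
        (backup / "rx" / "0002.json").write_text('{"patient": "constructed", "item": "B"}')

        # Manifest is serialised separately so it can live with the offline copy.
        manifest_json = json.dumps(build_manifest(backup))

        restore = Path(tmp) / "restore"
        shutil.copytree(backup, restore)
        if damaged:
            (restore / "rx" / "0001.json").write_bytes(os.urandom(64))   # content no longer matches
            (restore / "rx" / "0002.json").unlink()                       # record lost
            (restore / "rx" / "note.txt").write_text("unrecorded file")   # never in the manifest

        return verify_restore(restore, json.loads(manifest_json))


if __name__ == "__main__":
    print("clean restore:  ", demo(damaged=False))
    print("damaged restore:", demo(damaged=True))
```

The check is deliberately independent of the backup tooling: whatever produces the backup, the manifest is just a JSON file of relative paths and hashes, and a restore that cannot reproduce those hashes fails the test before anyone needs the data back.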