About medical secrets or who needs information security?

    In our country, the sloppiness, I would even say the outright carelessness, of some people has already turned into a threat at the state level

    “I have nothing worth taking, so there is nothing to worry about” is the opinion not only of ordinary people but also of the managers of businesses whose core activity is not IT. If someone runs a small business and keeps the books in Excel, try convincing them to pay for some kind of information security; it is simply not profitable. They will rely on "maybe it won't happen". After all, a breach of integrity / confidentiality / availability may never occur, so why pay?

    Every Russian company subjected to a cyber attack loses on average $3.3 million per year. This is stated in a Hewlett-Packard report, which the company presented at its HP Security media day event.

    And if "maybe" does not work out, what does that lead to?

    Let me give an example from life.
    Like many people, I once had to take medical tests at a large laboratory. As a "bonus", it offers an "online results" service, which is quite convenient when you do not have to go in person to collect the results.
    The surname and the contract number serve as the account credentials. The connection to the site is over https.

    The whole process raised no suspicion until I looked at the address bar.

    https://****/print/search_ready_one/?id=111111

    111111 is my contract number, in clear text. Entering the contract number from my other tests in the address bar, I saw their results without any authorization and with my name shown. And what stopped me from viewing other people's results? Only my conscience. That is, there was neither an authorization session nor any hiding of the identifier.

    On my next visit to the laboratory I asked the staff to tell management that violating the law on medical confidentiality is not a nice thing to do (text of the law).

    After a while I needed to see my results again. This is what I saw in the address bar:

    https://*******/print/search_ready_one/?id=T1dRMU5EWjBaMlJtWjJabk9XNXVOVFprWm1kdWFURXhNVEV4TVRGMWFYTmtaakV4TVc5c2F6az0=&archive=The 1NGQ1NDZ0Z0,mZ2ZnNG5uNTZkZmduaTE5NTQyMjR1aXNkZjExMW9sazQ==

    Well done, I thought. Hashed, encoded. But curiosity got the better of me and I threw the string into a base64 decoder.
    The result:

    OWQ1NDZ0Z2RmZ2ZnOW5uNTZkZmduaTExMTExMTF1aXNkZjExMW9sazk =

    Base64 again? Strange. Once more:


    Where 1111111 is the contract number. And the rest of the digits? Not clear yet. I change the contract number to the number of another study, leave the rest untouched, encode twice, and once again get the results of another study, openly, without authorization!
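As an added illustration (not code from the post or from the laboratory), the following Python double-decodes the token quoted above and pulls out the contract number, then shows a hypothetical hardened link scheme: a random handle mapped back to the contract only on the server, plus an ownership check. `ResultsLinkService` and the account names are assumptions.

```python
import base64
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Token copied from the results URL quoted in the post (the id= parameter).
PAGE_TOKEN = "T1dRMU5EWjBaMlJtWjJabk9XNXVOVFprWm1kdWFURXhNVEV4TVRGMWFYTmtaakV4TVc5c2F6az0="


def peel_base64(token: str, max_layers: int = 5) -> List[str]:
    """Decode base64 repeatedly while the result is still printable ASCII.
    Returns every layer, outermost first. A readable innermost layer means the
    token is merely encoded (reversible by anyone), not encrypted or random."""
    layers = [token]
    for _ in range(max_layers):
        try:
            text = base64.b64decode(layers[-1], validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            break
        if not text.isprintable():
            break
        layers.append(text)
    return layers


def extract_contract_number(token: str) -> Optional[str]:
    """Return the first 7-digit run in the innermost layer, i.e. the contract
    number that the lab's token carries in the clear."""
    match = re.search(r"\d{7}", peel_base64(token)[-1])
    return match.group(0) if match else None


class ResultsLinkService:
    """Hardened alternative (hypothetical, not the lab's code): the link carries
    a random handle that only the server can map back to a contract, and the
    server still checks that the requesting account owns that contract."""

    def __init__(self) -> None:
        self._handles: Dict[str, Tuple[str, str]] = {}  # handle -> (contract, owner)

    def issue_link(self, contract_number: str, owner_account: str) -> str:
        handle = secrets.token_urlsafe(32)  # 256 random bits: nothing to decode or enumerate
        self._handles[handle] = (contract_number, owner_account)
        return handle

    def fetch(self, handle: str, current_account: str) -> Optional[str]:
        entry = self._handles.get(handle)
        if entry is None or entry[1] != current_account:
            return None  # unknown handle or wrong owner: same denial either way
        return entry[0]
```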

    The results show the full name and the phone number. For attackers the number of scenarios is unlimited:
    - phishing: introduce yourself as a doctor and sell a "miracle medicine" with home delivery.
    - blackmail: tested for sexually transmitted infections? Does your wife know? And so on…


    To put it mildly, I am not pleased that such a delicate side of my life as medicine is available to third parties.
    And today the situation has not changed, although more than a year has passed.

    What I would like to ask the community:

    How often do you leave personal data with different organizations? Who, in your opinion, should ensure the confidentiality of your data, and how? There is Federal Law 152-FZ (text of the law), but who should monitor its enforcement?
    What cases of careless handling of your data have you encountered?
    For those involved in web development: why do such, I am not afraid of the word, unqualified web developers get orders?
