Despite years of strenuous effort, the idea of mass digital identity remains stuck somewhere between non-existent and a total mess.
Ask someone to prove their identity today, and almost without exception they will fall back on a paper passport, driving licence, or bank account statements, usually backed by a social security number (SSN). The online world struggles to accommodate these.
Digital identity systems such as the UK government’s Gov.UK Verify exist but barely any are used in anger. They float around in no man’s land, like clever experiments whose original objective their creators have lost track of.
Meanwhile, shadowing flesh and blood human identities are virtual ones built from oceans of online data. Much of this is handed over willingly to “surveillance capitalists” – Facebook, Google and advertisers, for instance – but lots more exists in this parallel dimension people are only dimly aware exists.
It’s also the world of identity middle-men such as Equifax, which collected so much valuable data it eventually burst at the seams, spilling millions of names, addresses, SSNs, birth dates and driving licence numbers to cybercriminals who could use it to fuel industrial identity theft for years to come.
Not everyone is giving up yet, however, including the Social Market Foundation (SMF), a UK think tank, which argues in a new report that governments should stop shilly-shallying around and press ahead with full-blown digital ID systems.
But aren’t government systems a damp squib? According to the SMF, the problem of systems such as Gov.UK Verify (which uses private-sector partners) is that they were conceived to serve access to government services such as tax and benefits when the real need is much wider.
Verify’s usefulness would improve dramatically if only companies could use it to identify people too:
Encouragingly, use of Verify in private sector contexts is being actively explored, and we believe there are significant benefits for consumers that could arise from this.
Advantages such as:
Passports could give way to app-based identity systems, possibly backed by biometrics
Expensive paper systems could be banished forever
Online verification could be transformed from today’s guesswork and assumption-based model.
Welfare and immigration fraud would be reduced
Because everyone would have an ID, social exclusion faced by people who lack documents could be reduced
Verification and digital identity could be about to become an industry in its own right so jobs could be at stake
And cybercriminals would no longer find it easy to carry out identity theft against a system that included real-time identity checks on individuals themselves.
Sceptics will see this as a reprise of the failed UK identity card scheme of a decade ago, eventually scrapped in 2010 after burning through £4.5bn ($6.3bn). Certainly, it’s hard to see how a new ID system wouldn’t initially need to rely on physical documents of the sort that sank the original system on cost grounds.
The other problem is government itself. Solving the digital identity conundrum once and for all can probably only be done at government level – but what if people don’t trust government?
The poster child for digital ID is Estonia, the first country in the world to conduct general elections across the Internet backed by a digital identity system years ahead of other developed countries.
Then there’s India’s Aadhaar, a biometric digital ID system with 1.2bn members that critics have described as “Orwellian”. The worry is that the Aadhaar model hands government the power to withhold as well as enable access to services as a form of social control.
Which of the two extremes should countries such as the UK and US look to? Probably both deserve scrutiny, but it’s interesting that some of the same civil liberties arguments levelled at Aadhaar also dogged the UK’s ID cards.

This suggests that the path to 21st century digital identity will not be smooth. The flaw in today’s identity model is that data is smeared just about everywhere and anywhere, and incentives to guard it have become warped by commercial self-interest.
But until someone comes up with a way to implement an alternative that doesn’t simply over-centralise power with governments, digital identity will remain a rocky road.
With identity theft at record levels, it is hard to believe that digital identity can be postponed indefinitely. But the old world of uncertain, weakly defended identity won’t go away quickly – expect Equifax-style breaches to be with us for a while yet.




Hurricane Harvey: Hospital EHRs Appear to Weather the Storm

Ben Taub Hospital in Houston, which was evacuated. Credit: Andrew Kragie, Houston Chronicle
In the wake of Hurricane Harvey, Texas hospitals have not reported issues involving access to electronic health records and other critical systems, says Lance Lunsford of the Texas Hospital Association. But some hospitals particularly hard-hit by flooding have evacuated patients.
Meanwhile, healthcare organizations in the region are getting some relief from complying with the HIPAA Privacy Rule and other regulations to help expedite quick treatment of patients.
“You have to take into account that Houston is in the heart of the target zone of hurricane tracks,” Lunsford says. “We’ve had 15 years since [tropical storm] Allison, then Hurricane Katrina, and many big storms in between, to learn from and to build the physical and technology infrastructures, emergency and response plans.”
Hospitals in the region “have understood how vulnerable they are and have stepped up their infrastructures, emergency management and staffing to deal with hurricane threats,” he says.
That includes hospitals moving computer and electrical equipment “to higher ground” to avoid the damage caused to some in past storms by flooding of basements where IT and high-end medical equipment were formerly stored, he says.
“There haven’t been reports of massive failures,” he told Information Security Media Group. “Hospital leaders are learning the lessons of the past.”
While most hospitals so far appear not to be reporting hurricane-related problems with their information systems, it’s likely still too soon to know whether smaller clinics and pharmacies are also in good shape, Lunsford says.
“Most of them closed up shop [to prepare and deal with the storm late last week] and haven’t reopened yet,” he notes.
Mac McMillan, president of security consulting firm CynergisTek, which is based in Austin, Texas, says that while many smaller clinics and offices have been closed, “the hospitals have continued to operate, but the biggest challenge is getting patients to their doors. First it was the floods from the storm, now it is the controlled flooding as they work to save the dams and levees.”
McMillan notes that Houston is a city that “understands the need for solid plans for disasters from storms. Testing and conducting practice drills is a part of their culture. The problem is as some have said the reality of the next storm is never the same as the one in the past, and Harvey is like no other in history in terms of the amount of water they are having to contend with.”
Easing HIPAA
Meanwhile, the Department of Health and Human Services has declared a public health emergency in Texas. HHS Secretary Tom Price, M.D., under his authority in the Public Health Service Act and Social Security Act, is allowing the Centers for Medicare and Medicaid Services “to waive certain documentation requirements to help ensure facilities can deliver care” to Medicare patients, according to an HHS statement.
HHS notes that many Medicare beneficiaries have been evacuated to neighboring communities where receiving hospitals and nursing homes may have no healthcare records, information on current health status or even verification of the person’s status as a Medicare beneficiary. “Due to the emergency declaration and other actions taken by HHS, CMS is able to waive certain documentation requirements to help ensure facilities can deliver care,” HHS says.
As part of that emergency declaration, HHS has issued a bulletin about how the HIPAA Privacy Rule regulations fit into extreme emergency situations and the rule’s requirements that are being waived temporarily in the hurricane-affected regions.
“Severe disasters – such as Hurricane Harvey – impose additional challenges on healthcare providers,” HHS notes in the bulletin. “Often questions arise about the ability of entities covered by the HIPAA regulations to share information, including with friends and family, public health officials, and emergency personnel.
“The HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts and to assist patients in receiving the care they need.”
HHS is exercising its authority to waive sanctions and penalties against hospitals in Texas that do not comply with the following provisions of the HIPAA Privacy Rule:
The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;
The requirement to honor a request to opt out of the facility directory;
The requirement to distribute a notice of privacy practices;
The patient’s right to request privacy restrictions;
The patient’s right to request confidential communications.
HHS adds that such a waiver only applies under specific conditions, including in the emergency area and for the emergency period identified in the public health emergency declaration; to hospitals that have instituted a disaster protocol; and for up to 72 hours from the time the hospital implements its disaster protocol.
“When the presidential or secretarial declaration terminates, a hospital must then comply with all the requirements of the privacy rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol,” HHS says.
Other Efforts
Meanwhile, the National Health Information Sharing and Analysis Center is working with federal agencies, including HHS and the Department of Homeland Security, to assist in the disaster efforts, says Denise Anderson, executive director.
“NH-ISAC is sending out alerts and cross-sector information as applicable as well as attending calls with HHS and DHS,” she says. “We are coordinating with the DHS National Infrastructure Integration Center, HHS and our partners and monitoring any member requests that come in.”
HHS notes it is also helping evacuate hospital patients to healthcare facilities outside the impacted area.

Among flooded hospitals that have evacuated patients is Ben Taub Hospital in Houston, which is operated by Harris Health Care.
In a separate statement issued Monday, HHS said that thousands of Texans sheltering at the George R. Brown Convention Center in Houston will have medical care on site through a 250-bed Federal Medical Station being established by HHS at the request of Texas’ State Department of Health.
“The Federal Medical Station we are setting up and staffing in Houston will provide vital care to Texans affected by Hurricane Harvey, and we stand ready to devote additional resources as needed,” Price says in the HHS statement.
HHS says it also has additional Federal Medical Stations available for patient care in Texas, and has positioned two 250-bed stations in Baton Rouge ready to be deployed in Louisiana should state officials determine they are needed.
HHS adds that it has more than 500 personnel on the ground to assist those affected by Hurricane Harvey and 1,300 more on standby.
The agency also has helped local public health officials address the needs of those who rely upon electricity-dependent medical equipment. HHS has provided information to local public health officials about the number of Medicare beneficiaries in each impacted area who rely on 14 types of life-maintaining and assistive equipment, ranging from oxygen concentrators to electric wheelchairs, as well as data on the number of people who rely on dialysis, oxygen, and home health services.
“These citizens are among the most vulnerable in their communities and most likely to need life-saving assistance in prolonged power outages,” HHS says.
HHS did not immediately respond to ISMG’s request for additional information about the disaster efforts, how many hospitals in the affected region have been evacuated and whether access to patient electronic information has been disrupted.
Beware of Scams
Besides help in dealing with the physical challenges posed by the hurricane, federal regulators are also cautioning businesses and the public about phishing scams.
In an alert, DHS’ U.S. Computer Emergency and Response Team warns users “to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey.”
Users are advised “to exercise caution in handling any email with subject line, attachments, or hyperlinks related to Hurricane Harvey, even if it appears to originate from a trusted source,” the alert states. “US-CERT encourages users and administrators to use caution when encountering these types of email messages and take … preventative measures to protect themselves from phishing scams and malware campaigns.”

