> Could you give me examples of real harmful consequences of the
> security violation in patient data systems where Apache-SSL was not
> enough? Maybe I underestimate the problem, but I don't really
> understand its value - maybe there is an obvious benefit from bank system
> cracking or so, but why attack a patient data management system?
SSL is usually good enough to protect the data ON THE WAY between server and client.
Nothing else. It does not enhance security ON the server or ON the client. You can never
secure the client if you use Java, as it is impossible to secure memory in current
Java implementations.
The really harmful consequences of a security breach in health informatics can be even more
devastating than those of a security breach in banking. Imagine what happens if health insurers /
life insurers / employers get unrestricted access! Imagine somebody publishing or
modifying HIV test results.
Imagine the following scenario which allegedly has already happened:
Mrs X sees her doctor Y about a breast lump. He recommends further investigations to
rule out malignancy, she refuses. He insists on several occasions and documents it in
his computerized patient record system. She doesn't comply and moves town, losing
contact with Dr. Y.
A year later, her new doctor Z diagnoses "incurable" breast cancer. Mr. A, husband to
Mrs X and infamous "hacker", gets access to Dr Y's health records and deletes all
evidence that Dr. Y has practiced according to "best practice" and sues him for
negligence. Like most doctors, Y has been negligent about backups. He is stuffed and can
start driving a taxi while Mr. A enjoys his millions with his prospective new wife in
the Bahamas.
Horst