
Sending medical images to Microsoft seems like a major HIPAA violation.


> Sending medical images to Microsoft seems like a major HIPAA violation.

Without sounding too condescending: Bro... this entire industry still relies on using fax or snail mail for records. Using slow, leaky, non-private/secure channels for sensitive information is not as much of a concern to this field as one thinks if you've been in the belly of the beast.

Ask anyone who has spent any time doing IT work at a hospital, or better yet a disgruntled nurse who works the counter after a 12-hour shift.

You ever try requesting an MRI in the US?

After needing several during COVID, being turned away and having lots of time on my hands, I've actually learned a hack to get it the same week (or in my case the same day recently) now that we're out of the pandemic, because I knew who to press for a physical paper trail, get it submitted (via fax) and have it approved by all parties: it cost me a day off of work and tons of legwork on the phone, but it was done and I literally didn't care so long as it was done and proved my method was sound. I got it done after business hours, too!

I'm starting to think that the issue with it being so archaic is not because a better solution doesn't exist, but because it's made this way in order for them to justify the long delays in procedures and increase membership duration on their policies, and they use things like HIPAA and other acts to justify the lengthy process and obscene amounts of money needed to be able to modify the way things are done, which is why software people just move on and the same mediocrity continues to the detriment of us all.


Try talking to healthcare workers too. They think there is some magic about faxes.

> They are so fast (no they aren't, something can be ahead of them)

> They are safe compared to email (literally anyone can walk by the fax and take it)

> They are faster than a phone call, because doctors don't pick up the phone. (What...)

You can mention the US government has ultra high security communication that uses the internet, you can mention the value of finance information, you can talk about the secrets your billion dollar company sends over email/web. But noooo, patient information is too sensitive and urgent to be sent over email/web....


To be fair to them, how many fax breaches have you heard about compared to email/website breaches?


I know 3 people off the top of my head that have gotten in trouble for looking up people's health information because it was physically stored on premises.

All 3 still work in the medical field to this day, one of them is a doctor...

I imagine this is a huge issue in the medical field.


Oh, definitely. Anyone in the medical field who says they've never gossiped about people's health issues is either a saint or bending the truth a bit.

But that's vastly different (though perhaps more invasive) than massive breaches like these: https://www.healthcaredive.com/news/cybersecurity-hacking-he...


On the bright side, at least you know if you are affected!

When an employee snoops, you will never know.


But if you DID find out about the employee snooping you’d have a good chance at getting more than $5 and credit monitoring.


You only know for the breaches that are a) detected and b) not shoved under the rug.


Fax is still a magical thing in healthcare specifically because of how easy it is to use under HIPAA.

HIPAA has all of these crazy rules for anything digital, but the second you switch to good ol’ telephony the rules all become “there’s no rule because hacking a telephony system would be a federal crime.” I’m not joking. Telephony is considered a “mere conduit” while the internet is not.

It really is stupid. HIPAA has all of these controls, but phones are just fair game.


It would be great if the US also considered the internet to be a mere conduit and went after those messing with it. Then we wouldn't need to break backwards compat for entirely static public content and waste energy forcing everything under TLS.


What specifically did you do to get an MRI quickly? Your personal doctor didn't want to give you one? Or the hospital/MRI place didn't want to give you one?


Waaaaait! In the US also the FAX is still a thing?! Seriously?! I have heard terrible stories from Germany and Japan, but did not know that also the US…


I work for an insurance company that for a long time didn't trust digital signatures. So we accepted docs from our agents via fax. They were there four decades ago, and they're still there (of course they're fax servers). They'll probably be there when I retire.


The US has a zillion healthcare providers. Some are so huge and well resourced that they literally have $100 million+ digital record systems. Some are so tiny that it's one doctor operating out of an old house with pen and paper. A fax machine is the least common denominator.


That fax is probably much more secure than the $100m system too...


> In the US also the FAX is still a thing?! Seriously?!

Yep. My current employer, as well as the two prior to this one, all have and use fax machines despite being tech companies. Not because they want to, but because so many other companies out there still require it.


It's sending URLs, and it's not clear whether it is also sending cookies or other auth info. I would think / hope that any images covered by HIPAA would not be leakable by URL alone.


I don't know HIPAA specifics off-hand, but I would not be the least bit surprised if ephemeral pre-signed URLs get generated for sharing HIPAA-protected assets based on cookies/auth. If the URL is live for a time window and doesn't insta-expire on refresh, then it's conceivable that data gets leaked here.
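The pre-signed URL pattern the comment above describes, as an added example (this is not code from the discussion or from any product mentioned in it): an HMAC-signed, time-limited capability URL over an opaque object id, and the verifier that accepts it. It shows the leak window concretely: anyone who obtains the URL inside the TTL is served, regardless of how they got it, unless the signature is also bound to something the leak does not carry, such as the requesting session. The signing key, the `/objects/<id>` path layout, the `exp`/`sig` parameter names and the object ids are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side signing key; a real deployment loads it from a secrets manager.
SIGNING_KEY = b"example-signing-key-do-not-use"


def new_object_id():
    """Opaque, unguessable id for stored media: the path should never carry a patient name or date."""
    return secrets.token_urlsafe(16)


def _message(object_id, expires, bind_to):
    # Everything the verifier will check is covered by the MAC, including the optional binding.
    return f"{object_id}|{expires}|{bind_to or ''}".encode()


def make_signed_url(base, object_id, ttl_seconds, now=None, bind_to=None):
    """Build a time-limited URL for `object_id` valid for `ttl_seconds` from `now`.

    `bind_to` (e.g. a session id) is mixed into the signature so the link is
    useless when replayed from a different session; without it the URL is a
    bearer capability for as long as it is unexpired.
    """
    now = int(time.time()) if now is None else int(now)
    expires = now + int(ttl_seconds)
    sig = hmac.new(SIGNING_KEY, _message(object_id, expires, bind_to), hashlib.sha256).hexdigest()
    return f"{base}/objects/{object_id}?" + urlencode({"exp": expires, "sig": sig})


def verify_signed_url(url, now=None, bind_to=None):
    """Return the object id if `url` carries a valid, unexpired signature, else None."""
    now = int(time.time()) if now is None else int(now)
    parsed = urlparse(url)
    parts = parsed.path.rstrip("/").split("/")
    if len(parts) < 3 or parts[-2] != "objects":
        return None
    object_id = parts[-1]
    query = parse_qs(parsed.query)
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None
    expected = hmac.new(SIGNING_KEY, _message(object_id, expires, bind_to), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare; check the MAC before trusting exp
        return None
    if now >= expires:
        return None
    return object_id


if __name__ == "__main__":
    base = "https://medical-intranet.example.com"
    oid = new_object_id()
    t0 = int(time.time())
    url = make_signed_url(base, oid, ttl_seconds=300, now=t0)
    print(url)
    print("leaked URL inside TTL  ->", verify_signed_url(url, now=t0 + 10))     # served
    print("leaked URL after TTL   ->", verify_signed_url(url, now=t0 + 300))    # None
    bound = make_signed_url(base, oid, 300, now=t0, bind_to="sess-1")
    print("bound URL, other sess  ->", verify_signed_url(bound, now=t0 + 10))   # None
```

The binding trick only helps if the verifier actually has the session to check against; a link meant to be opened from an email or a link-preview fetcher has no session, so there the only controls left are a short TTL and a single-use record on the server side.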


HIPAA requires "reasonable" measures. Hilariously, you can't chuck a drive full of plain text PII into a dumpster in the back of your building...

...unless there's a fence around it.

A lot of the nonsense around shredding hard drives is just the drive industry convincing people that they need to destroy perfectly good devices.

Unless you're facing state-level actors a simple zero-out or pipe from /dev/random will suffice. Or with a lot of modern drives where the data on the platter is encrypted by default, just send the "secure erase" command, causing the drive to roll over the controller's private key.
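The overwrite path the comment above describes, with the read-back check a practitioner would add (an added example, not code from the discussion): zero the medium, fsync, then read every byte back and report the first non-zero offset. The scratch file it wipes is a constructed stand-in for a device; pointed at a real block device (as root) the same two functions apply, since the size is taken with lseek rather than os.path.getsize.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # 1 MiB per write/read


def _medium_size(fd):
    # os.path.getsize() reports 0 for block devices; seeking to the end works for both.
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def overwrite_with_zeros(path):
    """Overwrite every byte of `path` with zeros and flush to stable storage; returns bytes written."""
    zeros = bytes(CHUNK)
    fd = os.open(path, os.O_WRONLY)
    try:
        size = _medium_size(fd)
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            written += os.write(fd, zeros[:n])  # short writes are fine: the buffer is uniform
        os.fsync(fd)  # make the controller commit it before we claim it is done
    finally:
        os.close(fd)
    return written


def first_nonzero_offset(path):
    """Read the whole medium back; return the offset of the first non-zero byte, or -1 if clean."""
    fd = os.open(path, os.O_RDONLY)
    try:
        offset = 0
        while True:
            chunk = os.read(fd, CHUNK)
            if not chunk:
                return -1
            if chunk != bytes(len(chunk)):
                for i, b in enumerate(chunk):
                    if b:
                        return offset + i
            offset += len(chunk)
    finally:
        os.close(fd)


def wipe_demo(size=3 * CHUNK + 123):
    """Constructed scratch 'drive': fill with random bytes, wipe, verify. Returns (before, written, after)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(secrets.token_bytes(size))
        path = f.name
    try:
        before = first_nonzero_offset(path)   # some offset >= 0: old data is there
        written = overwrite_with_zeros(path)
        after = first_nonzero_offset(path)    # -1: nothing non-zero survives
        return before, written, after
    finally:
        os.unlink(path)


# For self-encrypting drives the comment's "secure erase command" is a crypto-erase that
# discards the media key instead of rewriting the platters. The real commands (not run here):
#   hdparm --user-master u --security-set-pass p /dev/sdX
#   hdparm --user-master u --security-erase p /dev/sdX
#   nvme format /dev/nvme0n1 --ses=2        # 2 = cryptographic erase, 1 = user-data erase
# A crypto-erased device does not necessarily read back as zeros, so the check there is that
# sectors whose old contents you recorded beforehand no longer return them.

if __name__ == "__main__":
    before, written, after = wipe_demo()
    print(f"first non-zero byte before wipe: {before}")
    print(f"bytes written: {written}")
    print(f"first non-zero byte after wipe: {after}")  # -1
```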


>A lot of the nonsense around shredding hard drives is just the drive industry convincing people that they need to destroy perfectly good devices.

Unless you're willing to prove beyond a shadow of a doubt that each and every such hard drive does not in any shape or form contain sensitive information, and to pay hefty fines and serve jail time when you inevitably fail, the only nonsense here is you. It has been proven time and time again that data once written can be and will be recovered.

Any storage media that contains or contained sensitive information must be physically destroyed. That is the only surefire, foolproof way that we currently know of to securely and permanently delete sensitive information.


> Unless you're willing to prove beyond a shadow of a doubt that each and every such hard drive does not in any shape or form contain sensitive information

I'm not sure which part of "HIPAA says you can take an UNENCRYPTED hard drive and toss it in a dumpster provided it has a fence around it" you didn't understand.

> Any storage media that contains or contained sensitive information must be physically destroyed.

Not for federal data:

https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.s...

Not for classified defense department data:

https://www.dami.army.pentagon.mil/site/IndustSec/docs/DoD%2...

...and as previously mentioned: not for PII healthcare data.

The bit about "you can only be SURE if you destroy it" is pure hard drive manufacturer nonsense.

Find me a single case where someone has recovered data from a non-solid state (hybrid or otherwise) drive or tape that has undergone a SMART secure erase or NIST / DoD compliant wipe.

In decades, I have never heard of such an incident.


Simple, I read a paper that vaccines cause autism... Now prove to me that you are not an elephant.

Now let's get purely logical. There is a non-zero chance of risk, and the best risk avoidance strategy is to not take the risk in the first place, so shred the drive.

So let's make software that would secure erase the drive and try to recover the data, and prove that you are not actually an elephant. But why?

Make a lot of money instead? Make a hard drive with a secure erase feature, and yes I know, but like put a spin on it, maybe a button, or better yet, you secure erase the drive backed by an industry grade non-recoverability warranty for a cheap $10/yr./drive subscription access to our secure erase service. We come to you next day, give a certificate and everything, you can put it in your HIPAA folder and show it to your risk committee.

Your market? Health care, gov, and problems that solely exist in between the keyboard and the screen.


Trivia: At the old AT&T (not at&t, the (mostly) mobile/cell company), it was standard to degauss the drive, then drill through the middle of the radius and park a bolt there.

Bonus points if you had a spot welder to secure a nut to the bolt.

Fun times.


But given that our hardware is largely cheap and disposable, it's almost always cheaper to throw another device or 1000 on top of the shredder pile than it is to pay a tech to make sure every one of them has been zeroed.


If you put an image in a Google Doc it will be accessible by the URL regardless of whether you are logged in or not. Perhaps not in every case, but in the basic case I have tested this has been true.

Sharing the URL is equivalent to sharing the image in these cases.


Discord is the same


Even if the payload is inaccessible, consider the implications of leaking a URL like:

medical-intranet.example.com/uploads/secure_link/adc83b19e793491b1c6ea0fd8b46cd9f32e592fc/john_doe_1987-04-23_chlamydia_1.jpg


And what prevents a distributed denial of service attack or fuzzing using Microsoft's infrastructure? If you were to trick many users into visiting a site with 1000 variants of:

  <img src="https://siteunderattack.com/api/computationally-expensive-function/?image=cute_bunnies_####.jpg"/>
or

  <img src="https://siteunderattack.com/api/function123/?name=Robert'); DROP TABLE students;--&image=cute_bunnies_####.jpg"/>


This is really no different than having the client do the request without the Microsoft proxy.


Yeah, since it's sending the URLs, Microsoft couldn't get to the actual images in question because they'd be in a private network, behind a login, etc. If the images are hosted on a public domain or IP, that is not on Microsoft.


Under HIPAA, any scrap of "individually identifiable health information" that can be used to connect online data with a patient cannot be sent to a third party without consent.


Just curious, how are images protected by login:password? The only way I know is htaccess, which isn't really an easily scalable/usable feature... Many years ago, maybe 10, when I used Facebook I recall you could share a picture location with anybody regardless of login (i.e. right click, copy image location, send over whatever), so the URL wouldn't be guessable or possible to predict, and the protection would be that you would get access to such a URL only when logged in. I think in this context, the private network idea would only work if you are on a VPN and you share URLs that are only accessible via VPN; is this a common setup for medical images? Is this expected? I wouldn't mind having a key or an image descrambler/decrypting/token but can't say the same about my grandma, my mother, my brother, my nephews...


Images are like any other web asset and can be protected either by the web server (htpasswd) or the application's logic.

I think you've been brainwashed by modern storage services (S3) where the URL is essentially always public and out of your control. It's trivial to password protect an image when it's on your server. I would assume any medical provider would protect their images by checking the session and not serve them via AWS.
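Image access gated by the application's own session check, as the comment above describes, written as an added example (not code from the discussion): a minimal WSGI handler that serves `/images/<id>` only when the `sid` cookie names a live session whose user is on the image's viewer list. The session store, image catalogue, cookie name and ids are constructed stand-ins. Two details matter beyond the check itself: unknown, unauthenticated and forbidden all get the same 404 so the endpoint is not an oracle for valid ids, and the response is marked `no-store` so no proxy or CDN cache retains it.

```python
# Constructed in-memory stand-ins for the real session store and image catalogue.
SESSIONS = {"sess-abc": {"user": "dr_smith"}, "sess-def": {"user": "dr_jones"}}
IMAGES = {
    # opaque id -> who may view it, MIME type, and placeholder bytes
    "img-7f3a": {
        "viewers": {"dr_smith"},
        "content_type": "image/png",
        "data": b"\x89PNG\r\n\x1a\n(constructed placeholder, not a real image)",
    },
}


def session_from_cookie(cookie_header):
    """Return the session named by the `sid` cookie, or None if absent or unknown."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return SESSIONS.get(value)
    return None


def authorize(session, image_id):
    """Return the image record only if the session's user is an allowed viewer, else None."""
    image = IMAGES.get(image_id)
    if session is None or image is None:
        return None
    if session["user"] not in image["viewers"]:
        return None
    return image


def app(environ, start_response):
    """WSGI application: the image bytes never leave the server without a valid, authorised session."""
    path = environ.get("PATH_INFO", "")
    prefix = "/images/"
    image = None
    if path.startswith(prefix):
        session = session_from_cookie(environ.get("HTTP_COOKIE", ""))
        image = authorize(session, path[len(prefix):])
    if image is None:
        # One answer for unknown id, no session and wrong user: no oracle for valid ids.
        start_response("404 Not Found", [("Content-Type", "text/plain"),
                                         ("Cache-Control", "no-store")])
        return [b"not found"]
    start_response("200 OK", [
        ("Content-Type", image["content_type"]),
        ("Cache-Control", "private, no-store"),   # keep proxies and CDNs from retaining it
        ("X-Content-Type-Options", "nosniff"),
    ])
    return [image["data"]]


def request(path, cookie=""):
    """Drive `app` in-process with a hand-built environ (no network); returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_COOKIE": cookie}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(request("/images/img-7f3a", "sid=sess-abc")[0])  # 200 OK
    print(request("/images/img-7f3a")[0])                  # 404 Not Found (no session)
    print(request("/images/img-7f3a", "sid=sess-def")[0])  # 404 Not Found (wrong user)
```

This is the same decision an htpasswd rule makes at the web-server layer, moved into the application where it can consult the real user-to-study relationship; copying the URL out of the browser gains nothing without the cookie.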


Generally, no one hosts public content on S3. It is simply really expensive when it comes to outbound traffic. The content is usually cached and served by a CDN, where you have full control over authentication and cross-origin rules.


You're right, although I would not assume anything when it comes to privacy, there are so many examples where companies did not follow best practice.

We need to move away from this model where others are in control of our private data to one where it's owned and controlled by us, giving access to service providers as needed.


Hopefully no identifying info in the URL!


Don't worry: If this all breaks, the fines levied on Microsoft won't be anywhere near their profits.


Maybe. Maybe not. I used to work in health insurance. HIPAA protected information is "Personally identifying information" (name, email, etc) plus a medical diagnosis, treatment, or cost of treatment.

It might be PII. It might be sensitive. But if it's not both of those, it's not HIPAA protected.

If you think about medical textbooks where there are pictures of patients and their maladies, but they are not identified this makes sense why both are required. Otherwise educating new doctors would be impossible.
