This is a brief blog post about some security disconnects I’ve noticed.
One cause is that different groups are at different stages of cybersecurity awareness. However, I suspect it is more a case of the right hand not talking to the left hand within some organizations, so to speak. Perhaps outside contractors and a business office control website development and billing practices, but they need to talk to the organization’s internal or external cybersecurity people.
Security Disconnect #1
I’m getting older. Part of that apparently redefines “fun leisure activity” as spending more quality time with doctors. Lately, I’ve had a bit of “we ran this test or scan, you’re fine as far as this part of your body (specialist A), but we noticed THIS so out of an abundance of caution you ought to go see specialist B.” So far, thank goodness, it has been “Things are ok, but let’s periodically monitor that.”
As a result, I’m now interacting with several different medical and billing portals, all of which want me to fill out an annoyingly complete list of 100-200 things that might or might not be part of my medical history. Ok, couldn’t we have ONE location with my health history, say my primary care provider, and grant access to other organizations as needed?
The security disconnect is that eventually they all want their co-pay, of course, which can be paid online. But the link in the text message or email goes to some website I’ve never heard of. And per most cybersecurity training over the last couple of years, email and text messages can be spoofed, so we shouldn’t click links to unknown sites.
Yes, the timing means it’s probably ok, but …
So, I’d much prefer to either:
- Be given a URL to the medical organization’s site and click on “pay bill” there, or
- Be given a link on the medical organization’s site that lists the 3rd party sites they use (less user-friendly), etc.
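The second option amounts to an allowlist: the organization publishes the third-party domains it actually uses, and a link is trusted only if its real host is one of them. The following is an added example (not code from the original post) showing why that check has to be done on the parsed hostname rather than on what the link text looks like; the organization and vendor domain names are constructed placeholders.

```python
"""Check a payment or survey link against an organization's published list of
third-party domains. Added example, not part of the original post; all domain
names below are constructed placeholders."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed: what a medical organization's "third parties we use" page might list.
ORG_DOMAIN = "medorg.example"
PUBLISHED_THIRD_PARTIES = {
    "pay.billing-vendor.example",
    "surveys.feedback-vendor.example",
}


def link_host(url: str) -> Optional[str]:
    """Return the lowercase hostname the browser would actually connect to,
    or None if the link is not an https URL with a usable host.

    urlsplit() drops userinfo, so a lookalike such as
    'https://medorg.example@evil.test/' resolves to 'evil.test', not medorg.example."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return None
    return parts.hostname  # lowercased, with userinfo and port removed


def is_expected_link(url: str) -> bool:
    """True only if the link's host is the organization itself, one of its
    published vendors, or a subdomain of one of those.

    The comparison is on whole label boundaries ('.' + domain), so
    'medorg.example.evil.test' does not match 'medorg.example'."""
    host = link_host(url)
    if host is None:
        return False
    allowed = PUBLISHED_THIRD_PARTIES | {ORG_DOMAIN}
    return any(host == d or host.endswith("." + d) for d in allowed)


if __name__ == "__main__":
    # Constructed sample links as they might appear in a bill-pay or survey message.
    for link in (
        "https://pay.billing-vendor.example/invoice/123",
        "https://www.medorg.example/pay-bill",
        "https://medorg.example.evil.test/pay",
        "https://medorg.example@evil.test/pay",
        "http://pay.billing-vendor.example/invoice/123",
    ):
        print(f"{'OK ' if is_expected_link(link) else 'NO '} {link}")
```

The allowlist here is the list the organization would publish on its own site; the point of the check is that it uses the host the browser will contact, which is the only part of a link a recipient can't be fooled by through display text or an `@` trick.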
Security Disconnect #2
The same problem occurs with medical and other customer surveys. I get an email, the link goes to some firm I’ve never heard of, I check out their web page as a sanity check. And then, to log in or validate myself, the first thing they want is my birth date, at least for most medical sites. Same as some/many of the medical billing sites above.
Excuse me, if the “please fill out the survey” email came from a hacker, this would be a great way to capture my birthdate, which would then give them access to some medical records (where not front-ended with 2FA or MFA).
This seems like an education problem: are the business people at these companies out of touch with current security wisdom?
Security Disconnect #3
My birth date and phone number are not strong proofs of my identity. They’re both held by numerous businesses and subject to leakage. Thus, I have a real problem with only those pieces of information (and/or my home address) being used to grant access to medical websites, scheduling via phone calls, etc. While convenient and user-friendly, they provide pathetic security.
I don’t really have a conclusion. I’ve tried talking to billing departments about it. They will confirm that the odd billing or credit-card payment URL is legitimate, but they don’t seem to understand why I’m asking, or see that my having to ask reflects a problem.
Public domain. Harker, G. (1910). Don Quixote fighting windmills [Drawing]. Retrieved from https://commons.wikimedia.org/wiki/File:Don_Quixote_fighting_windmills.jpg
My other thought is: does YOUR organization have tech or security disconnects like this? As we perform more and more business functions via the web, text messaging, and email, more and more business entities are having their fingers in web development or process development, with differing levels of security and other awareness. What can be done to ensure consistency and security? How do you even find out about such endeavors?
Let’s start a conversation! Contact us to see how NetCraftsmen experts can help with your complex challenges.