Slashdot Mirror


Hackers Corrupt Data For Cloud-Based Medical Marijuana System (bostonglobe.com)

Long-time Slashdot reader t0qer writes: I'm the IT director at a medical marijuana dispensary. Last week the point-of-sale system we were using was hacked... What scares me about this breach is, I have about 30,000 patients in my database alone. If this company has 1,000 more customers like me, even half of that is still 15 million people on a list of people that "Smoke pot"...
"No patient, consumer, or client data was ever extracted or viewed," the company's data director has said. "The forensic analysis proves that. The data was encrypted -- so it couldn't have been viewed -- and it was never extracted, so nobody has it and could attempt decryption." They're saying it was a "targeted" attack meant to corrupt the data rather than retrieve it, and they're "reconstructing historical data" from backups, though their web site adds that their backup sites were also targeted.

"In response to this attack, all client sites have been migrated to a new, more secure environment," the company's CEO announced on YouTube Saturday, adding that "Keeping our clients' data secure has always been our top priority." Last week one industry publication had reported that the outage "has sent 1,000 marijuana retailers in 23 states scrambling to handle everything from sales and inventory management to regulatory compliance issues."

3 of 146 comments

  1. Re:Top priority? Always? by guruevi · Score: 3, Informative

    HIPAA rules do not describe how to secure your data. They only tell you that you need to secure your data and the procedures to follow when you're not compliant. They don't prescribe a particular encryption or what needs to be encrypted.

    Case in point: most hospitals do not use encryption when exchanging private health information (because systems from idiots like EPIC are simply incapable of it). HIPAA just says you have to document it and mitigate. In most cases, the mitigation is "our internal network is secure, external sites use VPN", and then it doesn't matter that the external VPN vendor only supports DES (yes, still single DES in 2016/2017). It's documented as being "encrypted", so any hacking would be the result of 'evil hackers' which they can't do anything against, and then it becomes the FBI's responsibility to catch the criminals. The hospitals have done their due diligence and don't need to report breaches, because they have gone according to HIPAA standards.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  2. Any oath or sworn statement, by federal statute by raymorris · Score: 3, Informative

    The federal perjury statute says a person is guilty of perjury if they lie in either of these two types of instances:
    A) They've taken an oath in front of *any* court or competent *person* in any circumstance in which federal law allows an oath.
    Or
    B) Any written statement declaring "under penalty of perjury", including a DMCA notice and certain customs forms.

    Here's the actual text of the statute:

    Whoever—
    (1) having taken an oath before a competent tribunal, officer, or person, in any case in which a law of the United States authorizes an oath to be administered, that he will testify, declare, depose, or certify truly, or that any written testimony, declaration, deposition, or certificate by him subscribed, is true, willfully and contrary to such oath states or subscribes any material matter which he does not believe to be true; or
    (2) in any declaration, certificate, verification, or statement under penalty of perjury ...

    * In a DMCA notice, the complainant swears under penalty of perjury that they are the copyright holder or the copyright holder's representative. They do NOT swear under penalty of perjury that a jury won't later determine that it's fair use or any other issue of law.

  3. Re:"Medical" should be in quotes by Anonymous Coward · Score: 0, Informative

    The overwhelming pressure for access from recreational users does in fact spill over to the medical user community. We are not happy about it. It gives asshats like you ammo for a completely fallacious argument.

    I can assure you with good certainty from first hand observations that nobody that showed up was a medical patient under any reasonable definition of the term.

    If you saw me, you would have absolutely NO WAY of knowing I have a medical problem. Funny thing is, without cannabis, I can't eat anything. I'll literally get diarrhea from plain rice, or Wheat Thins. WITH cannabis, I can digest just about any food normally. "Medical" doctors don't have a fucking clue what is wrong with me. In fact, according to their shitty 12-panel metabolic test (the only thing they know how to look at and therefore the only thing they look at) I'm supposedly perfectly healthy. Yeah, it's just all in my head that my body doesn't want to digest food.

    P.S. Fuck you.