by galaxytachyon 382 days ago
Those on HN are considered extremely tech-savvy and security aware and yet we are still concerned about our accounts getting compromised like this. What can a random user like our moms or siblings do? They won't even notice this kind of attack.

It is such a pathetic state of affairs where massive leaks like these are expected. I contend this is a result of lax regulation and lack of consequences. In healthcare, patient data are locked down so hard even people who need to work with them have problems getting to them. It is because of regulations. Everything is traceable, recorded, and maintained to the strictest standards possible. It costs a huge amount of money but as a result, we don't see many serious breaches.

Compare it to fintech and regular tech services, these guys make a fuckton of profits and yet suffer almost no regulations. What a joke.

7 comments

> What can a random user like our moms or siblings do?

Install a password manager. It's the perfect piece of software. It's not only so much more secure, but it's just a more pleasant experience in every single way. It's very rare that the secure option is more convenient.

Maybe they can't. But actually, you can install them a password manager and let them generate random passwords. Set up 2FA with them (FreeOTP or something). And change every password with them when you are at home for Christmas.

Also, when they now find themselves on Have I Been Pwned, they have a bigger problem, because they likely have malware on the phone or computer.

Biometric authentication / passkeys / other forms of authentication which are not phishable and are backed by a random key.

Then proper OS security is needed to protect authentication tokens from being stolen by malware.

> What can a random user like our moms or siblings do?

Security Keys. Your mother and siblings have seen keys before right? They can understand the metaphor and use it. Several of the accounts listed, such as Google and Facebook allow Security Keys.

Bad guys can't steal the credentials out of Security Keys the way they'd steal, say, passwords or a TOTP code; they would need to physically obtain access to the keys. Your mother and siblings almost certainly don't face adversaries who'll break into their homes or hold them at gunpoint, just ordinary online automated attacks.

You seriously overestimate the average user. There is a reason why 123456 is still a common password. I would not expect a grandma to know how to put a key on her phone and use it reliably.

And my main argument is that corporations can do better. We should not put the burden on the common folks when the ones who are in the positions to do something are not pulling their weight. Sure, this will reduce their profit, and probably their share prices, and as a result, dev's compensation. Maybe that is the hardest part to argue through.

> I would not expect a grandma to know how to put a key on her phone and use it reliably.

If your grandma knows how to insert a key into a lock then she will be able to insert a key into a phone.

The more relevant problem here is what she does once she loses the key, or it breaks.

Legit question from someone who both wants their mum to stop getting hacked, and is not sure Security Keys are a good idea: What happens when they lose their phone?

My limited understanding is that the key is on their phone (let's say it's a Google key, on an Android phone). When their phone gets lost, stolen, or breaks, are they screwed? This worries me because the chances of the phone being lost are high.

A security key is a hardware token that uses USB, Bluetooth, NFC. A security key may not have TOTP capability like a Yubikey. Security keys are not marketed or suitable for consumers, and sysadmins don’t like them either:

https://utcc.utoronto.ca/~cks/space/blog/sysadmin/YubikeyMos...

You may be thinking of "passkeys" and while a security key can be a form of passkeys, the ones generated for your mum will be on her device, yes.

A passkey is a shortcut, for now. Relying on a passkey being in place is another good way to forget your password. ;-)

Safety deposit box with backup recovery codes.

That puts a lot of burden on users though.

Maybe start a pilot automated service run by Google or Microsoft or whoever where backup codes are securely sent to local credit unions and it's all almost transparent to the user. They just need to either pick up the code at the credit union and put it in their safety deposit box or approve that last step.

I'm not upset at all about banking working with private entities or any of the past with banks. I'm mostly upset because some of these ideas are good, you know? Maybe not this, but some. For a short while longer.

Security Keys are an independent device. I believe you are thinking of Passkeys which can live on the phone or in a password manager like 1Password.

If you do go with a security key it’s typically recommended to have at least 2 so that if one dies or is lost both have the same level of access. So long as you add them both/all to every account you need to access.

> Security Keys. Your mother and siblings have seen keys before right? They can understand the metaphor and use it. Several of the accounts listed, such as Google and Facebook allow Security Keys.

The problem with these is, they can get lost, stolen, damaged or misplaced. With a physical key to the home, no problem - call up a locksmith and if you don't have an ID card also the police, he'll drill out the lock and you can enter your home back.

Google, Facebook, whatever - good luck trying to get into touch with a human to reset your "security key".

What regulation are you proposing? Forcing all computers to be locked down so hard that users can't install malware?

We would have to go outside to find dopamine. It wouldn't be safe. People would die.

edit:

I remember thinking in the 90's that it was weird as hell that the operating system sits in the same folder tree as the user's documents, applications live there too! What a concept? Like keeping your socks in the same drawer as your bills and plumbing tools. Spare tire in the kitchen. Lawn mower under the bed.

Maybe we can start with heavy penalties for whoever is responsible for these breaches? The users are irresponsible, but at the higher levels, the company can afford to tighten access and guard their data better.

Would these companies leak their own business critical documents? No. So why can't they be forced to treat sensitive customer's data the same way?

This is not data leaked by businesses. The businesses were also not breached.

The data was stolen from the users' computers, by malware installed by the users themselves.

wait what?

CHS lost millions of records, was fined a few million (out of profit of 1.2 billion). UCLA similar. Bunch of others I don't think even got fined, like Ascension recently lost all data in a ransomware attack.

It's useful going after a rogue employee, but on an org level it's security theater.

> In healthcare, patient data are locked down so hard even people who need to work with them have problems getting to them. It is because of regulations. Everything is traceable, recorded, and maintained to the strictest standards possible. It costs a huge amount of money but as a result, we don't see many serious breaches.

...and one of the side-effects is that it contributes to the insane price of healthcare.

Effective regulation, like security, is about finding the sweet spot between security and efficiency. It's extremely easy to turn off your brain and say that nobody has access to the data (which makes it perfectly secure/private) - but obviously that's an insane approach. It's hard, but extremely important, to actually maximize the security-efficiency product.

PII should not have the regulations that are currently applied to healthcare/PHI - it'd massively increase the costs (both financial, and worker/individual productivity) of doing everything. It needs a better regulation model that is designed to maximize the security-efficiency product.

Most likely, the best model is one that focuses more on outcomes (huge penalties for leaking PII, along with a few things like chain of custody for user data (which I don't think that even HIPAA does) - not to exclude regulation of process of course) than processes (HIPAA describing in excruciating and unnecessary detail all of the ways that you have to process PHI - which include RESTRICTING THE WAYS THAT I CAN MANAGE MY OWN HEALTH DATA).

The cost of healthcare is unlikely due to data management cost. That is almost an absurd comment.

The cost to develop a drug is in the billions. Manufacturing costs are in the tens to hundreds of millions. Locking down some server and implementing better security would be a drop in a bucket.

And even if it was more expensive, the biggest pharma megacorps are a fraction of the size of the likes of tech megacorps. If the chumps down the street can do it as a side job, why can't the big boys whose entire business is supposedly about data and software do better?

Also the data management is not even that stringent in the US. Your health data is shared with literally hundreds of third-parties and you consent to it. HIPAA doesn't protect against that, it protects against your boyfriend finding out your diagnosis.

> The cost of healthcare is unlikely due to data management cost. That is almost an absurd comment.

I did not state that it was solely due to that. Please read my comment carefully:

> ...and one of the side-effects is that it contributes to the insane price of healthcare.

Meanwhile, this is a crazy red herring:

> The cost to develop a drug is in the billions. Manufacturing costs are in the tens to hundreds of millions.

The cost for smaller practices and procedures that have nothing to do with drugs or manufacturing has skyrocketed.

It's not very hard to understand that the primary cost of regulation is on smaller businesses and practices. Regulation imposes a disproportionate cost on smaller organizations, leading to consolidation. This is a bad thing. The results of regulation can be a net benefit if you reduce those costs while maximizing the positive effects. This should be incredibly obvious.

Moreover, this is a rather uninformed claim:

> Locking down some server and implementing better security would be a drop in a bucket.

That's not how HIPAA works. HIPAA prescribes that you have to use certain HIPAA-compliant services and technologies. That's not a cost burden - that's a compliance burden. It's not enough for your systems to be secure - they have to be HIPAA-compliant, which is so insanely difficult for small practices to do in-house that it forces all of them to use large, expensive, complex medical platforms, and pushes many others to consolidate with larger hospitals in order to amortize the overhead of managing these systems. And guess what? Consolidation in markets without extremely strict anti-monopoly enforcement leads to higher prices and worse products and services.

Yes, the cost of actually running the servers is very low. But that's almost never the primary cost of regulation - that's straight-up factually false. The primary cost of regulation is the overhead of compliance.

That's why any sane person strives to maximize the security-efficiency product, or the analog in whatever area you're trying to regulate.

There's literally no excuse for not trying to do this, or for defending the idea that we shouldn't take efficiency into account when designing regulation, except malice.

> If the chumps down the street can do it as a side job

Yes, and as is incredibly obvious to everyone, healthcare is orders of magnitude more expensive than services provided by those tech megacorps. This is evidence (even if weak), that bad regulation makes things more expensive, not less.

> why can't the big boys whose entire business is supposedly about data and software do better?

You clearly did not read my whole comment. I'm not arguing that regulation isn't necessary. I'm pointing out the fact that you have to optimize the security-efficiency product, and NOT do what HIPAA does, which is maximize security at the cost of a very high amount of efficiency to the point where it infringes on patient rights.

The only absurd comment here is the one that did not actually read what it was responding to, and is mostly composed of red herrings, claims that don't line up with reality, and logical fallacies.

The insane cost of small business is because of the existence of a private insurance industry. There's thousands of insurers and you need to work with a lot of them. Every single thing you do needs to be authorized and ran through them.

They decide your medications you can prescribe, when you prescribe them, who can have them, how long your visits will be, when you should have those visits, how many visits you need to make a diagnosis, and on and on and on and on. Every single detail - multiplexed across thousands of insurers.

So, you need administration, and lots of it. The system is so horribly fragmented that all hopes of efficiency are lost. A single-payer solution is orders of magnitude more simple, and thereby more efficient. A lot of problems just go away when you only have one person doling out recommendations, one person doing care, and one person paying.

Also, the doctors who are making most of the decisions around your care aren't the doctors you go to. It's dozens of doctors, mostly nameless, working for your insurer making those decisions. How this isn't considered practicing medicine is beyond everyone.

> So, you need administration, and lots of it. The system is so horribly fragmented that all hopes of efficiency are lost.

You're misattributing the cause of the complexity. The cause of the complexity is not due to the existence of private insurance, but the fact that it's changed from being insurance, that insures you against catastrophic financial loss due to an expensive surgery (that is, risk pooling), to a subsidization layer that permeates all healthcare, including routine visits to the doctor. That is what causes the complexity, because then you're right, that change evolves a massive amount of paperwork that imposes huge burdens on small businesses.

> Every single detail - multiplexed across thousands of insurers.

This is false, intentionally or not. Smaller practices rarely interact with more than a dozen or so insurers, by the very nature of the fact that they're small, so this is off by about two orders of magnitude.

> A single-payer solution is orders of magnitude more simple, and thereby more efficient.

...and by "single payer" you mean the patients, right?

I have several years of working with a large federal government. Unless you're referring to a small state like Finland, the idea that a large government managing healthcare payments will make things "orders of magnitude more simple" is so naive as to be beyond laughable. The government makes even the most simple things (filling out paperwork to be reimbursed for staying in a hotel for a single night) insanely complex, and take far longer, and use far more resources (funded by taxpayers), than it does in private industry.

Yes, you're right that the interface between the medical practice and the insurance system becomes less complex when you have a single insurer, but the actual handling of claims becomes orders of magnitude more complex with the government, so the claim that it'll become "more efficient" is an extreme stretch.

If you live in the US, it's already trivially false, as it's extremely easy to see how incredibly inefficient many of the federal agencies are (I'm not going to use non-Western countries as other examples). Those agencies perform necessary functions, which is why they still have to exist, but anyone remotely familiar with the US government knows how bad of an idea it would be for it to handle health insurance. If they manage to figure out how to manage bureaucracy at a large scale, then single-payer health insurance becomes feasible. But until then, any suggestion of it is either extremely naive or flatly malicious.

> You're misattributing the cause of the complexity.

I agree with you, but IMO it's completely unavoidable.

The concept of health insurance in strict terms of insurance was never possible. Not long term, anyway. Health is complex and chronic conditions cost a lot of money over a lifetime. The idea of insurance "just in case" doesn't work, period. Health is fundamentally different from car accidents or home hail damage.

> Smaller practices rarely interact with more than a dozen or so insurers, by the very nature of the fact that they're small, so this is off by about two orders of magnitude.

Sure, but which dozen insurers they interact with isn't the same place to place. There's not a ton of knowledge transfer or business practice reuse here. You need billing specialists. So, across the entire industry of small private practices, it is thousands of insurers.

> The government makes even the most simple things (filling out paperwork to be reimbursed for staying in a hotel for a single night) insanely complex

Right, but the reason these tasks become insanely complex is because they're taken and split into 1 million pieces, which are then scattered across multiple levels of government, multiple agencies, multiple private contractors, who then have their own contractors, and multiple laws across multiple decades.

Our government, the US government, is not centrally planned where it matters. Every chance we get, we outsource as much as possible to the private sector. So one problem will become 1 thousand.

The simple reality is that the US has the worst healthcare system in the developed world, and it's not even close. Not only is our healthcare more expensive per person including taxes, it's also significantly worse with worse health outcomes across the board.

Every other developed country figured it out, and so can we. That doesn't mean it will be easy. But that's the truth - our system sucks, and it's because the private sector is far too involved in healthcare. We need to consolidate and collapse multiple parts of the system into one, and the complexity will go down.

The US has a poor government culture and mindset. We really thrive and actually want the inefficiency. It's the military shovel problem. We could produce a shovel for 20 bucks, but we want jobs, no? So we go ahead and outsource that to the private sector so we can get our 150 dollar military grade shovel, and it probably sucks, but we made a lot of people rich in the process. Each little hop from party to party represents a small increase in complexity and a little bit of cash shaven off the top. So naturally, we try to maximize the amount of parties involved. The best part is those contractors aren't even doing the work themselves - they're probably sub-contracting it out for god knows how many levels.

But, this can be fixed. It's not a foundational or necessary part of our government, it's a deliberate choice we make. Other countries don't make this choice, or do it much less.