I remember when I first read about Chef Thomas Keller’s attentiveness to the law of diminishing returns. The idea is simple, with each bite, you get a little less enjoyment out of whatever it is you are eating. Some of Keller’s most famous dishes are only one or two bites. Leave ’em wanting more, he says. Well, as it turns out, the same is true for hacking.
The more it happens, the less we care.
In 2014 nearly everyone was hacked. Home Depot was hack. Target was hacked. Sony…well you know about Sony.
Celebrities are also a popular target. Jennifer Lawrence smartly said anyone who sought out photos of her was effectively abetting the hackers. By the time Taylor Swift was hacked in early 2015, the general reaction was…well…rather ho-hum.
News broke this week about the attack on insurance giant Anthem. It could be misconstrued as flippant, or know-it-all’y, but I think my reaction could best be summed up thusly:
It’s not that I don’t care, or that I’m not sympathetic – I do and I am. I’m just not surprised. So much of healthcare data secured by obscurity — think: fake rock hide-a-key. And, inside any give healthcare organization, hundreds if not thousands of people have access to datastores. Sure, there’s some notional security and there are, sometimes, audit trails. But it may simply be unrealistic to expect sensitive data, in the hands of large corporations, to ever be completely secure.
After the Sony attack, security researcher Steve Gibson remarked on his Security Now podcast on the challenges of securing Sony. Gibson suggested it would be nearly impossible for anyone to secure such massive, interconnected, multi-platform infrastructures. The same is undoubtedly true for large healthcare organizations.
Not to sound all Eyeore about it. I’ve just accepted that my health information, once it leaves my body, is vulnerable to attack. But here’s the good news — maybe no one cares? Sure none of us want our social security number and birthday circulating around. It’s an inconvenience and financial risk. But did anyone really care that Taylor Swift was hacked? Maybe the law of diminishing returns means we, as a society, are bored of hacks. And once we’re board, and there’s no real threat, then the target for the hackers is greatly diminished.