But for all the HIPAA guidelines, we know of major health care breaches
(e.g. Kaiser, HCA, Lab Corp, etc.) so the strict guidelines didn't protect
the patients' data with those companies.
If huge corps can't protect data it doesn't seem to bode well for smaller
companies or practices.
I wondered if anyone on this list was knowledgeable about how exactly these
security breaches were effected?
How did a phishing expedition expose hundreds of thousands of other
patients' health info with those security breaches?
My concern with the pw generators is that some are storing a person's info
on their site. Not all but a few are. Imagine, if you will, that millions
store several pws to health care accounts, investment cos, etc. With lesser
guidelines than HIPAA?
Which leads me to a related question (although not the OP if I can please
be given some latitude?) - what creative ways are you aware of in creating
more effective passwords to help people?
I've read creating a phrase or borrowing dialogue from your favorite movie
- "You Can't Handle the Truth" but with no spaces in between has been
recommended.
But, is that more effective than a pw generator?
Other techniques you've used?
BTW, WM in my prior post was referencing Wealth Management. Family offices,
brokerages, banks rep'ing $100 million in investable assets (more than your
traditional accredited investor) where security and confidentiality are as
important to them as ROI (return on investment).
Thank you,
Charles.
Charlotte County Public Library
Date: Thu, 13 Feb 2025 14:41:22 +0000
From: Xavier Tilley
Subject: Re: [External] [CODE4LIB] Patient Portals
All of these healthcare software providers have to follow guidelines for
making HIPAA compliant software. There are strict guidelines for how to
handle data access, data backups, login security, etc.
Password generators are really simple to code. They just generate a random
string that contains certain types of characters to make the password
harder to brute force. Banks do not have to follow HIPAA guidelines. Their
software needs to be secure, but the rules for guarding your financial data
are a bit less regulated.
Practically all of the data breaches in the past few years have been caused
by people getting tricked by phishing emails. That has nothing to do with
the security of the portal because someone just handed their keys over.
Hospitals pay so much when infected with ransomware, not because patient
data has leaked and they want to protect you, but because so much of the
hospital is computerized now that they can't really provide care to
patients if they are locked out of the network. A lot of hospitals can't
even dispense Tylenol without logging into a computer to access the drug
drawer. So, if they don't pay, people die.
I'm not familiar with this WM you referenced.
Tilley
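An added example (not code from the thread): the kind of generator Tilley describes, drawing a random string from a CSPRNG and requiring each character class, plus the entropy arithmetic behind Charles's passphrase-versus-generator question. The character classes, the 16-character length and the 7776-word list size are my assumptions.

```python
import math
import secrets
import string

# Character classes a generator is typically required to cover (assumed set).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())


def has_all_classes(pw: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in pw) for cls in CLASSES.values())


def generate_password(length: int = 16, rng=secrets) -> str:
    """Uniform random string over ALPHABET from a CSPRNG, rejecting any draw
    that misses a class. Rejection (rather than forcing one char per class and
    shuffling) keeps every accepted password equally likely."""
    if length < len(CLASSES):
        raise ValueError("length must be at least the number of classes")
    while True:
        pw = "".join(rng.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def entropy_bits(choices: int, count: int) -> float:
    """Bits of entropy for `count` independent uniform picks from `choices`
    equally likely options: the figure that sets brute-force cost."""
    return count * math.log2(choices)


def compare(length: int = 16, words: int = 5, wordlist_size: int = 7776) -> dict:
    """Entropy of a generated string versus a random passphrase of `words`
    words drawn from a list of `wordlist_size` (7776 is the Diceware size).
    A memorable movie quote is not random: its strength is bounded by how
    many well-known quotes a guessing dictionary holds, not by its length."""
    return {
        "random_string": entropy_bits(len(ALPHABET), length),
        "random_passphrase": entropy_bits(wordlist_size, words),
    }


if __name__ == "__main__":
    print(generate_password(), compare())
```

A randomly chosen passphrase is compared on the same footing as a generated string; the quote-with-no-spaces trick is only as strong as the obscurity of the quote.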