> It's my understanding that e-mail and text aren't encrypted, so
> definitely not HIPAA compliant.

Which is why the only email they ever send is "you have a new message
from your physician" or similar.

> Does it take much talent to gain access to a patient's portal records?

The business of these companies (Epic, et al.) is predicated on keeping
this data protected. Same with Bitwarden, 1Password, etc. If you use a
weak password, don't use two-factor authentication, or the HTTP
connection uses a weak form of TLS encryption, then it is much easier to
snoop on a connection.

That said, it seems highly unlikely that a normal individual would be
targeted in such an attack. What value does it do to spend the effort to
find out that I take Nexium to manage chronic heartburn? Very little.
What are they going to do, try and extort me?
-- ak
| ander kierig
| Application Development
| University of Minnesota Libraries
| https://www.lib.umn.edu/about/staff/ander-kierig
| they/them
On 2025-02-17 at 12:31 (-0600) charles meyer wrote:
> My esteemed listmates,
>
> It's my understanding that e-mail and text aren't encrypted, so
> definitely not HIPAA compliant.
>
> But, couldn't doctor's offices/hospitals have you sign a form saying
> that you acknowledge the risk of using unencrypted communications and
> what information they're allowed to send in what channels?
>
> Better you use an email to confirm the date and time of an appointment
> than using a PW generator where it could be hacked and now the
> miscreants can access your patient portal and gather all your health
> care records.
>
> We know the patient portals aren't the only way in for miscreants but
> is it one of the easier ways to get healthcare info?
>
> It's easier than dumpster diving.
>
> Police detectives and the FBI have shared that most criminals are lazy
> (and/or dumb) so that's why they're criminals. It takes talent and the
> right temperament to write code so many miscreants could never use
> their "powers for good and not evil" as they have no special talents.
>
> Does it take much talent to gain access to a patient's portal records?
>
> An experienced detective explained to me that many of those using
> Ransomware never created that software but found it "on the dark web"
> (chat rooms) where they are given step-by-step instructions of how to
> use the Ransomware created by others.
>
> We have some patrons who have been really circumspect re: sharing
> their email addresses and/or phone #s with us just for a library card.
>
> Others don't want to share their driver's license numbers.
>
> We're all trying to assess and manage risk but how much do we really
> know and understand about our or others' vulnerabilities?
>
> Thanks,
>
> Charles.
>
> Charlotte County Public Library