#hipaa


DATE: April 01, 2025 at 06:09PM
SOURCE: HIPAA Watch from JD Supra

Direct article link at end of text block below.

HIPAA Regulations & Business Associate Agreements In The Age Of Digital Collaboration t.co/4XhSw1B1vP

Here are any URLs found in the article text:

t.co/4XhSw1B1vP

Articles can be found by scrolling down the page at jdsupra.com/ under the title "Latest Updates".

-------------------------------------------------

Private, vetted email list for mental health professionals: clinicians-exchange.org

Most healthcare security and privacy posts related to IT or infosec are at @rsstosecurity

-------------------------------------------------

JD Supra · HIPAA Regulations & Business Associate Agreements In The Age Of Digital Collaboration | JD Supra
The healthcare industry has come up against unprecedented pressure in recent years. Digital transformation has had a significant role to play when it...

DATE: April 01, 2025 at 05:34PM
SOURCE: HEALTHCARE INFO SECURITY

Direct article link at end of text block below.

Experts: Staff Cuts to @FDA Could Hamper #MedicalDevice #Cyber Efforts t.co/GmxEvOWQXC #EnergyandCommerceCommittee

Here are any URLs found in the article text:

t.co/GmxEvOWQXC

Articles can be found by scrolling down the page at healthcareinfosecurity.com/ under the title "Latest"

-------------------------------------------------

Private, vetted email list for mental health professionals: clinicians-exchange.org

Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.

-------------------------------------------------

#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering

Team R: be careful what you wish for.

It would seem that they overlook the importance of #HIPAA to them. By weakening (or eliminating) it you open the possibility of someone exposing your dirty laundry. You cannot expect more privacy than what you grant others.

rawstory.com/abortion-rules-in

Raw Story · 17 states seek to end abortion privacy rule. A federal judge is questioning HIPAA itself
By Kelcie Moseley-Morris, States Newsroom

DATE: April 01, 2025 at 12:36PM
SOURCE: HIPAA Watch from JD Supra

Direct article link at end of text block below.

Healthcare Regulatory Check-Up Newsletter | February 2025 Recap t.co/D6PXFrACm3

Here are any URLs found in the article text:

t.co/D6PXFrACm3

Articles can be found by scrolling down the page at jdsupra.com/ under the title "Latest Updates".


JD Supra · Healthcare Regulatory Check-Up Newsletter | February 2025 Recap | JD Supra
This issue of McDermott’s Healthcare Regulatory Check-Up highlights regulatory activity for February 2025, including long-awaited proposed and final...

DATE: April 01, 2025 at 09:14AM
SOURCE: HIPAA JOURNAL

Direct article link at end of text block below.

Azura Vascular Care Agrees to $3.15 Million Data Breach Settlement - t.co/xCBC8FJSB3

Here are any URLs found in the article text:

t.co/xCBC8FJSB3

Articles can be found by scrolling down the page at hipaajournal.com/ .


DATE: April 01, 2025 at 09:13AM
SOURCE: HIPAA JOURNAL

Direct article link at end of text block below.

173,000 Patients Affected by Chord Specialty Dental Partners Email Data Breach - t.co/kj2YldGbvQ #healthcare #databreach

Here are any URLs found in the article text:

t.co/kj2YldGbvQ

Articles can be found by scrolling down the page at hipaajournal.com/ .


DATE: March 31, 2025 at 04:38PM
SOURCE: HEALTHCARE INFO SECURITY

Direct article link at end of text block below.

@FTC: @23andMe's Buyer Must Uphold Co.'s Data #Privacy Pledge t.co/IFNSWyTT6J #FTC #23andMe

Here are any URLs found in the article text:

t.co/IFNSWyTT6J

Articles can be found by scrolling down the page at healthcareinfosecurity.com/ under the title "Latest"


DATE: March 31, 2025 at 03:53PM
SOURCE: HEALTHCARE INFO SECURITY

Direct article link at end of text block below.

#Oracle Health Responding to Hack of Legacy #Cerner #EHR Data t.co/LncLsn8RT9

Here are any URLs found in the article text:

t.co/LncLsn8RT9

Articles can be found by scrolling down the page at healthcareinfosecurity.com/ under the title "Latest"


DATE: March 31, 2025 at 09:51AM
SOURCE: HIPAA JOURNAL

Direct article link at end of text block below.

Virginia Consumer Protection Act Updated to Include Reproductive and Sexual Health Information t.co/0uM15asE2R

Here are any URLs found in the article text:

t.co/0uM15asE2R

Articles can be found by scrolling down the page at hipaajournal.com/ .


DATE: March 31, 2025 at 09:50AM
SOURCE: HIPAA JOURNAL

Direct article link at end of text block below.

Oracle Health Breach Affects Patients of Multiple U.S. Hospitals t.co/42e13gaQaa #healthcare #databreach

Here are any URLs found in the article text:

t.co/42e13gaQaa

Articles can be found by scrolling down the page at hipaajournal.com/ .


🛑 Oracle Health Breach: What IT Leaders Must Learn

Multiple U.S. hospitals are facing a nightmare: EHR data stolen from legacy Cerner servers still awaiting cloud migration.

🔐 Attack vector: Compromised customer credentials
⚠️ Impact: Multi-org data theft, extortion attempts, and HIPAA compliance chaos
🧾 Oracle told hospitals:
・They must notify patients
・They must assess HIPAA exposure
・Oracle won’t send official notifications—just paper memos

The response strategy—avoiding emails, no formal breach announcement—has left healthcare IT teams frustrated and exposed.

This incident reinforces the importance of:
・Decommissioning legacy systems
・Zero-trust access controls across shared vendor infrastructure
・Clear contractual breach notification roles

👉 bleepingcomputer.com/news/secu


@Catawu @briankrebs I’m not really interested in their frame of reference or what they think about the people impacted. That’s not because I don’t care, but because I think it's irrelevant to the deeper underlying issues.

I’m actually more interested in the extent to which this situation may violate #HIPAA and other #patientprivacy laws. Part of the functional challenge in what is currently going on at the federal level is that many privacy and #healthcare safeguards such as HIPAA are a complex mixture of laws passed by Congress and regulations defined by the executive branch to implement those laws.

I am not a lawyer, but I do deal with #privacyregulations and #regulatorycompliance issues professionally. To the extent that the administration is arguing that they have constitutional authority to make changes to the implementations developed and overseen by the executive branch itself, the extent of what is being done seems unprecedented but may not be illegal per se. I am not qualified to make that determination, but I think it's the foundational question that needs to be asked.

On the other hand, the parts of HIPAA and other federally-enacted laws regarding #healthcare and privacy are in fact laws established within our country’s constitutional framework. The executive branch can’t simply wish clearly-established laws into the cornfield. Unfortunately, many laws leave a great deal of the implementation details—whether unintentionally or through deliberate delegation—to the executive branch, the states, or various regulatory agencies. In turn, many of those regulators also operate to one extent or another under the executive branch, and that further complicates the picture.

Many federal laws leave a great deal of wiggle room for interpretation to the executive and judicial branches, whether or not by design, but congressionally-enacted laws and protections provided by the Constitution itself cannot simply be ignored. While there's definitely a difference, separating a "law" from the "regulations" that implement that law isn't necessarily a simple exercise.

The real challenge is that our republic was designed as a Venn diagram of overlapping roles, responsibilities, and authority that were meant to operate in a state of carefully-balanced tension. The republic's framework has never been tested this broadly within my lifetime, if ever. Even though how our three branches of government should work is material covered in any decent high school civics class, the complexity of statutory vs. regulatory authority requires legal and Constitutional scholarship that is more than the average citizen can bring to bear on the matter. I'd like to think I understand these issues better than most—and I certainly have my own personal and professional instincts about what's right and wrong—but I wouldn't dream of claiming to understand all the nuances involved.

Professionally, I am taking a deliberately apolitical approach to what is a very legitimate set of questions about constitutional authority. Likewise, my apolitical but professional experience tells me that there is entirely too much gray area around the constitutional and legal topics to determine with certainty what is legal as opposed to what is moral or ethical. In my professional experience, what is right and what is lawful aren't always the same.

Unless society as a whole is willing to revisit some of the underlying assumptions collectively made over the past several hundred years about the differences between legislative laws and the administrative regulations that implement them, this problem is unlikely to go away anytime soon. In fact, it is likely to spread to other areas with similar gray areas. As an argument by analogy, the current legal mess around #copyright and #LLM training may be similar in terms of being pure sophistry where the term "fair use" is clearly being used in an intellectually dishonest way, but apparently it's far enough into the gray to pass legal muster right now. Decades or centuries of legislative layering have led to a legal framework that never envisioned modern realities. Revisiting and revising centuries of legal accretion would require a strong moral compass, a great deal of political courage, and in-depth analysis by legal and constitutional scholars (among others) in order to address the very real institutional unraveling we're observing.

Sadly, in a society that frequently classifies expertise as “elitism,” such a brutally honest conversation is unlikely to happen soon. A broad reconsideration of how our republic was designed to function and a hard look at how it actually functions would require high levels of both personal and political courage. It's even less likely to be rapidly prioritized without sufficiently clear political self-interest from a majority of those with the remaining authority to materially affect the outcome.

What I’ve said may strike some as political opinion rather than strictly analytical observation. However, my statements are deliberately based on well-established sociological and psychological norms rather than current politics. I feel confident in asserting that the likelihood of Congress or the Supreme Court—much less the general public—addressing these things effectively in the near term is essentially zero. For any elected or appointed official acting alone, the risk of asserting constitutional prerogatives vastly exceeds both the collective will of their respective institutions and the already-ceded institutional powers required to do so effectively.

Our latest newsletter is out, get it while it's hot!

🗞️ opalsec.io/daily-news-update-f

Key stories:

🏥 Oracle's under fire: A breach at Oracle Health compromised patient data, with Oracle allegedly shifting responsibility to hospitals and avoiding documentation. This follows hot on the heels of denial regarding an alleged Oracle Cloud breach, raising serious questions about their security culture.

🛒 Clop's back in the headlines: Sam's Club - a Walmart subsidiary - is investigating claims of a Clop ransomware attack, potentially linked to the Cleo file transfer vulnerability that has already hit other organizations hard.

📡Don't miss this bizarre twist: Cable operator WideOpenWest (WOW!) is dealing with a breach claimed by Arkana Group, who are publicizing the stolen data (usernames, passwords, etc.) with a… Russian music video. The alleged attack vector? Infostealer malware.

Get up to speed with these stories and more: opalsec.io/daily-news-update-f

If you'd like to get the latest Cyber Security news wrapped up and delivered to your inbox every day, subscribe to our newsletter here!

📨opalsec.io/daily-news-update-f

Opalsec · Daily News Update: Saturday, March 29, 2025 (Australia/Melbourne)
A breach at Oracle Health compromised patient data, with Oracle allegedly shifting responsibility to hospitals and avoiding documentation. A Walmart subsidiary is investigating claims of a Clop ransomware attack, potentially linked to the Cleo file transfer vulnerability.

DATE: March 28, 2025 at 05:24PM
SOURCE: HEALTHCARE INFO SECURITY

Direct article link at end of text block below.

#RevenueCycleManagement Firm Hack Affects Patients, Clients t.co/Zf8QF6ROvY #ALNMedical #HealthPrime #RCM

Here are any URLs found in the article text:

t.co/Zf8QF6ROvY

Articles can be found by scrolling down the page at healthcareinfosecurity.com/ under the title "Latest"


DATE: March 28, 2025 at 12:39PM
SOURCE: HIPAA JOURNAL

Direct article link at end of text block below.

Website Tracking Lawsuit Against Orlando Health Survives Motion to Dismiss t.co/8S0Z8oWvBu

Here are any URLs found in the article text:

t.co/8S0Z8oWvBu

Articles can be found by scrolling down the page at hipaajournal.com/ .


DATE: March 28, 2025 at 12:31PM
SOURCE: HIPAA JOURNAL

Direct article link at end of text block below.

More Than One-Third of Data Breaches Due to Third-Party Compromises t.co/zCWZaHMKcl #healthcare #cybersecurity

Here are any URLs found in the article text:

t.co/zCWZaHMKcl

Articles can be found by scrolling down the page at hipaajournal.com/ .


DATE: March 28, 2025 at 12:05PM
SOURCE: HIPAA JOURNAL

Direct article link at end of text block below.

Healthcare Data Breaches Reported in Georgia, Washington & New Hampshire t.co/D8BTKN45UC #healthcare #databreach

Here are any URLs found in the article text:

t.co/D8BTKN45UC

Articles can be found by scrolling down the page at hipaajournal.com/ .


DATE: March 28, 2025 at 11:39AM
SOURCE: HIPAA JOURNAL

Direct article link at end of text block below.

Beacon Health System Affected by Two Business Associate Data Breaches t.co/MSckF3HC6g #healthcare #databreach

Here are any URLs found in the article text:

t.co/MSckF3HC6g

Articles can be found by scrolling down the page at hipaajournal.com/ .


DATE: March 28, 2025 at 11:39AM
SOURCE: HIPAA JOURNAL

Direct article link at end of text block below.

OCR Gives Update on Proposed HIPAA Security Rule t.co/BOxrzwU9F3 #hipaa #compliance

Here are any URLs found in the article text:

t.co/BOxrzwU9F3

Articles can be found by scrolling down the page at hipaajournal.com/ .
