Another security breach in the news, the Chicago Tribune says:
Medical information such as Social Security numbers, pharmacy records and other personal health data from about 130,000 people covered by health insurance giant Wellpoint Inc. may have been accessed via the Internet, the health insurance giant confirmed.
Read the full story here.
If you will indulge a little prognostication, consider that all forms of authenticating a human involve one of three things: something you "have" (like an office key, or a passcard); something you "know" (like a password, or your mother's maiden name); or something you "are" (like a fingerprint or retinal scan). Stronger authentication processes involve combinations of these, say, a passcard AND a password.
It occurs to me that the migration of vast stores of personal information into electronic stores and the subsequent raiding of those stores (whether lawfully or unlawfully) is going to rapidly diminish the value of something you "know" as an authentication tool. Right now, anyone reasonably accomplished on the internet can figure out my full name, date of birth, city I was born in, my mother's maiden name, and possibly the name of my dog growing up, all without violating any laws or paying any money. It's all out there, and I don't even have a personal blog, a Myspace page or an account on Friendster. If I did, it would be even easier. And once there is a generation of individuals whose entire life is online -- everything, somewhere -- then relying on something one "knows" to prove identity will become a paltry authenticator indeed. If you peg the birth of the web around 1992, those folks are turning 16 this year -- time already for car purchases and credit cards, and soon enough off to college.
That leaves something you "have" and something you "are" to carry the task. But something you "have" was already the weakest and rapidly diminishing in prominence. Keys work just as well for thieves as they do for their rightful owners. The ATM card, for example, only gets you in the door to the ATM; then you have to have the PIN to get any money.
So my guess is that the next ten years will see "something you are" come to the fore as the predominant and ultimately sole authenticator of human identity. Point-of-service thumbscans and point-of-contract eyescans may well become the norm. Or perhaps we will return to that quintessential method of signing contracts, sealing deals by affixing the DNA signature present in a drop of our own blood. And even that may fall by the wayside as cloning gains ground in mainstream reproductive methods.
Or, if you really want to carry the ball forward, come up with a next category of authenticator. "Somehow we think?" Seems like we'll need it soon enough.
Update (4/22/08): The University of Miami announced that thousands of computer records have been stolen from the company UM used to store their offsite records.
A private off-site storage company used by the University of Miami has notified the University that a container carrying computer back-up tapes of patient information was stolen. The tapes were in a transport case that was stolen from a vehicle contracted by the storage company on March 17 in downtown Coral Gables, the company reported. Law enforcement is investigating the incident as one of a series of petty thefts in the area. Shortly after learning of the incident, the University determined it would be unlikely that a thief would be able to access the back-up tapes because of the complex and proprietary format in which they were written. Even so, the University engaged leading computer security experts at Terremark Worldwide to independently ascertain the feasibility of accessing and extracting data from a similar set of back-up tapes.
. . .
Anyone who has been a patient of a University of Miami physician or visited a UM facility since January 1, 1999, is likely included on the tapes. The data included names, addresses, Social Security numbers, or health information. The University will be notifying by mail the 47,000 patients whose data may have included credit card or other financial information regarding bill payment.
Another source, Florida Healthflash, pegged the total number of records stolen at 2.1 million. The 47,000 is the number of records containing billing information.
Read the University's statement here.