The concept of criticality is one that some would argue includes varying degrees, but for others whether data is critical or not is a binary question. There are all sorts of laws and guidance I’ve been privy to since at least 2001 that have invoked the critical label. Earlier, in the post-9/11 era, most of that surrounded critical infrastructure: the electric grid, water systems, the internet trunk lines, and so on.
As hacking and such gained momentum in both practice and the media’s coverage of the practice, I honed my security work from its broader scope down to cybersecurity. My senses of criticality became less attuned to infrastructure and turned to describe data and information.
There’s more than one definition of “critical” in plain English, likewise. As you read this you are being critical, unlike its use in critical infrastructure. You might be critical, in a reader’s sense, in various ways to further complicate things. You may feel like expressing an adverse reaction to my writings, or you disapprove of my opinions. You might be critical like a film or book critic conducts their business as they analyze and evaluate their subject matters (objectively, if you please).
The use of “critical” that applies to today’s column, I guess at a level below your own critical review of the piece itself, is meant to implicate a crisis. In Latin, the origin of the word is criticus and it came into fashion in English-speaking circles in the 16th century, half a millennium ago, to relate to what we’re dealing with today: the crisis of disease.
There are many types of information that computer security professionals discuss, and ultimately try to protect; and if not, then try to recover. The list even includes good ol’ hard copy, paper-based information. Information security, as a concept, covers as broad a set of information types as the word “information” itself may allude to. Still, as you can imagine, the crux of the InfoSec community focuses their intentions on digital information. Some of that subset of information is critical. Your Amazon purchases or wish list are not likely considered critical. TikTok videos, Facebook posts, Tweets, and a whole host of commonplace communications, just like in real life, are not bound to any criticality measures.
There are many types of data that you produce, however, that would be considered critical. Sure, that new salad spinner you scored on Amazon falls outside of criticality, but how you acquired it contains clear-cut critical information. Your credit card number, your shipping address, your email. These are the types of information that security professionals work to protect. Some of the cache of critical information is grouped into what’s known as personally identifiable information, often abbreviated as PII. Your PII is what might lead a bad actor to learn who you are in the most personal way. It might be low-hanging fruit for the hacker, such as your Social Security number and date of birth. With those two data points all sorts of havoc could ensue. One’s PII might be more subtle, though. It presents a puzzle in a way, though one that could be solved with the end game being able to personally identify you, and therefore hijack your identity. A simple Amazon transaction is rife with PII. In addition to PII, that quick purchase also dropped critical financial information into the hands of any savvy hacker.
Financial information is its own breed of critical information. There are many forms. Businesses and banks have special regulations to comply with that each have as their goal consumer protection and economic stability. That’s some big picture financial data criticality. As stated, that breed’s taxonomy delves deeply, down to your own payment card digits. Any way you look at it, information that has a nexus with dough-re-mi, the almighty dollar, the cheddar, the Benjamins…. You get it. That’s critical.
Educational records are another set-aside type of critical information that deserves, and receives, special protections. I’m likely biased in bringing this critical information to bear because I teach and am ever aware of the logical reasons to protect students’ information, for their own sakes, as well as my legal duties under state and federal law to protect the same. School information, I would say, falls into the critical camp.
One area that you, me, and everyone we know or don’t, have involvement in within the paradigm of critical information is healthcare data. From the moment of your first breath to the last, healthcare professionals and systems fiddle with your information. Maybe it’s not the most critical information—that might be national security or defense data, nuclear sciences, other sets more likely to affect all of humanity—but it’s seriously critical nonetheless. Without secured healthcare information, there’s no telling what diagnoses, what pharmaceuticals, what procedures, or what altogether the precise, tailored healthcare solutions are best derived for you. Without secured healthcare information, there’s no telling (to the care providers) who you even are, to be melodramatic about it. It’s true. Many, many cases of healthcare data integrity compromises have resulted in applying the wrong solution, the wrong medicine, even the wrong replacement organ or limb.
So, to end my lecture about information’s criticality on healthcare seems apt. Also, timely. Memorial Health System, a group of hospitals in Ohio and West Virginia, was attacked last week. Ransomware was the vehicle. The results were unsurprising. Surgeries were cancelled. Ambulances were steered to alternate care centers. Its network of various outpatient clinics and similar facilities was shuttered. The entirety of its IT operations stalled out.
Memorial doesn’t service millions of patients like some mega-hospitals, and that makes the case more intriguing. It shows that, despite the obvious criticality alongside the smallish target, the hackers are no less reckless. Where will they go next? No matter, it’s a critical question.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.