In response to the Perspectives column written by Charles Cooper, "":
I love the statement:
"You can count on companies to talk about implementing cybersecurity guidelines and best practices until they're blue in the face. Truth be told, however, you won't see major changes until the law holds actual fannies to the fire."
Exactly! Software vendors and value-added resellers are driven by dollars, not altruism. Nothing's wrong with that per se, but there needs to be corporate responsibility in here somewhere. Why do you think the Health Insurance Portability and Accountability Act exists? OK, there needed to be a way to guarantee portability of coverage, but what's the reason for mandating the privacy and computer security part? The only way to get most vendors to do "the right thing" regarding privacy and information protection is to legislate it. Sue 'em, I say.
I was recently at a conference attended by thousands of health care professionals. It included an expo of hundreds of application vendors. I used the occasion to sample 25 of the system builders and application vendors to see what they were doing differently now that HIPAA was in force. The answer was, for the most part, "nothing."
Their response was that if they could show the government's watchdogs that they were applying "best practices" to their systems, they were not liable in the eyes of HIPAA. So, I asked, if you put a security policy in place and add a firewall, that constitutes a best practice? Yep. There is no motivation to raise the bar unless legislation demands it. It just costs too much. Phooey.
Do you think Microsoft really cares about building in security, driven by an altruistic need? Hardly. The only reason you see reaction from them now is they know masses of users are increasingly fed up with sloppy code and will--some day--respond with their wallets. There are more Microsoft alternatives today, and more are coming. They hear the footsteps.
Louis A. Jurgens