zlacker

12 comments
1. fleven+(OP)[view] [source] 2022-07-30 00:23:25
Right, but if they aren't going to follow best security practices and prove it (via a signed hardware attestation of the running software that includes the transport key they want me to use to send them the data), then I'm not going to send them the data. That's my choice.
replies(3): >>msla+w >>unionp+R2 >>nradov+56
2. msla+w[view] [source] 2022-07-30 00:29:08
>>fleven+(OP)
> if they aren't going to follow best security practices and prove it (via a signed hardware attestation of the running software that includes the transport key they want me to use to send them the data)

You can mandate whatever remote attestation you want, and they'll follow whatever security practices they damn well feel like and you can't do a damn thing about it. So, you've given up your ability to run software that doesn't spy on you, and they're operating business as usual because they don't have a single goddamn reason to care what you think remote attestation means in the real world.

3. unionp+R2[view] [source] 2022-07-30 01:00:15
>>fleven+(OP)
> best security practices

As defined by whom? Some government (which one) organization?

This will end up making everything more ossified and less secure.

But also once that is in place, various organizations and governments will be able to force you to use whatever spyware they want, in order for your attestation to go through.

replies(2): >>judge2+L3 >>mike_h+FV
◧◩
4. judge2+L3[view] [source] [discussion] 2022-07-30 01:08:53
>>unionp+R2
Best security practices as defined by Microsoft, but if I want, I can still create my own arbitrary security requirements and enforce them via software/audits.
replies(3): >>userbi+Db >>patrak+jj >>dzikim+Pr
5. nradov+56[view] [source] 2022-07-30 01:32:24
>>fleven+(OP)
In the US healthcare industry, providers are legally mandated to share patient data with certain other organizations. You don't have a choice.
replies(1): >>salawa+z21
◧◩◪
6. userbi+Db[view] [source] [discussion] 2022-07-30 02:49:47
>>judge2+L3
Microsoft. The same company which strongly pushes a spyware-filled, user-hostile OS. "best"? Really?

> but if I want, I can still create my own arbitrary security requirements and enforce them via software/audits

Try doing that to your bank or whatever other large company you interact with...

replies(1): >>judge2+0c
◧◩◪◨
7. judge2+0c[view] [source] [discussion] 2022-07-30 02:56:48
>>userbi+Db
You can't have your cake and eat it too. Everyone has agency, to decide who they interact with and who they give money to or, on the other side, who they sell products to/provide services to, and there are remarkably few exceptions to this rule (most based on things that the victim can't control). If a company wants to require you only use their products, or only use an allowlist of approved products, they can do that, just as you can decide not to use their services if they charge too much, perform unethical actions, or even if their company name contains the letter 'Y'.
replies(1): >>accoun+iz5
◧◩◪
8. patrak+jj[view] [source] [discussion] 2022-07-30 04:49:17
>>judge2+L3
Best security practices as defined by Microsoft = "You can't have a computer if your country is under US sanctions". Important word: US, a single country. I don't want to punch such a huge hole in any of my systems.
◧◩◪
9. dzikim+Pr[view] [source] [discussion] 2022-07-30 06:54:46
>>judge2+L3
An SP500 corp I often work with has a security department filled with mindless drones, who say things like "regular enforced passwords changes are well regarded best practice".

You almost certainly use software that calls their server at some point. Hope you will enjoy their vision of security. I'm moving into the woods if they can define how my _personal_ computer behaves.

◧◩
10. mike_h+FV[view] [source] [discussion] 2022-07-30 13:40:26
>>unionp+R2
> as defined by whom? Some government (which one) organization?

As defined by the user.

RA doesn't care what software you run. In fact RA is better supported by Linux than any other OS! And, although the discussion in this thread is about RA of entire machines, that's actually pretty old school. Modern RA is all about attesting the tiniest slice of code possible, hence the "enclave" terminology. The surrounding OS and infrastructure doesn't get attested because it can be blinded with encryption. This is beneficial for both sides. I don't actually necessarily care how you configure your OS or even if it's up to date with security patches, if the security model treats the entire OS as an adversary, which is how Intel SGX works. You just attest the code inside the enclave and I send/receive encrypted messages with it.
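
Added example, not part of the thread or any commenter's code: a minimal Go sketch of the check discussed above, in which a relying party accepts a signed attestation only when it reports an allowed code measurement and is bound to the transport key. The `Quote` layout, the Ed25519 key standing in for the hardware attestation root, and all sample values are assumptions constructed for illustration; this is not the Intel SGX quote format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Quote is a simplified, hypothetical attestation report (not the SGX format).
type Quote struct {
	Measurement [32]byte // hash of the code loaded into the enclave
	ReportData  [32]byte // SHA-256 of the enclave's transport public key
	Sig         []byte   // signature by the attestation root key
}
func (q Quote) signedBytes() []byte { // bytes covered by the signature
	return append(append([]byte{}, q.Measurement[:]...), q.ReportData[:]...)
}

// VerifyQuote checks the signature, the key binding, then the measurement allowlist.
func VerifyQuote(root ed25519.PublicKey, allowed [][32]byte, q Quote, transportKey []byte) error {
	if !ed25519.Verify(root, q.signedBytes(), q.Sig) {
		return errors.New("bad signature")
	}
	if sha256.Sum256(transportKey) != q.ReportData {
		return errors.New("transport key not bound to quote")
	}
	for _, m := range allowed {
		if m == q.Measurement {
			return nil
		}
	}
	return errors.New("measurement not in allowlist")
}

// demo uses constructed data: a matching quote, a substituted key, an unlisted build.
func demo() (good, swappedKey, wrongCode error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed test key
	root := priv.Public().(ed25519.PublicKey)
	code, other := sha256.Sum256([]byte("enclave-build-1")), sha256.Sum256([]byte("enclave-build-2"))
	key := []byte("constructed transport public key")
	q := Quote{Measurement: code, ReportData: sha256.Sum256(key)}
	q.Sig = ed25519.Sign(priv, q.signedBytes())
	good = VerifyQuote(root, [][32]byte{code}, q, key)
	swappedKey = VerifyQuote(root, [][32]byte{code}, q, []byte("substituted key"))
	wrongCode = VerifyQuote(root, [][32]byte{other}, q, key)
	return
}
func main() { fmt.Println(demo()) }
```

The allowlist is chosen by whoever calls `VerifyQuote`, and only the enclave's measurement is checked, not the surrounding OS.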

◧◩
11. salawa+z21[view] [source] [discussion] 2022-07-30 14:43:24
>>nradov+56
They actually aren't. The only reason that is necessitated is A) Medicare/Medicaid integration is strongly predicated on EMR, and our damn insurance model is cripplingly dependent on it.

There's nothing that keeps a medical provider from going old school.

Unless I'm completely overlooking something... It may have snuck in with ACA.

replies(1): >>nradov+ex1
◧◩◪
12. nradov+ex1[view] [source] [discussion] 2022-07-30 18:23:11
>>salawa+z21
Yes, you are overlooking a variety of more recent federal laws and associated interoperability regulations, some of which apply even to providers that only accept direct payments from patients and don't bill third-party payers (insurers).

The basic guiding principle in force since HIPAA in 1996 is that patients, not providers, control access to their medical records regardless of whether those are stored on paper or in an EHR. If the patient authorizes sharing those records with another healthcare organization then the provider can charge a small fee for that service but they can't introduce additional spurious technical requirements on the receiving system.

◧◩◪◨⬒
13. accoun+iz5[view] [source] [discussion] 2022-08-01 11:36:01
>>judge2+0c
Corporations are an artificial construct that we as a society let exist. We can decide to add additional restrictions to that existence like requiring them to not discriminate based on what software you run on your own devices.