Why is the healthcare industry still so bad at cybersecurity?

rr6013

Ars Scholae Palatinae
683
TL;DR
Healthcare went from records-based management systems which were essentially color coded medical record file folders to digital data-based file management overnight.

Healthcare lost an inherent security protocol in physical records placed in the hands of patients to walk their medical record to their next specialist. No one had a higher investment than patient to securely waltz their records to the wisdom of a specialist with the promise of finding they won't die.

Data files whiz through networks unseen to parts unknown and specialists whose promise enhances the networks chosen by Healthcare. Many vested interests have turned the patient into the product.

The less secure (i.e. DNA, medical tests, etc.) the more "data" to mine for profit, risk reduction and synergy savings.

Healthcare's uncanny valley remains while living off its purposeful past reputation. Patients woke naturally source care for their health outside the hospital setting centerpiece
 
Upvote
-9 (4 / -13)
A real solution from this will have to come from legislators, but unfortunately, these days that's like expecting an E. coli culture to solve calculus problems. There are two parts to this, one at the medical software and hardware supplier level, where they should absolutely be held fully accountable and liable for strong security, starting yesterday. But it is a lot harder for the health care institutions, because their job isn't IT or device manufacturing, it is health care, so they have other priorities. So they need to depend upon a strong base of security in the devices and software that they use; they can't figure out by themselves how to avoid ransomware; they have to be in a position where everything they could even purchase has already had that baked in, and required, and tested, by a regulatory regime at the supplier level, and then they need to be required by regulation to use those systems appropriately.

It isn't rocket science, because all it requires is rolling out the regulations, but these days even breathing seems to be rocket science for congress, so I'm not hopeful. So these things will probably remain as totally fucked up as the rest of our health care system.

Here is a call for regulation to solve the problem.

I don’t know about stateside but here in Europe, to get an approval for even a simple medical app will require a truckload (literally) of paperwork.

Case in point: one of my colleagues was working on an app for a big multinational pharmaceutical company, and it took them a year and a half to get regulatory approval. Cybercriminals don’t need regulatory approval.

...while here regulation is said to contribute to the problem.

How could we solve this sort of conflict, where what may aid may also ail?
 
Upvote
9 (10 / -1)

ColdWetDog

Ars Legatus Legionis
14,402
“Hospitals are notoriously bad at running up-to-date software and patching medical devices for their patients. Patching medical devices takes time and resources. Not only are there no regulatory requirements for healthcare organizations to do so, there are no incentives, either. (There isn’t even a billing code for it in 2020.) Without a regulatory mechanism, clear demonstrable patient risk, or some kind of incentive, it’s not surprising that competing priorities take precedence.”

There ya go. Wanna know why you see Win98 or WinXP running on your hospital equipment next time you happen to be there? That’s why.

Why is there no regulation fixing this? (Dems and Repubs)? Neither party has done anything about this.

'Cuz that machine that runs XP is a $500K device with a supposedly 10 year lifetime. Which means that a cash strapped hospital will drag it out until 15 years. And the manufacturer won't upgrade the machine ... until you buy a new one. And the middleware vendor wants to charge you another $10K to hook it into their system.

Not everybody does this. GE seems to be pretty reasonable. Everything big runs some version of Linux that talks to lots of other things. But that seems to be an exception.

Part 2 - Big hospitals have enormous IT setups. That are cobbled together. Even the big EHR vendors don't hook to everything. And again, even a big hospital can't afford to toss everything out and start with new machines that go ping all of the time. Even if they could actually buy it, just installing and training everyone is a daunting task. Little hospitals can't afford 'nutthin. Pretty much any rural hospital is cash strapped and personnel strapped with no relief in sight (because they typically don't do cardiac, oncology and big time ortho which is where all of the money is).

Hell, even when you can align most of your stars - have adequate equipment, technical backup and infrastructure, admin is going to shoot everyone in the foot by not hiring enough temporary staff to let people actually learn what they're supposed to be doing.

We're doomed.

Perhaps not but it's certainly one of the main reasons I retired as soon as possible. Now I get to look at the medical system from the other side. It's still pretty ugly.

//must not rant too much
 
Upvote
36 (36 / 0)
As a doctor (public hospital in Denmark) I can tell you part of why security stinks.
The software is crap.
Am I going to use 5 more minutes to do the registration correctly (minimum of 90 clicks in the correct, illogical order), or do I go see the man puking up blood?
We use EPIC and I can tell you the software does not work.
When our main software is so bad all software is treated with disdain.
Doctors have other things to think about than the correct use of software.
Please treat us as children with ADHD when you design the software.
If the software is not intuitive, easy to understand and needlessly complicated we will hate it.

If you design software for a hospital, please, please, please, be informed about what a hospital is. Hospitals are crazy complicated. If you do not understand the workflow, you cannot design software that will be used correctly.
 
Upvote
63 (63 / 0)

kerbaldroptest

Ars Scholae Palatinae
664
Subscriptor
In my limited experience in healthcare IT? Medical professionals are computer tech morons who can never remember the password they changed 5 minutes earlier and doctors are treated like gods whose shit doesn't stink and can never be questioned about anything ever.

I seriously got the "You have to turn it on" call while working for a hospital. How these people know what side of the bed to get up on, much less get through medical training, is a question for the ages.
You must be fun to work with
 
Upvote
7 (10 / -3)

jhodge

Ars Tribunus Angusticlavius
8,716
Subscriptor++
As a doctor (public hospital in Denmark) I can tell you part of why security stinks.
The software is crap.
Am I going to use 5 more minutes to do the registration correctly (minimum of 90 clicks in the correct, illogical order), or do I go see the man puking up blood?
We use EPIC and I can tell you the software does not work.
When our main software is so bad all software is treated with disdain.
Doctors have other things to think about than the correct use of software.
Please treat us as children with ADHD when you design the software.
If the software is not intuitive, easy to understand and needlessly complicated we will hate it.

If you design software for a hospital, please, please, please, be informed about what a hospital is. Hospitals are crazy complicated. If you do not understand the workflow, you cannot design software that will be used correctly.

Why do you not buy or develop better software then?

There are cases where there is no better software to be had. I'm familiar with one situation where there is precisely one provider of software that meets all relevant regulatory requirements. If you are in that business, you will use that software.

For any competitor, 'minimum viable product' starts at 100% compliance, so forget the idea of starting small and iterating quickly. Even if you could put together a viable competitor, you then need to convince customers to buy in. That's hard because when it comes to compliance, there is safety in doing what everyone else does. Being the first one to try something different carries a lot of risk.
 
Upvote
32 (32 / 0)
Perhaps the bigger question is, why are they still so bad at healthcare?

"If I'm only going to see this patient for 15 minutes and might not ever see them again, do I talk to them about patching their pacemaker, or do I talk to them about their horribly uncontrolled diabetes and high blood pressure?"

Because 15 minutes is a grossly inadequate amount of time to spend with a patient, but the profit motive is in control.
I don't work in medical, but I do see thousands of Medicaid patients on the dental side every year, and when I am doing an exam for $27, I am already losing money. The fiscal reality here is that if you are treating low income Medicaid patients, you can either treat a lot of them and keep the lights on, or you can keep a pace that is more appropriate to cash fee patients and go out of business.
 
Upvote
14 (14 / 0)

tuna74

Ars Scholae Palatinae
1,324
There are cases where there is no better software to be had. I'm familiar with one situation where there is precisely one provider of software that meets all relevant regulatory requirements. If you are in that business, you will use that software.

Must be nice to own that software then. No competitors and there is a market that have to use it.
 
Upvote
6 (6 / 0)

ColdWetDog

Ars Legatus Legionis
14,402
There are cases where there is no better software to be had. I'm familiar with one situation where there is precisely one provider of software that meets all relevant regulatory requirements. If you are in that business, you will use that software.

Must be nice to own that software then. No competitors and there is a market that have to use it.

There is plenty of medical software. It all sucks. Badly. The entire ISO 9000 paradigm of logging every frackin' thing coupled with the insane billing requirements in the US (and in Denmark, sorry you're using EPIC - are things that bad over there?) makes for a very poor work flow. Even when you try to rationalize and streamline the workflow, you realize that you can't. Because.

And the because is a billing and / or regulatory requirement. And that's just the EHR / billing part. We haven't even begun to hook together all of the machines that go ping.

And then ... the Internet. That wonderful device that is a security nightmare in and of itself. If you're annoyed that your toaster wants to connect to the Internet, wait until you have 250 expensive machines whose service contracts insists on such.

Upgrade software? Which software today? Given all of the various code-requiring gizmos and processes in a typical hospital, you could have the entire platform trying to upgrade something every single hour. And we all know how well upgrades are debugged....

Ain't so easy as 'well, you go do it'. If it was, somebody would have done it.
 
Upvote
21 (21 / 0)
Based on my IT career, reading about health care IT, and zealously following political news:

1. As the first comment said, profit motive! 17.7% of the US' GDP and rising goes to healthcare. Upper management and shareholders want that money and IT spending minimizes that.
2. The obnoxious "perfect unicorn" hiring habit I see all the time in IT, as do my buddies in recruiting. It seems to be obnoxiously bad here in NYC. "Oh, you have 19 of my 20 bullet points. You're useless. I'm going to keep looking, all the while overworking my existing workers."

*3 months later*
Hiring manager: "Why haven't you found me someone yet!?"
Recruiter: "I have found plenty. But they either don't meet your list so you discount them outright or they meet your requirements but, given how rare 5 years of Kubernetes experience and multiple programming languages is, they want $300K a year and an office, which you refuse to give them. Not sure what you expect me to do here."
Hiring manager: "You're useless too! I'm going to a different recruiting company!"

*3 months later*...

3. Countless organizations still see IT as a cost to be minimized at all costs, not something to invest and spend on. Training someone in areas they're deficient in? Fuck that!
4. Looping back to #2 and #3, people there are overworked. Despite the lamentations of upper management, we're human beings, not robots. Productivity falls sharply after 50 hours a week, and plummets after 55 weeks.
Multi-tasking is horrid for productivity. Try telling your boss this and, in my experience, you will be dismissed at best, paint a giant bullseye on your back at worse.

Open offices are also God-fucking-awful for productivity, but they're all the rage because they're dirt cheap to implement.

It all boils down to out-of-touch upper management trying to squeeze blood from a stone to the point that said stone is reduced to kitty litter.

I was just let go from a job I started recently because they were shocked that 6'6" me did not take kindly to being crammed into a desk 34" wide in an open-office, which I measured with a tape measure. The constant banging of limbs all the while surrounded by DING DING DING DING of Slack and people coughing their guts up was already driving me insane. I kept bringing up the desk issue to HR, they kept saying "It's not fair to the others," ignoring the fact I'm not 5'2" or something, so I guess my griping and misery was apparent. At least I got a nice severance.

So yeah, pardon the rant, but fuck out-of-touch management, fuck open offices, and keep multi-tasking to a minimum because constantly having to re-focus nukes your productivity.
 
Upvote
39 (42 / -3)

jaethi

Smack-Fu Master, in training
74
Subscriptor++
I'm not sure where to put this info, but I figure I trust Ars Technica's journalism expertise. I believe the IMG (International Medical Group) insurance company has been hit with ransomware and are not disclosing it. Their systems "have been down" for weeks now and I've called to handle issues with my insurance and one time I called the woman on the phone said "we experienced a cyber incident" which set off red flags in my mind and so I searched to see if I could find any news about them being hit with ransomware and could not find anything. I have a feeling they're trying to keep it under wraps. Maybe something to look into?
 
Upvote
3 (3 / 0)

Matthew J.

Ars Tribunus Angusticlavius
7,843
Subscriptor++
For what these companies charge for their products, not patching their devices and not having a bug bounty program is just not OK. We need some kind of zero-tolerance policy here: if your buggy unpatched device gets hacked and as a result someone dies or is seriously injured--your company gets liquidated, period. And maybe a few of the execs go to jail. I'm sure that will get these devices locked down pretty quick.
 
Upvote
0 (3 / -3)
1. Penny pinchers
You can have pharmacists, dentists, anesthesiologists, etc. all making $$$$, but when it comes to pushing them into updating their XP, 7, and 8 computers to 10, they'd rather not, to save money.

2. Not broken, no fix/updates necessary mentality.

3. Regardless.
It's not the doctor's fault that 0/no modern computer made today is Not Vulnerable to a 0-day attack.
None
Not one
Doesn't exist

You can patch and update every minute of the day and still get attacked by a 0-day today.

....

What most organizations don't have beyond the superficial latest OS + patches + AV is a good cybersecurity team that constantly monitors for attacks and can shut down systems and networks instantly to mitigate corrupted systems.
 
Upvote
-2 (3 / -5)

Fatesrider

Ars Legatus Legionis
25,176
Subscriptor
Punishments must be proportional to capacity. There must be equity in punishment. So the rich should get fined larger absolute, though the same relative, values. At any rate, is this any surprise when our social systems have zero interest in solving any problems other than maximizing the extraction of resources from their social environment? The people being the environment.
Punishment isn't going to work, because we'll never do it in the oligarchy we have going today.

The only thing that will work is nationalization of the health care industry.

Passing laws and other shit won't stop the health care industry from putting profits ahead of all things. It hasn't so far, and there's no reason to think that more "enlightened" punishment will move that needle, either.

So, take it all out of their hands, and put it into the hands of the government. Even IF the government is wasteful, it'll be run better, because the people have input into what the government does. We don't have any input into how the health care system is run today.

Nationalizing the health care industry may put all the eggs into one basket, but it also creates a stronger basket. Cyber attacks usually go after the low-hanging fruit, and the budgets in training folks in good cyber security practices (I mean the rank and file who are too ignorant to avoid clicking on links in e-mails from people they don't really know) are non-existent. Someone complained that medical personnel don't know IT. Well, fucking duh. No one bothers to teach them anything, because that costs MONEY.

You'd have a budget for on-going training of staff (there're a lot of things people just get thrown into without any orientation in health care that should have at least a sit-down session telling them "this is what you do and don't do"), and best practices in security for records.

Not to mention, cheaper and more accessible health care (which would be the #1 reason for nationalizing it).

But as long as a profit motive remains in the mix, you're always going to have people putting profit ahead of everything else. Take away the profit motive, ensure enough capital to run it right, and you're set. The rest is just implementation.
 
Upvote
0 (7 / -7)
As an employee of an MSP that services a few medical clinics: There are three major reasons why they probably end up behind the curve:

1. Client willingness to exercise best practices, e.g. dual factor authentication. It takes an awful lot of urging to convince doctors and nurses that the few seconds of added security to get logged into a machine is worth it. Many even insist on keeping their passwords simple, and every single time they need to change it, it takes bringing up real horror stories of ransomware to remind them that it's not a safe option to make things easy on them.

2. Tool manufacturers' support of Windows 10. The past year was full of calls to x-ray, MRI, and CT scanner support teams, many of which just told us that we should just isolate all relevant devices onto their own VLAN and keep their software on Windows 7 computers. Sure, that's possible, but what happens when someone plugs a device into the network while spoofing their MAC address to get past switchport filtering? A few of these manufacturers didn't get their stuff fully functional until very early January.

3. Unwillingness to upgrade hardware. Good lord, it takes a lot of pushing to convince people that they need to buy a computer that has more than a Core 2 Duo and 2 gigs of RAM in it. Gah.

Exercising best practices is really all we can do. Software manufacturer tells us "just turn Windows Firewall off" and we say "no, tell us what ports are needed and we will make that work." But oh, their stuff still uses SMB1... thankfully THAT has been dealt with. Our current clients are nice and locked down, but I know the next time we pick up a clinic, this whole dance will need to be done once again.
 
Upvote
12 (12 / 0)
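The "tell us what ports are needed and we will make that work" approach and the SMB1 removal the post above describes, written out as an added PowerShell example for a Windows 10 clinic workstation. This is not the MSP's own script or any vendor's documentation; the port (TCP 104, the standard DICOM port) and the modality subnet are placeholders, and the real values must come from the device vendor's documentation and the clinic's own VLAN plan. The VLAN itself is a switch-side control and is not configured here.

```powershell
# Added example, not from the thread. Hardens a Windows 10 clinic workstation the way
# the post describes: SMB1 off, Windows Firewall left ON, and only the vendor-documented
# port opened, and only from the isolated device VLAN.
# ASSUMED placeholders: replace with the vendor's documented port(s) and your real subnet.
$VendorPort     = 104              # assumed: DICOM default, not a specific vendor's value
$ModalitySubnet = '10.20.30.0/24'  # assumed: the VLAN the scanners were isolated onto
$RuleName       = 'Clinic-Imaging-Client-Inbound'

# Run from an elevated prompt (Windows 10 / Server 2016 or later for the SMB cmdlets).

# 1. Record the current state before changing anything.
$smb     = Get-SmbServerConfiguration
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host "SMB1 server protocol enabled : $($smb.EnableSMB1Protocol)"
Write-Host "SMB1 optional feature state  : $($feature.State)"

# 1b. Optional detection step: log any client still speaking SMB1 (Event ID 3000 in the
#     Microsoft-Windows-SMBServer/Audit log) so legacy devices are found before cut-over.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 2. Remove SMB1 on the server side and uninstall the optional feature (reboot may follow).
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if ($feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 3. Keep the firewall enabled on every profile with inbound blocked by default,
#    instead of "just turning Windows Firewall off".
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 4. Allow only the documented port, and only from the modality subnet. Replace any
#    previous copy of the rule so re-running the script stays idempotent.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) { Remove-NetFirewallRule -DisplayName $RuleName }
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $VendorPort -RemoteAddress $ModalitySubnet `
    -Profile Domain,Private -Action Allow | Out-Null

# 5. Verify the end state: scoped rule present, SMB1 gone.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
```

Run the audit step (1b) for a while before step 2 on any host that serves files: the audit events tell you which legacy device still depends on SMB1 so it can be dealt with deliberately rather than discovered when an image transfer fails. The firewall rule is scoped to a source subnet as well as a port, so a device plugged into the wrong segment does not get a path to the client even if the port is right.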
In my limited experience in healthcare IT? Medical professionals are computer tech morons who can never remember the password they changed 5 minutes earlier and doctors are treated like gods whose shit doesn't stink and can never be questioned about anything ever.

I seriously got the "You have to turn it on" call while working for a hospital. How these people know what side of the bed to get up on, much less get through medical training, is a question for the ages.
I'm upstream support at a vendor these days. The health insurance companies generally have decent but low productivity IT and infosec people. As such they usually have double the staff to get anything done because the right jobs in health insurance are early retirement and golfing programs.

Hospital systems by contrast attract the same talent pool public sector IT does - the marginally incompetent expecting other people to teach them their jobs. For lack of a better phrase they attract talent of a Pakled culture, uninterested in furthering their skills or reputation.
 
Upvote
-9 (1 / -10)
As a doctor (public hospital in Denmark) I can tell you part of why security stinks.
The software is crap.
Am I going to use 5 more minutes to do the registration correctly (minimum of 90 clicks in the correct, illogical order), or do I go see the man puking up blood?
We use EPIC and I can tell you the software does not work.
When our main software is so bad all software is treated with disdain.
Doctors have other things to think about than the correct use of software.
Please treat us as children with ADHD when you design the software.
If the software is not intuitive, easy to understand and needlessly complicated we will hate it.

If you design software for a hospital, please, please, please, be informed about what a hospital is. Hospitals are crazy complicated. If you do not understand the workflow, you cannot design software that will be used correctly.

Thank the endless regulations which require the software to be that way. If you don't include a bazillion warnings and something goes wrong, guess who gets sued into oblivion.

The fact of the matter is this is an enormously complicated problem with no easy answers. The people here pretending the problem is simply because of mean ol' capitalists that hate people are incredibly naive. The problem is that to fix everything you would need to redo the entire infrastructure of a hospital, which would be enormously expensive, would be enormously disruptive, and would require enormous amounts of retraining.

And quite frankly require a lot of old doctors who will never understand the new tech to retire. And even if you ignore that doctors' unions would never ever let that happen for obvious reasons, there aren't enough doctors to replace them.

Basically anyone who wants to boil this problem down to easy, obvious solutions has no clue how deep the rabbit hole goes.
 
Upvote
16 (17 / -1)

Fatesrider

Ars Legatus Legionis
25,176
Subscriptor
As an employee of an MSP that services a few medical clinics: There are three major reasons why they probably end up behind the curve:

1. Client willingness to exercise best practices, e.g. dual factor authentication. It takes an awful lot of urging to convince doctors and nurses that the few seconds of added security to get logged into a machine is worth it. Many even insist on keeping their passwords simple, and every single time they need to change it, it takes bringing up real horror stories of ransomware to remind them that it's not a safe option to make things easy on them.

2. Tool manufacturers' support of Windows 10. The past year was full of calls to x-ray, MRI, and CT scanner support teams, many of which just told us that we should just isolate all relevant devices onto their own VLAN and keep their software on Windows 7 computers. Sure, that's possible, but what happens when someone plugs a device into the network while spoofing their MAC address to get past switchport filtering? A few of these manufacturers didn't get their stuff fully functional until very early January.

3. Unwillingness to upgrade hardware. Good lord, it takes a lot of pushing to convince people that they need to buy a computer that has more than a Core 2 Duo and 2 gigs of RAM in it. Gah.

Exercising best practices is really all we can do. Software manufacturer tells us "just turn Windows Firewall off" and we say "no, tell us what ports are needed and we will make that work." But oh, their stuff still uses SMB1... thankfully THAT has been dealt with. Our current clients are nice and locked down, but I know the next time we pick up a clinic, this whole dance will need to be done once again.

Reason for #1: Profits.
Reason for #2: Profits.
Reason for #3: Profits.

Best practices only work if you have the funding going toward implementation and training. In all cases, across the board, the budgets for cybersecurity are inadequate because of the pursuit of profits. The only exception to that rule is for operations that run in the red already, which means they don't even have profits, let alone the money, to invest in capital expenses (because machines aren't cheap, either).

The point is, not enough money is being devoted to the issue. Manufacturers have little incentive to upgrade things if there's no demand from buyers to have upgraded things. And when the buyers are focusing on the quarterly earnings reports, there's not a lot motivating them to reduce the profit margins with capital expenses.

Pass laws if you want to, they'll be ignored enough times to render them basically pointless.

Get rid of the profit motive altogether and attitudes and priorities change.

But your post highlights not only the proof of what I said above yours, but why my post denotes the only way to permanently fix this. Granted, it may take a while, but it won't be fixed at all unless the profit motive is impacted. I'd rather see profits go away than see prices for health care (I read about Utah paying state employees to FLY TO MEXICO to get their prescriptions!) go up to get better cyber security.

Our health care system isn't just broken, it's in fucking ruins. Nationalizing it is the only way to fix this myriad of ills.
 
Upvote
-3 (6 / -9)
Punishments must be proportional to capacity. There must be equity in punishment. So the rich should get fined larger absolute, though the same relative, values. At any rate, is this any surprise when our social systems have zero interest in solving any problems other than maximizing the extraction of resources from their social environment? The people being the environment.
Punishment isn't going to work, because we'll never do it in the oligarchy we have going today.

The only thing that will work is nationalization of the health care industry.

Passing laws and other shit won't stop the health care industry from putting profits ahead of all things. It hasn't so far, and there's no reason to think that more "enlightened" punishment will move that needle, either.

So, take it all out of their hands, and put it into the hands of the government. Even IF the government is wasteful, it'll be run better, because the people have input into what the government does. We don't have any input into how the health care system is run today.

Nationalizing the health care industry may put all the eggs into one basket, but it also creates a stronger basket. Cyber attacks usually go after the low-hanging fruit, and the budgets in training folks in good cyber security practices (I mean the rank and file who are too ignorant to avoid clicking on links in e-mails from people they don't really know) are non-existent. Someone complained that medical personnel don't know IT. Well, fucking duh. No one bothers to teach them anything, because that costs MONEY.

You'd have a budget for on-going training of staff (there're a lot of things people just get thrown into without any orientation in health care that should have at least a sit-down session telling them "this is what you do and don't do"), and best practices in security for records.

Not to mention, cheaper and more accessible health care (which would be the #1 reason for nationalizing it).

But as long as a profit motive remains in the mix, you're always going to have people putting profit ahead of everything else. Take away the profit motive, ensure enough capital to run it right, and you're set. The rest is just implementation.

Lol.

They can't even run an app to count people in a fucking gym, can't even get basic websites correct, but sure they will definitely be able to pull this off. Pure lol.
 
Upvote
-15 (2 / -17)
My current doctor office - which is a national chain - just switched to managed provider for handling the patient records and external interface. It's all convenient and such. I look for them to be ransomed in the next year. It's pretty much inevitable at this point as most of these breaches are actually contracted providers getting hacked rather than individual practices and the security for those systems are almost always abysmal. The awful thing is they have a page where you can give the office (rather the provider) an on record credit card for charging copays which they store "for up to 365 days on your behalf". What could POSSIBLY go wrong? I declined. I'm not that brain dead. I feel sorry for those that aren't as savvy and don't think it through.

Part of the problem here is federal mandates that require all records to be digitized even to the point where they're running doctors that keep paper records out of the practice. It's insane. That's a great idea on paper, but no one in Congress even gave half a thought to data security when they drafted those rules. Now we're at such a point that everything is networked together, those devices that shouldn't be networked are accessible by computers that themselves have Internet access. Those computers are usually easily pwned either via exploit or social engineering. So now you have people's lives hanging by threads thanks to rules written by incompetent politicians who can barely turn their office computer on and are so incompetent they can't even figure out how to report votes in their own caucuses. People are going to end up getting killed and these politicians will still be running around getting sound bites that "SOMETHING NEEDS TO BE DONE!" without the slightest clue what to do about it and screw it up even worse when they draft even more incompetently designed rules.
 
Upvote
0 (5 / -5)

straegen

Smack-Fu Master, in training
97
In a hospital, doctors are users and don't typically interact with IT. When they do it is typically adversarial because they don't want to follow sound security practices as that slows them down. The vast majority still prefer paper.

Another significant fundamental problem is that healthcare companies are now IT companies but managed by healthcare minded management. Ultimately the profit motive of these companies prevents them from investing into security personnel and audits.

The cost of upgrading decades old systems that work but are insecure is staggering.
 
Upvote
7 (7 / 0)

panton41

Ars Legatus Legionis
11,115
Subscriptor
My current doctor office - which is a national chain - just switched to managed provider for handling the patient records and external interface. It's all convenient and such. I look for them to be ransomed in the next year. It's pretty much inevitable at this point as most of these breaches are actually contracted providers getting hacked rather than individual practices and the security for those systems are almost always abysmal. The awful thing is they have a page where you can give the office (rather the provider) an on record credit card for charging copays which they store "for up to 365 days on your behalf". What could POSSIBLY go wrong? I declined. I'm not that brain dead. I feel sorry for those that aren't as savvy and don't think it through.

Part of the problem here is federal mandates that require all records to be digitized even to the point where they're running doctors that keep paper records out of the practice. It's insane. That's a great idea on paper, but no one in Congress even gave half a thought to data security when they drafted those rules. Now we're at such a point that everything is networked together, those devices that shouldn't be networked are accessible by computers that themselves have Internet access. Those computers are usually easily pwned either via exploit or social engineering. So now you have people's lives hanging by threads thanks to rules written by incompetent politicians who can barely turn their office computer on and are so incompetent they can't even figure out how to report votes in their own caucuses. People are going to end up getting killed and these politicians will still be running around getting sound bites that "SOMETHING NEEDS TO BE DONE!" without the slightest clue what to do about it and screw it up even worse when they draft even more incompetently designed rules.

You realize that politicians rarely write the laws themselves and the legalese for stuff like this often comes from industry insiders, right? The text of the law likely came from the companies that write this software to begin with.

I'm not saying that makes it better - the companies that write medical coding software are borderline incompetent - but it's the politicians doing what experts are telling them to do.

For that matter, the same has been true for decades for nearly any major (and most minor) laws passed. For better or worse (generally worse) industry, or at least think tanks related to them, write the actual text of the law.
 
Upvote
3 (4 / -1)
In my limited experience in healthcare IT? Medical professionals are computer tech morons who can never remember the password they changed 5 minutes earlier and doctors are treated like gods whose shit doesn't stink and can never be questioned about anything ever.

I seriously got the "You have to turn it on" call while working for a hospital. How these people know what side of the bed to get up on, much less get through medical training, is a question for the ages.

Why do you have passwords? Doctors aren't going to tell you how to deploy infrastructure securely. It's the job of the CIO to lay down the law there - that's why they're a C-level.

And if your security is so bad that it threatens the welfare/privacy of the patients, why aren't you being more vocal on behalf of the patients - don't you have some responsibility here? You don't have to be at odds with the doctors - you need to convince them to be on your side and push against the administration.

But apart from IT, software engineers need to get their shit together, develop best practices, validation tools, push for standards and legislation like every other engineering discipline. Why the fuck does anyone rely on passwords in a HIPAA setting anyway? It's not like we don't have a few dozen better solutions at our disposal now. How is it Apple can make it so I can buy a coffee from a dude with a cart with virtually no possibility for that transaction to be hacked, and the entire healthcare IT industry is still fumbling around like it's 1998?

(And for context, I have a close family member who is a CIO of a major health insurer - so I have a bit of insight about how bad shit is in terms of healthcare software and contracting)
 
Upvote
9 (9 / 0)

panton41

Ars Legatus Legionis
11,115
Subscriptor
In my limited experience in healthcare IT? Medical professionals are computer tech morons who can never remember the password they changed 5 minutes earlier and doctors are treated like gods whose shit doesn't stink and can never be questioned about anything ever.

I seriously got the "You have to turn it on" call while working for a hospital. How these people know what side of the bed to get up on, much less get through medical training, is a question for the ages.

Why do you have passwords? Doctors aren't going to tell you how to deploy infrastructure securely. It's the job of the CIO to lay down the law there - that's why they're a C-level.

And if your security is so bad that it threatens the welfare/privacy of the patients, why aren't you being more vocal on behalf of the patients - don't you have some responsibility here? You don't have to be at odds with the doctors - you need to convince them to be on your side and push against the administration.

Because I was a contractor with negative job security and the CIO's only qualification was being a hunting buddy of the CEO.
 
Upvote
11 (11 / 0)

Wosollesenden

Seniorius Lurkius
4
Subscriptor
One big issue of medical devices with IT components included:
Non-modular design. No standard interface between the core tech of the device and the built-in PC.
It's just not possible to change the OS of the PC incorporated in the machine.

This could be fixed easily by modular design. This is one big point for regulators.
 
Upvote
3 (4 / -1)
One big issue of medical devices with IT components included:
Non-modular design. No standard interface between the core tech of the device and the built-in PC.
It's just not possible to change the OS of the PC incorporated in the machine.

This could be fixed easily by modular design. This is one big point for regulators.
Controlled obsolescence and support contracts.

It's a vicious cycle. Hardware and software vendors feel justified ripping off the medical industry because the medical industry rips off everyone they touch. Self interest and collusion.
 
Upvote
4 (4 / 0)
In my limited experience in healthcare IT? Medical professionals are computer tech morons who can never remember the password they changed 5 minutes earlier and doctors are treated like gods whose shit doesn't stink and can never be questioned about anything ever.

I seriously got the "You have to turn it on" call while working for a hospital. How these people know what side of the bed to get up on, much less get through medical training, is a question for the ages.

When interviewing for a hospital IT job, they actually asked me how I would respond to a screaming, disrespectful doctor...apparently it happens a lot.

That hospital actually did some good security practices...separation of roles, etc. But then had a service account that was local admin on almost everything that WAY too many people had the password to.

They bought a smaller hospital and that whole place was eaten up with malware, etc. They basically just replaced all desktops and servers from scratch.

Hospitals will always be a big target due to the amount of personal info they have to carry (and payment methods). It is not easy for them.
 
Upvote
21 (21 / 0)
So I was a presenter and exhibitor at SCAMC (Symposium on Computer Applications in Medical Care) once in D.C.

Spent a lot of time, effort, and money promoting a UHR - Universal Health Record - to the VA, BIA, CHAMPUS, and the private sector.

Same year, presented at the ACEP (American College Of Emergency Physicians) Congress in SFO with a senior fellow from Harvard Med.

Everyone was very supportive of preventing...for ANY reason...the very scenario that starts this article.

That was 1990.

30 years later, not only do we NOT have a portable, durable health record, there’s a labyrinth of stupidity and profiteering at all levels that’s nearly unbelievable.

No mystery here. Just greedy cowards and fools in charge.
 
Upvote
13 (13 / 0)
The cost of upgrading decades-old systems that work but are insecure is staggering.

Not really. The healthcare industry is $3.3T annually, and healthcare software is not inherently complicated. It only seems complicated because you have no agreed upon standards and you have 40 layers of participants rent seeking off of each other.
 
Upvote
-1 (8 / -9)

Oz7

Ars Tribunus Militum
1,571
As a doctor (public hospital in Denmark) I can tell you part of why security stinks.
The software is crap.
Am I going to use 5 more minutes to do the registration correctly (minimum of 90 clicks in the correct, illogical order), or do I go see the man puking up blood?
We use EPIC and I can tell you the software does not work.
When our main software is so bad, all software is treated with disdain.
Doctors have other things to think about than the correct use of software.
Please treat us as children with ADHD when you design the software.
If the software is not intuitive, easy to understand and needlessly complicated we will hate it.

If you design software for a hospital, please, please, please, be informed about what a hospital is. Hospitals are crazy complicated. If you do not understand the workflow, you cannot design software that will be used correctly.

Health IT is a dumpster fire of the first magnitude. For those of you who kept up with the MCAS fiasco, the best way to explain how EHRs work for providers is to imagine that you are asked to fly planes that are known to have an irregular flight characteristic or a malfunctioning system, except when you go to the cockpit, you are greeted by an interface that tends to change every six months, displays where half the readouts are irrelevant, half of the relevant ones are hidden, buttons may or may not have the same function depending on the state of the program, other buttons that simply don't work as they ought to. Oh, and you fly a new plane every eight minutes.

Providers care, but healthcare in the US is run by MBAs (and policy is set by lawmakers who are mostly business or law people) with little understanding of medicine, let alone the tech involved, and couldn't care less about patient or provider - as long as the bottom line & campaign contributions are OK. The science is slowly catching up with the realization that the EHR can easily kill patients - no hacking intended - but papers looking at this are still few and far between.

For a funnier description of the problem, see this.
 
Upvote
5 (6 / -1)
So I was a presenter and exhibitor at SCAMC (Symposium on Computer Applications in Medical Care) once in D.C.

Spent a lot of time, effort, and money promoting a UHR - Universal Health Record - to the VA, BIA, CHAMPUS, and the private sector.

Same year, presented at the ACEP (American College Of Emergency Physicians) Congress in SFO with a senior fellow from Harvard Med.

Everyone was very supportive of preventing...for ANY reason...the very scenario that starts this article.

That was 1990.

30 years later, not only do we NOT have a portable, durable health record, there’s a labyrinth of stupidity and profiteering at all levels that’s nearly unbelievable.

No mystery here. Just greedy cowards and fools in charge.

People need to stop and consider how this happened.

Ten months after announcing plans, and just shy of a year after those plans originally leaked, Apple and the Department of Veterans Affairs have completed the rollout of Apple Health Records to any iOS users among the more than 9 million veterans in the US and surrounding territories.

“We have delivered veterans an innovative new way to easily and securely access their health information,” VA Secretary Robert Wilkie said in a statement released this morning. “Veterans deserve access to their health data at any time and in one place, and with Health Records on the Health app, VA has pushed the Veterans experience forward.”

The rollout includes 1,243 facilities across all 50 states as well as Cuba, Guam, Philippines, Puerto Rico and US Virgin Islands. Through the Health Records feature in Apple's Health app, patients at these facilities will have access to a portable aggregated record of their allergies, immunizations, lab results, procedures and other health measures. If they also receive care at another facility that has implemented Apple Health Records, they'll be able to see data from that system in the same app. Data will be encrypted and secured with passwords, TouchID or FaceID.

10 months. 9 million records. My understanding is that not everything is in there, but a number of vets have reported that there are records that they can only find in Apple Health.

I think the key here is no rent seeking. Apple's not trying to secure a decade-long contract with the VA that ensures revenue flow. To them it's a free service value-add to the iOS device you're paying for. And they have battle-tested infrastructure for security and identity that they're building on top of. And that record format is now going to become the industry standard simply because all of the existing players were trying to secure their piece of the pie, ultimately blocking a real standard from developing.

<cue Apple is bad at services>
 
Upvote
16 (16 / 0)