2015 Could Be the Year of the Hospital Hack 130
schwit1 writes After Obamacare required hospitals to convert all health records into electronic files, those records are now very vulnerable, and experts expect hackers to target them in the coming years. From the article: "Along with vast troves of credit card information and celebrity snapshots, hackers stole a record number of medical records from U.S. health-care facilities this year. In 2015, attacks targeting health data will become even more common, according to security researchers....The cause of the uptick isn't hard to diagnose. Medical organizations across the world are switching to electronic medical records, and computer security is not always a high enough priority during the process, says Leonard. Besides that, he says, easy and fast access to medical information often trumps security."
Oh, I wouldn't worry about it. (Score:5, Insightful)
EHRs in general are so fucked up that even legitimate users can't figure out what the hell is going on most times.
I tell you what guys. If you do manage to hack into a bunch of systems, could you gin up some code that allows you to get the information out of all of them and put them in one useable place? Despite millions of dollars and countless lines of code, the vendors have yet to make that happen.
Re: (Score:1)
Yes, this.
If I travel to a different state, some random hospital should be able to pull up my record with my consent (or without it in an emergency). It doesn't matter if it is 'in network' or using the right 3rd party vendor software.
Re: (Score:2)
Re: (Score:3, Informative)
(M)illions? Maybe two keys to the left.
I wonder if it would be cheaper to eliminate EHR's and just let patients make up their medical history every visit.
Re: (Score:2)
Re: (Score:1)
I work at a healthcare related IT company and it's often hard enough to connect a bunch of systems together, making security not a top priority.
Most of the time it goes like this: "Let's just make sure it works and we can do security stuff like enabling SSL and protecting web services with WS-Security later". And obviously, that "later" never actually happens.
Re: (Score:2)
I work at a healthcare related IT company and it's often hard enough to connect a bunch of systems together, making security not a top priority.
Most of the time it goes like this: "Let's just make sure it works and we can do security stuff like enabling SSL and protecting web services with WS-Security later". And obviously, that "later" never actually happens.
This. Right now with the big mandated roll out, vendors are scrambling to meet Meaningful Use [practicefusion.com] (also known as Meaningless Abuse) criteria. This entertaining government mandate, like most government mandates is an overly complex, ever changing, voluminous coding horror.
The major security focus seems to be 'nothing works, nobody can get anything out of the system' - it's secure by definition.
Re:Oh, I wouldn't worry about it. BULLSHIT (Score:4, Interesting)
Thats just bullshit.
Meaningful Use is NOT a requirement. It is NOT Obamacare.
It is an incentive that actually gives money to organizations to help them implement EHR infrastructure.
In order to qualify, and to make sure that money is NOT WASTED, there are a number of requirements that must be met. Stage 1 MU is bone-headedly simple, and Stage 2 is pretty straight-forward. Stage 3 is not even written yet, but is likely to include reporting to show how it affects patient outcomes.
The idea of it all is to actively manage your patient population and to use analytics to improve patient outcomes. -And by doing so, you can actually reduce the total cost of healthcare.
The problems are 1: blood-sucking EHR vendors that charge millions and provide crap products. 2: dumbass healthcare administrators who are so involved with political back-stabbing that they totally fail to even attempt to get the free money available from MU
I've worked for a number of healthcare organizations over the last 10 years, and I've seen organizations both large and small not only succeed in MU funding, but thrive as well. (I've also witnessed others utterly fail)
I'm lucky to be part of one of the good organizations right now. yay!
Re: (Score:2)
EHRs in general are so fucked up that even legitimate users can't figure out what the hell is going on most times.
I tell you what guys. If you do manage to hack into a bunch of systems, could you gin up some code that allows you to get the information out of all of them and put them in one useable place? Despite millions of dollars and countless lines of code, the vendors have yet to make that happen.
One of my own medical care providers completed the transition not long ago. I notice someone doing a zoom (reverse pinch) on one of my lab results and realized they were looking at an image of a printed page. At first I thought this was nuts as an image would have to be converted and OCRed to be machine readable. But now, I can see that stealing a bunch of images that you must read by eye or OCR is a lot less useful than nice regexp-able data. "Hey, we stole 300,000 medical files... all TIFFS" does not see
Re:Oh, I wouldn't worry about it. (Score:4, Interesting)
You sound like an MD.
Often the choice of the EMR isn't a rational choice, they put more thought into getting a new car then their EMR, even though it may cost more.
Mistakes.
1. Wrong Size. You have a small practice and you get the system meant for a large hospital. Because you figure you deserve the best. It would be like everyone buying a Mac Truck for their daily car needs, just because they may need that in the future. There are a lot of small EMR systems that are fast and easy to use, but doesn't cover everything under the sun.
2. Unwilling to change your workflow. I have seen too many doctors use their EMR systems and populate information at the end of the day. While they were meant to be used on a Laptop or tablet in Real Time. Once you get the software most people can navigate rather quickly.
3. Fixed Price in your head. They start shopping with a fixed price in their head... Often buying not on features but the one closest to the price.
4. Lack of imagination. Once you get the data digital, there is so much more you can do with the data. Statistical Analysis on effectiveness of procedures. Being able to request and get back results electronically, getting alerts from the hospital. etc....
Re: (Score:1, Insightful)
Don't apologize for the EMR vendors and stereotype physicians. I have seen EMR deployed in a medium sized hospital that had race conditions that caused the patient's meds order to be doubled. I actually witnessed this happen myself while observing a doc submit their orders. In case you aren't aware, this type of bug could have fatal outcomes for patients.
I have also seen a PACS where the vendor-managed system would run out of disk space and make it so no radiologist could login... and the entire hospital wa
Re: (Score:2)
EMR *might* be a ney (sic) gain if it were coded more like avionics rather than a ramshackle clusterfuck from a dev team who has never heard of unit testing, much less a test-driven development SDLC.
This. Very much this. I'm not much of a programmer, but I've never written code as bad as I've seen in our EHR. I know how to set up SQL tables more sensibly than our vendor does and I damn sure know more about CSS than our vendor. And that is very scary.
Re:Oh, I wouldn't worry about it. (Score:5, Informative)
Oh, I am an MD and one who has been dealing with EHRs for decades.
Unfortunately, you are partially correct. The C-level folks were told that the EHR wouldn't do what the salespeople said - even if it was tailored to a small hospital. Acutally, nobody buys stuff above their weight, it's just too damned expensive. What is commonly done is a small hospital merges with a bigger one or comes to some agreement to slave onto a big system. That can be done successfully but, as you point out, you may be using a Mack truck to delivery groceries. Done correctly, it does impress....
Workflow always changes with EHRs. The problem with a lot of them is that the workflows make no clinical sense. We still have to treat patients. Especially the cheaper ones who don't spend a lot (or any) time thinking about the user interface. Most of them look like Visual Basic programs from the 1990's. Hell, our vendor can't even be bothered to get the tab order correct. This is a common complaint. Especially with the nonsensical federal regulations even simple things like admitting a patient get convoluted and weird. Lots of EHRs just don't have the flexibility to incorporate completely illogical processes.
Fixed price? Well, even the PHBs know that isn't going to happen. The problem is that if (when) there are serious overruns, a small institution just can't spend that money. It doesn't have the capital resources. There are a number of rural hospitals that are going under because of the mandated EHR. Our employee costs doubled for 18 months trying to shoehorn the stupid thing in. That was partly a fault of the vendor, partly our fault for not streamlining work flows before the EHR, but that is a very hard thing to get any system to do. I argued for years to get our acts together but that would have taken more money and more time, things smaller hospitals don't have much of. (The theme here is that there is an enormous gap between financial health of the bigger systems and the smaller outlying hospitals. This is due to the bizarre way we bill for things in the US - you get lots more money for doing something instead of keeping a patient from needing that something. To do much these days takes a big system - think cath labs, MRIs, lots of specialty teams on call 24/7 - think money and lots of it.)
Imagination doesn't seem to be an issue. I imagine that our EHRs programming and management staff is suspended over a pool of molten iron as we speak.
Re: (Score:3)
@ColdWetDog, I'm writing a thesis currently on Health IT interoperability (I'm in NZ but what I can tell is these problems persist across vastly differing policy/funding environments). Would be interested in getting your thoughts on the topic from the real world perspective of a health practitioner. It's been tricky 'recruiting' clinical people with appropriate technical expertise to comment on what the barriers are. I do have some US/Canadian people lined up already - only one is a currently pract
Re: Oh, I wouldn't worry about it. (Score:2)
Re: (Score:2)
Re: (Score:2)
ColdWetDog: good insight. As you said, smaller organizations have a difficult time implementing EHR systems. But much of that is because they dont have good communication between their clinical staff and their technical staff. The IT staff usually has little clinical background, and gets left out of discussions where they really need to be included.
In a large organization, often times the IT staff has a clinical background as well, such as former nurses, etc.
-As a side note, how is an organization
Small practices aren't dumb (Score:3)
You have a small practice and you get the system meant for a large hospital.
That's typically because they work closely with a particular hospital and desire compatibility with the hospital's EMR system. Not always but often.
There are a lot of small EMR systems that are fast and easy to use, but doesn't cover everything under the sun.
And there are many that cannot exchange records with other systems which defeats 99% of the purpose of having an EMR system in the first place. Just because it is smaller doesn't make it necessarily a better fit. Granted, many of them don't really examine the options closely enough but it would be pretty easy to get siloed into a small package that doesn't re
Re:Oh, I wouldn't worry about it. (Score:5, Informative)
The least common denominator is the print button, it might not have any interoperability but there'll be no security by obscurity. In the hospital, you're likely to run into three kinds of systems:
1) The patient administration system (PAS) which keeps track of all the logistics like scheduling appointments, staff lists, equipment, operating rooms, cleaning of rooms and all that. It's somewhat related to the journal in the sense that when you've seen the doctor there should be journal entry for it, but for a major hospital it's also many other things. It might be integrated in the EPJ, but it might also be its own system.
2) The electronic patient journal (EPJ) which is pretty much all about record keeping but when it comes down to it is all about text. Any structured information is supposed to be supported by the text entries, in fact in the US I heard there are professional medical coders that do it so the doctor just writes the journal text. Here it's mostly the doctor itself, but those rules can get quite complicated if there's multi-trauma or symptoms of underlying conditions or complications of procedures that are typically coded differently from "simple" code lookups. Your discharge report is typically also stored here.
3) All the actual medical systems, of which there are typically thousands in a large hospital and they all keep changing all the time to support advances in medicine. The bulk of your electronic health data never leaves these systems. They have to support the record keeping requirements, but that basically just means adding auditing to the field along with the field itself. There's no requirement that they should be able to dump this data out in any format and if it were you'd end up with a hilariously huge specification that would change daily with elements like <x-$company-$product-$major-$minor-$revision> elements doing database to xml dumps.
There are lots of isolated attempts to standardize certain bits and pieces, like for example electronic referrals, prescriptions, lab requests, sending of x-ray images and to add more structured data, but they're much more limited in scope and you can certify compliance. Exporting the whole EPJ and importing it somewhere else is a huge beast. Also it's not entirely certain you'd want that. Say you have been to the hospital for an ugly STD and later for an eye infection. They want to send you to an eye specialist, does the whole journal go? Should your general practicioner have a huge hospital system? There's a lot of issues to be resolved with regards to a "global" journal.
One of the more difficult aspects is that at least here today the journal is not entirely yours. For psychiatric patients or where the doctor suspects child abuse, domestic violence or is speculating into possible conditions to check for the doctor can make private notes that are only available to themselves, not the patient itself. It has its uses but if everything flows freely it could also become a gossip column which is not the intent. The journal is also the doctor's working tool, you don't want him to start keeping a shadow system because by default the system is on broadcast. By far most doctors take their job very seriously and are just trying to help.
Re: (Score:2)
EHRs in general are so fucked up that even legitimate users can't figure out what the hell is going on most times
OTOH, there are examples that work, and have done so for a long time. Some 30 years ago or so, I worked for the Danish Sygehusdatacenter - a long word that means EHR, broadly speaking (very broadly: 'Hospital Data Centre', actually). All GPs and all hospitals had to use this system, which ran on an IBM mainframe with a huge number of 3270 terminals connected across the country. It worked remarkably well, because 1) Danish health care is NOT provided by a large number of private companies with no interest in
Re:Cash Doctors (Score:4, Insightful)
In fact my medical records folder comes home with me from my visits and does not even physically stay in his office.
No, it doesn't. At least in the US, the original stays in the office. You might get a copy but even here in Nuttville we're not crazy enough to let the patient have the canonical record.
Besides, you do realize that your pharmacy sells your prescription information to mining companies [kevinmd.com] and that the states typically monitor any restricted drug with a system of your own?
The only way to stay perfectly anonymous is to get care out of the country or stay healthy.
Re:Cash Doctors (Score:4, Interesting)
And the minute his malpractice carrier sees that, he will never be insured again.
You both may be big boys, but you're not lawyers. And lawyers trump big boys in this system.
Re: (Score:2)
Isn't there also a requirement under the state licensing laws that require doctors to keep adequate medical records?
Re: (Score:2)
Stay healthy? (Score:2)
I take the "stay healthy" route.
Oh is that all there is to it? If those darn cancer patients would just "stay healthy" then they wouldn't have to deal with those pesky doctors. Why didn't anyone else think of that?
Re: (Score:2)
Re: (Score:2)
No, it doesn't. At least in the US, the original stays in the office. You might get a copy but even here in Nuttville we're not crazy enough to let the patient have the canonical record.
That would be entirely up to that doctor, and you have no reason whatsoever to doubt the accuracy of what he said.
Re: (Score:3)
That would be entirely up to that doctor
No, it's not. For example, the State of New Jersey requires that doctor's keep the original records.
Do I have a right to my medical records?
In most instances, the patient has a right to receive a copy of his or her medical records, not the original. Although most patients assume that the records belong to them, the Board requires that the physician to maintain the original to ensure that the patient’s medical history is available to any subsequent treating physician or health care provider. Copies may be given to the patient, another doctor, your attorney, your insurance company or another family member if the patient expressly authorizes it. If a patient is deceased, the duly appointed executor or administrator of the estate may obtain copies also. Medical records cannot be released to a spouse, family member (except in the case of a child), attorney or any other person unless the patient gives his/her express consent to release them to that specific person.
http://www.state.nj.us/lps/ca/... [state.nj.us]
So it's highly likely that if that situation is true that the doctors he is dealing with could be breaking the requirements of their medical license.
Re: (Score:2)
So it's highly likely that if that situation is true that the doctors he is dealing with could be breaking the requirements of their medical license.
Probably more likely that they re-write the same information down in their own folder after he leaves.
Re: (Score:2)
Besides, you do realize that your pharmacy sells your prescription information to mining companies [kevinmd.com]
For the benefit of those who might wonder why companies such as Freeport-McMoRan [fcx.com] would care that you picked up some Augmentin at the pharmacy, that's "data mining companies".
Re: (Score:2)
How can I say this? Because my doctor will do this for any cash-paying patient who asks.
Re: (Score:2)
It is impossible in a number of states whose licensing board requires that the doctor's keep the original records. If you're in the US, what state do you live in?
No (Score:1)
easy and fast access to medical information often trumps security."
That's the attitude of a lot of corporations, and that's why there is so much successful hacking going on.
Re:No (Score:4, Interesting)
easy and fast access to medical information often trumps security."
That's the attitude of a lot of corporations, and that's why there is so much successful hacking going on.
In a medical situation, that might be the right decision. If your patient turns up unconscious in the ER at 2am, or if you're covering for your partner and his patient turns up unconscious in the ER at 2am, easy and fast access might trump security.
There was a study a few years ago in which a hospital tried an electronic records system in a pediatric ICU, and the death rate went up. The system was too hard to use. Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.
I don't think there's a practicing pediatrician in the country who would let a patient die in order to improve security.
Re: (Score:1)
I don't see why they can't have both.
Hospitals and doctors already have access to records, however the systems holding the records are the target.
So why can't those systems be secure and available?
There was a study a few years ago in which a hospital tried an electronic records system in a pediatric ICU, and the death rate went up. The system was too hard to use. Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.
Yeah I don't buy that at all, and you give no link to back up your claim.
I worked in a hospital that had an electronic records system and a computer in each room, but the drugs for the patients were also listed in a book at the nurses station.
And each nurse/doctor knew what thier patients needed, most certainly in
Re: (Score:2)
I don't see why they can't have both.
Hospitals and doctors already have access to records, however the systems holding the records are the target.
So why can't those systems be secure and available?
There was a study a few years ago in which a hospital tried an electronic records system in a pediatric ICU, and the death rate went up. The system was too hard to use. Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.
Yeah I don't buy that at all, and you give no link to back up your claim.
I worked in a hospital that had an electronic records system and a computer in each room, but the drugs for the patients were also listed in a book at the nurses station.
And each nurse/doctor knew what thier patients needed, most certainly in an ICU.
Especially this part
Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.
Sounds like bullshit to me.
It's a frequently-cited study. The message is, you can't just throw computers at something and make it better.
Let's see what somebody could find with a Google search, if they weren't so lazy:
At Children’s Hospital of Pittsburgh, mortality rates increased after the implementation of an electronic records system from Cerner in 2002, according to a study published in 2005 in the journal Pediatrics.
During the 18 months examined, the mortality rate increased to 6.6 percent in the five months after the syst
Re: (Score:1)
First lets go back and look at the original premise.
easy and fast access to medical information often trumps security."
I think you can have both.
The hospital I worked at had a book at the nurses desk with all the orders for each patient from the doctor, as well as the drugs, whatever set up you're talking about about has nothing to do with security or the system, it has to do with human error as you would never rely solely on an electronic system in a hospital, if they are they are batshit crazy.
So to take the example given.
http://www.bloomberg.com/news/... [bloomberg.com]
That is a one of
Re: (Score:1)
Oh and just because they want the stuff entered in electronically doesn't mean they don't have the paper, it has to go somewhere prior to going on the computer.
And the VA is a dinosaur, and an ineffectual one at that, one of my relatives works there and frequently complains about it.
We were talking main stream health care, not dark ages.
Comment removed (Score:5, Insightful)
Re:this isnt an "obamacare" thing. (Score:5, Informative)
That was certainly a part of it. The funny thing is that the insurers are the ones having the hardest time getting their electronic acts together. They invariably use gargantuan legacy systems, coded originally on punch cards and even changing the number of fields in a form requires thousands of programmer-years.
The other big push was by a weird combination of politicians latching on to anything that could possibly save money (ohhh! Shiny!) and big system / big vendors realizing that they were sitting pretty to gobble up lots of smaller systems that simply didn't have the capital to compete. EHRs are very, very expensive and time consuming. Once integrated into large systems, they do improve workflows and likely pay back the investment. For smaller hospitals, not so much.
The key in American medicine is to gobble up all of the patients with economically viable diseases. Mostly heart disease, orthopedics and cancer. The rest of the population is just a loss leader. So you need lots and lots of procedures^Hpatients to make your nut.
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
The key difference was/is that without the government mandate it would have happened as medical care providers found it economically valuable.
Translation: Never.
Re:this isnt an "obamacare" thing. (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
The Department of Veterans Affairs has had EMRs for close to 50 years. AFAIK, there have been no major incidents with this. So, not only can the government do something well,they can also do with with a reasonable level of security.
Re: (Score:2)
This is true. Compared to other systems, the VISTA system operates very well for physicians at VA hospitals.
Its also open sourced -- so why don't the other EHR take advantage of that??
Re: (Score:2)
Re: (Score:2)
It's not open source, it's public domain. When you run it in a hospital, you need to have support for the software you're using. You also need to have the same hardware and software configurations that are supported. For a small hospital that can be pretty expensive to do. I know that my local hospital is using VISTA at least in phlebotomy, maybe other areas.
Re: (Score:2)
electronic medical records were basically mandated by insurance companies and hospital executives in an effort to reduce overhead in paper, postage, and ancillary staff related to records processing.
And as I understand it, they were designed for the convenience of the insurance companies, with the primary task of billing, and handling the other information, like patient administration and clinical data was retrofitted later.
So if you went through the list of insurance company requirements, you'd have it all. If you went through the list of doctors' requirements, not so much.
Re: (Score:2)
Seriously, they're about me. They should give me full and complete access to them, I should have control over them.
Yet...it's like pulling teeth to get records of my tooth extraction.
Gee, all I have to do to see my records is to ask. Same thing if I need an explanation. Then again, I'm in Kanuckistan, where we do things differently :-) Plus it helps that I've got great doctors.
They are not just your records (Score:3)
Seriously, they're about me. They should give me full and complete access to them, I should have control over them.
They are NOT solely about you. They are about the actions taken to treat you. They are business records in addition to being health records and as such you should have some amount of of access but a practice would be insane to give you full control of them. You certainly should not have the right to modify medical records or delete them. You should not have the right to withhold the records from the practice in the event of the dispute. The practice is required by law to keep them stored safely for a n
Re: (Score:1)
"You certainly should not have the right to modify medical records"
In the United States HIPAA explicitly 'gives' you this right at 45 CFR 164.526
http://www.gpo.gov/fdsys/pkg/CFR-2013-title45-vol1/xml/CFR-2013-title45-vol1-sec164-526.xml
That's not what it says... (Score:2)
Uhhh, that same text basically gives them the right to deny any request you have to amend anything. In particular:
"A covered entity may deny an individual's request for amendment, if it determines that the protected health information... is accurate and complete."
Translation, if they say the record is good, then you have no right to amend it. Guess what they're going to say if you request to amend your record?
Unrestricted control of health records by patients (Score:2)
In the United States HIPAA explicitly 'gives' you this right
Apparently you didn't bother to read your link. It gives the right to request an amendment in 164.526 (a) (1) but immediately below in 164.526 (a) (2) it explicitly gives health care providers the right to deny the amendment for very broad reasons. Like I said, a health care provider would be insane to permit unrestricted control of health records to patients. They are NOT your records exclusively. They are health records but also business records, legal records and sometimes financial records. Do you
It wasn't obamacare, it was the ARRA (Score:5, Informative)
Obamacare or ACA did not mandate the use of EHR. This was in legislation long before ACA, it was part of the American Recovery and Reinvestment Act (ARRA). It was specifically called Meaningful Use. it mandates a series of electronic use requirements over three phases with initially payments for use and later penalties by CMS. The vast majority of MU certified vendors were producing EHRs long before ARRA and have reasonable security in place. Clearly though some vendors, and hospitals need some shoring up though.
Re: (Score:2)
EHRs might have 'reasonable' security in place, but, as we know, security isn't a thing, it's a process. And all too often, to get the damn EHR to work with the lab system, the radiology system, the billing system and bog-knows-what-else, the 'security' bits get compromised.
And then there are the users. I just LOVE typing in my user name and password one hundred times during the day. Yes, we could go single sign on. For another 100K and a bunch of other IT problems. No, we don't have that 100K. So no
Re: (Score:2)
i agree with all of your points.
connecting your EHR to your lab system, to your HIE, to your practice systems, etc is a mess. HL7 stinks. So things do indeed get missed.
of course, with deliberate, thoughtful deployments, these are solvable problems. it takes time and patience.
and don't get me started on end users. :-) but i do believe they are trying, they are busy, and they didn't go to medical school to deal with systems, but to help people.
Hospitals are a stupid target (Score:4, Insightful)
Hospitals are a pretty stupid target in comparison to banks, physical retail environments, and online stores. A hospital DB might contain a social security number, addresses, illnesses, and birthdate. So what?
If you can get into a bank, you get money account info, credit scores, security tips, former trades, credit cards, all sorts of good stuff. If you get into a retail environment or online store, it's almost as good. Basically, you get money to spend. In a hospital though, the only unique thing you find out is if someone is sick and with what. That's a pain in the ass to work with. You can try to get more info from all that PII, but again, it's a pain in the ass and available elsewhere. Other stuff is more lucrative for the investment of time, criminal risk, and energy.
If you were a terrorist, a hospital might be a bit more interesting, but the various hospital disasters I have read about demonstrate that there isn't much a hacker can really do to hurt people. Nurses at the end of the day don't do stupid things and doctors aren't much worse.
No, hospitals are a stupid place to expend effort.
Re: (Score:3)
Coming soon to headlines near you:
The number of STDs this celebrity has will shock you! Now with the names of the partners they got it from!
You'll never guess who has herpes! Online dating, now with health background checks (including identifiable previous partners) on each potential match.
Parents, find out if your grown children have had a pregnancy test with this one tool.
Media leaks from the hack suggest that my opponent has mental health issues, so clearly you should vote for me instead.
Sorry, we can't
Re: (Score:1)
There is a lot more than that there:
1: Hacking isn't just downloading a lord-king-God XML file with everyone's info in it. Part of hacking is altering and destroying data. Now, picture the fallout if a celeb's medical records get changed from "fatal allergic to Prozium" to "pump this sucka full of Prozium if he comes in, to stabilize him." Very trivial modification, and would only take a single UPDATE statement at the DB level to do so. The fallout would be a dead celeb [1], then a knee-jerk Congress p
Re: (Score:2)
3: Just wanton screwing around with medical records. If someone took a million records and just changed stuff like what meds people were allergic to and what conditions they have, it would render the whole database poisoned. Doing that, a hacker could utterly destroy and shutter a hospital, and wherever the tainted medical records went to. Of course, just the threat of this will get payouts in the tens of millions. Remember, it just takes one zero in a medicine dose to go from therapeutic to lethal in a lot of cases.
You do realize that people can already do that with paper records as well right? There's also much less effort involved.
Re: (Score:2)
No one is going to be modifying a million records at once anyway. If people are forging records it's going to be selected targets.
Re: (Score:2)
Re: (Score:3, Insightful)
The glut of credit card data on the market means that the going rate for credit card data on the black market right now is about $1/account. Contrast this to $10/health record. (http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924)
Why?
1) health records have excellent data to facilitate identity theft
2) banks have much more rigorous anti-fraud systems in place, and consumers know to check credit reports
3) Because of #2, fraudulent health insurance claims schemes are goi
Re: (Score:3)
If you can get into a bank, you get money account info, credit scores, security tips, former trades, credit cards, all sorts of good stuff. If you get into a retail environment or online store, it's almost as good. Basically, you get money to spend.
Yes, but banking breaches/CC Fraud is so common, that the two times it's happened to me, it's been "an errand" - pick up my dry cleaning, get a haircut, cancel my debit card and submit a fraud form, get drinks for company tonight, put some gas in the car. It's that prevalent that it's a well-trodden path, with laws, protections, procedures, canned forms, and an express line to get it squared away. Medical record fraud is a much more difficult problem. You don't need your particular credit card number. You D
Re: (Score:2)
A hospital DB might contain a social security number, addresses, illnesses, and birthdate. So what?
That's enough to apply for a credit card.
Re: (Score:2)
Hospitals are a pretty stupid target in comparison to banks, physical retail environments, and online stores. A hospital DB might contain a social security number, addresses, illnesses, and birthdate. So what?
You're forgetting insurance information. Besides all the information you mentioned which is suitable to steal and identity, they can use the health records and insurance for fraud to either get drugs that might be allowed to the real patient or treatment or payment for costly procedures.
Re: (Score:2)
I'm thinking insurance fraud. Putting in claims for procedures not completed. Sure, doctors and staff can do it now, but with outside attackers it might become more likely.
Hospitals keep a very close track of their income, so I doubt it would be possible to bill a procedure without inside help. Even then it's a risky proposition because the liability for medical fraud may exceed the liability for economic fraud by far. Imagine if a doctor thought he'd had the procedure but he really didn't and the patient died, you might be looking at a million dollar malpractice lawsuit for a thousand dollar feigned procedure. I guess it could happen more with small add-on charges, but I dou
paper records less vulnerable to attack (Score:2)
see — if doctors had just kept to their paper records, they couldnt be hacked..
lol
Re: (Score:2)
Yeah, no one can possibly sneak in and steal paper records! Unpossible!
Re: (Score:2)
So that's why there are dozens of stories about stolen paper records just in the last 5 years? And that's just what is caught and reported.
Yeah, Right (Score:2)
(sarcasm) "easy and fast access to medical information", why dont you just throw in inexpensive there while you are at it.(/sarcasm)
We are talking about the US private health care industry, right?
Could be... (Score:2)
2015 could also be the year of the International Pick-up-sticks championship too.
What sensationalist garbage.
Lame (Score:2)
*yawn* Because paper records are sooper seekrit secure?
http://www.healthdatamanagemen... [healthdatamanagement.com]
http://www.ydr.com/local/ci_25... [ydr.com]
http://www.hartfordbusiness.co... [hartfordbusiness.com]
http://www.fiercehealthcare.co... [fiercehealthcare.com]
2015 could be the year of just about anything! (Score:2)
Really? I am beginning to wonder why I still look at /. after seeing an article like that.
Small doc offices as well (Score:1)
Re: (Score:2)
If you have physical access to those same offices you could can easily steal their paper records. Most such offices have horrendous physical security.
During high school and college I worked in the medical records department of a mid-size hospital. It would have been trivially easy to tamper with or even photocopy and walk out with patient records.
Why does anyone want to hack medical records? (Score:2)
It's for filing fake claims to insurance companies and medicare.
This is already a 100 million dollar/year business.
Re: (Score:2)
http://www.reuters.com/article... [reuters.com]
Hospital IT is an easy target (Score:2)
Hospitals aren't really the best place to find lots of healthcare information. I mean if you are tracking a celebrity that went into a specific hospital, that is one thing, but if you are datamining for lots of information, there exist larger repositories.
easy and fast access to medical information (Score:2)
Obviously, this author does not know the first fucking thing about hospital EMRs ;-)
Re: (Score:2)
Yeah if you want easy and fast access you'd just break in and steal the paper records. Or you can also just steal the paper records from an unlocked van [fiercehealthcare.com].
I work in IT at a hospital, and I'm worried (Score:1)
Posting anonymously because job. I work in IT at a hospital.
I'm worried about the lax attitude towards security at my workplace. Don't get me wrong, we're serious about privacy. We follow all the HIPPA guidelines and have regular training about them. Any use of records not immediately related to care (research, billing) requires approval of an internal review board. Nothing identifiable leaves the organization (unless it's transfering your records to your new doctor). There's severe criminal penalties for m
Re: (Score:1)
Posting anonymously because job. I work in IT at a hospital.
The place I work at takes security very seriously - lots of rules for passwords, screens locking after being idle, RSA tokens, etc - and it costs a lot to maintain. Which means we have to charge patients more than places which are lax, or else make a lower margin than they do. Which means we have less patients, which means less money, which means we have to charge patients even more, or else cut out services.
Re: (Score:2)
Posting anonymously because job. I work in IT at a hospital.
I'm worried about the lax attitude towards security at my workplace. Don't get me wrong, we're serious about privacy. We follow all the HIPPA guidelines and have regular training about them. Any use of records not immediately related to care (research, billing) requires approval of an internal review board. Nothing identifiable leaves the organization (unless it's transfering your records to your new doctor). There's severe criminal penalties for misuse of records. What we do is logged and monitored. We're absolutely serious about making sure no one here misuses your data. You are safe from us invading your privacy.
But it's like it never occurs to them that malicious people from outside the organization might want to do something nasty. People can use personal devices to access work resources. Access to critical systems is a remote desktop session away, with handy "remember my password" boxes pre-checked. There is no two-factor authentication. Security training ends at "don't share your password" and "don't click strange links/files in email." There's no awareness of the threat and there's nothing I can do about it. And nothing I've seen at other facilities makes me think we're alone. So, yeah, I'm worried.
I think it just varies from place to place. Typically once your institution has a significant breach where large numbers of medical records are leaked, they get a major wake-up call when the government hands them a massive fine for HIPAA violation. The last two medical centers I worked at had recent HIPAA smack downs and pretty soon after two-factor authentication was rolled out, USB drives were banned, and non-VPN remote access was dropped. Security was much better there than at academic research centers
Re: (Score:2)
See tagline...
A trusted and anonymous source? (Score:1)
This is probably correct. (Score:1)
which one? (Score:1)
Re: (Score:2)
How exactly are paper records any more secure? I've gone into a number of clinics and doctor's offices were the only "security" of their medical records is an easily broken into cabinet.
Re: (Score:2)
How exactly are paper records any more secure? I've gone into a number of clinics and doctor's offices were the only "security" of their medical records is an easily broken into cabinet.
Perhaps they're not more secure in the literal sense, but they're less of an enticing target. It requires physical presence, and probably some form of breaking and entering. It requires physical transport (which likely means multiple trips), and either a LOT of work on a photocopier, or banking on the fact that no one will miss them. Once you have them, you need to go through them by hand and glean any useful information through manual file sifting.
Digital records are stolen through the Ethernet port. They
Re: (Score:1)
How exactly are paper records any more secure? I've gone into a number of clinics and doctor's offices were the only "security" of their medical records is an easily broken into cabinet.
Perhaps they're not more secure in the literal sense, but they're less of an enticing target. It requires physical presence, and probably some form of breaking and entering. It requires physical transport (which likely means multiple trips), and either a LOT of work on a photocopier, or banking on the fact that no one will miss them. Once you have them, you need to go through them by hand and glean any useful information through manual file sifting.
Digital records are stolen through the Ethernet port. They won't be "gone", so they won't be "missed". They can be sifted, sorted, filtered, and pivoted until they produce useful information. If the records don't produce useful data, it'd be much more difficult to convict the thief of a crime, whereas physical record theft still leaves a laundry list of crimes with which to convict that are easier to prove.
Should the cabinets be locked? Yes...but the only place on a computer you need a crowbar to get what you want is in a game of Half-Life.
Ah you make good points. who's got mod points left over?
Re: (Score:1)
How exactly are paper records any more secure? I've gone into a number of clinics and doctor's offices were the only "security" of their medical records is an easily broken into cabinet.
Yep. As I've posted before, when EMRs were just getting off the ground, in the 90s, I saw a presentation by some honcho in some company at a conference, and he said whenever he got asked about security of computerized records, he would excuse himself, head for the nearest nurses' station, grab a fistful of charts, walk back to whatever room, and toss them on the table. All the hospital execs in the room kind of chuckled and grinned ruefully. I've thought about that every time I visit somebody in the hospita