Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Medicine Privacy Politics

2015 Could Be the Year of the Hospital Hack 130

schwit1 writes After Obamacare required hospitals to convert all health records into electronic files, those records are now very vulnerable, and experts expect hackers to target them in the coming years. From the article: "Along with vast troves of credit card information and celebrity snapshots, hackers stole a record number of medical records from U.S. health-care facilities this year. In 2015, attacks targeting health data will become even more common, according to security researchers....The cause of the uptick isn't hard to diagnose. Medical organizations across the world are switching to electronic medical records, and computer security is not always a high enough priority during the process, says Leonard. Besides that, he says, easy and fast access to medical information often trumps security."
This discussion has been archived. No new comments can be posted.

2015 Could Be the Year of the Hospital Hack

Comments Filter:
  • by ColdWetDog ( 752185 ) on Monday December 29, 2014 @09:42AM (#48688879) Homepage

    EHRs in general are so fucked up that even legitimate users can't figure out what the hell is going on most times.

    I tell you what guys. If you do manage to hack into a bunch of systems, could you gin up some code that allows you to get the information out of all of them and put them in one useable place? Despite millions of dollars and countless lines of code, the vendors have yet to make that happen.

    • by Anonymous Coward

      Yes, this.

      If I travel to a different state, some random hospital should be able to pull up my record with my consent (or without it in an emergency). It doesn't matter if it is 'in network' or using the right 3rd party vendor software.

    • Re: (Score:3, Informative)

      by BreakBad ( 2955249 )

      (M)illions? Maybe two keys to the left.

      I wonder if it would be cheaper to eliminate EHR's and just let patients make up their medical history every visit.

    • of course some of the problem is at the receptionists desk. Some of the local medical places will ask you for First name Last name and Birthday to try to find your record(s) but if you happen to have somebody with the same First Last and Birthday they may or may not bother to ask you for any other info. I have had a time getting seperated from the other guy (he is Edward i am Laurence). If it is supported by your E-Records system grab a copy of your "Lucy" record and have that one you (does anybody sell
    • by Anonymous Coward

      I work at a healthcare related IT company and it's often hard enough to connect a bunch of systems together, making security not a top priority.
      Most of the time it goes like this: "Let's just make sure it works and we can do security stuff like enabling SSL and protecting web services with WS-Security later". And obviously, that "later" never actually happens.

      • I work at a healthcare related IT company and it's often hard enough to connect a bunch of systems together, making security not a top priority.
        Most of the time it goes like this: "Let's just make sure it works and we can do security stuff like enabling SSL and protecting web services with WS-Security later". And obviously, that "later" never actually happens.

        This. Right now with the big mandated roll out, vendors are scrambling to meet Meaningful Use [practicefusion.com] (also known as Meaningless Abuse) criteria. This entertaining government mandate, like most government mandates is an overly complex, ever changing, voluminous coding horror.

        The major security focus seems to be 'nothing works, nobody can get anything out of the system' - it's secure by definition.

        • by uslurper ( 459546 ) on Tuesday December 30, 2014 @12:32PM (#48697123)

          Thats just bullshit.

          Meaningful Use is NOT a requirement. It is NOT Obamacare.
          It is an incentive that actually gives money to organizations to help them implement EHR infrastructure.
          In order to qualify, and to make sure that money is NOT WASTED, there are a number of requirements that must be met. Stage 1 MU is bone-headedly simple, and Stage 2 is pretty straight-forward. Stage 3 is not even written yet, but is likely to include reporting to show how it affects patient outcomes.

          The idea of it all is to actively manage your patient population and to use analytics to improve patient outcomes. -And by doing so, you can actually reduce the total cost of healthcare.

          The problems are 1: blood-sucking EHR vendors that charge millions and provide crap products. 2: dumbass healthcare administrators who are so involved with political back-stabbing that they totally fail to even attempt to get the free money available from MU

          I've worked for a number of healthcare organizations over the last 10 years, and I've seen organizations both large and small not only succeed in MU funding, but thrive as well. (I've also witnessed others utterly fail)

          I'm lucky to be part of one of the good organizations right now. yay!

    • EHRs in general are so fucked up that even legitimate users can't figure out what the hell is going on most times.

      I tell you what guys. If you do manage to hack into a bunch of systems, could you gin up some code that allows you to get the information out of all of them and put them in one useable place? Despite millions of dollars and countless lines of code, the vendors have yet to make that happen.

      One of my own medical care providers completed the transition not long ago. I notice someone doing a zoom (reverse pinch) on one of my lab results and realized they were looking at an image of a printed page. At first I thought this was nuts as an image would have to be converted and OCRed to be machine readable. But now, I can see that stealing a bunch of images that you must read by eye or OCR is a lot less useful than nice regexp-able data. "Hey, we stole 300,000 medical files... all TIFFS" does not see

    • by jellomizer ( 103300 ) on Monday December 29, 2014 @12:26PM (#48690293)

      You sound like an MD.

      Often the choice of the EMR isn't a rational choice, they put more thought into getting a new car then their EMR, even though it may cost more.

      Mistakes.
      1. Wrong Size. You have a small practice and you get the system meant for a large hospital. Because you figure you deserve the best. It would be like everyone buying a Mac Truck for their daily car needs, just because they may need that in the future. There are a lot of small EMR systems that are fast and easy to use, but doesn't cover everything under the sun.

      2. Unwilling to change your workflow. I have seen too many doctors use their EMR systems and populate information at the end of the day. While they were meant to be used on a Laptop or tablet in Real Time. Once you get the software most people can navigate rather quickly.

      3. Fixed Price in your head. They start shopping with a fixed price in their head... Often buying not on features but the one closest to the price.

      4. Lack of imagination. Once you get the data digital, there is so much more you can do with the data. Statistical Analysis on effectiveness of procedures. Being able to request and get back results electronically, getting alerts from the hospital. etc....

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        Don't apologize for the EMR vendors and stereotype physicians. I have seen EMR deployed in a medium sized hospital that had race conditions that caused the patient's meds order to be doubled. I actually witnessed this happen myself while observing a doc submit their orders. In case you aren't aware, this type of bug could have fatal outcomes for patients.

        I have also seen a PACS where the vendor-managed system would run out of disk space and make it so no radiologist could login... and the entire hospital wa

        • EMR *might* be a ney (sic) gain if it were coded more like avionics rather than a ramshackle clusterfuck from a dev team who has never heard of unit testing, much less a test-driven development SDLC.

          This. Very much this. I'm not much of a programmer, but I've never written code as bad as I've seen in our EHR. I know how to set up SQL tables more sensibly than our vendor does and I damn sure know more about CSS than our vendor. And that is very scary.

      • by ColdWetDog ( 752185 ) on Monday December 29, 2014 @01:44PM (#48691043) Homepage

        Oh, I am an MD and one who has been dealing with EHRs for decades.

        Unfortunately, you are partially correct. The C-level folks were told that the EHR wouldn't do what the salespeople said - even if it was tailored to a small hospital. Acutally, nobody buys stuff above their weight, it's just too damned expensive. What is commonly done is a small hospital merges with a bigger one or comes to some agreement to slave onto a big system. That can be done successfully but, as you point out, you may be using a Mack truck to delivery groceries. Done correctly, it does impress....

        Workflow always changes with EHRs. The problem with a lot of them is that the workflows make no clinical sense. We still have to treat patients. Especially the cheaper ones who don't spend a lot (or any) time thinking about the user interface. Most of them look like Visual Basic programs from the 1990's. Hell, our vendor can't even be bothered to get the tab order correct. This is a common complaint. Especially with the nonsensical federal regulations even simple things like admitting a patient get convoluted and weird. Lots of EHRs just don't have the flexibility to incorporate completely illogical processes.

        Fixed price? Well, even the PHBs know that isn't going to happen. The problem is that if (when) there are serious overruns, a small institution just can't spend that money. It doesn't have the capital resources. There are a number of rural hospitals that are going under because of the mandated EHR. Our employee costs doubled for 18 months trying to shoehorn the stupid thing in. That was partly a fault of the vendor, partly our fault for not streamlining work flows before the EHR, but that is a very hard thing to get any system to do. I argued for years to get our acts together but that would have taken more money and more time, things smaller hospitals don't have much of. (The theme here is that there is an enormous gap between financial health of the bigger systems and the smaller outlying hospitals. This is due to the bizarre way we bill for things in the US - you get lots more money for doing something instead of keeping a patient from needing that something. To do much these days takes a big system - think cath labs, MRIs, lots of specialty teams on call 24/7 - think money and lots of it.)

        Imagination doesn't seem to be an issue. I imagine that our EHRs programming and management staff is suspended over a pool of molten iron as we speak.

        • OFFTOPIC

          @ColdWetDog, I'm writing a thesis currently on Health IT interoperability (I'm in NZ but what I can tell is these problems persist across vastly differing policy/funding environments). Would be interested in getting your thoughts on the topic from the real world perspective of a health practitioner. It's been tricky 'recruiting' clinical people with appropriate technical expertise to comment on what the barriers are. I do have some US/Canadian people lined up already - only one is a currently pract

        • ColdWetDog: good insight. As you said, smaller organizations have a difficult time implementing EHR systems. But much of that is because they dont have good communication between their clinical staff and their technical staff. The IT staff usually has little clinical background, and gets left out of discussions where they really need to be included.

          In a large organization, often times the IT staff has a clinical background as well, such as former nurses, etc.

          -As a side note, how is an organization

      • You have a small practice and you get the system meant for a large hospital.

        That's typically because they work closely with a particular hospital and desire compatibility with the hospital's EMR system. Not always but often.

        There are a lot of small EMR systems that are fast and easy to use, but doesn't cover everything under the sun.

        And there are many that cannot exchange records with other systems which defeats 99% of the purpose of having an EMR system in the first place. Just because it is smaller doesn't make it necessarily a better fit. Granted, many of them don't really examine the options closely enough but it would be pretty easy to get siloed into a small package that doesn't re

    • by Kjella ( 173770 ) on Monday December 29, 2014 @01:12PM (#48690755) Homepage

      The least common denominator is the print button, it might not have any interoperability but there'll be no security by obscurity. In the hospital, you're likely to run into three kinds of systems:

      1) The patient administration system (PAS) which keeps track of all the logistics like scheduling appointments, staff lists, equipment, operating rooms, cleaning of rooms and all that. It's somewhat related to the journal in the sense that when you've seen the doctor there should be journal entry for it, but for a major hospital it's also many other things. It might be integrated in the EPJ, but it might also be its own system.

      2) The electronic patient journal (EPJ) which is pretty much all about record keeping but when it comes down to it is all about text. Any structured information is supposed to be supported by the text entries, in fact in the US I heard there are professional medical coders that do it so the doctor just writes the journal text. Here it's mostly the doctor itself, but those rules can get quite complicated if there's multi-trauma or symptoms of underlying conditions or complications of procedures that are typically coded differently from "simple" code lookups. Your discharge report is typically also stored here.

      3) All the actual medical systems, of which there are typically thousands in a large hospital and they all keep changing all the time to support advances in medicine. The bulk of your electronic health data never leaves these systems. They have to support the record keeping requirements, but that basically just means adding auditing to the field along with the field itself. There's no requirement that they should be able to dump this data out in any format and if it were you'd end up with a hilariously huge specification that would change daily with elements like <x-$company-$product-$major-$minor-$revision> elements doing database to xml dumps.

      There are lots of isolated attempts to standardize certain bits and pieces, like for example electronic referrals, prescriptions, lab requests, sending of x-ray images and to add more structured data, but they're much more limited in scope and you can certify compliance. Exporting the whole EPJ and importing it somewhere else is a huge beast. Also it's not entirely certain you'd want that. Say you have been to the hospital for an ugly STD and later for an eye infection. They want to send you to an eye specialist, does the whole journal go? Should your general practicioner have a huge hospital system? There's a lot of issues to be resolved with regards to a "global" journal.

      One of the more difficult aspects is that at least here today the journal is not entirely yours. For psychiatric patients or where the doctor suspects child abuse, domestic violence or is speculating into possible conditions to check for the doctor can make private notes that are only available to themselves, not the patient itself. It has its uses but if everything flows freely it could also become a gossip column which is not the intent. The journal is also the doctor's working tool, you don't want him to start keeping a shadow system because by default the system is on broadcast. By far most doctors take their job very seriously and are just trying to help.

    • EHRs in general are so fucked up that even legitimate users can't figure out what the hell is going on most times

      OTOH, there are examples that work, and have done so for a long time. Some 30 years ago or so, I worked for the Danish Sygehusdatacenter - a long word that means EHR, broadly speaking (very broadly: 'Hospital Data Centre', actually). All GPs and all hospitals had to use this system, which ran on an IBM mainframe with a huge number of 3270 terminals connected across the country. It worked remarkably well, because 1) Danish health care is NOT provided by a large number of private companies with no interest in

  • by koan ( 80826 )

    easy and fast access to medical information often trumps security."

    That's the attitude of a lot of corporations, and that's why there is so much successful hacking going on.

    • Re:No (Score:4, Interesting)

      by nbauman ( 624611 ) on Monday December 29, 2014 @04:36PM (#48692123) Homepage Journal

      easy and fast access to medical information often trumps security."

      That's the attitude of a lot of corporations, and that's why there is so much successful hacking going on.

      In a medical situation, that might be the right decision. If your patient turns up unconscious in the ER at 2am, or if you're covering for your partner and his patient turns up unconscious in the ER at 2am, easy and fast access might trump security.

      There was a study a few years ago in which a hospital tried an electronic records system in a pediatric ICU, and the death rate went up. The system was too hard to use. Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.

      I don't think there's a practicing pediatrician in the country who would let a patient die in order to improve security.

      • by koan ( 80826 )

        I don't see why they can't have both.

        Hospitals and doctors already have access to records, however the systems holding the records are the target.

        So why can't those systems be secure and available?

        There was a study a few years ago in which a hospital tried an electronic records system in a pediatric ICU, and the death rate went up. The system was too hard to use. Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.

        Yeah I don't buy that at all, and you give no link to back up your claim.
        I worked in a hospital that had an electronic records system and a computer in each room, but the drugs for the patients were also listed in a book at the nurses station.
        And each nurse/doctor knew what thier patients needed, most certainly in

        • by nbauman ( 624611 )

          I don't see why they can't have both.

          Hospitals and doctors already have access to records, however the systems holding the records are the target.

          So why can't those systems be secure and available?

          There was a study a few years ago in which a hospital tried an electronic records system in a pediatric ICU, and the death rate went up. The system was too hard to use. Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.

          Yeah I don't buy that at all, and you give no link to back up your claim.
          I worked in a hospital that had an electronic records system and a computer in each room, but the drugs for the patients were also listed in a book at the nurses station.
          And each nurse/doctor knew what thier patients needed, most certainly in an ICU.
          Especially this part

          Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.

          Sounds like bullshit to me.

          It's a frequently-cited study. The message is, you can't just throw computers at something and make it better.

          Let's see what somebody could find with a Google search, if they weren't so lazy:

          At Children’s Hospital of Pittsburgh, mortality rates increased after the implementation of an electronic records system from Cerner in 2002, according to a study published in 2005 in the journal Pediatrics.

          During the 18 months examined, the mortality rate increased to 6.6 percent in the five months after the syst

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Monday December 29, 2014 @09:50AM (#48688921)
    Comment removed based on user account deletion
    • by ColdWetDog ( 752185 ) on Monday December 29, 2014 @10:03AM (#48689013) Homepage

      That was certainly a part of it. The funny thing is that the insurers are the ones having the hardest time getting their electronic acts together. They invariably use gargantuan legacy systems, coded originally on punch cards and even changing the number of fields in a form requires thousands of programmer-years.

      The other big push was by a weird combination of politicians latching on to anything that could possibly save money (ohhh! Shiny!) and big system / big vendors realizing that they were sitting pretty to gobble up lots of smaller systems that simply didn't have the capital to compete. EHRs are very, very expensive and time consuming. Once integrated into large systems, they do improve workflows and likely pay back the investment. For smaller hospitals, not so much.

      The key in American medicine is to gobble up all of the patients with economically viable diseases. Mostly heart disease, orthopedics and cancer. The rest of the population is just a loss leader. So you need lots and lots of procedures^Hpatients to make your nut.

      • by swedoc ( 1310721 )
        This is actually interresting. EMR systems should not be that complex. The base system is just text data, in chronological order that never (should) change. I'm visioning kind of a CVS system for a cover sheet for ease of use (latest record always complete but all changes traceable) but all notes accessible. Lab data is just numbers. X-ray data is more complicated but for that there is separate good systems, for instance Sectra. Also, most doctors do not need to see the actual x-rays, they only need the ans
    • Medical practices, especially small practices, who haven't followed the changes to HIPAA that have occurred outside of the context of the ACA, will be in for a rude surprise if they're sloppy enough about their security practices ("willfully negligent") and have a breach. The civil fines have gotten much higher, are easier to impose, and it's much harder for the medical practice to hide behind service companies.
    • Yes, EMR was a "thing" before it was mandated by law. The key difference was/is that without the government mandate it would have happened as medical care providers found it economically valuable. That is, they would have seen value in making the transition and would have been invested in making the change. Instead we have a system where they have to do it and do not see the value in doing so. This means that instead of something which they see as being a way to improve either their bottom line, or improve
      • The key difference was/is that without the government mandate it would have happened as medical care providers found it economically valuable.

        Translation: Never.

        • by Attila Dimedici ( 1036002 ) on Monday December 29, 2014 @10:48AM (#48689361)
          That is not true. There were medical care providers who were making the transition to EMR. The problem was that not enough were making the transition as fast as the companies which had decided to make a business out of transitioning them to EMR had anticipated. Since the people who had invested in these companies based on that anticipated rate of transition were politically connected the government was used to speed up the transition.
    • by Enry ( 630 )

      The Department of Veterans Affairs has had EMRs for close to 50 years. AFAIK, there have been no major incidents with this. So, not only can the government do something well,they can also do with with a reasonable level of security.

      • by dogbowl ( 75870 )

        This is true. Compared to other systems, the VISTA system operates very well for physicians at VA hospitals.

        Its also open sourced -- so why don't the other EHR take advantage of that??

        • Because VistA is a pain to implement and maintain. Not every hospital has the IT resources of the federal government available. And it's not that easy to use.
        • by Enry ( 630 )

          It's not open source, it's public domain. When you run it in a hospital, you need to have support for the software you're using. You also need to have the same hardware and software configurations that are supported. For a small hospital that can be pretty expensive to do. I know that my local hospital is using VISTA at least in phlebotomy, maybe other areas.

    • by nbauman ( 624611 )

      electronic medical records were basically mandated by insurance companies and hospital executives in an effort to reduce overhead in paper, postage, and ancillary staff related to records processing.

      And as I understand it, they were designed for the convenience of the insurance companies, with the primary task of billing, and handling the other information, like patient administration and clinical data was retrofitted later.

      So if you went through the list of insurance company requirements, you'd have it all. If you went through the list of doctors' requirements, not so much.

  • by anjrober ( 150253 ) on Monday December 29, 2014 @10:04AM (#48689023)

    Obamacare or ACA did not mandate the use of EHR. This was in legislation long before ACA, it was part of the American Recovery and Reinvestment Act (ARRA). It was specifically called Meaningful Use. it mandates a series of electronic use requirements over three phases with initially payments for use and later penalties by CMS. The vast majority of MU certified vendors were producing EHRs long before ARRA and have reasonable security in place. Clearly though some vendors, and hospitals need some shoring up though.

    • EHRs might have 'reasonable' security in place, but, as we know, security isn't a thing, it's a process. And all too often, to get the damn EHR to work with the lab system, the radiology system, the billing system and bog-knows-what-else, the 'security' bits get compromised.

      And then there are the users. I just LOVE typing in my user name and password one hundred times during the day. Yes, we could go single sign on. For another 100K and a bunch of other IT problems. No, we don't have that 100K. So no

      • i agree with all of your points.
        connecting your EHR to your lab system, to your HIE, to your practice systems, etc is a mess. HL7 stinks. So things do indeed get missed.
        of course, with deliberate, thoughtful deployments, these are solvable problems. it takes time and patience.

        and don't get me started on end users. :-) but i do believe they are trying, they are busy, and they didn't go to medical school to deal with systems, but to help people.

  • by Stargoat ( 658863 ) <stargoat@gmail.com> on Monday December 29, 2014 @10:08AM (#48689063) Journal

    Hospitals are a pretty stupid target in comparison to banks, physical retail environments, and online stores. A hospital DB might contain a social security number, addresses, illnesses, and birthdate. So what?

    If you can get into a bank, you get money account info, credit scores, security tips, former trades, credit cards, all sorts of good stuff. If you get into a retail environment or online store, it's almost as good. Basically, you get money to spend. In a hospital though, the only unique thing you find out is if someone is sick and with what. That's a pain in the ass to work with. You can try to get more info from all that PII, but again, it's a pain in the ass and available elsewhere. Other stuff is more lucrative for the investment of time, criminal risk, and energy.

    If you were a terrorist, a hospital might be a bit more interesting, but the various hospital disasters I have read about demonstrate that there isn't much a hacker can really do to hurt people. Nurses at the end of the day don't do stupid things and doctors aren't much worse.

    No, hospitals are a stupid place to expend effort.

    • Coming soon to headlines near you:

      The number of STDs this celebrity has will shock you! Now with the names of the partners they got it from!

      You'll never guess who has herpes! Online dating, now with health background checks (including identifiable previous partners) on each potential match.

      Parents, find out if your grown children have had a pregnancy test with this one tool.

      Media leaks from the hack suggest that my opponent has mental health issues, so clearly you should vote for me instead.

      Sorry, we can't

    • by Anonymous Coward

      There is a lot more than that there:

      1: Hacking isn't just downloading a lord-king-God XML file with everyone's info in it. Part of hacking is altering and destroying data. Now, picture the fallout if a celeb's medical records get changed from "fatal allergic to Prozium" to "pump this sucka full of Prozium if he comes in, to stabilize him." Very trivial modification, and would only take a single UPDATE statement at the DB level to do so. The fallout would be a dead celeb [1], then a knee-jerk Congress p

      • 3: Just wanton screwing around with medical records. If someone took a million records and just changed stuff like what meds people were allergic to and what conditions they have, it would render the whole database poisoned. Doing that, a hacker could utterly destroy and shutter a hospital, and wherever the tainted medical records went to. Of course, just the threat of this will get payouts in the tens of millions. Remember, it just takes one zero in a medicine dose to go from therapeutic to lethal in a lot of cases.

        You do realize that people can already do that with paper records as well right? There's also much less effort involved.

      • Should be mod up. By far the most comprehensive description of the threat so far.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      The glut of credit card data on the market means that the going rate for credit card data on the black market right now is about $1/account. Contrast this to $10/health record. (http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924)

      Why?

      1) health records have excellent data to facilitate identity theft
      2) banks have much more rigorous anti-fraud systems in place, and consumers know to check credit reports
      3) Because of #2, fraudulent health insurance claims schemes are goi

    • If you can get into a bank, you get money account info, credit scores, security tips, former trades, credit cards, all sorts of good stuff. If you get into a retail environment or online store, it's almost as good. Basically, you get money to spend.

      Yes, but banking breaches/CC Fraud is so common, that the two times it's happened to me, it's been "an errand" - pick up my dry cleaning, get a haircut, cancel my debit card and submit a fraud form, get drinks for company tonight, put some gas in the car. It's that prevalent that it's a well-trodden path, with laws, protections, procedures, canned forms, and an express line to get it squared away. Medical record fraud is a much more difficult problem. You don't need your particular credit card number. You D

    • A hospital DB might contain a social security number, addresses, illnesses, and birthdate. So what?

      That's enough to apply for a credit card.

    • Hospitals are a pretty stupid target in comparison to banks, physical retail environments, and online stores. A hospital DB might contain a social security number, addresses, illnesses, and birthdate. So what?

      You're forgetting insurance information. Besides all the information you mentioned which is suitable to steal and identity, they can use the health records and insurance for fraud to either get drugs that might be allowed to the real patient or treatment or payment for costly procedures.

  • see — if doctors had just kept to their paper records, they couldnt be hacked..
    lol

  • (sarcasm) "easy and fast access to medical information", why dont you just throw in inexpensive there while you are at it.(/sarcasm)

    We are talking about the US private health care industry, right?

  • 2015 could also be the year of the International Pick-up-sticks championship too.

    What sensationalist garbage.

  • *yawn* Because paper records are sooper seekrit secure?

    http://www.healthdatamanagemen... [healthdatamanagement.com]
    http://www.ydr.com/local/ci_25... [ydr.com]
    http://www.hartfordbusiness.co... [hartfordbusiness.com]
    http://www.fiercehealthcare.co... [fiercehealthcare.com]

  • Really? I am beginning to wonder why I still look at /. after seeing an article like that.

  • I work with smaller doctor offices and their EHR"s. Let me tell you that you all should be terrified with how they run most of their systems. I can't tell you how many docs keep simple passwords and tell their whole staff. Worst is if you get physical access to the office, it's plastered everywhere. Most have a basic setup with windows firewalls and cheap antivirus. None of that matters when the docs or their staff abuse their systems and go just about everywhere on the computers.. Basically, I am just wa
    • If you have physical access to those same offices you could can easily steal their paper records. Most such offices have horrendous physical security.

      During high school and college I worked in the medical records department of a mid-size hospital. It would have been trivially easy to tamper with or even photocopy and walk out with patient records.

  • It's not for credit cards, blackmail, or targeted advertising or any of that small potato stuff.
    It's for filing fake claims to insurance companies and medicare.
    This is already a 100 million dollar/year business.
  • Hospital IT pay is laughable. All of the money goes into doctors, facilities and fancy but mostly unnecessary equipment. Since you mostly get what you pay for, most hospital IT infrastructure is crap.
    Hospitals aren't really the best place to find lots of healthcare information. I mean if you are tracking a celebrity that went into a specific hospital, that is one thing, but if you are datamining for lots of information, there exist larger repositories.
  • Obviously, this author does not know the first fucking thing about hospital EMRs ;-)

  • Posting anonymously because job. I work in IT at a hospital.

    I'm worried about the lax attitude towards security at my workplace. Don't get me wrong, we're serious about privacy. We follow all the HIPPA guidelines and have regular training about them. Any use of records not immediately related to care (research, billing) requires approval of an internal review board. Nothing identifiable leaves the organization (unless it's transfering your records to your new doctor). There's severe criminal penalties for m

    • by Anonymous Coward

      Posting anonymously because job. I work in IT at a hospital.

      The place I work at takes security very seriously - lots of rules for passwords, screens locking after being idle, RSA tokens, etc - and it costs a lot to maintain. Which means we have to charge patients more than places which are lax, or else make a lower margin than they do. Which means we have less patients, which means less money, which means we have to charge patients even more, or else cut out services.

    • Posting anonymously because job. I work in IT at a hospital.

      I'm worried about the lax attitude towards security at my workplace. Don't get me wrong, we're serious about privacy. We follow all the HIPPA guidelines and have regular training about them. Any use of records not immediately related to care (research, billing) requires approval of an internal review board. Nothing identifiable leaves the organization (unless it's transfering your records to your new doctor). There's severe criminal penalties for misuse of records. What we do is logged and monitored. We're absolutely serious about making sure no one here misuses your data. You are safe from us invading your privacy.

      But it's like it never occurs to them that malicious people from outside the organization might want to do something nasty. People can use personal devices to access work resources. Access to critical systems is a remote desktop session away, with handy "remember my password" boxes pre-checked. There is no two-factor authentication. Security training ends at "don't share your password" and "don't click strange links/files in email." There's no awareness of the threat and there's nothing I can do about it. And nothing I've seen at other facilities makes me think we're alone. So, yeah, I'm worried.

      I think it just varies from place to place. Typically once your institution has a significant breach where large numbers of medical records are leaked, they get a major wake-up call when the government hands them a massive fine for HIPAA violation. The last two medical centers I worked at had recent HIPAA smack downs and pretty soon after two-factor authentication was rolled out, USB drives were banned, and non-VPN remote access was dropped. Security was much better there than at academic research centers

  • What was the name of this source and what was the name of the computer facility where this breach occurred? ref [trustedsec.com]
  • Anybody who thinks hospitals are an unlikely target should come to work with me tomorrow. We've had three attacks in the last month, and we're still cleaning up from the one that hit right before Christmas. It's apparently really nasty, something that none of the security firms they've contacted have seen before.
  • North Korea, or disgruntled former employees?

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...