Most Healthcare Managers Admit Their IT Systems Have Been Compromised
Lucas123 writes: Eighty-one percent of healthcare IT managers say their organizations have been compromised by at least one malware, botnet or other kind of cyber attack during the past two years, and only half of those managers feel that they are adequately prepared to prevent future attacks, according to a new survey by KPMG. The KPMG survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans, and found 65% indicated malware was the most frequently reported line of attack during the past 12 to 24 months. Additionally, those surveyed indicated the areas with the greatest vulnerabilities within their organization include external attackers (65%), sharing data with third parties (48%), employee breaches (35%), wireless computing (35%) and inadequate firewalls (27%). Top among the reasons healthcare facilities are facing increased risk was the adoption of digital patient records and the automation of clinical systems.
Re: (Score:1)
The only real solution is to give the whole project over to the NSA. They'll make sure nobody else has access to the data, unless they get paid.
Aaaand *NOTHING* happens to them... (Score:1, Interesting)
It's only a matter of time before real programming becomes a licensed profession.
And as a developer who knows what he's doing, I can't fucking wait for all the clowns to be weeded out of my profession.
And if you don't want actual standards and real legal responsibility, YOU ARE ONE OF THE CLOWNS.
Re: (Score:2)
All indicators show that programming is becoming less professional, not more so.
At best, you'll get some sort of liability clauses built into big military / government contracts that will be ultimately toothless when shit goes wrong.
Re: (Score:1)
"And if you don't want actual standards and real legal responsibility, YOU ARE ONE OF THE CLOWNS."
You don't know many professionals working under license, do you? They would show you quite a different point of view.
Re: (Score:3)
And as a developer who knows what he's doing, I can't fucking wait for all the clowns to be weeded out of my profession.
You can't be that great if you haven't heard of Dunning-Kruger [wikipedia.org].
clueless management (Score:3)
Being a licensed profession will stop clueless management from forcing stuff to be so easy to hack / not being willing to pay the costs to have it done right.
Re: (Score:2)
Being a licensed profession will stop clueless management from forcing stuff to be so easy to hack / not being willing to pay the costs to have it done right.
If you're going to make it illegal for literally anyone else to write software, then maybe. I'd love to see you square your favorite licensing regime with anything resembling open source development.
Re: (Score:2)
The good thing is that licensed professionals have to adhere to professional standards or become liable.
But who will watch the watchers^Wregulators? (Score:2)
The good thing is that licensed professionals have to adhere to professional standards or become liable.
The problem is who sets those standards.
No-one knows how to write perfect software, because there is no such thing. Even with technically perfect implementation, there are always questions of requirements and design where at some point the specification of what you need isn't in a neat, unambiguous, technical form.
Very few people in the world know how to write highly robust and secure software, and the cost of doing so is often high. A few more people are exploring various potentially better ways of doing t
Re: (Score:1)
NSA spent so much money making the systems insecure, and 20% of systems still not weak enough.
Re: (Score:2)
It's only a matter of time before real programming becomes a licensed profession.
And as a developer who knows what he's doing, I can't fucking wait for all the clowns to be weeded out of my profession.
And if you don't want actual standards and real legal responsibility, YOU ARE ONE OF THE CLOWNS.
They tried licensing exams back in the 1970s and failed. Even back then, the field was too broad for a 1-size-fits-all set of exams. The only ways I can see to make licensing work is by having a trustworthy board that certifies based on proven training or experience. And based on union practices, getting a board that isn't slanted towards "friends" is hard enough.
Then again, as long as employers hire whoever bids the least over skills or experience, you can forget about them paying for licensed practitioner
Hey! back off the insults! (Score:1)
You are insulting the fine profession OF CLOWNING.
(although some folks taking up clowning instead of ...)
Re: (Score:3)
Cool idea. We could call the licensed programmers "Software Engineers", and have it actually be true.
Re:Aaaand *NOTHING* happens to them... (Score:5, Insightful)
We could call the licensed programmers "Software Engineers", and have it actually be true.
The trouble is, it wouldn't be, because we're probably still several decades away from the kind of maturity and evidence base we'd need in the industry to actually do software development as a true engineering discipline. It's a laudable goal, but we don't know how to do it yet.
Re: (Score:2)
It isn't the software that is the danger point. It is piss poor management culture in health care.
Granted medical software is decades behind the time compared to other sectors. But it is because health care management culture just doesn't get IT.
There are doctors with their ego, who think med school makes them qualified in all things.
Then you get higher ups in the business areas who need to pick and choose the fights with the doctors because most of the stuff they want is purely stupid or unreasonable. Plus
It's not just healthcare, either (Score:3)
You make a good point, but it applies beyond healthcare too.
May I introduce you to the auto industry? They'd like to sell you a new car that is always on-line, accepts OTA updates, and runs the safety-critical vehicle control systems on the same bus as the infotainment controls. What could possibly go wrong? (It's ironic that among the reports of hacks and abuses over recent months, there was also a report suggesting that many customers didn't use or actively didn't want a lot of these new electronic gadget
Re: (Score:2)
You want to find the scape goat for a security glitch.
Who is at fault?
The guy who coded it?
Why wasn't it double checked?
Was the product rushed out?
Was the product used for its original use?
Making it a licensed profession will not improve quality, it will make sure programmer salaries stay high (a good thing), but also reduce startups and new ideas.
Now it may be more prudent to have the software certified as secure from an outside certificate who isn't paid by the software maker, that will analyze the softw
Solution: (Score:2, Insightful)
Just relocate the servers to Hillary's basement. It's an accountability-free zone. Because obeying laws is for the little people.
Re: (Score:2, Informative)
BWHA-HA-HAHAHAH!! Z0MG, you're so Hillary-ous!!
...Oh, wait: http://www.dailynewsbin.com/ne... [dailynewsbin.com]
Looks like e-Ghazi was a big nothing-burger. Which is what we dirty fscking hippies have been saying ever since it was first trotted out. But: Please continue, Governor. Don't let minor things like facts get in the way of a good right-wing misogynistic rant. Your lives are bleak and meaningless enough as it is.
Re: (Score:2)
All that counts is winning. Morals, ethics, basic honesty, those are for everyone else. You're probably not allowed to be a cannibal in politics, but that's just about the only real line there is.
Re: (Score:2)
If I took 300 million in bribes I would retire for the rest of my life, not stay in the public eye.
Re: (Score:3, Insightful)
You assholes never miss a chance to inject your political ideology into a discussion where it's not relevant, do you?
I can do that too:
"It looks like healthcare IT has the same attitude towards its quality that George W Bush had towards 9-11."
Re:Solution: (Score:4, Informative)
"It looks like healthcare IT has the same attitude towards its quality that George W Bush had towards 9-11."
What are you talking about? Healthcare IT is a disaster, but 9/11 was a smashing success for Bush.
Holey Moley (Score:2)
half aren't adequately prepared the rest are liars (Score:1)
No, many of us have been shouting about this for so long that everyone else stopped listening.
Re: (Score:2)
Very true, unfortunately.
Re:Holey Moley (Score:4)
This has zero surprise value to anybody active in the IT security field. And yes, the numbers are scary, but they have been building up to today's abysmal state over several decades, as companies noticed they could get away with it and nothing was happening to them. I now even have heard the head of IT security of a large company serving a lot of customers say that a data-breach was not a reputational risk, because it happened so often these days that customers forget fast.
Re: (Score:2)
Freaked out in the "gee I'm so totally surprised by this" sense? Not even a little.
Freaked out that organizations continue to be grossly incompetent with IT and security and bear no responsibility? Absolutely.
This stuff is all around us, on a constant basis. That these guys know they've been compromised and done nothing means they are either incompetent, or so grossly underfunded there was only ever going to be one outcome.
But apparently being grossly negligent and incompetent with security isn't somethi
Re: (Score:2)
Am I the only one that is completely freaked out by this? These are some seriously scary numbers!
I think some context is important. From what I can tell, a criminal organization hacking the hospital so they can access patient records and blackmail the patients is going to be counted the same as the secretary opening an email attachment, getting a virus, and temporarily turning into part of a botnet. It might not even be clear from IT's perspective which is which, but I'm guessing most of those breaches are fairly benign.
Re:Holey Moley (Score:5, Insightful)
These numbers are basically bollocks. I'd be prepared to bet that 80% of any businesses, large, small or from the planet Zod have had a malware infection within the last 2 years. The point is that they're asking if they've had *any* problem - it could be that someone clicked a link, they realised their mistake and called IT to rebuild their machine, right up to confidential data transmission to parties unknown.
If they'd asked "have you lost any confidential patient data in the last 2 years?", I bet the number admitting to it would be virtually zero. For those that have lost data and know about it, they've either been out in public already, or else are doing everything they can to cover it up as it could be commercial suicide to admit such a thing. I'll bet the majority of companies of any sort couldn't be sure data had been lost unless it was a massive loss or performed by some idiot employee who got caught loading his desktop into the back of his car. Admitting you caught a virus here or there is pretty much a zero-risk thing to admit, because in most cases it causes no direct harm other than some extra work for some IT folks.
For all its worth, we could ask "has your home network been port scanned in the last year?". 80% of slashdotters would say yes, the other 20% would say no because they haven't checked, and yet nothing of value was gained or lost as a result. For extra click bait, I could then add "port scanning is the first step to far more serious hacks which could result in data loss" (which would mimic all the scaremongering in the article, all of which is attributed to KPMG).
Give me a choice (Score:2)
I wish I could request paper records. Some old systems are better than the replacement. I would rather not be entered into any electronic system.
The current electronic record systems are notoriously hard to use. Nurses and doctors end up copying and pasting and clicking through these systems with little regard to the accuracy of the data. As a result, when there is a lawsuit, the extremely poor data quality of the medical records ends up hugely supporting the plaintiff.
From a more basic perspective: whe
Re: (Score:1)
Better yet, let's use stone tablets so that it's harder for thieves to steal more than a few at a time. Paper is too easy to slip under a coat or tunic. And rats & moths eat it.
Never once was Fred Flintstone hacked.
Re: (Score:2)
Etching them in cave walls in ideograms might do the trick.
Re: (Score:2)
Ah yes, that was in the days before Stonebamacare. Poor Barney, his quarry health insurance didn't cover testicle reattachment.
Re:Give me a choice (Score:5, Insightful)
I wish I could request paper records.
You really don't. I've shilled for EHRs before [slashdot.org], but the TL;DR is
That doesn't mean the electronic versions don't have terrible, even maddening, flaws, but even the worst are better than paper.
Re:Give me a choice (Score:4, Informative)
I hear you--even within a hospital system, and even where standards exist, it's a pain. Ultrasound machines (for those that aren't imaging informaticists) are supposed to speak DICOM [wikipedia.org], but some do it creatively--one technically sent DICOM messages over the network, but most of what they contained was wrapped inside a proprietary XML blob rather than standard DICOM fields. What standard fields were implemented were implemented strangely, waffling between spelling out measurements ("centimeters") or using their abbreviations, mixing case, and reporting measurements to absurd precision (dozens of zeroes after the decimal point, for a bone measured in millimeters).
Sharing charts between hospitals is a mire of politics. There's the government's own Direct standard, which they mandated every hospital use to send charts, without any indication of what the recipient is supposed to do--a lot pipe them to /dev/null, because the vaguely defined content of the message is often useless and redundant with existing methods of communication. They're now working on legalese to require that you "do something" with the messages you receive, but exactly what that is (and how to objectively prove that you did it) they're still figuring out.
Then there are organizations like Commonwell, trying to monetize a data-sharing "standard" not even their founding members could be bothered to implement. They haven't sent a single chart as far as I know, but that doesn't stop them from issuing press releases praising their "interoperability" with the same frequency AT&T issues press releases praising their gigabit fiber.
Then there are HISPs (centralized, sometimes quasi-public, repositories of patient information). Some have managed to legislate themselves as mandatory middlemen, and, having done so, have proceeded to extract monopoly rents over the transmission of outdated and incorrect patient information. Even better is provider look-up--if they give you the wrong fax number for a physician, you are responsible for the HIPAA violation when a random gas station gets someone's medical information. This causes them to care as much as you'd expect about the integrity of the data they peddle (and that you're required to buy).
It's frustrating, because medical information has to be shared for it to be of use--there's no use having a mammography if no one will read the results, or if the people treating you can't access the study and have to order their own.
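The "creative" DICOM output described in that comment (measurements spelled as "centimeters" or "cm" in mixed case, with absurd precision, wrapped in a vendor XML blob) is the kind of thing an integration engine has to normalize before the numbers go anywhere near a chart. The following is an added example, not code from the commenter or from any vendor: the unit table, the element names in the XML blob and the sample values are all constructed for illustration. It parses a blob of that shape, converts each length to millimetres, rounds to two places, and reports anything it cannot interpret instead of silently passing it through.

```python
import re
import xml.etree.ElementTree as ET
from decimal import Decimal, ROUND_HALF_UP

# Unit spellings seen in vendor output, mapped to a millimetre multiplier.
# Constructed for this example; it is not a list taken from the DICOM standard.
UNIT_TO_MM = {
    "mm": 1, "millimeter": 1, "millimeters": 1, "millimetre": 1, "millimetres": 1,
    "cm": 10, "centimeter": 10, "centimeters": 10, "centimetre": 10, "centimetres": 10,
    "m": 1000, "meter": 1000, "meters": 1000, "metre": 1000, "metres": 1000,
}

# number, optional whitespace, alphabetic unit; nothing else is accepted
MEASUREMENT_RE = re.compile(r"^\s*([+-]?\d+(?:\.\d+)?)\s*([A-Za-z]+)\s*$")

# Constructed sample blob in the shape the comment describes (hypothetical element names).
SAMPLE_BLOB = """<Measurements>
  <Measurement name="FemurLength">1.2500000000000000 Centimeters</Measurement>
  <Measurement name="HeadCircumference">30.1 cm</Measurement>
  <Measurement name="NuchalFold">4.2 MM</Measurement>
  <Measurement name="Unknown">N/A</Measurement>
</Measurements>"""


def normalize_length_mm(raw, places=2):
    """Turn '1.2500000000000000 Centimeters' or '12.5mm' into a Decimal in millimetres,
    rounded half-up to `places` decimals. Raises ValueError on anything unparseable,
    on an unknown unit, or on a negative length."""
    match = MEASUREMENT_RE.match(raw)
    if not match:
        raise ValueError(f"unparseable measurement: {raw!r}")
    value = Decimal(match.group(1))
    unit = match.group(2).lower()          # tolerate 'Centimeters', 'CM', 'mm', ...
    if unit not in UNIT_TO_MM:
        raise ValueError(f"unknown unit {unit!r} in {raw!r}")
    mm = value * UNIT_TO_MM[unit]
    if mm < 0:
        raise ValueError(f"negative length: {raw!r}")
    return mm.quantize(Decimal(10) ** -places, rounding=ROUND_HALF_UP)


def extract_measurements(blob):
    """Pull every <Measurement name=...> out of a vendor XML blob.
    Returns ({name: Decimal mm}, [problem descriptions]) so bad values are
    reported rather than dropped. For blobs from an untrusted device, swap in a
    hardened XML parser; ElementTree is used here only because the input is constructed."""
    root = ET.fromstring(blob)
    results, problems = {}, []
    for element in root.iter("Measurement"):
        name = element.get("name", "<unnamed>")
        try:
            results[name] = normalize_length_mm(element.text or "")
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    return results, problems


if __name__ == "__main__":
    values, issues = extract_measurements(SAMPLE_BLOB)
    for name, mm in values.items():
        print(f"{name}: {mm} mm")
    for issue in issues:
        print("skipped:", issue)
```

Rounding is done with Decimal rather than float so a value like 1.25 cm lands on exactly 12.50 mm; the precision cap is the defence against the "dozens of zeroes" the comment mentions, and the problems list is what you would surface to the imaging informaticist instead of letting a bad field disappear.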
Re: (Score:2)
Certain kinds of errors have decreased dramatically. Computers reduce wrong patient/wrong medication errors dramatically, especially in systems that require you to scan the patient's barcode (to make sure you have the right patient), and then scan each medication's barcode (to make sure you've got the right meds). There's a lot of scholarly research available if you search for EHR medication errors, but this [exscribe.com] is one of the first non-paywalled things that pops up in Google.
Other issues are more challenging.
Re: (Score:2)
Keep searching, m8. There really is a lot of stuff out there: Medication errors: prevention using information technology systems [nih.gov]
Re: (Score:2)
It doesn't do ANYTHING you are talking about
EHRs absolutely do do all of those things, including checking drug interactions, allergies, and pregnancy and lactation warnings, and there absolutely is scholarly evidence of their effectiveness if you care to Google. Here's one concluding barcoding and CPOE [nih.gov] are "vital."
If your EHR doesn't do those things, then that's a defect peculiar to whatever software you're using.
The medication lists are ALWAYS wrong or misleading as they are huge and hard to read, harder to update
You think they were any shorter, easier, or more up to date on paper? A bad computer system can make med rec harder, but even a good one
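The two comments above describe what a barcode medication administration step actually checks: scan the patient's wristband, scan the medication, confirm the pair matches an active order, then run the allergy and interaction rules. The following is an added example sketching that logic; it is not code from either commenter or from any EHR product. The patient records, medication barcodes, allergy classes and interaction pairs are constructed sample data, not clinical reference tables.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    patient_id: str   # value on the patient's wristband barcode
    med_barcode: str  # value on the medication package barcode
    drug: str


# Constructed sample data for the example (not real patients or product codes).
PATIENTS = {
    "PT-1001": {"allergies": {"penicillin"}, "active_meds": {"warfarin"}},
    "PT-1002": {"allergies": set(), "active_meds": set()},
}
# medication barcode -> (drug name, allergy class it belongs to, or None)
MEDICATIONS = {
    "MED-0001": ("amoxicillin", "penicillin"),
    "MED-0002": ("ibuprofen", "nsaid"),
    "MED-0003": ("acetaminophen", None),
}
# Drug pairs that raise an interaction warning (constructed, not a clinical reference).
INTERACTIONS = {frozenset({"warfarin", "ibuprofen"})}
ORDERS = [
    Order("PT-1001", "MED-0002", "ibuprofen"),
    Order("PT-1001", "MED-0003", "acetaminophen"),
    Order("PT-1002", "MED-0001", "amoxicillin"),
]


def verify_administration(scanned_patient, scanned_med, patients=PATIENTS,
                          meds=MEDICATIONS, orders=ORDERS, interactions=INTERACTIONS):
    """Checks run at the bedside after both barcodes are scanned.
    Returns a list of alerts: ['OK'] when the scans match an active order and no
    rule fired; 'HARD_STOP' entries block administration, 'WARNING' entries need
    a clinician's acknowledgement."""
    patient = patients.get(scanned_patient)
    if patient is None:
        return ["HARD_STOP: unrecognised patient barcode"]
    med = meds.get(scanned_med)
    if med is None:
        return ["HARD_STOP: unrecognised medication barcode"]
    drug, allergy_class = med
    alerts = []

    # Right patient / right drug: the scanned pair must match an active order.
    if not any(o.patient_id == scanned_patient and o.med_barcode == scanned_med for o in orders):
        if any(o.med_barcode == scanned_med for o in orders):
            alerts.append(f"HARD_STOP: {drug} is ordered for a different patient")
        else:
            alerts.append(f"HARD_STOP: no active order for {drug}")

    # Allergy check against the documented allergy list.
    if allergy_class and allergy_class in patient["allergies"]:
        alerts.append(f"HARD_STOP: documented {allergy_class} allergy")

    # Interaction check against what the patient is already taking.
    for current in sorted(patient["active_meds"]):
        if frozenset({current, drug}) in interactions:
            alerts.append(f"WARNING: {drug} interacts with {current}")

    return alerts or ["OK"]


if __name__ == "__main__":
    for scan in [("PT-1001", "MED-0003"), ("PT-1001", "MED-0002"),
                 ("PT-1002", "MED-0002"), ("PT-1001", "MED-0001")]:
        print(scan, "->", verify_administration(*scan))
```

The wrong-patient case is deliberately distinguished from the no-order case: a medication that exists on some other patient's order is the classic swap error the barcode scan is there to catch, and the message should say so rather than a generic "not ordered".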
Re: (Score:1)
They probably hacked her phone too.
Attack of the cyber attack malware .. (Score:2)
"those surveyed indicated the areas with the greatest vulnerabilities within their organization include external attackers (65%), sharing data with third parties (48%), employee breaches (35%), wireless computing (35%) and inadequate firewalls (27%)."
In today's distributed, objects-in-the-cloud type of Internet, anti-virus are mostly ineffectual, so are firewalls as procedure calls can be rela
One more reason not to use SSN for healthcare ID (Score:2)
Re: (Score:2)
The problem is, that's not something that could be realistically done. Health insurance has to have your SSN to determine identity and for tax purposes - the insurer needs to make sure they are billing the right people, and they need to make sure that their clients can verify their insurance information because of the way health insurance (especially through an employer) interacts with the tax system. Most employer-provided health insurance is paid for pre-tax, and if the IRS comes along with any questions
Re: (Score:3)
So the health care provider needs a health insurance subscriber number, not an SSN to identify someone. The health provider can in turn have the SSN but that limits the surface significantly.
Re: (Score:2)
Would be nice if we could have 2-3 National ID numbers of varying security so that we could give the low security one to places like that, reserving the high security one for things like finances.
No, we need to fundamentally change the system so that its "security" doesn't rely on the secrecy of a few widely distributed numbers.
malware (Score:2)
(and of course the systems are vulnerable, just like every other system connected to the internet).
Re: (Score:2)
And on the plus-side, if somebody dies as a result, a hospital is an ideal place for that to not attract notice until the numbers become significant. Sure, errors are made and if for every 100 dead from human error, you have 1 dead from computer compromise, I can live with that. As long as it is not targeted. (And I know that wherever decisions are made, errors are made and that is just as it is and we have to live with it. Not making decisions is far worse.)
These days, most hackers do not have the knowledg
Re: (Score:2)
Why aren't the nursing stations locked down? Why are they even running Windows? Why does your application require such high privileges?
The first thing to do would be to boot the ridiculous vendor requirements from the system(s) and either go with a decent system or build your own.
Re: (Score:2)
Deliberate attacks generally target insurance data. You can't make much off of knowing someone got a booboo, but insurance fraud is a gold mine.
That isn't to say that ambient malware isn't finding its way everywhere else. The reality is that modalities (CTs, MRIs, etc.), are rarely patched, many are running ancient versions of Windows. Re-imaging systems--sometimes near daily at some facilities--is the normal strategy for addressing malware. Lack of support from the manufacturer being principally to bla
Re: (Score:2)
"The accountant tried to install a screensaver." does not usually generate a security incident.
Why just healthcare IT managers? (Score:4, Insightful)
Re: (Score:2)
With the abysmal state of IT security these days? No you will get no argument from me.
Re: (Score:2)
With the abysmal state of IT security these days? No you will get no argument from me.
Let's look at why IT security is where it's at today: We have people forcing new, untested, cool buzzword technology into the workplace that are not needed.
Those same executives are resistant to updating (Score:2)
The company I work for, Bright Plaza [brightplaza.com], has a SAAS that can almost eliminate the risk of phishing attacks and several other threats, while improving the user login experience. (It's a proof of knowledge SAAS that can support almost any type of proof of knowledge, from text and picture passwords to cognitive self tests and others.) And, based on the number of Lamborghinis at the Healthcare IT conferences, there's no lack of money available. Even more, the HIPAA laws make it extremely expensive to expose cl
In other news... (Score:3)
20% of Healthcare CIOs are idiots or liars. Every healthcare organization has seen the basic web malware on the inside of the firewall. If they haven't been cryptolockered at least once, they do not use the internet. Patching in healthcare sucks. Doctors do anything they want with IT systems. If you have an electronic healthcare record, someone unauthorized has seen it. Hospital systems are busy building new sites and cutting IT 10%. I saw one EHR deployment where every client/user logged into the database as "SA". The only faith I have in the system is that it has been compromised already...
SD
Re: (Score:2)
> 20% of Healthcare CIOs are idiots or liars.
Or both, I'm afraid. Or the survey was badly constructed. I've seen a number of security compliance surveys, especially now with HIPAA laws affecting health care security, that were designed to allow hospital IT departments to claim more or less security with subtle interpretation. The result is that for medical IT staff who needed more security funding, and wanted to justify the work, they'd answer the surveys one way and say "we have a problem, we need to
Re: (Score:2)
I saw one EHR deployment where every client/user logged into the database as "SA".
Unfortunately this isn't limited to healthcare. I know of banks (plural) where everyone in the office logged into their Novell systems as "admin". Everyone.
Re: (Score:2)
I know of banks (plural) where everyone in the office logged into their Novell systems as "admin".
That is the ultimate security...could you even find a black hat person willing to bother with Novell anymore?
It's 100%, those numbers are lies (Score:3)
None of which took more than 15 minutes to do, and I did it with my phone because I was bored waiting in line to see the doctor.
Got all the doctors' names, what surgery is where, the insurance contacts, the accounting data, how much everyone gets paid (best part) but didn't touch patient data because I knew that one has its own criminal penalties.
Point being no one noticed, no one cares to notice, after years they still don't know.
I didn't even go after the hospitals seriously, I used a fucking phone.
I don't know how much harder it can be to penetrate insurance companies or large hospital chains, but it can be done in a timely manner. I believe you can actually have a timetable for hacking them because they all use the same crappy software vendors.
No surprise - I work in the industry (Score:5, Informative)
1. Legacy mainframe systems that have no data integrity - dates like 99/99/9999 are considered valid
2. Legacy mainframe systems that have no data integrity - tabs present in names & addresses, so a tab-delimited extract then proves challenging
3. IT Staff who refuse to block China and the -stans (despite having only US coverage), saying that it is not a complete solution.
4. On the database side, passwords stored in cleartext. Surprisingly, this apparently isn't a violation of PCI rules.
My advice? If you have a sensitive claim, pay cash and don't involve the insurance company. This is difficult, and may require you to use a different doctor when going this route. Bonus points if you can use fake ID. You would be absolutely astonished at where the claims data goes. Third parties get all sorts of data. HIPAA exclusions are enormous. If you think only your doctor knows about your embarrassing drug addiction/sexual disease/mental health problem you are grossly mistaken.
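Items 1, 2 and 4 of that list are each fixable at the boundary where legacy data is taken in or handed out, and the fixes are small. The following is an added example, not the commenter's code or any insurer's: it strictly validates a legacy MM/DD/YYYY date so that 99/99/9999 is rejected, reports control characters such as tabs in name and address fields, produces a tab-delimited extract that survives a tab inside a field by quoting every field, and stores a password as a salted scrypt hash instead of cleartext. The sample records and field names are constructed for the example.

```python
import csv
import hashlib
import hmac
import io
import os
from datetime import date

# Constructed sample of what a legacy mainframe extract might hand over:
# a placeholder date and a tab embedded inside a name field.
SAMPLE_RECORDS = [
    {"member_id": "M001", "name": "DOE, JANE", "address": "1 MAIN ST", "dob": "02/29/2000"},
    {"member_id": "M002", "name": "SMITH,\tJOHN", "address": "2 OAK AVE", "dob": "99/99/9999"},
]


def parse_legacy_date(text):
    """Strictly parse MM/DD/YYYY. Placeholder values such as 99/99/9999 return None."""
    parts = text.split("/")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    month, day, year = (int(p) for p in parts)
    try:
        return date(year, month, day)      # rejects month 99, day 99, Feb 29 2001, ...
    except ValueError:
        return None


def control_chars(value):
    """Set of ASCII control characters (tab, CR, LF, ...) present in a field."""
    return {ch for ch in value if ord(ch) < 0x20 or ord(ch) == 0x7F}


def validate_record(rec):
    """Data-quality findings for one record; an empty list means the record is clean."""
    findings = []
    if parse_legacy_date(rec["dob"]) is None:
        findings.append(f"dob: {rec['dob']!r} is not a real date")
    for field in ("name", "address"):
        bad = control_chars(rec[field])
        if bad:
            findings.append(f"{field}: contains control characters {sorted(map(repr, bad))}")
    return findings


def export_tsv(records):
    """Tab-delimited extract that quotes every field, so an embedded tab cannot
    shift the columns of the row it sits in."""
    buf = io.StringIO()
    writer = csv.writer(buf, dialect="excel-tab", quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["member_id", "name", "address", "dob"])
    for rec in records:
        writer.writerow([rec["member_id"], rec["name"], rec["address"], rec["dob"]])
    return buf.getvalue()


def import_tsv(text):
    """Read the extract back; a quoted tab stays inside its field instead of splitting it."""
    return list(csv.DictReader(io.StringIO(text), dialect="excel-tab"))


# Work-factor parameters for scrypt (16 MiB of memory per hash at these settings).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_password(password, salt=None):
    """Salted scrypt hash stored as 'salt$digest' in hex; the cleartext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["member_id"], validate_record(rec) or "clean")
    print(export_tsv(SAMPLE_RECORDS))
```

The validator reports rather than silently "cleaning" a record: the tab in a legacy name field is a data-quality fact the owning system should fix, while quoting on export is what keeps the downstream extract parseable in the meantime. The scrypt parameters are a reasonable default for an example; tune them to the login latency you can afford.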
Not surprising (Score:2)
Why is this surprising to anyone? I am sure it is quite similar in every industry. Between businesses cutting their IT staff (especially common between 2008-2012), moving from dedicated security people to having the admins be responsible for security as a secondary responsibility, to having dedicated security people from certificate factories who are more interested in checklists and getting shiny new toys from whichever vendor gets them the best bribe (movie tickets, sports game tickets, etc.); how is anyo
Re: (Score:2)
It really depends.
Are we talking 'true' socialism in big fat quotes?
Or are we talking the kind of system that tends to occur when socialists implement their policies?
It's the same with communism or capitalism as abstract ideals.
We can theorize that the Soviet Union was not truly communist. But there never was an ideal communist state.
We can theorize what an ideal libertarian state could be, but there never was such a state.
Yet at the end of the day, what actually matters is the policy that comes out.
The ACA is in