Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Medicine IT

Most Healthcare Managers Admit Their IT Systems Have Been Compromised 122

Lucas123 writes: Eighty-one percent of healthcare IT managers say their organizations have been compromised by at least one malware, botnet or other kind of cyber attack during the past two years, and only half of those managers feel that they are adequately prepared to prevent future attacks, according to a new survey by KPMG. The KPMG survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans, and found 65% indicated malware was most frequently reported line of attack during the past 12 to 24 months. Additionally, those surveyed indicated the areas with the greatest vulnerabilities within their organization include external attackers (65%), sharing data with third parties (48%), employee breaches (35%), wireless computing (35%) and inadequate firewalls (27%). Top among reasons healthcare facilities are facing increased risk, was the adoption of digital patient records and the automation of clinical systems.
This discussion has been archived. No new comments can be posted.

Most Healthcare Managers Admit Their IT Systems Have Been Compromised

Comments Filter:
  • by Anonymous Coward

    It's only a matter of time before real programming becomes a licensed profession.

    And as a developer who know what he's doing, I can't fucking wait for all the clowns to be weeded out of my profession.

    And if you don't want actual standards and real legal responsibility, YOU ARE ONE OF THE CLOWNS.

    • All indicators show that programming is becoming less professional, not more so.
      At best, you'll get some sort of liability clauses built into big military / government contracts that will be ultimately toothless when shit goes wrong.

    • by Anonymous Coward

      "And if you don't want actual standards and real legal responsibility, YOU ARE ONE OF THE CLOWNS."

      You don't know many professional working under license, do you? They would show you quite a different point of view.

    • by Z34107 ( 925136 )

      And as a developer who know what he's doing, I can't fucking wait for all the clowns to be weeded out of my profession.

      You can't be that great if you haven't heard of Dunning-Kruger [wikipedia.org].

      • Being licensed profession will stop clueless management from force stuff to be so easy to hack / not willing to pay the costs to have be done right.

        • by Z34107 ( 925136 )

          Being licensed profession will stop clueless management from force stuff to be so easy to hack / not willing to pay the costs to have be done right.

          If you're going to make it illegal for literally anyone else to write software, then maybe. I'd love to see you square your favorite licensing regime with anything resembling open source development.

        • by gweihir ( 88907 )

          The good thing is that licensed professionals have to adhere to professional standards or become liable.

          • The good thing is that licensed professionals have to adhere to professional standards or become liable.

            The problem is who sets those standards.

            No-one knows how to write perfect software, because there is no such thing. Even with technically perfect implementation, there are always questions of requirements and design where at some point the specification of what you need isn't in a neat, unambiguous, technical form.

            Very few people in the world know how to write highly robust and secure software, and the cost of doing so is often high. A few more people are exploring various potentially better ways of doing t

        • NSA spent so much money making the systems insecure, and 20% of systems still not weak enough.

    • It's only a matter of time before real programming becomes a licensed profession.

      And as a developer who know what he's doing, I can't fucking wait for all the clowns to be weeded out of my profession.

      And if you don't want actual standards and real legal responsibility, YOU ARE ONE OF THE CLOWNS.

      They tried licensing exams back in the 1970s and failed. Even back then, the field was too broad for a 1-size-fits-all set of exams. The only ways I can see to make licensing work is by having a trustworthy board that certifies based on proven training or experience. And based on union practices, getting a board that isn't slanted towards "friends" is hard enough.

      Then again, as long as employers hire whoever bids the least over skills or experience, you can forget about them paying for licensed practitioner

    • You are insulting the fine profession OF CLOWNING.

      (although some folks taking up clowning instead of ...)

    • Cool idea. We could call the licensed programmers "Software Engineers", and have it actually be true.

      • by Anonymous Brave Guy ( 457657 ) on Friday August 28, 2015 @08:22AM (#50408761)

        We could call the licensed programmers "Software Engineers", and have it actually be true.

        The trouble is, it wouldn't be, because we're probably still several decades away from the kind of maturity and evidence base we'd need in the industry to actually do software development as a true engineering discipline. It's a laudable goal, but we don't know how to do it yet.

    • It isn't the software that is the danger point. It is piss poor management culture in health care.
      Granted medical software is decades behind the time compared to other sectors. But it is because health care management culture just doesn't get IT.
      There are doctors with their ego, who think med school makes them qualified in all things.
      Then you get higher ups in the business areas who need to pick and choose the fights with the doctors because most of the stuff they want is purely stupid or unreasonable. Plus

      • You make a good point, but it applies beyond healthcare too.

        May I introduce you to the auto industry? They'd like to sell you a new car that is always on-line, accepts OTA updates, and runs the safety-critical vehicle control systems on the same bus as the infotainment controls. What could possibly go wrong? (It's ironic that among the reports of hacks and abuses over recent months, there was also a report suggesting that many customers didn't use or actively didn't want a lot of these new electronic gadget

    • You want to find the scape goat for a security glitch.
      Who is at fault?
      The guy who coded it?
      What wasn't it double checked?
      Was the product rushed out?
      Was the product used for its original use?

      Making it a licensed profession will not improve quality, it will make sure programmer salaries stay high (a good thing), but also reduce startups and new ideas.
      Now it may be more prudent to have the software certified as secure from an outside certificate who isn't paid by the software maker, that will analyze the softw

    • by kmoser ( 1469707 )
      Great idea! I'm glad you're looking forward to following my standards.
  • Solution: (Score:2, Insightful)

    by Anonymous Coward

    Just relocate the servers to Hillary's basement. It's an accountability-free zone. Because obeying laws is for the little people.

    • Re: (Score:2, Informative)

      by ewhac ( 5844 )

      BWHA-HA-HAHAHAH!! Z0MG, you're so Hillary-ous!!

      ...Oh, wait: http://www.dailynewsbin.com/ne... [dailynewsbin.com]

      Looks like e-Ghazi was a big nothing-burger. Which is what we dirty fscking hippies have been saying ever since it was first trotted out. But: Please continue, Governor. Don't let minor things like facts get in the way of a good right-wing misogynistic rant. Your lives are bleak and meaningless enough as it is.

    • Re: (Score:3, Insightful)

      by BVis ( 267028 )

      You assholes never miss a chance to inject your political ideology into a discussion where it's not relevant, do you.

      I can do that too:

      "It looks like healthcare IT has the same attitude towards its quality that George W Bush had towards 9-11."

  • Am I they only one that is completely freaked out by this ? These are some seriously scary numbers !
    • No, many of us have been shouting about this for so long that everyone else stopped listening.

    • by gweihir ( 88907 ) on Thursday August 27, 2015 @08:48PM (#50406599)

      This has zero surprise value to anybody active in the IT security field. And yes, the numbers are scary, but they have been building up to today's abysmal state over several decades, as companies noticed they could get away with it and nothing was happening to them. I now even have heard the head of IT security of a large company serving a lot of customers say that a data-breach was not a reputational risk, because it happened so often these days that customers forget fast.

    • Freaked out in the "gee I'm so totally surprised by this" sense? Not even a little.

      Freaked out that organizations continue to be grossly incompetent with IT and security and bear no responsibility? Absolutely.

      This stuff is all around us, on a constant basis. That these guys know they've been compromised and done nothing means they are either incompetent, or so grossly underfunded there was only ever going to be one outcome.

      But apparently being grossly negligent and incompetent with security isn't somethi

    • Am I they only one that is completely freaked out by this ? These are some seriously scary numbers !

      I think some context is important. From what I can tell is a criminal organization hacking the hospital so they can access patient records and blackmail the patients is going to be counted the same as the secretary opening an email attachment, getting a virus, and temporarily turning into part of a botnet. It might not even be clear from IT's perspective which is which but I'm guessing most of those breaches are fairly benign.

    • Re:Holey Moley (Score:5, Insightful)

      by coofercat ( 719737 ) on Friday August 28, 2015 @06:55AM (#50408241) Homepage Journal

      These numbers are basically bollocks. I'd be prepared to bet that 80% of any businesses, large, small or from the planet Zod have had a malware infection within the last 2 years. The point is that they're asking if they've had *any* problem - it could be that someone clicked a link, they realised their mistake and called IT to rebuild their machine, right up to confidential data transmission to parties unknown.

      If they'd asked "have you lost any confidential patient data in the last 2 years?", I bet the number admitting to it would be virtually zero. For those that have lost data and know about it, they've either been out in public already, or else are doing everything they can to cover it up as it could be commercial suicide to admit such a thing. I'll bet the majority of companies of any sort couldn't be sure data had been lost unless it was a massive loss or performed by some idiot employee who got caught loading his desktop into the back of his car. Admitting you caught a virus here or there is pretty much a zero-risk thing to admit, because in most cases it causes no direct harm other than some extra work for some IT folks.

      For all its worth, we could ask "has your home network been port scanned in the last year?". 80% of slashdotters would say yes, the other 20% would say no because they haven't checked, and yet nothing of value was gained or lost as a result. For extra click bait, I could then add "port scanning is the first step to far more serious hacks which could result in data loss" (which would mimic all the scaremongering in the article, all of which is attributed to KPMG).

  • I wish I could request paper records. Some old systems are better than the replacement. I would rather not be entered into any electronic system.

    The current electronic record systems are notoriously hard to use. Nurses and doctors end up copying and pasting and clicking through these systems with little regard to the accuracy of the data. As a result, when there is a lawsuit, the extremely poor data quality of the medical records ends up hugely supporting the plaintiff.

    From a more basic perspective: whe

    • by Tablizer ( 95088 )

      I wish I could request paper records. Some old systems are better than the replacement.

      Better yet, let's use stone tablets so that it's harder for thieves to steal more than a few at a time. Paper is too easy to slip under a coat or tunic. And rats & moths eat it.

      Never once was Fred Flintstone hacked.

    • by Z34107 ( 925136 ) on Thursday August 27, 2015 @07:46PM (#50406325)

      I wish I could request paper records.

      You really don't. I've shilled for EHRs before [slashdot.org], but the TL;DR is

      • Paper charts kill people. They don't check for drug interactions; they don't double-check that you've got the right patient when you're operating or administering medications; in the case of a recall, they can't tell you who received a bad batch of a vaccine; and they certainly can't tell a first responder that unconscious you is allergic to blue dye, unless they already happen know your regular clinic and have a fax machine in the ambulance.
      • Paper charts are useless for patient care. The hospitalist trying to reconcile what you were taking at home with what they want to give you in the hospital can't actually determine whether they're about to kill you if the cardiologist treating your heart attack happened to take the only copy of the chart to enter his notes. If they made a second copy for the cardiologist, there's no guarantee his notes and medications will ever get entered into the hospitalists copy, or into pharmacy's copy, who might also wonder why two different doctors plus your PCP are trying to dose you on blood thinners, or into your regular doctor's copy, who might be totally unaware of the cardiologist's findings
      • Paper charts are expensive. If nobody knows that you already had a lab or an X-Ray, they're going to order it again. If they do know you had one of the above, you're going to have to wait for a fax, or for them to mail negatives. Because handwriting and general disorganization, especially over a long admission, tends to make them write-only, it's much harder to know exactly what they gave you and why, which makes it harder to justify to the government or an insurance company why they should pay your tab.

      That doesn't mean the electronic versions don't have terrible, even maddening, flaws, but even the worst are better than paper.

  • Only the technically illiterate use 'cyber' in relation to the Internet. Please stop embarrassing your readers.

    "those surveyed indicated the areas with the greatest vulnerabilities within their organization include external attackers (65%), sharing data with third parties (48%), employee breaches (35%), wireless computing (35%) and inadequate firewalls (27%)."

    In todays distributed, objects-in-the-cloud type of Internet, anti-virus are mostly ineffectual, so are firewalls as procedure calls can be rela
  • Healthcare records should have zero connection to your finances.
    • The problem is, that's not something that could be realistically done. Health insurance has to have your SSN to determine identity and for tax purposes - the insurer needs to make sure they are billing the right people, and they need to make sure that their clients can verify their insurance information because of the way health insurance (especially through an employer) interacts with the tax system. Most employer-provided health insurance is paid for pre-tax, and if the IRS comes along with any questions

      • by guruevi ( 827432 )

        So the health care provider needs a health insurance subscriber number, not an SSN to identify someone. The health provider can in turn have the SSN but that limits the surface significantly.

    • Would be nice if we could have 2-3 National ID numbers of varying security so that we could give the low security one to places like that, reserving the high security one for things like finances.
      • by eth1 ( 94901 )

        Would be nice if we could have 2-3 National ID numbers of varying security so that we could give the low security one to places like that, reserving the high security one for things like finances.

        No, we need to fundamentally change the system so that its "security" doesn't rely on the secrecy of a few widely distributed numbers.

  • Malware could mean something as simple as "the accountant tried to install a screensaver." This story really doesn't tell us anything about how often critical medical systems are attacked......

    (and of course the systems are vulnerable, just like every other system connected to the internet).
    • Deliberate attacks generally target insurance data. You can't make much off of knowing someone got a booboo, but insurance fraud is a gold mine.

      That isn't to say that ambient malware isn't finding its way everywhere else. The reality is that modalities (CTs, MRIs, etc.), are rarely patched, many are running ancient versions of Windows. Re-imaging systems--sometimes near daily at some facilities--is the normal strategy for addressing malware. Lack of support from the manufacturer being principally to bla

    • by gweihir ( 88907 )

      "The accountant tried to install a screensaver." does not usually generate a security incident.

  • by QuietLagoon ( 813062 ) on Thursday August 27, 2015 @08:33PM (#50406533)
    It wouldn't surprise me if the statistic held true across all industries.
    • by gweihir ( 88907 )

      With the abysmal state of IT security these days? No you will get no argument from me.

      • With the abysmal state of IT security these days? No you will get no argument from me.

        Let's look at why IT security is where it's at today: We have people forcing new, untested, cool buzzword technology into the workplace that are not needed.

  • The company I work for, Bright Plaza [brightplaza.com], has a SAAS that can almost eliminate the risk of phishing attacks and several other threats, while improving the user login experience. (It's a proof of knowledge SAAS that can support almost any type of proof of knowledge, from text and picture passwords to cognitive self tests and others.) And, based on the number of Lamborghini's at the Healthcare IT conferences, there's no lack of money available. Even more, the HIPAA lawas make it extremely expensive to expose cl

  • by stinkydog ( 191778 ) <sd@@@strangedog...net> on Thursday August 27, 2015 @09:28PM (#50406795) Homepage

    20% of Healthcare CIOs are idiots or liars. Every healthcare organization has seen the basic web malware on the the inside of the firewall. If they haven't been cyptolockered at least once, the do not use the internet. Patching in healthcare sucks. Doctors do anything they want with IT systems. If you have an electronic healthcare record, someone unauthorized has seen it. Hospitals systems are busy building new sites and cutting IT 10%. I saw one EHR deployment where every client/user logged into the database as "SA". The only faith I have in the system is that it has been compromised already...

    SD

    • > 20% of Healthcare CIOs are idiots or liars.

      Or both., I'm afraid. Or the survey was badly constructed. I've seen a number of security compliance surveys, especially now with HIPAA laws affecting health care security, that were designed to allow hospital IT departments to claim more or less security with subtle interpretation. The result is that for medical IT staff who needed more security funding, and wanted to justify the work, they'd answer the surveys one way and say "we have a problem, we need to

    • I saw one EHR deployment where every client/user logged into the database as "SA".

      Unfortunately this isn't limited to heatlhcare. I know of banks (plural) where everyone in the office logged into their Novell systems as "admin". Everyone.

      • . I know of banks (plural) where everyone in the office logged into their Novell systems as "admin".

        That is the ultimate security...could you even find a black hat person willing to bother with Novell anymore?

  • by Behrooz Amoozad ( 2831361 ) on Thursday August 27, 2015 @11:13PM (#50407115)
    I have hacked into 3 different hospitals, not large ones, moderate size.
    None of which took more than 15 minutes to do, And I did it with my phone because I was bored waiting in line to see the doctor.
    Got all the doctors names, what surgery is where, the insurance contacts, the accounting data, how much everyone gets paid(best part) but didn't touch patient data because I knew that one has it's own criminal penalties.
    Point being no one noticed, no one cares to notice, after years they still don't know.
    I didn't even go after the hospitals seriously, I used a fucking phone.
    I don't know how much harder it can be to penetrate insurance companies or large hospital chains. but it can be done in a timely manner. I beleive You can actually have a timetable for hacking them because they all use the same crappy software vendors.
  • by cpm99352 ( 939350 ) on Thursday August 27, 2015 @11:23PM (#50407143)
    Incompetence abounds in the health care industry:

    1. Legacy mainframe systems that have no data integrity - dates like 99/99/9999 are considered valid

    2. Legacy mainframe systems that have no data integrity - tabs present in names & addresses, so a tab-delimited extract then proves challenging

    3. IT Staff who refuse to block China and the -stans (despite having only US coverage), saying that it is not a complete solution.

    4. On the database side, passwords stored in cleartext. Surprisingly, this apparently isn't a violation of PCI rules.


    My advice? If you have a sensitive claim, pay cash and don't involve the insurance company. This is difficult, and may require you to use a different doctor when going this route. Bonus points if you can use fake ID. You would be absolutely astonished at where the claims data goes. Third parties get all sorts of data. HIPAA exclusions are enormous. If you think only your doctor knows about your embarassing drug addiction/sexual disease/mental health problem you are grossly mistaken.
  • Why is this surprising to anyone? I am sure it is quite similar in every industry. Between businesses cutting their IT staff (especially common between 2008-2012), moving from dedicated security people to having the admins be responsible for security as a secondary responsibility, to having dedicated security people from certificate factories who are more interested in checklists and getting shiny new toys from whichever vendor gets them the best bribe (movie tickets, sports game tickets, etc.); how is anyo

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...