Slashdot Mirror

← Back to Stories (view on slashdot.org)

Healthcare Organizations Under Siege From Cyberattacks, Study Says

Posted by Soulskill on from the it's-hip-to-ignore-hippa dept.

BigVig209 sends this report from the Chicago Tribune: "A new study set to be officially released Wednesday found that networks and Internet-connected devices in places such as hospitals, insurance companies and pharmaceutical companies are under siege and in many cases have been infiltrated without their knowledge. ... In the report, the groups found from September 2012 to October 2013 that 375 healthcare organizations in the U.S. had been compromised, and in many cases are still compromised because they have not yet detected the attacks. ... 'What's concerning to us is the sheer lack of basic blocking and tackling within these organizations,' said Sam Glines, chief executive of Norse. 'Firewalls were on default settings. They used very simple passwords for devices. In some cases, an organization used the same password for everything.'"

61 comments

  1. So much for HIPAA... by Buck+Feta · · Score: 2

    Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information. No threat of punishment == no compliance.

    --
    I am Audience.
    1. Re:So much for HIPAA... by Anonymous Coward · · Score: 0

      What scale of organizations are we talking about here? I don't know of any small private healthcare organization that doesn't consider the owners'/partners' time-efficiency and working preferences to infinitely outweigh the importance of procedures to ensure accountability regarding access to confidential data.

      (Posting AC deliberately because I see this foolishness firsthand as a consultant!)

    2. Re:So much for HIPAA... by Anonymous Coward · · Score: 0

      Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information.

      No threat of punishment == no compliance.

      Well, then perhaps this is where HIPAA needs to take a fucking page from the financial lessons-learned playbook and start handing out actual punishments and fines, starting with some form of Federal-level ban on the kinds of insurance claims they can accept.

      Put pressure to cut out the moneymaker that is Medicare/Medicaid support on any hospital and see how quickly they comply. Old, obese people are worth a LOT of money.

    3. Re:So much for HIPAA... by Opportunist · · Score: 4, Insightful

      The problem is, comply with WHAT? Have you ever read the various "standard compliance requirements"? They're usually worded in a way that leaves holes big enough to move planets through. You'll find a lot of talk about "reasonable" and "adequate" security without any kind of definition whatsoever what these words would mean.

      You will NEVER EVER find something that they could be pinned with, like "leave no default passwords" or "no guest accounts" or even "stateful firewall with [[list of features]]". Never. No chance.

      Of course it's a consultant's dream because no matter what you sell, you're complying. And it's of course no problem for the customer in question to be compliant to rules like that.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:So much for HIPAA... by jythie · · Score: 1

      There is where having a department doing auditing and certification would do the trick. I know people bristle at the idea of centralized bureaucracies , but this is a time where having some group (like CERT) in charge of training auditors and preforming the certifications.

      Years ago when I worked in a lab that needed to be HIPAA certified, our upstream contractor (a hospital) had people who`s job it was to make sure our setup meet the needs otherwise we would not get the data, and yep, we met them. I could see this basic pattern scaling up.

    5. Re:So much for HIPAA... by rhsanborn · · Score: 4, Informative

      Not surprising, really. The only time companies get punished for non-compliance is when they are the ones accessing protected health information. No threat of punishment == no compliance.

      That's not the case at all. HIPAA makes a distinction between covered entities (usually hospitals, doctors, insurance companies), business associates (people providing services for covered entities such as medical coding, transcription, IT services, etc.) that require access to protected health information, and everyone else who isn't allowed to access protected health information. If a covered entity loses or discloses protected health information, or is breached, that entity is responsible for fines under HIPAA, which are being levied regularly. e.g. http://www.healthcareitnews.co...

    6. Re:So much for HIPAA... by Anonymous Coward · · Score: 0

      We run into this all the time. One radiologist group in town does both hospitals and their own clinic. They always complain about having to change their passwords at our facility, as well as other security settings that we implement. 90% of them use the same password on their own systems.

    7. Re:So much for HIPAA... by jbmartin6 · · Score: 1

      "Regularly" is vague. HIPAA was passed in what, 1996? The first fines weren't levied until after 2010. So I think the parent's point is still valid, the act was pretty toothless as far as consequences for quite some time. The ratio of incidents to fines is still very heavily in favor of the careless. If you had a choice between paying $2 million in security or a remote chance of a $1 million fine, which would you take?

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    8. Re:So much for HIPAA... by Medievalist · · Score: 2

      No threat of punishment == no compliance.

      Don't worry, there's no lack of authoritarian punishment built into the system.

      But you know, if merely punishing people stopped them from complying with rules we'd be living in paradise. Our punishment-oriented culture serves to gratify the sadism of our rulers, and doesn't really do much to prevent crime. In real life the most effective way to prevent crime is to ensure the availability of rewarding work... and hospital paperwork, I have to tell you, is the opposite of rewarding labor.

    9. Re:So much for HIPAA... by Anonymous Coward · · Score: 0

      And to think, all of this HIPAA nonsense would be practically nonexistent if we had real first world healthcare. (Single payer socialized healthcare, you limp wristed conservative toadies) The point of these regulations is to protect you from health insurance companies that can and do everything in their power to deny you coverage when you get sick.

    10. Re:So much for HIPAA... by Anonymous Coward · · Score: 0

      had people who`s job

      People who is job? You mean that old guy in the bible?

      Or are you simply semiliterate and meant "whose"? If so, what grade did you drop out of, sixth? Read a few books, dumbass, and you won't make stupid mistales like that. Honestly, if I couldn't read well enough to know who's from whose and there from they're and their and lose from loose, I'd be embarrased to make a logged-in comment.

      Oh, and your job at the lab, what did you do there, wash glassware? Clean toilets?

      Please go back to reddit, this is a nerd site. Nerds are literate, not aliterate or illiterate as you seem to be.

    11. Re:So much for HIPAA... by hawkinspeter · · Score: 1

      If you're going to be so uppity about someone's mistake, then at least spell "embarrased" correctly (and put a hyphen in "semi-literate"). I appreciate the attempt to improve people's writing skills, but you're doing it in a way that makes you look like an arse.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    12. Re:So much for HIPAA... by Anonymous Coward · · Score: 0

      Oh god you mean I'll have to pay 5,000$ fine or higher several 100k per year employees that still cannot guarantee security?

  2. Bad news by Anonymous Coward · · Score: 0

    We're sorry to tell you that your child passed away from a ping timeout...

    1. Re:Bad news by Opportunist · · Score: 4, Funny

      BSOD just got a very new meaning.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Bad news by Chris+Mattern · · Score: 2

      Well, that gives a whole new meaning to Time To Live...

  3. One password. by Savage-Rabbit · · Score: 1

    In some cases, an organization used the same password for everything.'"

    That's not negligence, it's just the Navy keeping up with the times and implementing Single-Sign-On.

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
    1. Re:One password. by oodaloop · · Score: 1

      Glad to see you're keeping up with the times, being that this article is about healthcare and not the Navy.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:One password. by cold+fjord · · Score: 1

      The Slashdot editors exploited their superior agility and got inside his posting decision cycle. His defeat is now assured.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    3. Re:One password. by oodaloop · · Score: 1

      and got inside his posting decision cycle

      You mean his OODALOOP?????

      Ha Ha Ha Ha!!

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  4. Re:I bet this is the Muzzies by Anonymous Coward · · Score: 0

    ... their abominable religion thrives where there is pain, suffering, and misery.

    So do Christianity, news organizations and weapons manufacturers to name a few ... what's your point?

  5. Why is C# .Net used for medical devices? by IgnorantMotherFucker · · Score: 2

    Recall that at least the original license agreement for Sun Java specified that it must not be used to operate nuclear power plants. That got a lot of ridicule but was arguably a good idea.

    From time to time I see posts for medical device coding jobs on craigslist and the like. Quite commonly they require one to have experience with C# .Net.

    That doesn't make a whole lot of sense to me. Heart disease runs in my family. If I get a pacemaker, is it going to be running Microsoft Windows?

    --
    Please mail me URLs of software employers.
    1. Re:Why is C# .Net used for medical devices? by gl4ss · · Score: 1

      no but the ui is going to be written in c#.

      (...so that it'll be deprecated in a few years)

      --
      world was created 5 seconds before this post as it is.
    2. Re:Why is C# .Net used for medical devices? by Chewbacon · · Score: 3

      Rapid application development perhaps. Hospitals are trying to get these systems up and running for the sake of cash deposits and reimbursement from Uncle Sam and every company who can write software, good or bad, wants a piece of it. And yeah, it may run on windows. One of the fluoroscopes in my lab runs Win2K.

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    3. Re:Why is C# .Net used for medical devices? by melikamp · · Score: 1

      From time to time I see posts for medical device coding jobs on craigslist and the like. Quite commonly they require one to have experience with C# .Net. That doesn't make a whole lot of sense to me. Heart disease runs in my family. If I get a pacemaker, is it going to be running Microsoft Windows?

      This is yet another symptom of a very common disease: enter computers, and all of the sudden medical professionals simply ignore patient privacy and security. May be it's for the lack of understanding on the part of individual doctors, but then where are their governing bodies looking? They are selling us out. They must be corrupt three times over.

      Last time I went to a doctor for a regular checkup, I almost asked her: are my responses private? [Yes, I assume] Then why the bloody hell are you typing them into a Windoze? You are sharing them with Microsoft and its affiliates as you are typing them in front of me, so where do they go when I am not looking? I didn't confront her, though, opting instead to be very discrete about my medical condition.

    4. Re:Why is C# .Net used for medical devices? by jythie · · Score: 2

      "Medical devices" covers a lot of area. I suspect things like pace makers are developed using some RTOS while desktop apps designed to connect to devices are written in some commonly used language like C# or Java.

      Though there is probably a lot of pressure due to what kinds of programmers they can find. One thing that pushed LISP out of certain industries, even when it worked really well for individual companies, was difficulty finding experienced programmers.

      Medical devices should probably be programmed using something like Ada, but finding developers for it is getting harder and harder.

    5. Re:Why is C# .Net used for medical devices? by jellomizer · · Score: 1

      Why use C#? Well it is actually rather simple. In many areas they are easier to find developers, then with Java or C.
      Microsoft Products don't suck as much as Slashdot makes them out for. Windows 2000 onward have been very stable, and for the past decade I have seen more Linux Kernel Crashes than Blue Screens of Death. Making your product in C# vs Java isn't that big of a deal, the real issue that I find, is that you are Stuck on Windows, and that sucks because you may want to be flexible with your next upgrade, and at least be able to stick it to Microsoft the next time you renegotiate your licences. (Well all our key apps are Java, if you don't lower your license rate by 20% then we figure it will be cheaper to migrate it all to Linux)

      Healthcare has this other problem. It has been 10 years behind the rest of the technology. You go events pushing state of the art healthcare technology and you see it is stuff that other industries have been using for year. Right now their big push is adding Business Intelligence to their software.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:Why is C# .Net used for medical devices? by Anonymous Coward · · Score: 0

      I see you have a modern fluoro room then. We have a room that is still running NT4. Our biomed guy just had to rebuild a CR reader system that was running Win2K. They are on segregated vlans though.

    7. Re:Why is C# .Net used for medical devices? by maple_shaft · · Score: 1

      Right now their big push is adding Business Intelligence to their software.

      If you ask any IT upper manager or executive in a US health system what Business Intelligence is then if they can give you any answer at all it is some recited drivel fed them by the plethora of vendors selling snake oil at the last HIMS conference.

      Having nearly a decade of experience working as a software engineer for healthcare ISV's and healthcare systems, I have earned a bit of a perspective to why healthcare IT struggles behind nearly every other industry. To understand why things are dysfunctional and why such organizations are teeming with incompetence you need a bit of history into how many of these healthcare systems came to be.

      These large non-profit organizations didn't spring up overnight, they usually started as a loose agreement between a university medical school in need of bright medical professionals for research and teaching, and a number of different hospitals that always have a need for top medical talent. These resulted in a loose confederation of hospitals. When healthcare became big business then the ranks of many of these healthsystems started to be run by MBA's and other executives with more of a business background. At this point things began to be more centralized and federated by consolidating all of the IT resources in the different facilities into one place. Many of these people though used to be nurses or were self educated kids who really knew nothing about IT outside of installing software on a doctors workstation in a small community hospital. Through tenure many of these people rose through the ranks and became the very managers and executives that run many of these healthsystems today.

      So now we have a world today where non-profit health systems reaping MASSIVE profits and having MASSIVE budgets need reasons and excuses to spend so much of their money or else they risk losing their non-profit status. Incompetent management that is in over their head, highly political system of rank and advancement, duct-taped together legacy systems from a number of different hospitals with medical records, money-hungry vendors cashing in on easy sales for "Business Intelligence" and "Analytics" software packages that either don't work or aren't needed, and grueling death march projects that at times seem like a government jobs program with no other reason to exist than to spend money because the board of trustees in these health systems can only take so much of the profits.

      This is all really a massive bubble propped up by massive amounts of money that must be spent, run by people who don't know what they are doing.

    8. Re:Why is C# .Net used for medical devices? by Anonymous Coward · · Score: 1

      You are sharing them with Microsoft and its affiliates as you are typing them

      This is called "paranoia". It's a medical condition.

      opting instead to be very discrete about my medical condition

      So you won't tell your doctor about your paranoia, but you'll tell a random group of people on Slashdot?

      Face it, you're squarely in "wingnut" territory. Microsoft does not keep copies of your data unless you send it to one of their services. They don't care that you're paranoid because it doesn't make them any money. They also don't care about anything else you do or don't do. Nobody is paying attention to you or "spying" on you. You're not that important. Nothing about you is valuable to them. At a certain point, continued paranoid behavior crosses into the realm of narcissism. At that point, everyone laughs at you, not just near you.

    9. Re:Why is C# .Net used for medical devices? by ljw1004 · · Score: 1

      C#' is an ISO standard that runs (great) on ios, android, desktop Linux, netduino, as well as windows

    10. Re:Why is C# .Net used for medical devices? by flyingfsck · · Score: 1

      Hell, an RTOS in a pacemaker makes me shudder. The first pacemaker used a single transistor.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  6. Re:Where's me beta? by Cenan · · Score: 1

    Stop posting AC timothy

    --
    ... whatever ...
  7. of things beyond repair, not worth fixing.... by Anonymous Coward · · Score: 0

    we start anew... free the innocent stem cells... see you there

  8. audubon soc. building replica byrd drones? by Anonymous Coward · · Score: 0

    so our patrons can still have something to watch... they say. right away the WMD on credit cabalists are hacking the repli-byrds causing them to viciously attack the innocent (until now) byrd watchers, & their keepers. uncomplicate remains the keynote...

  9. Firewall it. by Karmashock · · Score: 2

    By which I do not mean putting some off the shelf software or hardware between your network and the federal ACA system. Rather, have an isolated system distinct from the rest of your network which interacts with the ACA. Give that system no access to the rest of your network or vice versa except through very tightly controlled protocols. Effectively, assume that machine is compromised or at least in extreme danger of being compromised.

    Then carry on. Worst case, that isolated system will be infiltrated. But since the Federal ACA system is compromised that's nothing special. Your internal network will remain safe from that vector and you can continue to comply with this federal boondoggle.

    Government... we only take them seriously because they threaten to shoot us. No really. Absent threats of violence who would be complying with the ACA at this point? No one. That's all that keeps this bullshit going.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  10. Simple solution by Anonymous Coward · · Score: 2, Insightful

    We need a law (or laws) that place very painful penalties on any business or organization that suffers a data breach through their own negligence.

    The right wingers who run a lot of these businesses just love to talk about the magical results we can get by relying on the free market. Well, let's see them put their money where their mouth is. Currently, they can be sloppy with their IT practices and pay virtually no price even when something goes wrong that causes considerable pain to their customers/users and society at large. It's a classic externalized cost. Internalize it via triple-damages penalties or something similar, and I guarantee that their IT practices will improve dramatically in a matter of weeks.

    1. Re:Simple solution by jythie · · Score: 1

      the problem is, within that philosophical system (I can not call it economic, that set of economic theories were debunked decades ago) the customers would be the ones to punish the company by going somewhere else and there are no "external costs", the only thing that matters is what on their side of the interface and everything outside that the market magically fixes.

    2. Re:Simple solution by rhsanborn · · Score: 1

      There is a law, it's called HIPAA. Healthcare organizations are very cognizant of HIPAA and do work to avoid breaches of healthcare data. The Department of Health and Human Services does hand out significant fines for breaches. http://www.hhs.gov/ocr/privacy... Additionally, for large breaches, healthcare organizations are required to notify prominent news media, which arguably has a larger financial impact than the fines themselves.

    3. Re:Simple solution by maple_shaft · · Score: 1

      That doesn't work in many areas where many of these healthcare systems have a practical monopoly in their respective regions. There is often no other choice for customers (Let it be known I find that term offensive, they are really patients). They really aren't broken up because they are also "non-profit" which is lately becoming an ethically dubious term for many health systems.

    4. Re:Simple solution by jythie · · Score: 1

      *nods* and even when there are choices in a particular region, often one's health coverage makes the choice for them, and forgoing one's employer provided health care and going to the individual market is often a bad economic choice for individuals or families. So the barrier to voting with one's dollars becomes very high.

  11. Summarize by sociocapitalist · · Score: 0

    Let me summarize the situation so we can avoid having an article for every industry.

    Any business worth any substantial amount of money is, and has been for years, under constant 'cyberattack'.

    --
    blindly antisocialist = antisocial
  12. Cost of IT by Anonymous Coward · · Score: 0

    I have been working in health care IT strictly for 6 years now and the problem is not the lack of security at all from my standpoint. It is however the lack of spine in the industry. We have no one that will stand up in this time of change (read up on meaningful use in health care) and say no.....I will not continue to put the customer at risk just to get this project running. Why not? Because it will cost them their job....why? Because the people leading us into things like the government website fiasco don't get what it is they are asking their IT to do - thus causing IT to continuously lay down project after project that is just barely stood up let alone implement it correctly or bother to maintain it properly. I can speak from experience in the small to midsized markets - the give a hoot is broken in favor of timelines and making some ones project a success for their resumes. It will not change until someone has the spine to stand up and explain in layman's terms the how/why these projects cannot continue to be pounded out in neck breaking speed. As an IT person in health care I can honestly say no one listens to us until something is way past broken and it costs them dearly, which causes me to just want to put my head down in defeat and only do what I am told. Why not.....Every one else can right? Feel free to email tyroniuz (the at sign) Gmail dot com if you care to get any more feedback from the downward spiraling trenches of IT

  13. Not surprising by jbmartin6 · · Score: 1

    I've been there. The organizations just don't care, it is more important to keep doctors happy. There is very little appreciation for IT and its value. And since there are limited consequences for breaches, there is no motivation to change.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  14. We are constantly under attack by hsmith · · Score: 1

    We are a healthcare startup and we get the usual metasploit attacks, but more important we are phished like crazy.

    The information is valuable and because it is, healthcare firm staff will be easy pickings for being targets.

    They simply don't know what they are doing (for instance, there is a 90% chance your doctor is using SMS/MMS to communicate about patients)

  15. I'm guessing its insurance companies. by mark_reh · · Score: 1

    Who else would benefit from knowing your health info? Drug companies could spam you with ads, I suppose, but insurance companies have the most to gain by denying coverage to the "accident prone, chronically ill, and those who might inherit propensities for certain health problems. For health insurers, this has supposedly been fixed under Obamacare, but like taxes, there are many lawyers looking for loopholes and they will certainly find them. And what about life insurance? Those guys would love to have all your medical records...

    1. Re:I'm guessing its insurance companies. by CrimsonAvenger · · Score: 1

      but insurance companies have the most to gain by denying coverage to the "accident prone, chronically ill, and those who might inherit propensities for certain health problems.

      Which is illegal under the ACA, hence irrelevant.

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    2. Re:I'm guessing its insurance companies. by mark_reh · · Score: 1

      Right. And rich people pay income taxes like the rest of us, too.

  16. Nothing to see here! by erroneus · · Score: 1

    This story doesn't indicate that this is largely the NSA collecting information in support of further executive adjustments to the Afraudable Care Act. This is just how they operate. "It's better to beg for forgiveness than to get permission or follow legislation. It's even better to deny that you did it than to beg for forgiveness." --Eric Holder

  17. Low-level DDOS by ahs_boy · · Score: 3, Interesting

    One of my clients is an umbrella organization for a few local community health centers, and there has been a steady stream of empty POST submissions to their website -- at the rate of about 2/second -- for about 4 straight months now. Virtually every hit is from a unique IP address, so the spoofing is either great, or the botnet is enormous. This is normally a VERY low-traffic site, so the attack constitutes about 99% of their traffic at this point.

    I'm assuming that the timing of the start of the attacks -- just as the Affordable Health Care Act came into effect -- is not a coincidence. It's a brain-dead attack, and easy to mitigate, but I'm a bit dumbfounded that it continues to this day, despite having no effect on the accessibility of their site at all.

    1. Re:Low-level DDOS by Anonymous Coward · · Score: 0

      Don't the health centers have their own IP ranges? Can't they filter their traffic?

      Also, POST requests *cannot* happen with spoofed IPs. That's a ridicules idea. TCP handshake does not complete for spoofed IPs hence no POST requests.

      spoofed SYN -> server ACK -> ???? oops

  18. NSA by Lawrence_Bird · · Score: 1

    just wants to know which terrorists are going to the hospital and for what treatment. ordinary citizens have nothing to fear, it is only collecting meta-data about your bloodwork, x-rays, mri's......

  19. How Rude by Anonymous Coward · · Score: 0

    "...and in many cases have been infiltrated without their knowledge."

    That's just a lack of basic courtesy. Whatever happened to the common decency of letting someone know you're about to sneak into their house?

  20. MOD PARENT BULLSHITE by Anonymous Coward · · Score: 0

    The problem is, comply with WHAT? Have you ever read the various "standard compliance requirements"?

    Yes I have. I've read the entire HIPAA and HITECH acts, including the data transfer standards. It takes weeks just to get through the non-standards documents. Luckily I'm paid to do it.

    They're usually worded in a way that leaves holes big enough to move planets through. You'll find a lot of talk about "reasonable" and "adequate" security without any kind of definition whatsoever what these words would mean.

    That's not entirely false. There are many references to clarifications that will be provided by the Secretary of HHS (who tends to pass the buck to NIST these days) and also implicit references to industry best practices and explicitly to the "reasonable man" legal standard (which seems to be what you're referring to).

    You will NEVER EVER find something that they could be pinned with, like "leave no default passwords" or "no guest accounts" or even "stateful firewall with [[list of features]]". Never. No chance.

    Wrong. The only people who can't be "pinned" are the government regulators themselves - the compliance standards, as officially and legally clarified by the Secretary, explicitly reference things like FIPS 140-2 which have exact requirements. Failure to comply with those is punishable. The weasel-wording you've pointed out serves to protect and empower the regulators who are outside of the congressional legislative process, it does nothing to protect non-compliant hospitals, for example.

    Of course it's a consultant's dream because no matter what you sell, you're complying. And it's of course no problem for the customer in question to be compliant to rules like that.

    It's a consultant's dream alright, for two reasons - one, it's a gold mine because the rules constantly change as the Secretary makes "statements", and two, because people like you are spreading inaccurate information about liability. I can't tell you how many times I've heard fools say that "nobody will prosecute us for this..." setting themselves up for a board-mandated takeover of the IT department by consultants.

  21. Sorry about the busted grammar by Medievalist · · Score: 1

    sed 's/complying with/breaking/' <previous post >coherent post

    That'll teach me to use preview mode... oh well, at least the link worked.

  22. Interesing, but I wonder..... by sgt_doom · · Score: 1

    An acquaintance of mine, several years back, worked at a medical coding company called Meddata (based out of Ohio, I believe, and owned by a private equity/leveraged buyout firm) which kept having computer problems, which their inept and incompetent IT sleazoids were unable to prevent. She monitored their systems inhouse, and ascertained that they were being hacked at mercilessly, within the USA region. It didn't take her long to figure it out: the executives there, from a previous company but now in top levels at Meddata, had screwed over numerous people at their previous company (there was, and may still be, a dedicated web site to the lawsuits against that outfit), and people were attempting revenge. Sometimes, it really is that simple.

  23. JCAHO to the rescue! by Anonymous Coward · · Score: 0

    The Joint Commission (the new name for the organization which used to by known as JCAHO) has recently started to cover the IT side of laboratory systems. Failling this leads to the lab losing their license.