Slashdot Mirror


Physician Operates On Server, Costs His Hospital $4.8 Million

Hugh Pickens DOT Com (2995471) writes "Jaikumar Vijayan reports at Computerworld that a physician at Columbia University Medical Center (CU) attempted to "deactivate" a personally owned computer from a hospital network segment that contained sensitive patient health information, creating an inadvertent data leak that is going to cost the hospital $4.8 million to settle with the U.S. Department of Health and Human Services (HHS). The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web. The breach was discovered after the hospital received a complaint from an individual who discovered personal health information about his deceased partner on the Web. An investigation by the HHS Office for Civil Rights (OCR) found that neither Columbia University nor New York Presbyterian Hospital, who operated the network jointly, had implemented adequate security protections, or undertook a risk analysis or audit to identify the location of sensitive patient health information on the joint network. "For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question," say the hospitals. "We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS." HHS has also extracted settlements from several other healthcare entities over the past two years as it beefs up the effort to crack down on HIPAA violations. In April, it reached a $2 million settlement with Concentra Health Services and QCA Health Plan. Both organizations reported losing laptops containing unencrypted patient data."

143 comments

  1. Typcial by nurb432 · · Score: 4, Insightful

    This is why you have IT staff, and you let them do their jobs. Typical "I'm a doctor, I went to school and know everything" mentality.

    Too bad they didn't fine the actual doctor instead of the hospital as it was his personally irresponsible actions that caused the breech, not hospital policy.

    --
    ---- Booth was a patriot ----
    1. Re:Typcial by TchrBabe · · Score: 1

      Not just the "I'm a doctor..." mentality, it is characteristic of the whole healthcare system - if you aren't a _____ (fill in the blank with EMT, LPN, RN, PA, PhD, hospital admin) you don't know anything (in their minds). I wonder if they even had an IT department, or if they did, if it was competent (and not composed of the relative of one of the high end staff members - some kid who "built his own computer so he knows what he is doing"). The ability of the doctor to access and alter network settings indicates that the network wasn't properly configured, whether or not it was a privately owned computer.

    2. Re: Typcial by DigiShaman · · Score: 2

      I've done IT work for many clinics here in Houston, and I've never run into that mentality before. I suppose it depends on the circles you do work with. In my case, it was next to impossible to get anything approved when they're too busy to handle anything business related. Again, these were small clinics.

      What they should be using is BitLocker. It can be overly sensitive in that any major Windows Update, driver, and BIOS will flag for the recovery key at boot. You can back the key up to AD or have it stored elsewhere however. But when using BitLocker for an organization, you really want a competent IT admin around to deal with this solution.

      BTW, you could use Linux or Mac. For the sake of practicality of the discussion, I'm assuming most clinics use Windows already with an AD forest.

      --
      Life is not for the lazy.
    3. Re:Typcial by rotorbudd · · Score: 2

      I bet this was the typical "I'm a physician. I'm the smartest person in the building. I can handle anything."
      See: The most dangerous thing in the world
        "A Doctor in a Bonanza"

      --
      A bullet may have your name on it, but artillery is addressed to " Whom It May concern"
    4. Re:Typcial by Anonymous Coward · · Score: 1

      Your "IT staff" were idiots for letting this guy have his own machine on the network. Fire those bozos too.

    5. Re:Typcial by Anonymous Coward · · Score: 0

      Too bad they didn't fine the actual doctor instead of the hospital as it was his personally irresponsible actions that caused the breech, not hospital policy.

      What do pants have to do with this?

    6. Re:Typcial by nurb432 · · Score: 2

      I used the term *doctor* for a reason, and did not want to limit it to "physician". I have seen this same attitude in other industries as well, far too often.

      And sure, not all educated people are like that, but I do tend to see a lot of them get a big head at a particular point.

      --
      ---- Booth was a patriot ----
    7. Re:Typcial by Anonymous Coward · · Score: 0

      Yeah, they screwed up, but you've clearly never tried saying "no" to an "I'm a DOCTOR, dammit!" type. We all know what SHOULD be done in a case like this, but when you're dealing with a bully who probably CAN get you fired, sometimes it's hard to stand on principle.

    8. Re:Typcial by Kjella · · Score: 5, Insightful

      Except for IT of course. If you can master a computer then your impeccable logic and reasoning skills will make any other subject a piece of cake.

      --
      Live today, because you never know what tomorrow brings
    9. Re:Typcial by nurb432 · · Score: 1

      I have seen those people too, thus 'any industry' in my statement.

      --
      ---- Booth was a patriot ----
    10. Re:Typcial by Anonymous Coward · · Score: 0

      Very common that when someone becomes an expert in something they believe themselves an expert in everything.

      Can't tell from the fluffy article whether it was a doctor's hubris or a dysfunctional IT dept. that should take the blame.

    11. Re: Typcial by the_B0fh · · Score: 2

      How would BitLocker help in this case? Just curious why you think it'd help when it is information that's being exposed on the Internet, on a server that is running, and attached to the Internet, and not stolen laptops.

    12. Re:Typcial by StripedCow · · Score: 1

      Not true. The IT people over at CERN didn't understand a bit about the subject they were working on. Thus, they decided to have some fun and invented the internet.

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
    13. Re:Typcial by Anonymous Coward · · Score: 1

      This is why you have IT staff, and you let them do their jobs. Typical "i'm a doctor, i went to school and know everything" mentality.

      Too bad they didn't fine the actual doctor instead of the hospital as it was his personally irresponsible actions that caused the breech, not hospital policy.

      Let's not be throwing stones here... Plenty of people on Slashdot have the "I'm an IT guy, I taught myself computers and know everything" mentality.

    14. Re:Typcial by Anonymous Coward · · Score: 0

      It's the same for some lawyers. Some of the biggest assclowns I've ever met were lawyers.

    15. Re:Typcial by JoeMerchant · · Score: 1

      Malpractice insurance mentality....

    16. Re:Typcial by Jeremy+Erwin · · Score: 2

      The HHS press release says

      The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.

      So, the physician wasn't completely clueless about computers, though perhaps HHS is being deliberately vague about his exact role.

    17. Re:Typcial by Anonymous Coward · · Score: 0

      Except they didn't.

    18. Re:Typcial by Anonymous Coward · · Score: 1

      Reminds me of that old joke:

      Q: What's the difference between God and a surgeon?
      A: God doesn't think he's a surgeon.

    19. Re:Typcial by Jonner · · Score: 1

      In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

      The details are sparse, but it doesn't sound to me that the specific doctor was any more to blame than the IT people. It's hard to imagine how deactivating one machine would expose private information if that information were on properly secured systems in the first place. The scenario I can easily imagine is that the machines with private information were accessed with insecure protocols and all the doctor in question did was to plug them into a more public switch or router.

    20. Re:Typcial by Bing+Tsher+E · · Score: 1

      Also, all you need to do to 'master a computer' is learn how to put together a clone using off-the-shelf parts and a Phillips screwdriver. I remember how empowering it was to install Linux on a cheap clone box back in 1994, then build an 'internet' in my apartment by attaching surplus '386sx boxes on it with 3C503 cards and coax.

      The biggest problem some IT people have is that they think the group of enamored people surrounding them who rely on them for help represent the whole world, and not the bubble they've created. You convinced your boss you know your stuff. Better be careful, because younger people who got their first PC when they were 4 are coming up in the ranks.

    21. Re:Typcial by Bing+Tsher+E · · Score: 1

      It most certainly was NOT an IT person at CERN who invented the HTTP protocol. He was a practicing scientist. The 'IT' people were probably busy replacing ribbons and making sure the paper wasn't spilling off the tractor feed mechanisms.

    22. Re:Typcial by WarJolt · · Score: 1

      The answer is simple. Cloud based medical records and disallow local caching. A PC is disconnected, no problem. It scales and it allows you to consolidate security. I never understood why we trust IT staffs with medical record security. You really need a Dev Ops team for that.

    23. Re:Typcial by wonkey_monkey · · Score: 1

      He was a practicing scientist.

      Yes; a practising computer scientist (albeit one with a degree in physics) working as an independent software contractor. I'd call him an IT person.

      --
      systemd is Roko's Basilisk.
    24. Re:Typcial by symbolset · · Score: 1

      I'm a doctor Jim, not a network security analyst.

      --
      Help stamp out iliturcy.
    25. Re:Typcial by Calydor · · Score: 1

      And yet he yanked a rib out of Adam. I smell a malpractice lawsuit in the making.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    26. Re: Typcial by otherniceman · · Score: 2

      At a company I worked for the CFO had used BitLocker to encrypt his disk and didn't tell anyone. He was the only person in the company that had done this. We went through a major domain migration which failed and so a new domain was created and everyone moved to it. Suddenly the CFO could not access his machine anymore and they could not recover anything.

    27. Re: Typcial by cbreak · · Score: 2

      That sounds stupid. He should have used proper encryption like Apple's FileVault or TrueCrypt. Those work independently of that domain stuff. And they allow you to back up a recovery key too.

    28. Re:Typcial by Anonymous Coward · · Score: 0

      Sure, building and running a PC is easy. Building a network is easy. Knowing the right way to do it to scale to your environment, making it useful, highly available and secure... that's why there are IT people, as opposed to arrogant know-it-alls who built a PC once.

      You sound like the idiot who cost his hospital several million dollars in the OP-- probably by removing it from the domain, but leaving the web server (which shouldn't have been on his personal machine) still running and serving out PHI (which shouldn't have been on his web server) without authentication.

      It reminds me of the joke about the plumber who came out one night to fix a customer's clogged drain. He looked at the pipes, tapped on a couple, pulled out a rubber mallet, and knocked the side of a pipe. The drain cleared, and he told the homeowner "that'll be $105"-- the homeowner said "$105 just to hit a pipe with a hammer?", and the plumber responded "$5 to hit the pipe-- $100 for knowing which pipe and how hard".

      I'm directly responsible for about 150 servers right now-- I updated OpenSSL on all of them in under 5 minutes with two commands when Heartbleed broke, after generating a report of which servers had vulnerable versions (so we could regenerate certificates). That's the difference between an IT professional, and someone who built a PC one time.

      Besides... the up and coming kids have iPads, that they've never seen the inside of, and have no clue how it works anyway.

    29. Re:Typcial by Anonymous Coward · · Score: 0

      It's not restricted by profession.

      Back in the 90s, the firm I was with was installing a full ethernet network in a law office - moving from 286/386 PCs to Pentium II's. Also included were 2 servers - 1 file server, and 1 server solely for the billing database.

      The receptionist (who "knew computers", and was responsible for 75% of our call outs to the location) got dicking around one day, and wiped the billing server. (Hey, don't look at me - I didn't set permissions). Being smart people, though, we'd installed a solid backup system (that worked). Total loss was a few hours of data entry. The receptionist got to have a long chat with the Sr. Partner spearheading the project about the use of the company PCs.

    30. Re:Typcial by X0563511 · · Score: 1

      Port Security.

      There's no "no" to say. "We're sorry, only devices installed by IT can access the network."

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    31. Re:Typcial by Anonymous Coward · · Score: 0

      Yep. Man's troubles began with that incident.

    32. Re: Typcial by Anonymous Coward · · Score: 0

      Dev Ops?? Hand in your geek card on the way out.

    33. Re:Typcial by Hognoxious · · Score: 1

      3C503 cards

      As I type I'm resting my feet on a machine with one of those in it. Still worked last time I fired it up (which was probably last year...).

      They don't make 'em like that anymore.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    34. Re: Typcial by kbg · · Score: 1

      Yes, the mistake was using Microsoft software, which has these major bugs. You don't have the encryption connected to the domain...period.

    35. Re:Typcial by OakDragon · · Score: 2

      The patient never recovered.

    36. Re:Typcial by Anonymous Coward · · Score: 0

      The breech is the rear or lower part of any object, such as the breech of a cannon, it doesn't just mean pants. (Hence "breech birth" when the lower part of the baby breaches first.)

    37. Re:Typcial by nurb432 · · Score: 1

      Even if you aren't 'completely clueless' you should let the experts that you pay do their jobs and stay out of the way. ( regardless of what that job is )

      --
      ---- Booth was a patriot ----
    38. Re:Typcial by nurb432 · · Score: 1

      No matter how competent you are, or wrong it is to do it, when the guy that writes your paycheck says 'do this', you have 3 basic choices:

      1 - Do it ( and if you are smart, document it )
      2 - Leave
      3 - Refuse ( and get fired )

      Also not everyone has option 2 available to them on a whim, so oftentimes 1 and 2 are tied together, in a delayed fashion. 3 is never the best option.

      --
      ---- Booth was a patriot ----
    39. Re: Typcial by Anonymous Coward · · Score: 1

      No, the mistake was using an incompetent admin who wasn't able to perform a simple domain migration. BitLocker did its job, protecting the data; the fault lies with the admin.

    40. Re:Typcial by Anonymous Coward · · Score: 0

      They may be looking for data about my hospital resurrection... but it is irrelevant, no one will care about it except people who dislike the issue. Meanwhile, a genocide keeps its course here in NYC and nobody'll care because it is mostly women and you can catalog them as foreigners, probably, not as American foreign interest or American colony either.

    41. Re:Typcial by nhat11 · · Score: 1

      Who +1 nurb432 for insightful? If you met any average doctor, most don't care to tell you they don't know anything about computers because they only want to focus on medicine. The ignorance in this post lol

    42. Re:Typcial by Anonymous Coward · · Score: 0

      Would you rather have the world know your name and address, or that you have mega-herpes with a side of colon cancer?

  2. wait a minute by Anonymous Coward · · Score: 5, Insightful

    If they're gonna blame the doctor for "attempting to deactivate" something, they have to explain wth that means...otherwise it's just a scapegoat

    1. Re: wait a minute by DigiShaman · · Score: 1

      Most likely suspended or deactivated BitLocker. That, and perhaps removed it from the domain and back into workgroup mode.

      --
      Life is not for the lazy.
    2. Re:wait a minute by NemoinSpace · · Score: 1

      The advantage of being vague and obtuse probably glosses over several other specific HIPAA violations that would drag several other responsible higher ups into the mud and saved them another million dollars in fines. That is why companies spend more on administrators than on IT. /What we really need is to expand H1-b's. After all, they've been telling us that for years and we just don't get it/ hmmm, why did I wait till the last sentence to add a sarcasm tag?

    3. Re: wait a minute by cbiltcliffe · · Score: 1

      You can't remove computer from the demand without the domain admin password. If they're handing out that password to end users, they've got a whole other series of problems.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    4. Re: wait a minute by bill_mcgonigle · · Score: 1

      Most likely suspended or deactivated BitLocker. That, and perhaps removed it from the domain and back into workgroup mode.

      Nah, neither of those things would have made patient information available over the World Wide Web.

      It sounds like nonsense, frankly.

      Probably to protect the anaesthesiologist. Oh, did the article not say it was an anaesthesiologist? But it always is.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re: wait a minute by Jeremy+Erwin · · Score: 2

      My guess is that he or she was developing an app for fellow doctors, and was running a backend on a personally owned server for testing purposes. When app development was complete, the physician reconfigured this machine to work on other projects, but neglected to scrub it of HIPAA data, or access rights to this data.

      The computer was then opened up to the outer world for another project that didn't involve patient data -- Google searched the machine and found the data trove.

      But perhaps I'm reading too much into
      "The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. "

    6. Re: wait a minute by David_Hart · · Score: 3, Informative

      You can't remove computer from the demand without the domain admin password. If they're handing out that password to end users, they've got a whole other series of problems.

      Wrong, you just have to have local Admin rights.

      The proper way to remove a computer from the domain is to log in as a user with local admin rights and then enter a domain account with the rights to Add/Remove Computers. This removes the computer from the domain and deletes the computer account from the domain.

      However, you can also log in as a user with local admin rights and when prompted, after selecting Workgroup mode, enter a crap ID and password when prompted for domain credentials. The domain part will fail, but the computer will be switched to workgroup mode on reboot. The difference is that there is now an orphaned computer account still listed in the domain. But the client is now no longer on the domain as far as it is concerned.

      The reason why this is allowed is simply because a mechanism is needed to switch a computer from domain mode to workgroup mode if, for some reason, the domain is unavailable.
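
The workgroup switch described above leaves a computer account in the directory that nothing authenticates against anymore, and that is the trace a defender can look for. The script below is an added example, not code from the thread or from either hospital: it reads a constructed CSV export of computer accounts (assumed columns name,lastLogonTimestamp in ISO 8601 UTC, as one might build from Get-ADComputer output) and lists the accounts that have gone quiet for longer than a chosen window.

```python
"""Find domain computer accounts that have stopped authenticating.

Added example (not from the thread). Assumes a CSV export of computer
accounts with columns name,lastLogonTimestamp in ISO 8601 UTC, e.g. built
from Get-ADComputer output; the rows and the reference date are constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed export: two machines still on the domain, two that went
# quiet (the trace an orphaned account leaves), one that never logged on.
SAMPLE_EXPORT = """name,lastLogonTimestamp
WS-RADIOLOGY-01,2014-05-06T08:12:00Z
WS-LAB-07,2014-05-07T17:45:00Z
DR-PERSONAL-PC,2014-02-11T09:30:00Z
SRV-APPTEST-02,2013-12-20T22:05:00Z
SRV-NEVER-USED,
"""

# Constructed "today" so the report is reproducible.
REFERENCE_NOW = datetime(2014, 5, 8, tzinfo=timezone.utc)


def parse_export(text):
    """Yield (name, last_logon) pairs; last_logon is None if never set."""
    for row in csv.DictReader(io.StringIO(text)):
        ts = row["lastLogonTimestamp"].strip()
        if not ts:
            yield row["name"], None
            continue
        # Accept the trailing "Z" form that older Python versions reject.
        yield row["name"], datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_accounts(text, now=REFERENCE_NOW, max_age_days=30):
    """Sorted names of accounts with no logon inside max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(
        name for name, last in parse_export(text)
        if last is None or last < cutoff
    )


def report(text, now=REFERENCE_NOW, max_age_days=30):
    """One human-readable line per stale account."""
    return ["%-16s no logon in the last %d days" % (name, max_age_days)
            for name in stale_accounts(text, now, max_age_days)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```

The window should not be shorter than about two weeks: the lastLogonTimestamp attribute is replicated lazily (by default it can lag the true last logon by up to 14 days), so tighter thresholds produce false alarms. A stale account only tells you a machine left the domain; it says nothing about what data that machine still holds, which is the part of this incident the thread keeps coming back to.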

    7. Re:wait a minute by Mendy · · Score: 3, Informative

      This describes it in a little more detail.

      My guess is that he turned off a webapp which then caused the HTTP server to provide open directory access. This doesn't explain why he was doing it though or indeed why he was able to.
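
If that guess is right, the check a defender wants is which served directories permit automatic indexing. The auditor below is an added example, not code from the thread or from either hospital: it reads a constructed Apache-style configuration with a weak server-wide `Options Indexes` beside a hardened version, and it models only one level of `Options` inheritance (server-wide, then a `<Directory>` block), not nested blocks or .htaccess files.

```python
"""Audit an Apache-style config for directories that allow auto-indexing.

Added example (not from the thread). Both configurations are constructed.
The evaluator follows httpd's Options semantics for one inheritance level:
a directive whose tokens all carry +/- merges into the inherited set, an
absolute directive replaces it, and "All" means everything but MultiViews.
"""
import re

WEAK_CONFIG = """
DocumentRoot /var/www/html
Options Indexes FollowSymLinks
<Directory /var/www/html/app>
    Options -Indexes
</Directory>
<Directory /var/www/html/exports>
    Options All
</Directory>
"""

HARDENED_CONFIG = """
DocumentRoot /var/www/html
Options -Indexes +FollowSymLinks
<Directory /var/www/html/app>
    Options -Indexes
</Directory>
<Directory /var/www/html/exports>
    Require all denied
</Directory>
"""

ALL_OPTIONS = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
               "Indexes", "SymLinksIfOwnerMatch"}


def apply_options(current, tokens):
    """Return the option set after one Options directive is applied."""
    relative = [tok[0] in "+-" for tok in tokens]
    if all(relative):
        result = set(current)
        for tok in tokens:
            names = ALL_OPTIONS if tok[1:] == "All" else {tok[1:]}
            result = result | names if tok[0] == "+" else result - names
        return result
    if any(relative):  # httpd rejects a mix of relative and absolute tokens
        raise ValueError("Options mixes relative and absolute forms: %r" % tokens)
    result = set()
    for tok in tokens:
        if tok == "All":
            result |= ALL_OPTIONS
        elif tok != "None":
            result.add(tok)
    return result


def directories_with_indexes(config_text):
    """Paths where Indexes ends up enabled; '*' stands for the server root."""
    server_opts = set()
    blocks = {}          # directory path -> list of Options token lists
    current_dir = None
    for raw in config_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line)
        if opened:
            current_dir = opened.group(1).strip()
            blocks.setdefault(current_dir, [])
            continue
        if line.lower() == "</directory>":
            current_dir = None
            continue
        if line.lower().startswith("options "):
            tokens = line.split()[1:]
            if current_dir is None:
                server_opts = apply_options(server_opts, tokens)
            else:
                blocks[current_dir].append(tokens)
    exposed = ["*"] if "Indexes" in server_opts else []
    for path, directives in blocks.items():
        opts = set(server_opts)  # each block inherits the server-wide set
        for tokens in directives:
            opts = apply_options(opts, tokens)
        if "Indexes" in opts:
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    print("weak config lists:", directories_with_indexes(WEAK_CONFIG))
    print("hardened config lists:", directories_with_indexes(HARDENED_CONFIG))
```

Note what the hardened version does with the exports directory: it does not merely turn listing off, it denies access, because disabling `Indexes` only stops the server from enumerating files, not from serving one whose name is already known. Data that must never be public belongs outside the document root altogether.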

    8. Re: wait a minute by Rich0 · · Score: 1

      As pointed out, you only need local admin access, and if you're going to let people use their own computers on the network, then it stands to reason that they'll have local admin access.

      The solution to this problem is to not attach computers to the hospital systems which aren't owned and administered by the hospital.

    9. Re:wait a minute by Anonymous Coward · · Score: 0

      This describes it in a little more detail.

      My guess is that he turned off a webapp which then caused the HTTP server to provide open directory access. This doesn't explain why he was doing it though or indeed why he was able to.

      This. Exactly this. Hospital IT... You fail.
      Captcha: failings

      (I am CS/BME)

    10. Re:wait a minute by DarwinSurvivor · · Score: 1

      Someone needs to take a cluebat to whoever set the server to default to "directory access".

    11. Re: wait a minute by mpe · · Score: 1

      However, you can also log in as a user with local admin rights and when prompted, after selecting Workgroup mode, enter a crap ID and password when prompted for domain credentials.

      In practice all you need to do is enter anything, including a single space, into the username box.

    12. Re: wait a minute by cbiltcliffe · · Score: 1

      You can't remove computer from the demand without the domain admin password. If they're handing out that password to end users, they've got a whole other series of problems.

      Bloody autocorrect. That's what I get for typing posts using my phone.

      Can't say that I've ever tried it on a system with local admin rights. Usually I don't set up my domains in such a manner, because users can't resist the fuzzy kitten videos that come with free....ahem...."screensavers".

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  3. The old laptop security chink by rmdingler · · Score: 5, Insightful

    It's not clear why a physician had a personally owned system connected to the network, or why he was attempting to deactivate it.

    Of course it is. It was more convenient for him/her personally, despite putting sensitive patient data at risk in a venue beyond the doctor's ken.

    It's a commons tragedy (the Bizarro-World Spock-doctrine): better for one at the expense of the many.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:The old laptop security chink by mwvdlee · · Score: 2

      A personally owned system doesn't come with all those annoying login passwords and security confirmations.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:The old laptop security chink by Bill_the_Engineer · · Score: 5, Insightful

      Hospitals are slow about refreshing their IT hardware and the hospital in TFA involves physicians working for both New York Presbyterian and Columbia University Medical Center. I wouldn't be surprised that the only way the physician could get a newer laptop capable of running his software in a reasonable amount of time was to order one with his own money and have the IT staff configure it for him.

      The article has the smell of bullshit coming from the IT department that was ultimately responsible. Instead of saying they mishandled offboarding the physician's computer, they gave the impression that the physician was directly responsible for the breach. If a medical physician can cause a website to appear on the hospital network and have that page accessible to the internet then I think it's about time to clean house and the hospital seriously needs to find new IT staff.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    3. Re:The old laptop security chink by TobinLathrop · · Score: 2

      And this, ladies and gentlemen, is why BYOD in more than a few types of work place is a phenomenally fucking stupid idea. Oh I need to take this back now, let me undo the network things... oh the company data, I guess that's okay for now...

    4. Re:The old laptop security chink by Rich0 · · Score: 1

      And this, ladies and gentlemen, is why BYOD in more than a few types of work place is a phenomenally fucking stupid idea. Oh I need to take this back now, let me undo the network things... oh the company data, I guess that's okay for now...

      Yup. Companies want to treat "bring your own device" as if it meant "pay for the company's device" and it isn't surprising that this causes problems. They should simply provision employees with devices if they want them to work remotely/etc.

    5. Re:The old laptop security chink by Anonymous Coward · · Score: 0

      It's a commons tragedy (the Bizarro-World Spock-doctrine): better for one at the expense of the many.

      Nope. It's a Bizarro-World Napoleonic quote:

      Never ascribe to incompetence that which is adequately explained by incompetence.

      >INB4 Hanlon

    6. Re:The old laptop security chink by Anonymous Coward · · Score: 0

      Never ascribe to incompetence that which is adequately explained by malice.

      FTFY.

    7. Re:The old laptop security chink by Anonymous Coward · · Score: 0

      And this, ladies and gentlemen, is why BYOD in more than a few types of work place is a phenomenally fucking stupid idea. Oh I need to take this back now, let me undo the network things... oh the company data, I guess that's okay for now...

      Yup. Companies want to treat "bring your own device" as if it meant "pay for the company's device" and it isn't surprising that this causes problems. They should simply provision employees with devices if they want them to work remotely/etc.

      BYOD was not driven by the companies, but by the employees - they wanted to use their own devices for work. You have it backwards. Now, there is no question that some companies are slow to upgrade their equipment, but that's a different issue.

    8. Re:The old laptop security chink by Rich0 · · Score: 1

      BYOD was not driven by the companies, but by the employees - they wanted to use their own devices for work. You have it backwards. Now, there is no question that some companies are slow to upgrade their equipment, but that's a different issue.

      They're the same issue. People wouldn't want to use their smartphones for work if the company just issued them smartphones that they actually want to use. Devices were selected almost entirely for the sake of the ease of administration, with little regard for usability.

  4. Re:wait a minute - personally owned computer ? by Anonymous Coward · · Score: 0

    In which case he was entitled to 'deactivate it'. Not necessarily to expose the information, but that may not have been his fault.

  5. Really? by scotts13 · · Score: 1

    There almost has to be more to this story than we're hearing, and I'd be interested in the details. Why does one have to "reconfigure" a server to disconnect a single, personally owned computer from a network? The doctors I know would pull the ethernet cable, pick up the computer and go home, without even thinking about the server.

  6. Not the Doctors fault by Charliemopps · · Score: 1

    No user should be able to do anything that would lead to this result. This is not the doctor's fault. He may have violated a few policies, but to blame the entire incident on him is a bit ridiculous. This was a failure of their Network/Security team.

    1. Re:Not the Doctors fault by rmdingler · · Score: 1

      Right on.

      He actually deserves some bug bounty money.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

  7. Lock down your network dumbasses by wiredlogic · · Score: 3, Insightful

    What's the point in having a "secure" HIPAA compliant network that anyone can connect any old computer to? If the admins had just locked out unauthorized MAC addresses this wouldn't have happened. It would have cost them less than 4.8 million to implement even at healthcare contractor rates.

    --
    I am becoming gerund, destroyer of verbs.
    1. Re:Lock down your network dumbasses by Anonymous Coward · · Score: 0

      I bet the hospital in question has a policy of BYOD for physicians probably due to physicians being self-employed or contract employees from a different medical group. The article has the smell of an IT department taking advantage of not actually owning the computer in question in order to deflect blame away from themselves.

      We have a similar arrangement where I work which involves contract employers owning the equipment but having an agreement to allow the designated IT provider to manage them for us. Technically they are owned by us but the maintenance and security is handled by a central authority. Our equipment's MAC address must be whitelisted just to sign in on the network, and the equipment isn't even assigned an IP address on the "private" network until the installed inventory program reports its status and a quick port scan takes place. As part of our contract, the IT provider is responsible for decommissioning our equipment which boils down to verifying the hard drive is wiped and the MAC address taken off the whitelist.
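
Both the parent's "lock out unauthorized MAC addresses" and the whitelist-before-IP arrangement described here come down to the same routine check: compare the hardware addresses that actually obtained a lease against the inventory. The script below is an added example, not code from the thread or from any hospital or IT provider named in it. The log lines follow the dnsmasq-dhcp DHCPACK format and are constructed, as are the allowlist and its asset tags; it normalises Windows-style dashed uppercase MACs so they match the colon form, and it ignores DHCPDISCOVER and other non-lease messages.

```python
"""Flag DHCP leases handed to devices that are not on the asset allowlist.

Added example (not from the thread). Log lines follow the dnsmasq-dhcp
DHCPACK format and are constructed; the allowlist and asset tags are
made up. MAC addresses are normalised so that 'AA-BB-CC-DD-EE-02' matches
the lower-case colon form used in the inventory.
"""
import re

ALLOWLIST = {  # constructed inventory: MAC -> asset tag
    "aa:bb:cc:dd:ee:01": "WS-RADIOLOGY-01",
    "aa:bb:cc:dd:ee:02": "WS-LAB-07",
    "aa:bb:cc:dd:ee:03": "SRV-EHR-DB",
}

SAMPLE_LOG = """\
May  7 09:14:02 gw dnsmasq-dhcp[1234]: DHCPACK(eth1) 10.20.5.41 aa:bb:cc:dd:ee:01 ws-radiology-01
May  7 09:14:09 gw dnsmasq-dhcp[1234]: DHCPACK(eth1) 10.20.5.42 AA-BB-CC-DD-EE-02 ws-lab-07
May  7 09:15:31 gw dnsmasq-dhcp[1234]: DHCPACK(eth1) 10.20.5.77 08:00:27:13:37:42 drs-macbook
May  7 09:15:40 gw dnsmasq-dhcp[1234]: DHCPDISCOVER(eth1) 08:00:27:13:37:42
May  7 09:16:05 gw dnsmasq-dhcp[1234]: DHCPACK(eth1) 10.20.5.78 08:00:27:13:37:42 drs-macbook
May  7 09:20:12 gw dnsmasq-dhcp[1234]: DHCPACK(eth1) 10.20.5.43 aa:bb:cc:dd:ee:03 srv-ehr-db
"""

# Only DHCPACK lines matter: they record an address actually handed out.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: "
    r"DHCPACK\((?P<iface>\w+)\) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})(?: (?P<host>\S+))?$"
)


def normalise_mac(mac):
    """Lower-case, colon-separated form, whatever the client logged."""
    return mac.lower().replace("-", ":")


def parse_acks(log_text):
    """Yield one dict per DHCPACK line; other DHCP messages are skipped."""
    for line in log_text.splitlines():
        match = ACK_RE.match(line)
        if match:
            rec = match.groupdict()
            rec["mac"] = normalise_mac(rec["mac"])
            yield rec


def unknown_devices(log_text, allowlist=ALLOWLIST):
    """Map each non-allowlisted MAC to its latest IP, hostname, first sighting
    and lease count."""
    found = {}
    for rec in parse_acks(log_text):
        if rec["mac"] in allowlist:
            continue
        entry = found.setdefault(rec["mac"], {
            "ip": rec["ip"], "host": rec["host"],
            "first_seen": rec["ts"], "leases": 0,
        })
        entry["leases"] += 1
        entry["ip"] = rec["ip"]  # keep the most recent address
    return found


if __name__ == "__main__":
    for mac, info in unknown_devices(SAMPLE_LOG).items():
        print("%s  %-12s %-16s first seen %s, %d lease(s)"
              % (mac, info["ip"], info["host"], info["first_seen"], info["leases"]))
```

Run against the constructed log this reports one device, the laptop at 10.20.5.78 that renewed once, and nothing for the dashed-uppercase lab workstation because normalisation matched it to the inventory. An allowlist like this catches the accidental or casual connection the thread is about; it is not authentication, since the address is supplied by the client, so for ports that reach patient data 802.1X with per-device credentials is the stronger control and this check is a useful audit beside it.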

    2. Re:Lock down your network dumbasses by Anonymous Coward · · Score: 0

      What would have happened if someone, after being connected to the network, decided they need to tunnel elsewhere and disable their firewall for everything to work? Now suddenly the owner of the laptop has run-around all the security protections of the entire network and others could potentially get access to anything that person is authorized to see.

      That is likely what has happened here. The doctor worked at two hospitals. He deactivated something which caused server data to be accessible out of the controlled network. How is someone supposed to stop this from happening while still letting real work get done? Lock down everything? That is the prevailing attitude here on Slashdot, the new home for CS know-it-alls and tech news weenies. There is some risk that must be accepted for real work to get done.

      If you have the security features in place that all admins really want, you will be replaced in short order by someone willing to play ball for the sake of productivity. Christ, this is a hospital. What do you think would happen when a doctor is at odds with IT? The administration will always side with their cash cow and not their cost center.

      It is almost as if everyone on slashdot does not have any actual experience in IT. All the people left here are the clueless or programmers that are wasting time instead of pounding out code like they are supposed to.

    3. Re:Lock down your network dumbasses by Anonymous Coward · · Score: 0

      1) They are only allowed to have superuser privileges on the machines if they took an admittedly easy class that pretty much creates a paper trail, and the only firewall they would control is their own workstation's, not the one separating them from the internet.

      2) The inventory program which is required both contractually and technically for access manages the configuration of the machine and reports the lack of a firewall in the security deficit report. The same inventory program sends a list of network connections made and reports hardware configuration. At another facility with stricter requirements, that software alerted the IT security staff of a possible breach when a USB thumb drive was inserted into a workstation.

      3) The firewalls on the other hosts will alert IT security. We had an incident involving an infected laptop being attached to the network. It was flagged as soon as the malware tried to propagate.

      4) Access to the external internet is provided by a network of firewalls. Judging by the paperwork that crosses my desk, it is safe to assume that any long-lasting tunnels that bridge the firewall have to be explained and routed through proper channels. We had a machine that required access to a machine outside of our private network. It accomplished this with an encrypted tunnel similar to SSH. The programmer working on the machine failed to specify a source port in his configuration and allowed the TCP stack to assign a random number to it. It wouldn't have mattered to the application since the return path was hardcoded, but the router flagged it, the connection was short-lived, and after a number of reconnects it was outright banned by the router. For long-lived tunnel connections we have to specify both source IP including source port and destination IP including target port.

      I admit that a hospital doesn't have to be as secure as my workplace, but after 10 years this is no longer cutting-edge technology outside of the reach of businesses with lesser security requirements. Also, hospitals tend to have fixed IT requirements which don't require the workstations having direct unfettered access to the internet. They can proxy the web and email access. If anything, hospitals should be easier.
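      As an added illustration (not the commenter's workplace tooling, and not code from the article), here is how the controls described in replies 1 and 3 above fit together as policy checks: a device only receives a private-network address once its MAC is whitelisted and an inventory report shows no security deficit (host firewall on, no unexpected listeners from the port scan); decommissioning drops the MAC from the whitelist; and long-lived tunnels are approved only as a fully specified source IP/port and destination IP/port tuple, with unapproved reconnects flagged and then banned. Every MAC, address, port and limit below is a constructed sample value.

```python
"""Network admission and egress-tunnel policy checks.

Hypothetical illustration of the controls described in the comments above.
All identifiers, MAC addresses, IPs, ports and limits are constructed
sample values, not anyone's production configuration.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample whitelist: MAC address -> asset tag.
MAC_WHITELIST = {
    "aa:bb:cc:00:11:22": "WS-0007",
    "aa:bb:cc:00:33:44": "WS-0012",
}

# Listeners the inventory port scan is allowed to find on a managed
# workstation (constructed policy: remote management only).
EXPECTED_LISTENERS = {3389, 5985}


@dataclass
class InventoryReport:
    """What the installed inventory agent reports before an address is issued."""
    mac: str
    firewall_enabled: bool
    listening_ports: Set[int] = field(default_factory=set)


def admit_to_private_net(mac: str, report: Optional[InventoryReport]) -> Tuple[bool, List[str]]:
    """Decide whether a device receives a private-network address.

    Returns (admitted, reasons); reasons lists every failed check so a
    security deficit report can show all of them at once.
    """
    mac = mac.lower()
    reasons: List[str] = []
    if mac not in MAC_WHITELIST:
        reasons.append("mac not on whitelist")
    if report is None:
        reasons.append("no inventory report received")
    else:
        if report.mac.lower() != mac:
            reasons.append("inventory report MAC does not match link-layer MAC")
        if not report.firewall_enabled:
            reasons.append("host firewall disabled")
        unexpected = set(report.listening_ports) - EXPECTED_LISTENERS
        if unexpected:
            reasons.append("unexpected listeners: %s" % sorted(unexpected))
    return (not reasons, reasons)


def decommission(mac: str) -> bool:
    """Final decommissioning step: drop the MAC from the whitelist.

    Returns True if the device was whitelisted. Verifying the disk wipe is
    assumed to happen separately before this is called.
    """
    return MAC_WHITELIST.pop(mac.lower(), None) is not None


# Approved long-lived tunnels, each fully specified down to the source port.
APPROVED_TUNNELS = {
    ("10.20.0.15", 40022, "203.0.113.7", 22),  # constructed: lab box -> external host
}
RECONNECT_LIMIT = 3  # constructed: unapproved flows are banned after this many attempts


@dataclass
class EgressRouter:
    """Counts unapproved tunnel attempts per (src ip, dst ip, dst port) flow."""
    flagged: Counter = field(default_factory=Counter)
    banned: Set[Tuple[str, str, int]] = field(default_factory=set)

    def check(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        """Return 'allow', 'flag' or 'ban' for one connection attempt."""
        if (src_ip, src_port, dst_ip, dst_port) in APPROVED_TUNNELS:
            return "allow"
        flow = (src_ip, dst_ip, dst_port)
        if flow in self.banned:
            return "ban"
        # An ephemeral (unspecified) source port never matches an approved
        # tuple, so every reconnect is flagged until the limit is reached.
        self.flagged[flow] += 1
        if self.flagged[flow] >= RECONNECT_LIMIT:
            self.banned.add(flow)
            return "ban"
        return "flag"


if __name__ == "__main__":
    ok, why = admit_to_private_net(
        "aa:bb:cc:00:33:44",
        InventoryReport("aa:bb:cc:00:33:44", False, {3389, 4444}))
    print("admitted:", ok, "reasons:", why)
    router = EgressRouter()
    for src_port in (51000, 51001, 51002):
        print(router.check("10.20.0.15", src_port, "203.0.113.7", 22))
```

      The admission check deliberately collects every failure rather than stopping at the first, which mirrors the "security deficit report" the commenter describes: the operator sees at once that a box is both unwhitelisted and running without a firewall. The egress check keys the ban on the flow without the source port, so a programmer who later fixes the configuration to the approved source port is matched by the approved-tunnel lookup first and gets through.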

    4. Re:Lock down your network dumbasses by Anonymous Coward · · Score: 0

      Unfortunately, there's an element you're overlooking: doctors at hospitals bring in money. IT staff costs money. Guess who wins any arguments? The neurosurgeon who has a patent hanging on his wall for a nifty treatment method that the hospital makes a crap-ton of money from doesn't have to listen to anyone.

      Typical Scenario:
      Dr.: "I want to use my computer on the network!"
      IT: "that's insecure, and a really bad idea"
      Dr.: "I bring more money into this hospital than you'll ever see in your lifetime. Put it on the network!"
      IT: "That's a violation of our security policy. We can't do that."

      *one nasty email later to CEO/CIO of hospital*

      IT Boss: "Put it on the network, or you're fired."

      At which point, I insist on having it in writing that I said it was a bad idea, put it in my CYA folder, and hope the doctor has more cluefulness than reasonableness.

      I'd like to say this has never happened, but I've heard or said every one of those quotes, even if they weren't all in the same conversation.

    5. Re:Lock down your network dumbasses by Anonymous Coward · · Score: 0

      lol. The network at the hospital I used to work at was the Wild West. In most locations, anything plugged into the network was immediately handed its very own public IP address. Even if you used private IPs, we were on a University network large enough to be a threat all on its own.

      Honestly it wasn't *that* bad, the university had a netops team with a few security specialists who played whack-a-mole with the worms and the bruteforce attempts and the DDoS attacks that came streaming in. I was much more concerned about laptops getting stolen, since our antiquated software cached portions of the patient DB on the local hard drive. And the doctors that would log into a computer in a public location and just leave it logged in with the patient database open. Or the staff who would try to use their gmail address for PHI. Our time was much better spent addressing issues like that rather than attempting to monitor the network for suspiciously long connections that we couldn't do anything about anyway or hunting down USB drives (seriously?).

    6. Re:Lock down your network dumbasses by Cederic · · Score: 2

      So learn how to work it.

      "Sure, get the Head of Compliance to sign off this breach of security standards and I'll get right on it. Yes, he'll require you to sign a personal liability waiver allowing the hospital to recharge any fines it receives due to insecurities arising from your computer."

      I hate bureaucracy but good corporate governance exists for a reason. "You can't do this" is seldom the right answer. "You can do this, here is how" is a great response to be able to give, and if the "how" is punitive, painful and personally embarrassing then hey, they shouldn't have asked for something so fucking stupid in the first place.

  8. "attempting to deactivate" by Blaskowicz · · Score: 1

    That's why you don't let Doctor Bashir play with the ship's phasers or the self-destruct sequence. There are other qualified high-rank officers to do that kind of work (when they're not mind-controlled by aliens or trapped in another plane of existence).

  9. This is very common by Anonymous Coward · · Score: 0

    A friend of mine did a job as an IT intern for a big Dutch university hospital and he and all his colleagues could access all patient records without it even getting logged.

  10. IT Fail by flyingfsck · · Score: 1

    "We also have continually strengthened our safeguards" - Ha ha ha...

    There was no IT security, control or safeguards. The doctor should not have been able to use his personal computer on the hospital net.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
    1. Re:IT Fail by Anonymous Coward · · Score: 0

      The doctor should not have been able to use his personal computer on the hospital net.

      I wouldn't be surprised if the "personal computer" mentioned in the article is actually a computer owned by the physician for professional use (i.e. not owned by but obviously mismanaged by the hospital IT).

  11. Re:This is very common by flyingfsck · · Score: 1

    I thought you were going to say: "Without him even logging in", since that would be even more likely.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  12. Most physicians have personally owned systems by Anonymous Coward · · Score: 0

    They get money that is provided to *them* to buy computers for continuing education - it's a convoluted mess and little can be done to stop it because they are required to use the things to 'learn' so many hours a day.

    1. Re:Most physicians have personally owned systems by spire3661 · · Score: 1

      Irrelevant. I.T. failed in preventing him from doing it, and HR failed in letting the Dr. know exactly why this would be a bad idea. Drs. can afford their own private internet connection; there is no excuse for piggybacking on a medical care network so they can learn shit.

      --
      Good-bye
    2. Re:Most physicians have personally owned systems by chooks · · Score: 1

      Irrelevant. I.T. failed in preventing him from doing it,

      Agreed. I have never worked in a place (hospital or otherwise) where an end user could expose an internal service to the public.

      HR failed

      That pretty much sums up HR in general.

      Drs. can afford their own private internet connection,

      Out of curiosity, how do you think this would work? A doctor is at the hospital, needs network access and... has the phone company install a phone line in each of the wards she is rounding in? The "learning shit" is kinda important... like looking up the proper drug dose for a particular patient population, new diagnostic criteria, etc.

      Many docs think they are experts at computers. A minority actually are. Thus it looks like a guy playing sysadmin who got left holding the dookie from incompetent net admins.

      --
      -- The Genesis project? What's that?
  13. Free money for the government by Anonymous Coward · · Score: 0

    But the aggrieved patients whose information has become public knowledge get none of it. Something is wrong with that picture.

    1. Re:Free money for the government by Anonymous Coward · · Score: 5, Insightful

      If, in a democracy, the government money isn't being spent as if it is the people's money, the people are doing something wrong. And the whole point of public law is that it imposes sanctions "in the public interest", not for the sake of the specific victim. (Sometimes this justifies stupidity, e.g. anti-marijuana law, but mostly it's why we have a civilisation and not a libertarian dystopia.)

      Any personal damages can still be claimed in civil court.

    2. Re:Free money for the government by the_B0fh · · Score: 1

      Too bad I don't have mod points, this is one AC post that's really good.

  14. Healthcare IT in the US by maple_shaft · · Score: 5, Interesting

    Having worked in IT and software development for a number of different health systems some common themes run true.

    1) Overemphasis on the needs of the physicians over the needs of the patients and the other areas of the health systems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not doctors.

    2) Easy money. Money comes easy to these organizations. This plus...

    3) Non-profit tax status and requirements to spend or invest profits earned. This creates an environment of plentiful budgets where waste runs rampant, and concern over things such as nepotism and incompetence aren't as important as they would be in other companies.

    Of course with nepotism you get politics so thick you couldn't cut it with a carbide blade. This causes a technical brain drain to the point where you have a bloated IT department with 20 incompetent people for every person who knows what they are doing and is always taking the role of the Hero. The Hero can get things done and keep things secure despite all of the problems but eventually like everybody else, the Hero is a human being and has flaws like a human being. The Hero occasionally makes a mistake.

    1. Re:Healthcare IT in the US by Anonymous Coward · · Score: 0

      Your experience doesn't match what I observed and sounds more like a disgruntled employee than insightful.

    2. Re: Healthcare IT in the US by Anonymous Coward · · Score: 0

      Probably because you are not the Hero. ;)

    3. Re: Healthcare IT in the US by Anonymous Coward · · Score: 0

      Exactly what I was thinking. The grandparent reads more like stereotypes than experience.

    4. Re:Healthcare IT in the US by Bill_the_Engineer · · Score: 1

      There are a number of things wrong with your post:

      1) Overemphasis on the needs of the physicians over the needs of the patients and the other areas of the health systems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not doctors.

      The doctors are IT's customers, not the patients. The patients are the doctors' customers, not yours. It's the doctor's job to care for the patients. It's IT's job to make sure the computers don't get in the doctor's way while remaining secure and HIPAA compliant. I can see why the doctors would disrespect an IT department that doesn't cater to the customers' (as in doctors') needs.

      2) Easy money. Money comes easy to these organizations. This plus...

      Really? Their budgets have been shrinking for well over a decade. With Medicare payouts being lowered, unfunded mandates to provide "life saving" care to indigents which include triaging cold and flu cases in ERs, increasing budget reserves in order to offset the growing malpractice risks (self-insured hospitals) or paying higher premiums (non-self-insured hospitals), and increased labor costs for staff, I'd like to know where this easy money is coming from.

      3) Non-profit tax status and requirements to spend or invest profits earned. This creates an environment of plentiful budgets where waste runs rampant, and concern over things such as nepotism and incompetence aren't as important as they would be in other companies.

      In my region the nonprofit medical centers tend to be the regional charity or university-based hospitals, and they are outnumbered by the growing number of for-profit medical centers that offer specialized care. In plain English this means that the high-markup services are being performed by for-profit outpatient centers, leaving the hospitals with convalescence services and indigent care.

      Of course with nepotism you get politics so thick you couldn't cut it with a carbide blade. This causes a technical brain drain to the point where you have a bloated IT department with 20 incompetent people for every person who knows what they are doing and is always taking the role of the Hero. The Hero can get things done and keep things secure despite all of the problems but eventually like everybody else, the Hero is a human being and has flaws like a human being. The Hero occasionally makes a mistake.

      This doesn't sound like any of the hospitals that I know about. I have friends and colleagues that are in the medical software business or an employee of a hospital throughout the southeast. My graduating class of engineers took advantage of the changes that HIPAA brought and a large portion of them work in the industry. We stay in touch and some of them are known to vent their frustration but none of it involved nepotism, mostly it involves having to manage tech school graduates and heroes.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    5. Re:Healthcare IT in the US by maple_shaft · · Score: 3, Interesting

      Allow my rebuttal...

      The doctors are IT's customers, not the patients. The patients are the doctors' customers, not yours. It's the doctor's job to care for the patients. It's IT's job to make sure the computers don't get in the doctor's way while remaining secure and HIPAA compliant. I can see why the doctors would disrespect an IT department that doesn't cater to the customers' (as in doctors') needs.

      If you haven't noticed, the nature of healthcare is changing because of IT. With analytics, data warehouses and artificial intelligence like IBM's Watson diagnosing patients with stunning accuracy, the role of doctor centric patient care is going the way of the dodo. Granted we are not there yet but in the next 20 years we will see computers diagnosing patients, medical breakthroughs occurring through the use of analytics as opposed to traditional medical research, and doctors just basically being delegated to QA on patient care. The point is that all of this will be patient-centric where IT begins to see the patient as the client.

      In 80 some years of cardiac medicine, about the single most effective treatment that all doctors agree on is Aspirin. Healthcare breakthroughs move slowly if you haven't noticed. Now with analytics, doctors, researchers and analysts will be able to interpret correlations in a way never allowed before.

      Really? Their budgets have been shrinking for well over a decade. With Medicare payouts being lowered, unfunded mandates to provide "life saving" care to indigents which include triaging cold and flu cases in ERs, increasing budget reserves in order to offset the growing malpractice risks (self-insured hospitals) or paying higher premiums (non-self-insured hospitals), and increased labor costs for staff, I'd like to know where this easy money is coming from.

      You make it seem as if the non-profit centers see this charity care as a bad thing. To the contrary, they are allowed to write off this "free" care (that they are required to give, mind you) as charity towards the requirements for them to maintain non-profit tax status. I promise you the cost of free care is a pittance compared to the corporate taxes they otherwise must pay, as well as state and local property taxes and the like.

      Your arguments about malpractice risks and insurance for that are negligible.

      In my region the nonprofit medical centers tend to be the regional charity or university-based hospitals, and they are outnumbered by the growing number of for-profit medical centers that offer specialized care. In plain English this means that the high-markup services are being performed by for-profit outpatient centers, leaving the hospitals with convalescence services and indigent care.

      This for-profit, non-profit line is increasingly blurry though, as I see the large non-profit health systems continue to act in ways that are increasingly similar to for-profit companies. The chairpersons at such health systems often encourage for-profit ventures to be incubated in the health system and with the support of it, so that they have vehicles to move profits into investments towards these for-profit institutions. Guess who the board of directors tend to be at these for-profit institutions that operate under the non-profit umbrella? Profits find their way into the chairpersons' hands in a very indirect way. You may not realize who is really calling the shots and who actually owns these for-profit institutions, but I do and you would be surprised.

      This doesn't sound like any of the hospitals that I know about. I have friends and colleagues that are in the medical software business or an employee of a hospital throughout the southeast. My graduating class of engineers took advantage of the changes that HIPAA brought and a large portion of them work in the industry. We stay in touch and some of them are known to vent their frustration but none of it involved nepotism, mostly it involves hav

    6. Re:Healthcare IT in the US by Trax · · Score: 2

      As an emergency physician and former IT engineer with Unix system administration background, I'll say that most of the important software and hardware choices are made by the IT department and C-level executives without any input by physicians what-so-ever. I'll reply to your points line by line:

      > 1) Overemphasis on the needs of the physicians over the needs of the patients and the other areas of the health systems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not doctors.

      The health system SHOULD EMPHASIZE the needs of the PHYSICIAN over those of the patient when we are the ones using the EMR, PACS (picture archiving and communication system), network drive, intranet, and other features day in and day out. The needs of the patient come into play when interfacing with these systems to retrieve their laboratory and imaging results, physician communication, and others when at home or elsewhere. If the IT department doesn't like this, then too bad, as the users' needs outweigh yours -- remember that this is coming from a practicing clinician.

      Just keep trotting out the old line about how physicians have no respect for any other professionals, as there's no basis for it in the real world. If you look around at the landscape of healthcare in the US, you'll see that it's the physicians that are disrespected every day at the hands of the administration, fellow professionals, and patients.

      http://www.thedailybeast.com/a...

      > 2) Easy money. Money comes easy to these organizations. This plus...

      Money does not come easy to any of these organizations unless you are a huge health system such as Mount Sinai in NYC or Mayo Clinic or any of the other large health systems around the country. If you're that big, you can tell the insurance companies how much they will need to pay up. However, the majority of hospital systems are 1-2 hospitals and have a very limited budget for many things including EMRs, IT staff and departments, and ultimately hardware and software. It's not like they have money to burn...

      > 3) Non-profit tax status and requirements to spend or invest profits earned. This creates an environment of plentiful budgets where waste runs rampant, and concern over things such as nepotism and incompetence aren't as important as they would be in other companies.

      IT departments in hospitals are rampant with nepotism, incompetence, and wastefulness. The heads of the security, network, and support divisions have no clue when it comes to supporting clinicians including physicians, nurses, LPNs, or any other staff that requires using the computer for any health-related work.

    7. Re:Healthcare IT in the US by Bill_the_Engineer · · Score: 1

      Allow my rebuttal...

      Always...

      If you haven't noticed, the nature of healthcare is changing because of IT. With analytics, data warehouses and artificial intelligence like IBM's Watson diagnosing patients with stunning accuracy, the role of doctor centric patient care is going the way of the dodo. Granted we are not there yet but in the next 20 years we will see computers diagnosing patients, medical breakthroughs occurring through the use of analytics as opposed to traditional medical research, and doctors just basically being delegated to QA on patient care. The point is that all of this will be patient-centric where IT begins to see the patient as the client.

      In 80 some years of cardiac medicine, about the single most effective treatment that all doctors agree on is Aspirin. Healthcare breakthroughs move slowly if you haven't noticed. Now with analytics, doctors, researchers and analysts will be able to interpret correlations in a way never allowed before.

      Well, technology always outpaces ethics, so I'm in favor of anything that reasonably slows down advancement in order to make sure all the pitfalls are accounted for.

      In your example, IBM Watson would fall in the realm of medical research and doesn't necessarily have real-time patient data. My understanding was that they would get some sort of aggregate data in their research. One of the largest hospitals that I'm familiar with has a live telemetry department which gathers real-time patient stats (including EKG) into a single "war room" environment to keep patient monitoring costs low. They carry the data on a network physically separated from the rest of the hospital infrastructure.

      In addition, I place this upcoming equipment in the realm of medical diagnostic equipment that happens to be a computer. It may help the doctor with his practice but it wouldn't necessarily replace him/her outright.

      I would also assume that medical diagnostic equipment would be handled differently from the basic tools of the trade that are data entry points found at nurses stations, patient bedside (e-quip is catching on down here), doctor's iPad, and admissions that are handled by IT today. Regardless, IT will still be working on behalf of the staff of the hospital not the patients directly.

      You make it seem as if the non-profit centers see this charity care as a bad thing. To the contrary, they are allowed to write off this "free" care (that they are required to give, mind you) as charity towards the requirements for them to maintain non-profit tax status. I promise you the cost of free care is a pittance compared to the corporate taxes they otherwise must pay, as well as state and local property taxes and the like.

      You're talking about tax benefits now. Earlier you were talking about "easy money" which is revenue. You can't pay your expenses with "write offs", instead you lower your tax burden. You still need to make enough revenue to remain solvent.

      This for-profit, non-profit line is increasingly blurry though, as I see the large non-profit health systems continue to act in ways that are increasingly similar to for-profit companies. The chairpersons at such health systems often encourage for-profit ventures to be incubated in the health system and with the support of it, so that they have vehicles to move profits into investments towards these for-profit institutions. Guess who the board of directors tend to be at these for-profit institutions that operate under the non-profit umbrella? Profits find their way into the chairpersons' hands in a very indirect way. You may not realize who is really calling the shots and who actually owns these for-profit institutions, but I do and you would be surprised.

      I've seen this. However, the money still isn't "easy". You insinuated an endless supply of easy money earlier; now you may be unintentionally changing the topic to what to do wi

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    8. Re:Healthcare IT in the US by maple_shaft · · Score: 1

      Thank you for giving your input as a physician. It is nice to hear from your perspective. I admit that I was unfairly categorizing all physicians into this category of being disrespectful to other professions. It is a real thing though but admittedly small in the grander scheme of the problems at play here.

      IT departments in hospitals are rampant with nepotism, incompetence, and wastefulness. The heads of the security, network, and support divisions have no clue when it comes to supporting clinicians including physicians, nurses, LPNs, or any other staff that requires using the computer for any health-related work.

      I see this in health systems big and small. You recognize the problem too, but you didn't really address my theory as to why this is: easy money and low accountability. Why, in your opinion, do you believe this is? I am very curious about your perspective.

    9. Re:Healthcare IT in the US by Rich0 · · Score: 1

      The doctors are IT's customers, not the patients. The patients are the doctors' customers, not yours. It's the doctor's job to care for the patients. It's IT's job to make sure the computers don't get in the doctor's way while remaining secure and HIPAA compliant. I can see why the doctors would disrespect an IT department that doesn't cater to the customers' (as in doctors') needs.

      Are you a doctor? IT isn't paid by the doctors - they're paid by the HOSPITAL. Doctors and IT workers are just two classes of people working at the hospital to take care of the HOSPITAL's customers - the patients. There is a legal fiction designed to shield hospitals from liability/etc. which also makes the patients the doctors' customers as well, but if you subscribe to that fiction then the doctors aren't even legally associated with the IT department at all.

      I work in an IT department for a for-profit corporation and while I certainly have internal clients, ultimately we all work for the corporation and are supposed to look after its interests. Usually making my clients happy is the best thing for the company, but when their personal interests do not coincide with what is best for the company, then it is time to escalate issues and let the executives earn their pay. When a client wants me to spend $1M to save $20k/yr of their organization's time, then it is time to tell them to just live with the processes they have today. (And yes, I realize that there are reasons to do IT work besides productivity.)

    10. Re:Healthcare IT in the US by Cederic · · Score: 1

      I work in an IT department for a for-profit corporation and while I certainly have internal clients, ultimately we all work for the corporation and are supposed to look after its interests. Usually making my clients happy is the best thing for the company, but when their personal interests do not coincide with what is best for the company, then it is time to escalate issues and let the executives earn their pay.

      Nicely put. The doctors' customers are IT's customers because without them the doctors don't need IT.

      Looking out for the interests of the doctors is impossible without understanding their own obligations and requirements around patients. Preventing a doctor from alienating his entire patient base through poor IT implementation sounds like a pretty reasonable IT contribution.

    11. Re:Healthcare IT in the US by Cederic · · Score: 1

      If the IT department doesn't like this, then too bad, as the users' needs outweigh yours -- remember that this is coming from a practicing clinician.

      Yeah, we can tell.

      The users are fucking lucky to get an IT system. IT departments run under-funded, with stupid regulation, no authority and no appreciation. You've exemplified most of that in one Slashdot post.

      I don't give a flying fuck how hard it is for you to access PACS, the network drive, the intranet or any other IT system if the alternative is sharing patient records over the Internet.

      So I'm going to inconvenience you to assure secure access. Note how I've already immediately compromised you, as a user. Note too how I don't fucking care, and never will care, because your needs are less important than those of the organisation for which you work.

      If the hospital gets continually and repeatedly fined for breaches of security then you end up without a job and patients don't get treatment. So Mr Practising Clinician, shut the fuck up and stop acting the prima donna pretending other professionals don't know what they're doing.

    12. Re:Healthcare IT in the US by Bill_the_Engineer · · Score: 1

      Are you a doctor? IT isn't paid by the doctors - they're paid by the HOSPITAL. Doctors and IT workers are just two classes of people working at the hospital to take care of the HOSPITAL's customers - the patients. There is a legal fiction designed to shield hospitals from liability/etc. which also makes the patients the doctors' customers as well, but if you subscribe to that fiction then the doctors aren't even legally associated with the IT department at all.

      No, I'm not a doctor. You are completely correct that the IT department works on behalf of the hospital. However, in the context of this particular discussion, IT works on behalf of the doctors (who are part of the hospital staff) and does not provide a service directly to the patient.

      I work in an IT department for a for-profit corporation and while I certainly have internal clients, ultimately we all work for the corporation and are supposed to look after its interests. Usually making my clients happy is the best thing for the company, but when their personal interests do not coincide with what is best for the company, then it is time to escalate issues and let the executives earn their pay. When a client wants me to spend $1M to save $20k/yr of their organization's time, then it is time to tell them to just live with the processes they have today. (And yes, I realize that there are reasons to do IT work besides productivity.)

      Again IT provides what is considered a normal level of service. As an IT department, you deny requests that are outside acceptable corporate practices. I'm sure most of these practices were negotiated at a higher managerial level with staff input, and regardless of how reasonable the IT policy is, you will always have someone who insists they need something that violates that policy. The doctors are still one of your customers, and you are responsible for their IT requirements. The hospital management is also your customer, and you are responsible for making sure all of their policies are carried out and that no harm comes to the hospital via the IT department. Having the doctors as a customer, and having the hospital management as a customer is not mutually exclusive.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    13. Re:Healthcare IT in the US by Rich0 · · Score: 1

      So, I get what you're saying about IT needs to look out for more than just its own needs.

      However, hospital management isn't really a "customer" in most cases. If you're talking about the CEO's email account, then the CEO is a customer like anybody else. However, if you're talking about the CEO telling IT that nobody can start a project without approval, then the CEO isn't a customer - he's the manager.

      Ultimately, internal divisions like "doctors," "IT," "HR," etc are all conveniences. Legally, there is a corporation, and the officers/board are responsible for everything it does. It is up to them to organize internally in whatever fashion makes sense. If they want to stay in business, they'll do a good job of it. :)

    14. Re:Healthcare IT in the US by Bill_the_Engineer · · Score: 1

      However, hospital management isn't really a "customer" in most cases. If you're talking about the CEO's email account, then the CEO is a customer like anybody else. However, if you're talking about the CEO telling IT that nobody can start a project without approval, then the CEO isn't a customer - he's the manager.

      Hospital management is always the IT's customer. They pay your department to perform services and protect the infrastructure. Every time you perform work for any staff member, you are performing a service for (and on the behalf of) management.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    15. Re:Healthcare IT in the US by Rich0 · · Score: 1

      Hospital management is always the IT's customer. They pay your department to perform services and protect the infrastructure. Every time you perform work for any staff member, you are performing a service for (and on the behalf of) management.

      Well, they're your customer in the same sense that your boss is your "customer." If you look at it from the standpoint that you personally are a business that sells your labor, then your boss is a customer, and so is some guy who bribes you to share your company's secrets with them. However, that really isn't a great way of defining the term in practice.

      The customer-centric attitude is generally advisable when dealing with just about anybody. However, I prefer to use the term customer to refer to somebody whose business you need to earn in a competitive marketplace. Generally internal clients aren't customers by that definition - they can't elect to not work with the IT department. I'm not suggesting that they shouldn't be treated well, but the dynamic is a bit different. If you had one customer that generated little revenue but was the source of 30% of your costs, you'd elect to just lose their business if they were a true customer. However, looking at your internal clients your legal department might fit that bill and getting rid of them isn't really going to make your costs go away.

      That was really my point - it isn't about who you need to listen to, but that the nature of the relationship between you and your boss is different than the relationship between you and your client.

  15. Cause = Arrogance of doctors by fygment · · Score: 1

    There is no cure.

    --
    "Consensus" in science is _always_ a political construct.
    1. Re:Cause = Arrogance of doctors by StripedCow · · Score: 1

      The cure is to teach some math or CS classes in medical school.
      Not really to teach them math or CS, but to teach them not to be arrogant.

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
    2. Re:Cause = Arrogance of doctors by HornWumpus · · Score: 1

      That's supposed to be why they take physics and chemistry in pre-med. That and keeping the memorizers out of medical school.

      My dad taught a chemistry class for the medical students' track. Those professors were very conscious of their duty to keep morons from becoming doctors. A C did that. Some of these dweebs couldn't plug and chug formulas or balance a redox equation. Yet they had all already gotten As in high school chemistry. Great memorizers, hard workers, some just couldn't think. All _needed_ an A. They all just wanted to get on to organic, where they could memorize naming rules.

      Make them take P-chem.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  16. No. by Anonymous Coward · · Score: 1

    I have done IT work in clinic environments and every doctor I have worked with usually started the conversation with, "I'm really stupid about computers .... could you help me with ...." or something like that.

    That was from a doc who was 30 something. The older they get, the more tech phobic they are.

    My wife is a provider and we have a contest to see who has the most "arrogant ass" story. Or who is more arrogant: doctors or IT/Software developers/engineers.

    I won hands down - technology people are the arrogant asses.

    1. Re:No. by lagomorpha2 · · Score: 3, Insightful

      I won hands down - technology people are the arrogant asses.

      Though you would never guess that by reading slashdot comments.

    2. Re:No. by greenbird · · Score: 4, Insightful

      I won hands down - technology people are the arrogant asses.

      The difference is technology people are typically arrogant about technology, what should be their area of expertise, whereas most of the arrogant ass doctors I've encountered are arrogant about everything. The technology guy isn't going to walk into the doctor's office and start telling him about how to do doctoring stuff. A great many people will tell technology people all about how to do their job.

      In any field I usually take arrogance as a sign of incompetence. Typically smart people think they know less then they really do and stupid people usually think they know more. The caveat being perception of arrogance is somewhat relative also. Arrogant people usually perceive anyone who knows more about something then they do as arrogant. That being said though, there are definitely a lot of incompetent technology people, almost certainly a lot more then there are incompetent doctors.

      --
      Who is John Galt?
    3. Re:No. by Anonymous Coward · · Score: 0

      then[ then ]
      adverb
      1. at that time: Prices were lower then.
      2. immediately or soon afterward: The rain stopped and then started again.
      3. next in order of time: We ate, then we started home.
      than[ than, then; unstressed thuhn, uhn ]
      conjunction
      1. (used, as after comparative adjectives and adverbs, to introduce the second member of an unequal comparison): She's taller than I am.
      2. (used after some adverbs and adjectives expressing choice or diversity, such as other, otherwise, else, anywhere, or different, to introduce an alternative or denote a difference in kind, place, style, identity, etc.): I had no choice other than that. You won't find such freedom anywhere else than in this country.
      3. (used to introduce the rejected choice in expressions of preference): I'd rather walk than drive there.

      I bet a doctor might know the difference......

    4. Re:No. by Anonymous Coward · · Score: 0

      Most doctors are arrogant because they are highly encouraged to do so, especially now that they are gatekeepers. Healthcare in general is a pretty dismal lot. Problem is that no one will be allowed to fix it and call a stone a stone.

  17. Amateurs that do not know their limits by gweihir · · Score: 1

    Would a surgeon let an amateur operate on a patient? No. Do they think they are as good as competent CS experts? Yes. Pathetic.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Amateurs that do not know their limits by sconeu · · Score: 2

      "Hey, doc! I've done some first aid before. Mind if I treat your patient?"
      "Hell no!"
      "Why not?"
      "Because I spent years obtaining an advanced degree, and have spent years since practicing and keeping my skills up to date."
      "Well, then, doc, for the exact same reason, KEEP YOUR HANDS OFF OF MY NETWORK".

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    2. Re:Amateurs that do not know their limits by Anonymous Coward · · Score: 0

      Do you really think a CS degree and an MD are in any way comparable? I'm not saying the surgeon wasn't exercising poor judgement, but there is no equivalency between the selectivity or difficulty of those two specialties.

    3. Re:Amateurs that do not know their limits by Cederic · · Score: 1

      Do you really think that a specialist degree and a decade of experience counts for nothing?

      A doctor can get arsey about their extra work needed to get professional status but it still doesn't mean they can design a network inside-out. Shit, I've been working in IT for two decades and I sure as hell can't.

      So the roleplay conversation to which you replied is valid, is useful and is relevant.

    4. Re:Amateurs that do not know their limits by gweihir · · Score: 1

      As in that the surgeon is a complete amateur at CS stuff? Yes. Of course, a fully trained surgeon has a lot more experience than a fresh MA in CS in absolute terms. But that is not the point.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  18. He was just "practicing" by AcerbusNoir · · Score: 1

    The perfect example of a practicing doctor.

  19. Which is worse? by jettoblack · · Score: 1

    One branch of government profits from hospitals unintentionally misusing your private information, then another branch of government takes those profits to fund the intentional and illegal misuse of your private information.

  20. Exploited Laptop by Anonymous Coward · · Score: 0

    In Ludlum's Bourne universe, I would conclude that the laptop has been viraled out. Fly those doctors to Malaysia!

  21. An Assumption of Competence by Rambo+Tribble · · Score: 2

    In their education, professionals, whether physicians or IT admins, are often inculcated with a professional swagger to the effect that they assume superiority in any situation. It is wise not to trust the judgement of those who exhibit this characteristic. They are commonly blind to their own failings and dismissive to others' concerns. Sadly, many are most impressed by this phenomenon, which they misapprehend as, "confidence".

    1. Re:An Assumption of Competence by Anonymous Coward · · Score: 0

      I agree with the above, especially 'many are most impressed by this phenomenon, which they misapprehend as, "confidence"'

  22. B-E-T-A IS BACK by Anonymous Coward · · Score: 0

    I surf only "anonymously" on slashdot (no account/login). Every time I load /. I use the following url:

    http://slashdot.org/?nobeta=1

    It 'generally remembers my preference' but more and more as I click the article/comment page I am redirected to beta version.

    I can then manually change the url to remove the beta in the url, but that becomes a drag.

    Did any of the boasters about alternative/new /. sites ever get off the ground?

  23. Re: Network, heal thyself by TheRealHocusLocus · · Score: 2

    No user should be able to do anything that would lead to this result. This is not the doctor's fault. He may have violated a few policies, but to blame the entire incident on him is a bit ridiculous. This was a failure of their Network/Security team.

    I second that notion. You have two issues here: the doctor should not have been able to reconfigure access in this way, and the IT staff should have spotted an unusual flow when the breach was active.

    Clearly the [recital 2a] Googlebot and others were spidering patient data for some time, those 6,800 records would account for a lot of traffic. EVEN IF the queries were https encrypted or the URLs contained session hashes instead of data, logs would show web spiders accessing presumably 'internal use only' functions.

    It is the responsibility of the senior IT administrator to establish a 'normal' baseline and track data flows at the router level, also set up an automated system which profiles web logs to profile transactions into as narrow a 'normal' definition as possible... and flag unusual patterns. If unusual flow is spotted this responsibility includes direct content sniffing of unencrypted communications.

    No real hacker would identify as Googlebot when vacuuming out an internal-use database, for fear of setting off trip wires. If only such trip wires had been in place...

    Ask Slashdot: How Do You Tell a Compelling Story About IT Infrastructure?

    I hereby submit this one.

    --
    <blink>down the rabbit hole</blink>
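The baseline-and-profile approach this post describes, as an added example that is not from the post, the hospital or Slashdot: it parses constructed combined-format access log lines and flags crawler user agents reaching assumed internal-use paths, plus any client pulling more distinct patient records than an assumed per-session baseline. The log format, path prefixes, crawler markers and the threshold of 25 records are all assumptions.

```python
"""Added example: profile web-server access logs for the two signals the
comment describes, namely well-known web crawlers reaching internal-use
functions and one client fetching far more distinct records than normal."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format; the sample lines below are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed: application paths that are internal-use only.
INTERNAL_PREFIXES = ("/patients/", "/labs/", "/vitals/")
# Assumed: user-agent substrings of common search-engine crawlers.
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandexbot", "baiduspider")
# Assumed baseline: a clinician opens a handful of charts per session.
NORMAL_DISTINCT_RECORDS = 25
# Assumed URL shape for a patient record.
RECORD_RE = re.compile(r"/patients/(\d+)")


def parse_line(line):
    """Return the fields of one combined-format line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def profile_log(lines, max_records=NORMAL_DISTINCT_RECORDS):
    """Return (alerts, distinct_records_per_client).

    Alerts are (kind, client_ip, count) tuples. Only requests that were
    actually served (2xx) against internal-use paths are profiled.
    """
    alerts = []
    records_by_client = defaultdict(set)
    crawler_hits = defaultdict(int)
    for line in lines:
        e = parse_line(line)
        if e is None or not e["status"].startswith("2"):
            continue  # unparsable, or the request was not served
        if not e["path"].startswith(INTERNAL_PREFIXES):
            continue  # public content is not the concern here
        if any(mark in e["ua"].lower() for mark in CRAWLER_MARKERS):
            crawler_hits[e["ip"]] += 1  # a spider reached an internal function
        rec = RECORD_RE.match(e["path"])
        if rec:
            records_by_client[e["ip"]].add(rec.group(1))
    for ip, n in crawler_hits.items():
        alerts.append(("crawler_on_internal_path", ip, n))
    for ip, recs in records_by_client.items():
        if len(recs) > max_records:
            alerts.append(("record_volume", ip, len(recs)))
    return alerts, {ip: len(r) for ip, r in records_by_client.items()}


def sample_log():
    """Constructed sample: one clinician reading three charts and one crawler
    walking forty records. 203.0.113.7 is a documentation address, not a real
    crawler's."""
    fmt = ('{ip} - - [07/May/2014:10:{mm:02d}:00 +0000] "GET {path} HTTP/1.1" '
           '200 1532 "-" "{ua}"')
    clinician, bot = "10.20.30.40", "203.0.113.7"
    browser = "Mozilla/5.0 (Windows NT 6.1) Firefox/29.0"
    spider = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    lines = [fmt.format(ip=clinician, mm=i, path=f"/patients/{1000 + i}", ua=browser)
             for i in range(3)]
    lines += [fmt.format(ip=bot, mm=i % 60, path=f"/patients/{5000 + i}", ua=spider)
              for i in range(40)]
    # A 404 on a public path is ignored by the profiler.
    lines.append(f'{bot} - - [07/May/2014:11:00:00 +0000] "GET /robots.txt HTTP/1.1" '
                 f'404 0 "-" "{spider}"')
    return lines


if __name__ == "__main__":
    for alert in profile_log(sample_log())[0]:
        print(alert)
```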
  24. doctors are independent contractors or something l by Joe_Dragon · · Score: 1

    doctors are independent contractors or something like that where they work for some outside company so they may need to have their machines to get work done.

  25. Yeah, can someone fill in ANY blanks on this story by mekkab · · Score: 2

    Let's ignore how the IT dept should have some kind of network traffic scans to see this stuff, how the heck does a non-admin do something like this? And I'm not attributing it to malice, I'm sure this guy "meant well" and in the process managed to screw everything up. Otherwise, I'm going with "scapegoats" for 1000, Alex.

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
  26. Re:doctors are independent contractors or somethin by ColdWetDog · · Score: 1

    Maybe true (some docs are independent contractors). But in any sort of hospital, anything computer related has to go through IT. I can't imagine them letting anyone have a friggin server with an outside connection. Especially a system as large as this.

    The only way I can put this together is that Columbia is so large that they've lost control of their network to the point where any half bright person could just set up a server. I'm pretty sure that if the doc had said "I need a personal server to go through the firewall" (and whatever else they have) he would have been laughed out of the room.

    Of course, TFA has no detailed information on what exactly happened so we are just guessing.

    --
    Faster! Faster! Faster would be better!
  27. This is the result of IT Janitor/Plumber talk by Anonymous Coward · · Score: 0

    When Joe Office Worker gets it in his head that IT are not professional white collar workers who are their coworkers and not their lackeys, this is the result. "I own a computer at home, I can do this better than some dumb IT Janitor/Plumber" And people wonder why IT thinks they're idiots.

    1. Re:This is the result of IT Janitor/Plumber talk by Anonymous Coward · · Score: 0

      Well I dunno where you work, but where I work the IT lackeys are pretty dumb.

      I generally have to boot Linux from a CD-ROM to fix stupid Windows things that they break.

  28. That's why the hospital has been fined by Bruce66423 · · Score: 1

    The fact that the system allowed this to occur is the responsibility of the hospital. The advantage of this for us geeks is that we can point to it when discussing security with senior management; that sort of scale of fine does get their attention. OTOH if we don't make the effort to ensure our systems are secure, we deserve the kicking.

  29. Re: Network, heal thyself by David_Hart · · Score: 1

    No user should be able to do anything that would lead to this result. This is not the doctor's fault. He may have violated a few policies, but to blame the entire incident on him is a bit ridiculous. This was a failure of their Network/Security team.

    I second that notion. You have two issues here: the doctor should not have been able to reconfigure access in this way, and the IT staff should have spotted an unusual flow when the breach was active.

    You missed the part where the doctor is actually a developer and was essentially working in IT....

  30. And we wonder by Anonymous Coward · · Score: 0

    And we wonder why doctor costs keep going up. Stuff like this comes back and costs patients money. Insurance pays for it, hospitals pay to be insured, patients pay to visit doctor.

  31. Yes.... by Anonymous Coward · · Score: 0

    In medical, not knowing and asking questions is accepted and encouraged.

    Humility in medical is a MUST.

    In technology, not knowing is a sign of being stupid. It is a sign of incompetence.

    I have worked on operating systems. I once asked about some esoteric fact about networking that would have required a week of reading and experimentation and I was told that I was "stupid" and I did not "belong here" (that was on a Coursera Networking class, BTW).

    Humility in tech is a sign of "weakness" and "stupidity".

    The employers follow that ideology. Like Google and everyone else in Silicon Valley.

    Not knowing "everything" is a sign of stupidity.

    As far as tech hiring people are concerned, all of us are stupid - and bring in the H-1Bs.

    I love tech but I really hate this arrogant attitude that is so pervasive in tech - and why I left - and still here because of my avocation.

    1. Re:Yes.... by greenbird · · Score: 1

      Humility in medical is a MUST.

      I'd say it's not. At least that's not true of a good many of the practitioners.

      Not knowing "everything" is a sign of stupidity.

      Only stupid people would think that. To know "everything" in the technology field is at least on par with knowing "everything" in the medical field. Only an idiot would think anyone could even remotely come anywhere near knowing "everything" in either field.

      As far as tech hiring people are concerned, all of us are stupid - and bring in the H-1Bs.

      Hmmm...been working in this field for 25 years now and rarely have I encountered that. The few occasions I did it was quickly evident the persons involved were idiots. Being willing to admit I didn't know something has almost always earned respect rather than contempt.

      --
      Who is John Galt?
    2. Re:Yes.... by electrofelix · · Score: 1

      Humility in medical is a MUST.

      I'd say it's not. At least that's not true of a good many of the practitioners.

      It is however true of many of the good practitioners.

  32. Medical group submits to Hospital IT ... by perpenso · · Score: 1

    Maybe true (some docs are independent contractors). But in any sort of hospital, anything computer related, has to go through IT.

    A while ago some article around here mentioned a group of doctors who had privileges at a local hospital. The hospital required the medical group to agree to hospital IT policies, security audits and unannounced penetration tests in order to connect the group's computers to the hospital network.

  33. Low accountability by Trax · · Score: 2

    I see it as an issue of low accountability for the most part, having different IT areas budgeted and the need to spend that budget before the year is out or otherwise we won't get the same amount of money next year. That's the mentality that most organizations take with silo-ing of budgets but to me seems to be a waste.

    In my organization, they have outsourced the servers and support for the EMR to the EMR manufacturer for them to host in the "cloud" while adding more Citrix redirections and latency for the users. The entire EMR support staff is several orders of magnitude larger than the database / networking / software engineers combined. The people that they do hire to write support side software are imbeciles at best and have been here for several years -- no one is fired for incompetence but layoffs do occur.

    Unfortunately, the higher ups in the C-level do not seem to understand the sandcastle that they've built within the hospital and IT department as their vision of what should be and the reality of it are completely divorced. I can see it as a physician with engineering and consulting experience who works in the ED day in and day out but the C-levels who are mostly non-physicians do not see the cruft that's built up or the inefficiencies that they have introduced.

    If I had my way, I would bring everything in-house, bring in more open source systems, and hire engineers to write custom applications. Nonetheless, there is only so much you can do when you're ONE community hospital.

    As to IT supporting its users, the issue is very simple and cuts across the entire healthcare system. Engineers do not talk to clinicians about the systems that they build and in so doing build clinical systems for engineers. I understand the mindset but as an emergency physician that has to see many patients in the day, the system that they've hoisted on us becomes a PITA to work with as the workflow I have created for myself does not equate with the workflow software engineers "think" that I should have. I want more input from physicians into the systems that are built. I want the engineers to come to the ER or to the inpatient floors or to the office to see how we work and help us perform efficiently and safely.

  34. Shooting the messenger by FatLittleMonkey · · Score: 1

    don't look at me - I didn't set permissions [...] The receptionist got to have a long chat with the Sr. Partner spearheading the project about the use of the company PCs.

    I would suggest the Sr. Partner was (like TFS and GP) blaming the wrong person. If your receptionist can delete your billing system, you are doing computers wrong and should probably just give up the whole technology thing.

    We see the same attitude when companies threaten/injunct/sue academics who discuss technical flaws in security systems. As if showing that the security is lame caused the security to be lame.

    --
    Science is all about firing a drunk pig out of a cannon just to see what happens.
  35. Money! by Anonymous Coward · · Score: 0

    Money: The universal problem-fixing tool!
    That's the "funny" thing about government agencies. We pay an awesome amount of taxes to support their existence, then when they actually have to DO something, we need to pay them again to do it.

    That would be like me getting $100k a year to be a software engineer, but then when my boss gives me work, he pays me more money to do the work. Of course a dream scenario like that can only happen when the money is going toward pure waste, and not actually benefiting any person.

  36. Re:Typcial -Arrogance has a Reason. by lucien86 · · Score: 1

    This kind of arrogance comes from literally being the smartest person in the room most of the time and from talking to idiots all day - something doctors do all the time. Don't blame the doctors, look at the patients...

    --
    Below the speed of light Special Relativity is one of the most accurate theories in physics - above the speed of light..
  37. Specialization by DarthVain · · Score: 1

    I have probably forgotten more about IT than most even know. However, while I think I am competent in what I do, I do not know everything, nor is it really reasonable to do so. That is why specializations exist. Don't talk to the Network guy regarding your DB problems, or your DB guy about your Coding issues... Sure they may have some related experience and overlap, but likely won't be as knowledgeable as someone that does that as their core. Same with Doctors, they will all have a common background, but asking the ass doctor about your shoulder joint issue might get you the answer you need, but then again you might be better served by asking the right person.

    I have been in the field long enough both in education and work, and have worked with enough people, to come to a pretty easy conclusion. Whatever you think you know, you don't know as much as you think... People that, like above, arrogantly attest that they know everything about everything are bullshitting you. Many are good enough to get the broad strokes and then figure out the actual details later, but that isn't quite the same thing.

    Anyway this sort of cross arrogance is more about thinking something is easy when it is not, and "how hard can it be? I'm a smart person!". In most cases, sure you can do it, but likely not well. Like I have never done plumbing before. But "How hard can it be?", I could give it a shot, read a book, watch a few youtube videos... What I produce might work, but will it be good? Probably not. It will probably take me much longer to produce something that functions in a non-optimized way, that may or may not violate whatever building standards exist in my local area, which if discovered would have to be ripped out and replaced by a professional anyway. Where a professional would presumably know how to design the best system, do it in a much quicker fashion, and adhere to whatever rules or standards exist that are required. Sound similar?

  38. It does not make sense. by Anonymous Coward · · Score: 0

    I just wanna know what "deactivate" means in this context. Cause if it means "shutting it off," I do not see how data leakage was even possible.