Slashdot Mirror
2015 Could Be the Year of the Hospital Hack
schwit1 writes After Obamacare required hospitals to convert all health records into electronic files, those records are now very vulnerable, and experts expect hackers to target them in the coming years. From the article: "Along with vast troves of credit card information and celebrity snapshots, hackers stole a record number of medical records from U.S. health-care facilities this year. In 2015, attacks targeting health data will become even more common, according to security researchers....The cause of the uptick isn't hard to diagnose. Medical organizations across the world are switching to electronic medical records, and computer security is not always a high enough priority during the process, says Leonard. Besides that, he says, easy and fast access to medical information often trumps security."
EHRs in general are so fucked up that even legitimate users can't figure out what the hell is going on most times.
I tell you what guys. If you do manage to hack into a bunch of systems, could you gin up some code that allows you to get the information out of all of them and put them in one useable place? Despite millions of dollars and countless lines of code, the vendors have yet to make that happen.
Faster! Faster! Faster would be better!
Does the electronic health record requirement apply to doctors who do not take insurance or any kind of federal payments?
I've been using a cash doctor for a number of years for privacy reasons (yes I have an HSA for major stuff but there has been no major stuff). In fact my medical records folder comes home with me from my visits and does not even physically stay in his office.
easy and fast access to medical information often trumps security."
That's the attitude of a lot of corporations, and that's why there is so much successful hacking going on.
"If any question why we died, Tell them because our fathers lied."
electronic medical records were basically mandated by insurance companies and hospital executives in an effort to reduce overhead in paper, postage, and ancillary staff related to records processing. If you've never heard of companies like ACS, its hard to imagine a workforce of almost 3000 people standing over banks of scanners, feeding paper records into a hopper, for $9 an hour in 3 shifts. Electronic medical records would have been a thing with or without the ACA. Mandating them was just icing to get insurance companies to go along with the act.
what we at slashdot can agree on is that, ostensibly, this should mean an increase in IT staff. qualified professional network and systems administrators to secure and protect patient data. But thats not mandated in the ACA, and anyone working in IT for a hospital can attest wages are stagnant. But you can expect obama to be a lightning rod for shit like this because thanks to a fervent neoconservative effort most people cant even remember the Affordable Care Act. All they hear is "Obamacare"
Good people go to bed earlier.
Seriously, they're about me. They should give me full and complete access to them, I should have control over them.
Yet...it's like pulling teeth to get records of my tooth extraction.
Obamacare or ACA did not mandate the use of EHR. This was in legislation long before ACA, it was part of the American Recovery and Reinvestment Act (ARRA). It was specifically called Meaningful Use. it mandates a series of electronic use requirements over three phases with initially payments for use and later penalties by CMS. The vast majority of MU certified vendors were producing EHRs long before ARRA and have reasonable security in place. Clearly though some vendors, and hospitals need some shoring up though.
Hospitals are a pretty stupid target in comparison to banks, physical retail environments, and online stores. A hospital DB might contain a social security number, addresses, illnesses, and birthdate. So what?
If you can get into a bank, you get money account info, credit scores, security tips, former trades, credit cards, all sorts of good stuff. If you get into a retail environment or online store, it's almost as good. Basically, you get money to spend. In a hospital though, the only unique thing you find out is if someone is sick and with what. That's a pain in the ass to work with. You can try to get more info from all that PII, but again, it's a pain in the ass and available elsewhere. Other stuff is more lucrative for the investment of time, criminal risk, and energy.
If you were a terrorist, a hospital might be a bit more interesting, but the various hospital disasters I have read about demonstrate that there isn't much a hacker can really do to hurt people. Nurses at the end of the day don't do stupid things and doctors aren't much worse.
No, hospitals are a stupid place to expend effort.
Hoist Number One and Number Six.
see — if doctors had just kept to their paper records, they couldnt be hacked..
lol
Which part of the ACA requires providers to store health info electronically? Are you perhaps referring to Meaningful Use as part of the American Recovery and Reinvestment Act of 2009? If so, that's hardly a requirement, although federal reimbursements may eventually be cut.
(sarcasm) "easy and fast access to medical information", why dont you just throw in inexpensive there while you are at it.(/sarcasm)
We are talking about the US private health care industry, right?
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
2015 could also be the year of the International Pick-up-sticks championship too.
What sensationalist garbage.
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
*yawn* Because paper records are sooper seekrit secure?
http://www.healthdatamanagemen...
http://www.ydr.com/local/ci_25...
http://www.hartfordbusiness.co...
http://www.fiercehealthcare.co...
Really? I am beginning to wonder why I still look at /. after seeing an article like that.
Yet another stupid move by the Obama administration, this time with its signature failure, Obamacare.
With the NSA and giant corporations getting hacked almost weekly, what chance is there for proper security and a small community hospital? Virtually none.
I work with smaller doctor offices and their EHR"s. Let me tell you that you all should be terrified with how they run most of their systems. I can't tell you how many docs keep simple passwords and tell their whole staff. Worst is if you get physical access to the office, it's plastered everywhere. Most have a basic setup with windows firewalls and cheap antivirus. None of that matters when the docs or their staff abuse their systems and go just about everywhere on the computers.. Basically, I am just waiting for the day when I come in and our offices are hacked. Hell many of them could have it happen and they wouldn't know unless they threw a virus on their way out.
It's not for credit cards, blackmail, or targeted advertising or any of that small potato stuff.
It's for filing fake claims to insurance companies and medicare.
This is already a 100 million dollar/year business.
Year 2015 will be the year of Linux on the desktop!!!!
Hospital IT pay is laughable. All of the money goes into doctors, facilities and fancy but mostly unnecessary equipment. Since you mostly get what you pay for, most hospital IT infrastructure is crap.
Hospitals aren't really the best place to find lots of healthcare information. I mean if you are tracking a celebrity that went into a specific hospital, that is one thing, but if you are datamining for lots of information, there exist larger repositories.
If you are not allowed to question your government then the government has answered your question.
Obviously, this author does not know the first fucking thing about hospital EMRs ;-)
Posting anonymously because job. I work in IT at a hospital.
I'm worried about the lax attitude towards security at my workplace. Don't get me wrong, we're serious about privacy. We follow all the HIPPA guidelines and have regular training about them. Any use of records not immediately related to care (research, billing) requires approval of an internal review board. Nothing identifiable leaves the organization (unless it's transfering your records to your new doctor). There's severe criminal penalties for misuse of records. What we do is logged and monitored. We're absolutely serious about making sure no one here misuses your data. You are safe from us invading your privacy.
But it's like it never occurs to them that malicious people from outside the organization might want to do something nasty. People can use personal devices to access work resources. Access to critical systems is a remote desktop session away, with handy "remember my password" boxes pre-checked. There is no two-factor authentication. Security training ends at "don't share your password" and "don't click strange links/files in email." There's no awareness of the threat and there's nothing I can do about it. And nothing I've seen at other facilities makes me think we're alone. So, yeah, I'm worried.
He won't have to carry around that fake one anymore.
2015 may be year the cubs win and after that the grid may come down.
dey even be haxxorin ur pillz nao
.. we have HIPAA. /s
You have a small practice and you get the system meant for a large hospital.
That's typically because they work closely with a particular hospital and desire compatibility with the hospital's EMR system. Not always but often.
There are a lot of small EMR systems that are fast and easy to use, but doesn't cover everything under the sun.
And there are many that cannot exchange records with other systems which defeats 99% of the purpose of having an EMR system in the first place. Just because it is smaller doesn't make it necessarily a better fit. Granted, many of them don't really examine the options closely enough but it would be pretty easy to get siloed into a small package that doesn't really fit the practice.
They start shopping with a fixed price in their head... Often buying not on features but the one closest to the price.,
That's generally because they have a finite budget for the EMR system and they know they are probably going to take a bath on it financially for several years at best. EMR systems are VERY expensive. Just because a different system would fit their needs better doesn't mean they can necessarily afford it.
Once you get the data digital, there is so much more you can do with the data. Statistical Analysis on effectiveness of procedures. Being able to request and get back results electronically, getting alerts from the hospital. etc....
I think you greatly overestimate the amount of time available to a typical practice to do such things like statistical analysis. I think you also overestimate how compatible EMR systems are with each other. Unless you happen to use the same system from the same vendor as the place you are exchanging records with you probably are out of luck doing it electronically.
I take the "stay healthy" route.
Oh is that all there is to it? If those darn cancer patients would just "stay healthy" then they wouldn't have to deal with those pesky doctors. Why didn't anyone else think of that?
Seriously, they're about me. They should give me full and complete access to them, I should have control over them.
They are NOT solely about you. They are about the actions taken to treat you. They are business records in addition to being health records and as such you should have some amount of of access but a practice would be insane to give you full control of them. You certainly should not have the right to modify medical records or delete them. You should not have the right to withhold the records from the practice in the event of the dispute. The practice is required by law to keep them stored safely for a number of years (in general) after you have been treated. You have no such legal requirement. In many countries the medical records are explicitly the property of the health service and not yours in any way.
Yet...it's like pulling teeth to get records of my tooth extraction.
It's generally not all that hard to get copies of medical records, particularly if you as at the time of service. Some places are more cooperative than others but it's doable.
What was the name of this source and what was the name of the computer facility where this breach occurred? ref
Anybody who thinks hospitals are an unlikely target should come to work with me tomorrow. We've had three attacks in the last month, and we're still cleaning up from the one that hit right before Christmas. It's apparently really nasty, something that none of the security firms they've contacted have seen before.
Uhhh, that same text basically gives them the right to deny any request you have to amend anything. In particular:
"A covered entity may deny an individual's request for amendment, if it determines that the protected health information... is accurate and complete."
Translation, if they say the record is good, then you have no right to amend it. Guess what they're going to say if you request to amend your record?
In the United States HIPAA explicitly 'gives' you this right
Apparently you didn't bother to read your link. It gives the right to request an amendment in 164.526 (a) (1) but immediately below in 164.526 (a) (2) it explicitly gives health care providers the right to deny the amendment for very broad reasons. Like I said, a health care provider would be insane to permit unrestricted control of health records to patients. They are NOT your records exclusively. They are health records but also business records, legal records and sometimes financial records. Do you have any idea of the amount of fraud that would occur if patients had unrestricted control of their medical record? You are not the only party with a protected interest in the handling of those documents and I wouldn't expect them to relinquish control of the documents without a court order.
Thats just bullshit.
Meaningful Use is NOT a requirement. It is NOT Obamacare.
It is an incentive that actually gives money to organizations to help them implement EHR infrastructure.
In order to qualify, and to make sure that money is NOT WASTED, there are a number of requirements that must be met. Stage 1 MU is bone-headedly simple, and Stage 2 is pretty straight-forward. Stage 3 is not even written yet, but is likely to include reporting to show how it affects patient outcomes.
The idea of it all is to actively manage your patient population and to use analytics to improve patient outcomes. -And by doing so, you can actually reduce the total cost of healthcare.
The problems are 1: blood-sucking EHR vendors that charge millions and provide crap products. 2: dumbass healthcare administrators who are so involved with political back-stabbing that they totally fail to even attempt to get the free money available from MU
I've worked for a number of healthcare organizations over the last 10 years, and I've seen organizations both large and small not only succeed in MU funding, but thrive as well. (I've also witnessed others utterly fail)
I'm lucky to be part of one of the good organizations right now. yay!
oldhack: "Security is a waste of money until shit hits the fan. 5 minutes later, it becomes waste of money again. "
North Korea, or disgruntled former employees?
Star Trek transporters are just 3d printers.