2015 Could Be the Year of the Hospital Hack

schwit1 writes After Obamacare required hospitals to convert all health records into electronic files, those records are now very vulnerable, and experts expect hackers to target them in the coming years. From the article: "Along with vast troves of credit card information and celebrity snapshots, hackers stole a record number of medical records from U.S. health-care facilities this year. In 2015, attacks targeting health data will become even more common, according to security researchers....The cause of the uptick isn't hard to diagnose. Medical organizations across the world are switching to electronic medical records, and computer security is not always a high enough priority during the process, says Leonard. Besides that, he says, easy and fast access to medical information often trumps security."

Oh, I wouldn't worry about it.

[ColdWetDog]

EHRs in general are so fucked up that even legitimate users can't figure out what the hell is going on most times.

I tell you what guys. If you do manage to hack into a bunch of systems, could you gin up some code that allows you to get the information out of all of them and put them in one useable place? Despite millions of dollars and countless lines of code, the vendors have yet to make that happen.

Re:Oh, I wouldn't worry about it.

Yes, this.

If I travel to a different state, some random hospital should be able to pull up my record with my consent (or without it in an emergency). It doesn't matter if it is 'in network' or using the right 3rd party vendor software.

Re:Oh, I wouldn't worry about it.

[BreakBad]

(M)illions? Maybe two keys to the left.

I wonder if it would be cheaper to eliminate EHR's and just let patients make up their medical history every visit.

Re:Oh, I wouldn't worry about it.

[laurencetux]

of course some of the problem is at the receptionists desk. Some of the local medical places will ask you for First name Last name and Birthday to try to find your record(s) but if you happen to have somebody with the same First Last and Birthday they may or may not bother to ask you for any other info. I have had a time getting seperated from the other guy (he is Edward i am Laurence). If it is supported by your E-Records system grab a copy of your "Lucy" record and have that one you (does anybody sell a flash drive cheaply that would be recognized by say an EMT??).

Re:Oh, I wouldn't worry about it.

I work at a healthcare related IT company and it's often hard enough to connect a bunch of systems together, making security not a top priority.
Most of the time it goes like this: "Let's just make sure it works and we can do security stuff like enabling SSL and protecting web services with WS-Security later". And obviously, that "later" never actually happens.

Re:Oh, I wouldn't worry about it.

[ColdWetDog]

I work at a healthcare related IT company and it's often hard enough to connect a bunch of systems together, making security not a top priority.
Most of the time it goes like this: "Let's just make sure it works and we can do security stuff like enabling SSL and protecting web services with WS-Security later". And obviously, that "later" never actually happens.

This. Right now with the big mandated roll out, vendors are scrambling to meet Meaningful Use (also known as Meaningless Abuse) criteria. This entertaining government mandate, like most government mandates is an overly complex, ever changing, voluminous coding horror.

The major security focus seems to be 'nothing works, nobody can get anything out of the system' - it's secure by definition.

Re:Oh, I wouldn't worry about it.

[FatdogHaiku]

EHRs in general are so fucked up that even legitimate users can't figure out what the hell is going on most times.

I tell you what guys. If you do manage to hack into a bunch of systems, could you gin up some code that allows you to get the information out of all of them and put them in one useable place? Despite millions of dollars and countless lines of code, the vendors have yet to make that happen.

One of my own medical care providers completed the transition not long ago. I notice someone doing a zoom (reverse pinch) on one of my lab results and realized they were looking at an image of a printed page. At first I thought this was nuts as an image would have to be converted and OCRed to be machine readable. But now, I can see that stealing a bunch of images that you must read by eye or OCR is a lot less useful than nice regexp-able data. "Hey, we stole 300,000 medical files... all TIFFS" does not seem like hacker heaven to me... and that would be assuming they were not some proprietary, encrypted image file type.

I also noted that they transmit the images via FAX, not plain old internet. When dealing with a pharmacy they seem to actually FAX via POTS, I don't know about the procedure between providers.

I have to wonder if this is an attempt to make the information portable and shareable while trying to reduce it's attractiveness to outside parties...

Re:Oh, I wouldn't worry about it.

[jellomizer]

You sound like an MD.

Often the choice of the EMR isn't a rational choice, they put more thought into getting a new car then their EMR, even though it may cost more.

Mistakes.
1. Wrong Size. You have a small practice and you get the system meant for a large hospital. Because you figure you deserve the best. It would be like everyone buying a Mac Truck for their daily car needs, just because they may need that in the future. There are a lot of small EMR systems that are fast and easy to use, but doesn't cover everything under the sun.

2. Unwilling to change your workflow. I have seen too many doctors use their EMR systems and populate information at the end of the day. While they were meant to be used on a Laptop or tablet in Real Time. Once you get the software most people can navigate rather quickly.

3. Fixed Price in your head. They start shopping with a fixed price in their head... Often buying not on features but the one closest to the price.

4. Lack of imagination. Once you get the data digital, there is so much more you can do with the data. Statistical Analysis on effectiveness of procedures. Being able to request and get back results electronically, getting alerts from the hospital. etc....

Re:Oh, I wouldn't worry about it.

Don't apologize for the EMR vendors and stereotype physicians. I have seen EMR deployed in a medium sized hospital that had race conditions that caused the patient's meds order to be doubled. I actually witnessed this happen myself while observing a doc submit their orders. In case you aren't aware, this type of bug could have fatal outcomes for patients.

I have also seen a PACS where the vendor-managed system would run out of disk space and make it so no radiologist could login... and the entire hospital was now on digital imaging. Maybe you would like to be admitted to a hospital ER where no one can read your CT scans, but as for me, "no thanks". I also liked that this vendor would push out software upgrades overnight with no notice and no published changelog.

So, don't simply presume docs are luddites and your EMR is a panacea if we could only see how wonderful it is. EMR *might* be a ney gain if it were coded more like avionics rather than a ramshackle clusterfuck from a dev team who has never heard of unit testing, much less a test-driven development SDLC.

Re:Oh, I wouldn't worry about it.

[Kjella]

The least common denominator is the print button, it might not have any interoperability but there'll be no security by obscurity. In the hospital, you're likely to run into three kinds of systems:

1) The patient administration system (PAS) which keeps track of all the logistics like scheduling appointments, staff lists, equipment, operating rooms, cleaning of rooms and all that. It's somewhat related to the journal in the sense that when you've seen the doctor there should be journal entry for it, but for a major hospital it's also many other things. It might be integrated in the EPJ, but it might also be its own system.

2) The electronic patient journal (EPJ) which is pretty much all about record keeping but when it comes down to it is all about text. Any structured information is supposed to be supported by the text entries, in fact in the US I heard there are professional medical coders that do it so the doctor just writes the journal text. Here it's mostly the doctor itself, but those rules can get quite complicated if there's multi-trauma or symptoms of underlying conditions or complications of procedures that are typically coded differently from "simple" code lookups. Your discharge report is typically also stored here.

3) All the actual medical systems, of which there are typically thousands in a large hospital and they all keep changing all the time to support advances in medicine. The bulk of your electronic health data never leaves these systems. They have to support the record keeping requirements, but that basically just means adding auditing to the field along with the field itself. There's no requirement that they should be able to dump this data out in any format and if it were you'd end up with a hilariously huge specification that would change daily with elements like <x-$company-$product-$major-$minor-$revision> elements doing database to xml dumps.

There are lots of isolated attempts to standardize certain bits and pieces, like for example electronic referrals, prescriptions, lab requests, sending of x-ray images and to add more structured data, but they're much more limited in scope and you can certify compliance. Exporting the whole EPJ and importing it somewhere else is a huge beast. Also it's not entirely certain you'd want that. Say you have been to the hospital for an ugly STD and later for an eye infection. They want to send you to an eye specialist, does the whole journal go? Should your general practicioner have a huge hospital system? There's a lot of issues to be resolved with regards to a "global" journal.

One of the more difficult aspects is that at least here today the journal is not entirely yours. For psychiatric patients or where the doctor suspects child abuse, domestic violence or is speculating into possible conditions to check for the doctor can make private notes that are only available to themselves, not the patient itself. It has its uses but if everything flows freely it could also become a gossip column which is not the intent. The journal is also the doctor's working tool, you don't want him to start keeping a shadow system because by default the system is on broadcast. By far most doctors take their job very seriously and are just trying to help.

Re:Oh, I wouldn't worry about it.

[ColdWetDog]

Oh, I am an MD and one who has been dealing with EHRs for decades.

Unfortunately, you are partially correct. The C-level folks were told that the EHR wouldn't do what the salespeople said - even if it was tailored to a small hospital. Acutally, nobody buys stuff above their weight, it's just too damned expensive. What is commonly done is a small hospital merges with a bigger one or comes to some agreement to slave onto a big system. That can be done successfully but, as you point out, you may be using a Mack truck to delivery groceries. Done correctly, it does impress....

Workflow always changes with EHRs. The problem with a lot of them is that the workflows make no clinical sense. We still have to treat patients. Especially the cheaper ones who don't spend a lot (or any) time thinking about the user interface. Most of them look like Visual Basic programs from the 1990's. Hell, our vendor can't even be bothered to get the tab order correct. This is a common complaint. Especially with the nonsensical federal regulations even simple things like admitting a patient get convoluted and weird. Lots of EHRs just don't have the flexibility to incorporate completely illogical processes.

Fixed price? Well, even the PHBs know that isn't going to happen. The problem is that if (when) there are serious overruns, a small institution just can't spend that money. It doesn't have the capital resources. There are a number of rural hospitals that are going under because of the mandated EHR. Our employee costs doubled for 18 months trying to shoehorn the stupid thing in. That was partly a fault of the vendor, partly our fault for not streamlining work flows before the EHR, but that is a very hard thing to get any system to do. I argued for years to get our acts together but that would have taken more money and more time, things smaller hospitals don't have much of. (The theme here is that there is an enormous gap between financial health of the bigger systems and the smaller outlying hospitals. This is due to the bizarre way we bill for things in the US - you get lots more money for doing something instead of keeping a patient from needing that something. To do much these days takes a big system - think cath labs, MRIs, lots of specialty teams on call 24/7 - think money and lots of it.)

Imagination doesn't seem to be an issue. I imagine that our EHRs programming and management staff is suspended over a pool of molten iron as we speak.

Re:Oh, I wouldn't worry about it.

[ColdWetDog]

EMR *might* be a ney (sic) gain if it were coded more like avionics rather than a ramshackle clusterfuck from a dev team who has never heard of unit testing, much less a test-driven development SDLC.

This. Very much this. I'm not much of a programmer, but I've never written code as bad as I've seen in our EHR. I know how to set up SQL tables more sensibly than our vendor does and I damn sure know more about CSS than our vendor. And that is very scary.

Re:Oh, I wouldn't worry about it.

[robot5x]

OFFTOPIC

@ColdWetDog, I'm writing a thesis currently on Health IT interoperability (I'm in NZ but what I can tell is these problems persist across vastly differing policy/funding environments). Would be interested in getting your thoughts on the topic from the real world perspective of a health practitioner. It's been tricky 'recruiting' clinical people with appropriate technical expertise to comment on what the barriers are. I do have some US/Canadian people lined up already - only one is a currently practicing doc though.

Re:Oh, I wouldn't worry about it.

[jandersen]

EHRs in general are so fucked up that even legitimate users can't figure out what the hell is going on most times

OTOH, there are examples that work, and have done so for a long time. Some 30 years ago or so, I worked for the Danish Sygehusdatacenter - a long word that means EHR, broadly speaking (very broadly: 'Hospital Data Centre', actually). All GPs and all hospitals had to use this system, which ran on an IBM mainframe with a huge number of 3270 terminals connected across the country. It worked remarkably well, because 1) Danish health care is NOT provided by a large number of private companies with no interest in cooperation, and 2) the system was relatively simple. There were occasional problems, like when one developer printed his largish COBOL program and the usual default printer wasn't available; instead of waiting in a queue until it came back, it was automatically sent on to the next available printer, which turned out to print small metal tags for attaching to patients' beds in a provincial hospital 200 km away. They made amazing souvenirs - I still have one.

Re:Oh, I wouldn't worry about it.

[uslurper]

ColdWetDog: good insight. As you said, smaller organizations have a difficult time implementing EHR systems. But much of that is because they dont have good communication between their clinical staff and their technical staff. The IT staff usually has little clinical background, and gets left out of discussions where they really need to be included.

  In a large organization, often times the IT staff has a clinical background as well, such as former nurses, etc.

-As a side note, how is an organization supposed to make an informed desicion about an EHR vendor?

Vendor 1: We do everything! Watch our slick presentation! See how easy it is!
Vendor 2: We do everything! Watch our slick presentation! See how easy it is!
Vendor 3: We do everything! Watch our slick presentation! See how easy it is!

What they dont tell you is that the large vendors have been around for a long time have a bunch of ancient, bloated, buggy code. (Epic, Cerner)

Re: Oh, I wouldn't worry about it.

[s0nicfreak]

I'm guessing you don't travel much.

Re: Oh, I wouldn't worry about it.

[scrote-ma-hote]

I'm a kiwi Doc who might fit your Bill if you need more of us?

Re: Oh, I wouldn't worry about it.

[robot5x]

thanks! Very grateful for your offer. Will you be happy to get in touch at my email above?

No

[koan]

easy and fast access to medical information often trumps security."

That's the attitude of a lot of corporations, and that's why there is so much successful hacking going on.

Re:No

[nbauman]

easy and fast access to medical information often trumps security."

That's the attitude of a lot of corporations, and that's why there is so much successful hacking going on.

In a medical situation, that might be the right decision. If your patient turns up unconscious in the ER at 2am, or if you're covering for your partner and his patient turns up unconscious in the ER at 2am, easy and fast access might trump security.

There was a study a few years ago in which a hospital tried an electronic records system in a pediatric ICU, and the death rate went up. The system was too hard to use. Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.

I don't think there's a practicing pediatrician in the country who would let a patient die in order to improve security.

Re:No

[koan]

I don't see why they can't have both.

Hospitals and doctors already have access to records, however the systems holding the records are the target.

So why can't those systems be secure and available?

There was a study a few years ago in which a hospital tried an electronic records system in a pediatric ICU, and the death rate went up. The system was too hard to use. Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.

Yeah I don't buy that at all, and you give no link to back up your claim.
I worked in a hospital that had an electronic records system and a computer in each room, but the drugs for the patients were also listed in a book at the nurses station.
And each nurse/doctor knew what thier patients needed, most certainly in an ICU.
Especially this part

Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.

Sounds like bullshit to me.

Re:No

[nbauman]

I don't see why they can't have both.

Hospitals and doctors already have access to records, however the systems holding the records are the target.

So why can't those systems be secure and available?

There was a study a few years ago in which a hospital tried an electronic records system in a pediatric ICU, and the death rate went up. The system was too hard to use. Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.

Yeah I don't buy that at all, and you give no link to back up your claim.
I worked in a hospital that had an electronic records system and a computer in each room, but the drugs for the patients were also listed in a book at the nurses station.
And each nurse/doctor knew what thier patients needed, most certainly in an ICU.
Especially this part

Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.

Sounds like bullshit to me.

It's a frequently-cited study. The message is, you can't just throw computers at something and make it better.

Let's see what somebody could find with a Google search, if they weren't so lazy:

At Children’s Hospital of Pittsburgh, mortality rates increased after the implementation of an electronic records system from Cerner in 2002, according to a study published in 2005 in the journal Pediatrics.

During the 18 months examined, the mortality rate increased to 6.6 percent in the five months after the system was installed, from 2.8 percent in the 13 months before, according to the study.

Delays in treating patients may have contributed to the deaths, the researchers said. Those delays were caused by several issues, including the number of clicks required to submit prescription orders and by restrictions imposed by the software on when doctors could order medications for incoming patients.

Re:No

[koan]

First lets go back and look at the original premise.

easy and fast access to medical information often trumps security."

I think you can have both.

The hospital I worked at had a book at the nurses desk with all the orders for each patient from the doctor, as well as the drugs, whatever set up you're talking about about has nothing to do with security or the system, it has to do with human error as you would never rely solely on an electronic system in a hospital, if they are they are batshit crazy.

So to take the example given.
http://www.bloomberg.com/news/...

That is a one off, not a system wide thing, just read it and see they use the words "may have" quite a bit.
This:

No, it's not, at least for inpatients. Some hospitals require that all orders be entered electronically unless the entire system is down. Try getting a verbal or handwritten order entered at the VA, even in the midst of a crisis. Even if you're not physically in the hospital.

Has nothing to do with what we were talking about.

I wrote all this out once and it's gone now, I sure hope it was a submission error on my part, hate to think someone deleted a post.

Re:No

[koan]

Oh and just because they want the stuff entered in electronically doesn't mean they don't have the paper, it has to go somewhere prior to going on the computer.

And the VA is a dinosaur, and an ineffectual one at that, one of my relatives works there and frequently complains about it.

We were talking main stream health care, not dark ages.

this isnt an "obamacare" thing.

[nimbius]

electronic medical records were basically mandated by insurance companies and hospital executives in an effort to reduce overhead in paper, postage, and ancillary staff related to records processing. If you've never heard of companies like ACS, its hard to imagine a workforce of almost 3000 people standing over banks of scanners, feeding paper records into a hopper, for $9 an hour in 3 shifts. Electronic medical records would have been a thing with or without the ACA. Mandating them was just icing to get insurance companies to go along with the act.

what we at slashdot can agree on is that, ostensibly, this should mean an increase in IT staff. qualified professional network and systems administrators to secure and protect patient data. But thats not mandated in the ACA, and anyone working in IT for a hospital can attest wages are stagnant. But you can expect obama to be a lightning rod for shit like this because thanks to a fervent neoconservative effort most people cant even remember the Affordable Care Act. All they hear is "Obamacare"

Re:this isnt an "obamacare" thing.

[ColdWetDog]

That was certainly a part of it. The funny thing is that the insurers are the ones having the hardest time getting their electronic acts together. They invariably use gargantuan legacy systems, coded originally on punch cards and even changing the number of fields in a form requires thousands of programmer-years.

The other big push was by a weird combination of politicians latching on to anything that could possibly save money (ohhh! Shiny!) and big system / big vendors realizing that they were sitting pretty to gobble up lots of smaller systems that simply didn't have the capital to compete. EHRs are very, very expensive and time consuming. Once integrated into large systems, they do improve workflows and likely pay back the investment. For smaller hospitals, not so much.

The key in American medicine is to gobble up all of the patients with economically viable diseases. Mostly heart disease, orthopedics and cancer. The rest of the population is just a loss leader. So you need lots and lots of procedures^Hpatients to make your nut.

Re:this isnt an "obamacare" thing.

[michael_cain]

Medical practices, especially small practices, who haven't followed the changes to HIPAA that have occurred outside of the context of the ACA, will be in for a rude surprise if they're sloppy enough about their security practices ("willfully negligent") and have a breach. The civil fines have gotten much higher, are easier to impose, and it's much harder for the medical practice to hide behind service companies.

Re:this isnt an "obamacare" thing.

[Attila+Dimedici]

Yes, EMR was a "thing" before it was mandated by law. The key difference was/is that without the government mandate it would have happened as medical care providers found it economically valuable. That is, they would have seen value in making the transition and would have been invested in making the change. Instead we have a system where they have to do it and do not see the value in doing so. This means that instead of something which they see as being a way to improve either their bottom line, or improve patient care, or otherwise something of value to themselves, they see it as an imposition.

Re:this isnt an "obamacare" thing.

[Lunix+Nutcase]

The key difference was/is that without the government mandate it would have happened as medical care providers found it economically valuable.

Translation: Never.

Re:this isnt an "obamacare" thing.

[Attila+Dimedici]

That is not true. There were medical care providers who were making the transition to EMR. The problem was that not enough were making the transition as fast as the companies which had decided to make a business out of transitioning them to EMR had anticipated. Since the people who had invested in these companies based on that anticipated rate of transition were politically connected the government was used to speed up the transition.

Re:this isnt an "obamacare" thing.

[Enry]

The Department of Veterans Affairs has had EMRs for close to 50 years. AFAIK, there have been no major incidents with this. So, not only can the government do something well,they can also do with with a reasonable level of security.

Re:this isnt an "obamacare" thing.

[nbauman]

electronic medical records were basically mandated by insurance companies and hospital executives in an effort to reduce overhead in paper, postage, and ancillary staff related to records processing.

And as I understand it, they were designed for the convenience of the insurance companies, with the primary task of billing, and handling the other information, like patient administration and clinical data was retrofitted later.

So if you went through the list of insurance company requirements, you'd have it all. If you went through the list of doctors' requirements, not so much.

Re:this isnt an "obamacare" thing.

[swedoc]

This is actually interresting. EMR systems should not be that complex. The base system is just text data, in chronological order that never (should) change. I'm visioning kind of a CVS system for a cover sheet for ease of use (latest record always complete but all changes traceable) but all notes accessible. Lab data is just numbers. X-ray data is more complicated but for that there is separate good systems, for instance Sectra. Also, most doctors do not need to see the actual x-rays, they only need the answer from the radiologist. This is basicly just a referral and can be handled the same way. Of course it is possible to make the systems do more, but the basic core should be there first. Easy to use. In standardised database format accessible through different frontends if need be (or competition rules mandate). Please oh please just get the basic bit right. Then it's okay to bolt on time booking, payment processing and other stuff that I don't care about or want to see as a clinician. Yes, I am a doctor. Anaesthesiologist. Also, I like programming.

Re:this isnt an "obamacare" thing.

[dogbowl]

This is true. Compared to other systems, the VISTA system operates very well for physicians at VA hospitals.

Its also open sourced -- so why don't the other EHR take advantage of that??

Re:this isnt an "obamacare" thing.

[demonlapin]

Because VistA is a pain to implement and maintain. Not every hospital has the IT resources of the federal government available. And it's not that easy to use.

Re:this isnt an "obamacare" thing.

[Enry]

It's not open source, it's public domain. When you run it in a hospital, you need to have support for the software you're using. You also need to have the same hardware and software configurations that are supported. For a small hospital that can be pretty expensive to do. I know that my local hospital is using VISTA at least in phlebotomy, maybe other areas.

Re:this isnt an "obamacare" thing.

[Attila+Dimedici]

No, Sony is getting right on securing PSN as soon as it is economically rewarding to do so. Medical care providers on the other hand have a wide spectrum of motivations. While all of them are motivated to some degree or another by economic self-interest (as is every one else), the primary motivation varies widely. Some are primarily motivated by what they believe is best for their patients. Some are primarily motivated by ego, they want to be seen as great care givers (or other aspect of the field). And some of them are motivated primarily by greed.
Besides that, the interest in technology mirrors the educated populace in general. Some are early adopters, some are even computer geeks. And some intensely dislike computers.

Re:Cash Doctors

[ColdWetDog]

In fact my medical records folder comes home with me from my visits and does not even physically stay in his office.

No, it doesn't. At least in the US, the original stays in the office. You might get a copy but even here in Nuttville we're not crazy enough to let the patient have the canonical record.

Besides, you do realize that your pharmacy sells your prescription information to mining companies and that the states typically monitor any restricted drug with a system of your own?

The only way to stay perfectly anonymous is to get care out of the country or stay healthy.

It wasn't obamacare, it was the ARRA

[anjrober]

Obamacare or ACA did not mandate the use of EHR. This was in legislation long before ACA, it was part of the American Recovery and Reinvestment Act (ARRA). It was specifically called Meaningful Use. it mandates a series of electronic use requirements over three phases with initially payments for use and later penalties by CMS. The vast majority of MU certified vendors were producing EHRs long before ARRA and have reasonable security in place. Clearly though some vendors, and hospitals need some shoring up though.

Re:It wasn't obamacare, it was the ARRA

[ColdWetDog]

EHRs might have 'reasonable' security in place, but, as we know, security isn't a thing, it's a process. And all too often, to get the damn EHR to work with the lab system, the radiology system, the billing system and bog-knows-what-else, the 'security' bits get compromised.

And then there are the users. I just LOVE typing in my user name and password one hundred times during the day. Yes, we could go single sign on. For another 100K and a bunch of other IT problems. No, we don't have that 100K. So no single sign on.

The only saving grace is that, as has been pointed out, there is little to be gained to brute forcing large numbers of medical records. Unless you live in Hollywood or DC or some place where your ratio of high value targets to plebs gets sort of reasonable, it's not going to be very lucrative. Nobody cares about your herpes.

Re:It wasn't obamacare, it was the ARRA

[anjrober]

i agree with all of your points.
connecting your EHR to your lab system, to your HIE, to your practice systems, etc is a mess. HL7 stinks. So things do indeed get missed.
of course, with deliberate, thoughtful deployments, these are solvable problems. it takes time and patience.

and don't get me started on end users. :-) but i do believe they are trying, they are busy, and they didn't go to medical school to deal with systems, but to help people.

Hospitals are a stupid target

[Stargoat]

Hospitals are a pretty stupid target in comparison to banks, physical retail environments, and online stores. A hospital DB might contain a social security number, addresses, illnesses, and birthdate. So what?

If you can get into a bank, you get money account info, credit scores, security tips, former trades, credit cards, all sorts of good stuff. If you get into a retail environment or online store, it's almost as good. Basically, you get money to spend. In a hospital though, the only unique thing you find out is if someone is sick and with what. That's a pain in the ass to work with. You can try to get more info from all that PII, but again, it's a pain in the ass and available elsewhere. Other stuff is more lucrative for the investment of time, criminal risk, and energy.

If you were a terrorist, a hospital might be a bit more interesting, but the various hospital disasters I have read about demonstrate that there isn't much a hacker can really do to hurt people. Nurses at the end of the day don't do stupid things and doctors aren't much worse.

No, hospitals are a stupid place to expend effort.

Re:Hospitals are a stupid target

[djdanlib]

Coming soon to headlines near you:

The number of STDs this celebrity has will shock you! Now with the names of the partners they got it from!

You'll never guess who has herpes! Online dating, now with health background checks (including identifiable previous partners) on each potential match.

Parents, find out if your grown children have had a pregnancy test with this one tool.

Media leaks from the hack suggest that my opponent has mental health issues, so clearly you should vote for me instead.

Sorry, we can't hire you. HR investigation pulled up your medical records and told us to invent a reason not to hire you, because they think with your conditions you will be taking a lot of medical leave.

Re:Hospitals are a stupid target

There is a lot more than that there:

1: Hacking isn't just downloading a lord-king-God XML file with everyone's info in it. Part of hacking is altering and destroying data. Now, picture the fallout if a celeb's medical records get changed from "fatal allergic to Prozium" to "pump this sucka full of Prozium if he comes in, to stabilize him." Very trivial modification, and would only take a single UPDATE statement at the DB level to do so. The fallout would be a dead celeb [1], then a knee-jerk Congress passing thousand-page "anti-cyber-terrorism" laws that they have not read.

2: The good ol' fraternal (not identical) twins of extortion and blackmail. Medical records can be a treasure trove, and going through them is a great place to start trying to find dirt on someone... dirt that can be handed to a prosecutor who needs the conviction for his record.

3: Just wanton screwing around with medical records. If someone took a million records and just changed stuff like what meds people were allergic to and what conditions they have, it would render the whole database poisoned. Doing that, a hacker could utterly destroy and shutter a hospital, and wherever the tainted medical records went to. Of course, just the threat of this will get payouts in the tens of millions. Remember, it just takes one zero in a medicine dose to go from therapeutic to lethal in a lot of cases.

Don't fall into the trap that "hackers just want to slurp up data", that a lot of businesses are lulled into, just like the mantra, "security has no ROI". The bad guys can use UPDATE, and DELETE, just as they can the SELECT statement. It might take a little bit more, but the consequences of this would permanently close most medical institutions for good.

[1]: Here in the US, celebrities have as much power as Saudi princes do in KSA soil.

Re:Hospitals are a stupid target

[Lunix+Nutcase]

3: Just wanton screwing around with medical records. If someone took a million records and just changed stuff like what meds people were allergic to and what conditions they have, it would render the whole database poisoned. Doing that, a hacker could utterly destroy and shutter a hospital, and wherever the tainted medical records went to. Of course, just the threat of this will get payouts in the tens of millions. Remember, it just takes one zero in a medicine dose to go from therapeutic to lethal in a lot of cases.

You do realize that people can already do that with paper records as well right? There's also much less effort involved.

Re:Hospitals are a stupid target

[AchilleTalon]

Should be mod up. By far the most comprehensive description of the threat so far.

Re:Hospitals are a stupid target

The glut of credit card data on the market means that the going rate for credit card data on the black market right now is about $1/account. Contrast this to $10/health record. (http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924)

Why?

1) health records have excellent data to facilitate identity theft
2) banks have much more rigorous anti-fraud systems in place, and consumers know to check credit reports
3) Because of #2, fraudulent health insurance claims schemes are going to be able to make more money over a longer period of time
4) health records of federal employees or political figures provide excellent data for politically motivated attackers, including state-sponsored threat operators acting as part of, or on behalf of a foreign intelligence service, who would use this information for blackmail/extortion, or to influence the outcome of an election.

I am an infosec guy at a large health insurance company, and these (among other things) are the sorts of motivations that we are concerned with, which is why I am posting anonymously. However, I will say that in order to adequately defend any asset, you have to have a circumspect view of the value of that data to an adversary. Some things are worth more than others to different people. Recognizing that fact is an important step in developing a proper defensive strategy. If I were you I would not so quickly write something off just because I didn't immediately see the value in it myself. Just sayin'.

Re:Hospitals are a stupid target

[Voyager529]

If you can get into a bank, you get money account info, credit scores, security tips, former trades, credit cards, all sorts of good stuff. If you get into a retail environment or online store, it's almost as good. Basically, you get money to spend.

Yes, but banking breaches/CC Fraud is so common, that the two times it's happened to me, it's been "an errand" - pick up my dry cleaning, get a haircut, cancel my debit card and submit a fraud form, get drinks for company tonight, put some gas in the car. It's that prevalent that it's a well-trodden path, with laws, protections, procedures, canned forms, and an express line to get it squared away. Medical record fraud is a much more difficult problem. You don't need your particular credit card number. You DO need your particular medical file. An SSN change is its own LENGTHY process, as all the rest of your ID cards also need to be changed as well. I don't even know how that works with regards to actually receiving Social Security, either.

In a hospital though, the only unique thing you find out is if someone is sick and with what. That's a pain in the ass to work with.

Pardon my lack of SQL syntax, but...

SELECT * FROM patient_address WHERE current_prescriptions Contains "Oxycodone" OR "Percocet" AND WHERE area_code EQUALS "212" OR "914".

You now have a comprehensive list of houses to rob in Manhattan where you can get prescription painkillers. Simple B&E, and you've got bottles that can be sold on the street at $40/pill. Or, introduce a middle man - find a drug dealer who will pay a couple grand for a list like that, and make a few grand for sending an e-mail. Send that list - or subsets of it - to 50 different drug dealers, and you've got a year's salary in an afternoon.

the various hospital disasters I have read about demonstrate that there isn't much a hacker can really do to hurt people. Nurses at the end of the day don't do stupid things and doctors aren't much worse.

No, hospitals are a stupid place to expend effort.

If literally nothing else, call the owner of the hospital and blackmail him/her that if they don't deposit a million dollars into your offshore account in the Cayman Islands, that list will end up on Pastebin, and it would mean that the hospital would likely be litigated into oblivion and that person's life is over - WELL worth the million bucks to keep it quiet. For better or worse, we both lack creativity. I'm sure that if I were to spend an actual afternoon attempting to come up with nefarious ways to use data gleaned from a hospital, I could do better. The fact that such a list isn't actual bank account numbers doesn't mean that it's not worth real money to someone.

Re:Hospitals are a stupid target

[phantomfive]

A hospital DB might contain a social security number, addresses, illnesses, and birthdate. So what?

That's enough to apply for a credit card.

Re: Hospitals are a stupid target

[Kjella]

I'm thinking insurance fraud. Putting in claims for procedures not completed. Sure, doctors and staff can do it now, but with outside attackers it might become more likely.

Hospitals keep a very close track of their income, so I doubt it would be possible to bill a procedure without inside help. Even then it's a risky proposition because the liability for medical fraud may exceed the liability for economic fraud by far. Imagine if a doctor thought he'd had the procedure but he really didn't and the patient died, you might be looking at a million dollar malpractice lawsuit for a thousand dollar feigned procedure. I guess it could happen more with small add-on charges, but I doubt outright faking is very common.

Re:Hospitals are a stupid target

[Lunix+Nutcase]

No one is going to be modifying a million records at once anyway. If people are forging records it's going to be selected targets.

Re:Hospitals are a stupid target

[painandgreed]

Hospitals are a pretty stupid target in comparison to banks, physical retail environments, and online stores. A hospital DB might contain a social security number, addresses, illnesses, and birthdate. So what?

You're forgetting insurance information. Besides all the information you mentioned which is suitable to steal and identity, they can use the health records and insurance for fraud to either get drugs that might be allowed to the real patient or treatment or payment for costly procedures.

paper records less vulnerable to attack

[johnrpenner]

see — if doctors had just kept to their paper records, they couldnt be hacked..
lol

Re:paper records less vulnerable to attack

[Lunix+Nutcase]

Yeah, no one can possibly sneak in and steal paper records! Unpossible!

Re:paper records less vulnerable to attack

[Lunix+Nutcase]

So that's why there are dozens of stories about stolen paper records just in the last 5 years? And that's just what is caught and reported.

Re:I just want to own my own medical records.

[BarbaraHudson]

Seriously, they're about me. They should give me full and complete access to them, I should have control over them.

Yet...it's like pulling teeth to get records of my tooth extraction.

Gee, all I have to do to see my records is to ask. Same thing if I need an explanation. Then again, I'm in Kanuckistan, where we do things differently :-) Plus it helps that I've got great doctors.

Yeah, Right

[JoeCommodore]

(sarcasm) "easy and fast access to medical information", why dont you just throw in inexpensive there while you are at it.(/sarcasm)

We are talking about the US private health care industry, right?

Could be...

[MachineShedFred]

2015 could also be the year of the International Pick-up-sticks championship too.

What sensationalist garbage.

Lame

[Lunix+Nutcase]

*yawn* Because paper records are sooper seekrit secure?

http://www.healthdatamanagemen...
http://www.ydr.com/local/ci_25...
http://www.hartfordbusiness.co...
http://www.fiercehealthcare.co...

2015 could be the year of just about anything!

[mschaffer]

Really? I am beginning to wonder why I still look at /. after seeing an article like that.

Re:Cash Doctors

[ColdWetDog]

And the minute his malpractice carrier sees that, he will never be insured again.

You both may be big boys, but you're not lawyers. And lawyers trump big boys in this system.

Small doc offices as well

[sergentzimm]

I work with smaller doctor offices and their EHR"s. Let me tell you that you all should be terrified with how they run most of their systems. I can't tell you how many docs keep simple passwords and tell their whole staff. Worst is if you get physical access to the office, it's plastered everywhere. Most have a basic setup with windows firewalls and cheap antivirus. None of that matters when the docs or their staff abuse their systems and go just about everywhere on the computers.. Basically, I am just waiting for the day when I come in and our offices are hacked. Hell many of them could have it happen and they wouldn't know unless they threw a virus on their way out.

Re:Small doc offices as well

[Lunix+Nutcase]

If you have physical access to those same offices you could can easily steal their paper records. Most such offices have horrendous physical security.

During high school and college I worked in the medical records department of a mid-size hospital. It would have been trivially easy to tamper with or even photocopy and walk out with patient records.

Re:All electronic, really stupid....

[Lunix+Nutcase]

How exactly are paper records any more secure? I've gone into a number of clinics and doctor's offices were the only "security" of their medical records is an easily broken into cabinet.

Why does anyone want to hack medical records?

[clovis]

It's not for credit cards, blackmail, or targeted advertising or any of that small potato stuff.
It's for filing fake claims to insurance companies and medicare.
This is already a 100 million dollar/year business.

Re:Why does anyone want to hack medical records?

[Lunix+Nutcase]

http://www.reuters.com/article...

Re:Cash Doctors

[AchilleTalon]

How does this apply to people at large? People get sick, take drugs, may have accidents. The "stay healthy" path is not entirely under control of anyone. I don't know anyone who wants to be sick. Neverthless, people die of cancer, cardiovascular diseases, flu, and so on.

Hospital IT is an easy target

[tompaulco]

Hospital IT pay is laughable. All of the money goes into doctors, facilities and fancy but mostly unnecessary equipment. Since you mostly get what you pay for, most hospital IT infrastructure is crap.
Hospitals aren't really the best place to find lots of healthcare information. I mean if you are tracking a celebrity that went into a specific hospital, that is one thing, but if you are datamining for lots of information, there exist larger repositories.

easy and fast access to medical information

[sribe]

Obviously, this author does not know the first fucking thing about hospital EMRs ;-)

Re:easy and fast access to medical information

[Lunix+Nutcase]

Yeah if you want easy and fast access you'd just break in and steal the paper records. Or you can also just steal the paper records from an unlocked van.

Re:Cash Doctors

[sribe]

No, it doesn't. At least in the US, the original stays in the office. You might get a copy but even here in Nuttville we're not crazy enough to let the patient have the canonical record.

That would be entirely up to that doctor, and you have no reason whatsoever to doubt the accuracy of what he said.

Re:Cash Doctors

[Lunix+Nutcase]

That would be entirely up to that doctor

No, it's not. For example, the State of New Jersey requires that doctor's keep the original records.

Do I have a right to my medical records?
In most instances, the patient has a right to receive a copy of his or her medical records, not the original. Although most patients assume that the records belong to them, the Board requires that the physician to maintain the original to ensure that the patient’s medical history is available to any subsequent treating physician or health care provider. Copies may be given to the patient, another doctor, your attorney, your insurance company or another family member if the patient expressly authorizes it. If a patient is deceased, the duly appointed executor or administrator of the estate may obtain copies also. Medical records cannot be released to a spouse, family member (except in the case of a child), attorney or any other person unless the patient gives his/her express consent to release them to that specific person.

http://www.state.nj.us/lps/ca/...

So it's highly likely that if that situation is true that the doctors he is dealing with could be breaking the requirements of their medical license.

I work in IT at a hospital, and I'm worried

Posting anonymously because job. I work in IT at a hospital.

I'm worried about the lax attitude towards security at my workplace. Don't get me wrong, we're serious about privacy. We follow all the HIPPA guidelines and have regular training about them. Any use of records not immediately related to care (research, billing) requires approval of an internal review board. Nothing identifiable leaves the organization (unless it's transfering your records to your new doctor). There's severe criminal penalties for misuse of records. What we do is logged and monitored. We're absolutely serious about making sure no one here misuses your data. You are safe from us invading your privacy.

But it's like it never occurs to them that malicious people from outside the organization might want to do something nasty. People can use personal devices to access work resources. Access to critical systems is a remote desktop session away, with handy "remember my password" boxes pre-checked. There is no two-factor authentication. Security training ends at "don't share your password" and "don't click strange links/files in email." There's no awareness of the threat and there's nothing I can do about it. And nothing I've seen at other facilities makes me think we're alone. So, yeah, I'm worried.

Re:I work in IT at a hospital, and I'm worried

Posting anonymously because job. I work in IT at a hospital.

The place I work at takes security very seriously - lots of rules for passwords, screens locking after being idle, RSA tokens, etc - and it costs a lot to maintain. Which means we have to charge patients more than places which are lax, or else make a lower margin than they do. Which means we have less patients, which means less money, which means we have to charge patients even more, or else cut out services.

Re:I work in IT at a hospital, and I'm worried

[eli+pabst]

Posting anonymously because job. I work in IT at a hospital.

I'm worried about the lax attitude towards security at my workplace. Don't get me wrong, we're serious about privacy. We follow all the HIPPA guidelines and have regular training about them. Any use of records not immediately related to care (research, billing) requires approval of an internal review board. Nothing identifiable leaves the organization (unless it's transfering your records to your new doctor). There's severe criminal penalties for misuse of records. What we do is logged and monitored. We're absolutely serious about making sure no one here misuses your data. You are safe from us invading your privacy.

But it's like it never occurs to them that malicious people from outside the organization might want to do something nasty. People can use personal devices to access work resources. Access to critical systems is a remote desktop session away, with handy "remember my password" boxes pre-checked. There is no two-factor authentication. Security training ends at "don't share your password" and "don't click strange links/files in email." There's no awareness of the threat and there's nothing I can do about it. And nothing I've seen at other facilities makes me think we're alone. So, yeah, I'm worried.

I think it just varies from place to place. Typically once your institution has a significant breach where large numbers of medical records are leaked, they get a major wake-up call when the government hands them a massive fine for HIPAA violation. The last two medical centers I worked at had recent HIPAA smack downs and pretty soon after two-factor authentication was rolled out, USB drives were banned, and non-VPN remote access was dropped. Security was much better there than at academic research centers where it was pretty much the wild west and you could do whatever you like, with the only thing at risk was student records. I think the fact that there are some pretty substantial penalties being levied for HIPAA violations is providing incentive for anyone holding protected health information to get their act together, so it's just a matter of time if your employer is being lax.

Re:I work in IT at a hospital, and I'm worried

[uslurper]

See tagline...

Small practices aren't dumb

[sjbe]

You have a small practice and you get the system meant for a large hospital.

That's typically because they work closely with a particular hospital and desire compatibility with the hospital's EMR system. Not always but often.

There are a lot of small EMR systems that are fast and easy to use, but doesn't cover everything under the sun.

And there are many that cannot exchange records with other systems which defeats 99% of the purpose of having an EMR system in the first place. Just because it is smaller doesn't make it necessarily a better fit. Granted, many of them don't really examine the options closely enough but it would be pretty easy to get siloed into a small package that doesn't really fit the practice.

They start shopping with a fixed price in their head... Often buying not on features but the one closest to the price.,

That's generally because they have a finite budget for the EMR system and they know they are probably going to take a bath on it financially for several years at best. EMR systems are VERY expensive. Just because a different system would fit their needs better doesn't mean they can necessarily afford it.

Once you get the data digital, there is so much more you can do with the data. Statistical Analysis on effectiveness of procedures. Being able to request and get back results electronically, getting alerts from the hospital. etc....

I think you greatly overestimate the amount of time available to a typical practice to do such things like statistical analysis. I think you also overestimate how compatible EMR systems are with each other. Unless you happen to use the same system from the same vendor as the place you are exchanging records with you probably are out of luck doing it electronically.

Stay healthy?

[sjbe]

I take the "stay healthy" route.

Oh is that all there is to it? If those darn cancer patients would just "stay healthy" then they wouldn't have to deal with those pesky doctors. Why didn't anyone else think of that?

They are not just your records

[sjbe]

Seriously, they're about me. They should give me full and complete access to them, I should have control over them.

They are NOT solely about you. They are about the actions taken to treat you. They are business records in addition to being health records and as such you should have some amount of of access but a practice would be insane to give you full control of them. You certainly should not have the right to modify medical records or delete them. You should not have the right to withhold the records from the practice in the event of the dispute. The practice is required by law to keep them stored safely for a number of years (in general) after you have been treated. You have no such legal requirement. In many countries the medical records are explicitly the property of the health service and not yours in any way.

Yet...it's like pulling teeth to get records of my tooth extraction.

It's generally not all that hard to get copies of medical records, particularly if you as at the time of service. Some places are more cooperative than others but it's doable.

Re:They are not just your records

"You certainly should not have the right to modify medical records"

In the United States HIPAA explicitly 'gives' you this right at 45 CFR 164.526
http://www.gpo.gov/fdsys/pkg/CFR-2013-title45-vol1/xml/CFR-2013-title45-vol1-sec164-526.xml

Re:Cash Doctors

[Guy+Harris]

Besides, you do realize that your pharmacy sells your prescription information to mining companies

For the benefit of those who might wonder why companies such as Freeport-McMoRan would care that you picked up some Augmentin at the pharmacy, that's "data mining companies".

Re:All electronic, really stupid....

[Voyager529]

How exactly are paper records any more secure? I've gone into a number of clinics and doctor's offices were the only "security" of their medical records is an easily broken into cabinet.

Perhaps they're not more secure in the literal sense, but they're less of an enticing target. It requires physical presence, and probably some form of breaking and entering. It requires physical transport (which likely means multiple trips), and either a LOT of work on a photocopier, or banking on the fact that no one will miss them. Once you have them, you need to go through them by hand and glean any useful information through manual file sifting.

Digital records are stolen through the Ethernet port. They won't be "gone", so they won't be "missed". They can be sifted, sorted, filtered, and pivoted until they produce useful information. If the records don't produce useful data, it'd be much more difficult to convict the thief of a crime, whereas physical record theft still leaves a laundry list of crimes with which to convict that are easier to prove.

Should the cabinets be locked? Yes...but the only place on a computer you need a crowbar to get what you want is in a game of Half-Life.

Re:Cash Doctors

[nbauman]

Isn't there also a requirement under the state licensing laws that require doctors to keep adequate medical records?

A trusted and anonymous source?

[lippydude]

What was the name of this source and what was the name of the computer facility where this breach occurred? ref

This is probably correct.

[middlehead]

Anybody who thinks hospitals are an unlikely target should come to work with me tomorrow. We've had three attacks in the last month, and we're still cleaning up from the one that hit right before Christmas. It's apparently really nasty, something that none of the security firms they've contacted have seen before.

That's not what it says...

[dlenmn]

Uhhh, that same text basically gives them the right to deny any request you have to amend anything. In particular:

"A covered entity may deny an individual's request for amendment, if it determines that the protected health information... is accurate and complete."

Translation, if they say the record is good, then you have no right to amend it. Guess what they're going to say if you request to amend your record?

Re:Cash Doctors

[LF11]

If you look around, there are doctors who will let you take home your original patient record. Just because you haven't tried to do this doesn't mean it is impossible.

How can I say this? Because my doctor will do this for any cash-paying patient who asks.

Unrestricted control of health records by patients

[sjbe]

In the United States HIPAA explicitly 'gives' you this right

Apparently you didn't bother to read your link. It gives the right to request an amendment in 164.526 (a) (1) but immediately below in 164.526 (a) (2) it explicitly gives health care providers the right to deny the amendment for very broad reasons. Like I said, a health care provider would be insane to permit unrestricted control of health records to patients. They are NOT your records exclusively. They are health records but also business records, legal records and sometimes financial records. Do you have any idea of the amount of fraud that would occur if patients had unrestricted control of their medical record? You are not the only party with a protected interest in the handling of those documents and I wouldn't expect them to relinquish control of the documents without a court order.

Re:Cash Doctors

[Lunix+Nutcase]

It is impossible in a number of states whose licensing board requires that the doctor's keep the original records. If you're in the US, what state do you live in?

Re:Oh, I wouldn't worry about it. BULLSHIT

[uslurper]

Thats just bullshit.

Meaningful Use is NOT a requirement. It is NOT Obamacare.
It is an incentive that actually gives money to organizations to help them implement EHR infrastructure.
In order to qualify, and to make sure that money is NOT WASTED, there are a number of requirements that must be met. Stage 1 MU is bone-headedly simple, and Stage 2 is pretty straight-forward. Stage 3 is not even written yet, but is likely to include reporting to show how it affects patient outcomes.

The idea of it all is to actively manage your patient population and to use analytics to improve patient outcomes. -And by doing so, you can actually reduce the total cost of healthcare.

The problems are 1: blood-sucking EHR vendors that charge millions and provide crap products. 2: dumbass healthcare administrators who are so involved with political back-stabbing that they totally fail to even attempt to get the free money available from MU

I've worked for a number of healthcare organizations over the last 10 years, and I've seen organizations both large and small not only succeed in MU funding, but thrive as well. (I've also witnessed others utterly fail)

I'm lucky to be part of one of the good organizations right now. yay!

Re:Cash Doctors

[s0nicfreak]

So what happens when you get into a car accident on the way to/from the doctor and that folder goes flying out, the contents thrown off a bridge or scattered across the highway?

Re:Cash Doctors

[s0nicfreak]

So it's highly likely that if that situation is true that the doctors he is dealing with could be breaking the requirements of their medical license.

Probably more likely that they re-write the same information down in their own folder after he leaves.

which one?

[gzuckier]

North Korea, or disgruntled former employees?

Re:All electronic, really stupid....

[gzuckier]

How exactly are paper records any more secure? I've gone into a number of clinics and doctor's offices were the only "security" of their medical records is an easily broken into cabinet.

Yep. As I've posted before, when EMRs were just getting off the ground, in the 90s, I saw a presentation by some honcho in some company at a conference, and he said whenever he got asked about security of computerized records, he would excuse himself, head for the nearest nurses' station, grab a fistful of charts, walk back to whatever room, and toss them on the table. All the hospital execs in the room kind of chuckled and grinned ruefully. I've thought about that every time I visit somebody in the hospital to this date, and pass by the nurses' station which still has random stacks of charts sitting here and there, not too carefully watched.

Re:All electronic, really stupid....

[gzuckier]

How exactly are paper records any more secure? I've gone into a number of clinics and doctor's offices were the only "security" of their medical records is an easily broken into cabinet.

Perhaps they're not more secure in the literal sense, but they're less of an enticing target. It requires physical presence, and probably some form of breaking and entering. It requires physical transport (which likely means multiple trips), and either a LOT of work on a photocopier, or banking on the fact that no one will miss them. Once you have them, you need to go through them by hand and glean any useful information through manual file sifting.

Digital records are stolen through the Ethernet port. They won't be "gone", so they won't be "missed". They can be sifted, sorted, filtered, and pivoted until they produce useful information. If the records don't produce useful data, it'd be much more difficult to convict the thief of a crime, whereas physical record theft still leaves a laundry list of crimes with which to convict that are easier to prove.

Should the cabinets be locked? Yes...but the only place on a computer you need a crowbar to get what you want is in a game of Half-Life.

Ah you make good points. who's got mod points left over?