2015 Could Be the Year of the Hospital Hack

schwit1 writes After Obamacare required hospitals to convert all health records into electronic files, those records are now very vulnerable, and experts expect hackers to target them in the coming years. From the article: "Along with vast troves of credit card information and celebrity snapshots, hackers stole a record number of medical records from U.S. health-care facilities this year. In 2015, attacks targeting health data will become even more common, according to security researchers....The cause of the uptick isn't hard to diagnose. Medical organizations across the world are switching to electronic medical records, and computer security is not always a high enough priority during the process, says Leonard. Besides that, he says, easy and fast access to medical information often trumps security."

Oh, I wouldn't worry about it.

[ColdWetDog]

EHRs in general are so fucked up that even legitimate users can't figure out what the hell is going on most times.

I tell you what guys. If you do manage to hack into a bunch of systems, could you gin up some code that allows you to get the information out of all of them and put them in one useable place? Despite millions of dollars and countless lines of code, the vendors have yet to make that happen.

Re:Oh, I wouldn't worry about it.

[BreakBad]

(M)illions? Maybe two keys to the left.

I wonder if it would be cheaper to eliminate EHR's and just let patients make up their medical history every visit.

Re:Oh, I wouldn't worry about it.

[laurencetux]

of course some of the problem is at the receptionists desk. Some of the local medical places will ask you for First name Last name and Birthday to try to find your record(s) but if you happen to have somebody with the same First Last and Birthday they may or may not bother to ask you for any other info. I have had a time getting seperated from the other guy (he is Edward i am Laurence). If it is supported by your E-Records system grab a copy of your "Lucy" record and have that one you (does anybody sell a flash drive cheaply that would be recognized by say an EMT??).

Re:Oh, I wouldn't worry about it.

[jellomizer]

You sound like an MD.

Often the choice of the EMR isn't a rational choice, they put more thought into getting a new car then their EMR, even though it may cost more.

Mistakes.
1. Wrong Size. You have a small practice and you get the system meant for a large hospital. Because you figure you deserve the best. It would be like everyone buying a Mac Truck for their daily car needs, just because they may need that in the future. There are a lot of small EMR systems that are fast and easy to use, but doesn't cover everything under the sun.

2. Unwilling to change your workflow. I have seen too many doctors use their EMR systems and populate information at the end of the day. While they were meant to be used on a Laptop or tablet in Real Time. Once you get the software most people can navigate rather quickly.

3. Fixed Price in your head. They start shopping with a fixed price in their head... Often buying not on features but the one closest to the price.

4. Lack of imagination. Once you get the data digital, there is so much more you can do with the data. Statistical Analysis on effectiveness of procedures. Being able to request and get back results electronically, getting alerts from the hospital. etc....

Re:Oh, I wouldn't worry about it.

[Kjella]

The least common denominator is the print button, it might not have any interoperability but there'll be no security by obscurity. In the hospital, you're likely to run into three kinds of systems:

1) The patient administration system (PAS) which keeps track of all the logistics like scheduling appointments, staff lists, equipment, operating rooms, cleaning of rooms and all that. It's somewhat related to the journal in the sense that when you've seen the doctor there should be journal entry for it, but for a major hospital it's also many other things. It might be integrated in the EPJ, but it might also be its own system.

2) The electronic patient journal (EPJ) which is pretty much all about record keeping but when it comes down to it is all about text. Any structured information is supposed to be supported by the text entries, in fact in the US I heard there are professional medical coders that do it so the doctor just writes the journal text. Here it's mostly the doctor itself, but those rules can get quite complicated if there's multi-trauma or symptoms of underlying conditions or complications of procedures that are typically coded differently from "simple" code lookups. Your discharge report is typically also stored here.

3) All the actual medical systems, of which there are typically thousands in a large hospital and they all keep changing all the time to support advances in medicine. The bulk of your electronic health data never leaves these systems. They have to support the record keeping requirements, but that basically just means adding auditing to the field along with the field itself. There's no requirement that they should be able to dump this data out in any format and if it were you'd end up with a hilariously huge specification that would change daily with elements like <x-$company-$product-$major-$minor-$revision> elements doing database to xml dumps.

There are lots of isolated attempts to standardize certain bits and pieces, like for example electronic referrals, prescriptions, lab requests, sending of x-ray images and to add more structured data, but they're much more limited in scope and you can certify compliance. Exporting the whole EPJ and importing it somewhere else is a huge beast. Also it's not entirely certain you'd want that. Say you have been to the hospital for an ugly STD and later for an eye infection. They want to send you to an eye specialist, does the whole journal go? Should your general practicioner have a huge hospital system? There's a lot of issues to be resolved with regards to a "global" journal.

One of the more difficult aspects is that at least here today the journal is not entirely yours. For psychiatric patients or where the doctor suspects child abuse, domestic violence or is speculating into possible conditions to check for the doctor can make private notes that are only available to themselves, not the patient itself. It has its uses but if everything flows freely it could also become a gossip column which is not the intent. The journal is also the doctor's working tool, you don't want him to start keeping a shadow system because by default the system is on broadcast. By far most doctors take their job very seriously and are just trying to help.

Re:Oh, I wouldn't worry about it.

[ColdWetDog]

Oh, I am an MD and one who has been dealing with EHRs for decades.

Unfortunately, you are partially correct. The C-level folks were told that the EHR wouldn't do what the salespeople said - even if it was tailored to a small hospital. Acutally, nobody buys stuff above their weight, it's just too damned expensive. What is commonly done is a small hospital merges with a bigger one or comes to some agreement to slave onto a big system. That can be done successfully but, as you point out, you may be using a Mack truck to delivery groceries. Done correctly, it does impress....

Workflow always changes with EHRs. The problem with a lot of them is that the workflows make no clinical sense. We still have to treat patients. Especially the cheaper ones who don't spend a lot (or any) time thinking about the user interface. Most of them look like Visual Basic programs from the 1990's. Hell, our vendor can't even be bothered to get the tab order correct. This is a common complaint. Especially with the nonsensical federal regulations even simple things like admitting a patient get convoluted and weird. Lots of EHRs just don't have the flexibility to incorporate completely illogical processes.

Fixed price? Well, even the PHBs know that isn't going to happen. The problem is that if (when) there are serious overruns, a small institution just can't spend that money. It doesn't have the capital resources. There are a number of rural hospitals that are going under because of the mandated EHR. Our employee costs doubled for 18 months trying to shoehorn the stupid thing in. That was partly a fault of the vendor, partly our fault for not streamlining work flows before the EHR, but that is a very hard thing to get any system to do. I argued for years to get our acts together but that would have taken more money and more time, things smaller hospitals don't have much of. (The theme here is that there is an enormous gap between financial health of the bigger systems and the smaller outlying hospitals. This is due to the bizarre way we bill for things in the US - you get lots more money for doing something instead of keeping a patient from needing that something. To do much these days takes a big system - think cath labs, MRIs, lots of specialty teams on call 24/7 - think money and lots of it.)

Imagination doesn't seem to be an issue. I imagine that our EHRs programming and management staff is suspended over a pool of molten iron as we speak.

Re:Oh, I wouldn't worry about it.

[robot5x]

OFFTOPIC

@ColdWetDog, I'm writing a thesis currently on Health IT interoperability (I'm in NZ but what I can tell is these problems persist across vastly differing policy/funding environments). Would be interested in getting your thoughts on the topic from the real world perspective of a health practitioner. It's been tricky 'recruiting' clinical people with appropriate technical expertise to comment on what the barriers are. I do have some US/Canadian people lined up already - only one is a currently practicing doc though.

this isnt an "obamacare" thing.

[nimbius]

electronic medical records were basically mandated by insurance companies and hospital executives in an effort to reduce overhead in paper, postage, and ancillary staff related to records processing. If you've never heard of companies like ACS, its hard to imagine a workforce of almost 3000 people standing over banks of scanners, feeding paper records into a hopper, for $9 an hour in 3 shifts. Electronic medical records would have been a thing with or without the ACA. Mandating them was just icing to get insurance companies to go along with the act.

what we at slashdot can agree on is that, ostensibly, this should mean an increase in IT staff. qualified professional network and systems administrators to secure and protect patient data. But thats not mandated in the ACA, and anyone working in IT for a hospital can attest wages are stagnant. But you can expect obama to be a lightning rod for shit like this because thanks to a fervent neoconservative effort most people cant even remember the Affordable Care Act. All they hear is "Obamacare"

Re:this isnt an "obamacare" thing.

[ColdWetDog]

That was certainly a part of it. The funny thing is that the insurers are the ones having the hardest time getting their electronic acts together. They invariably use gargantuan legacy systems, coded originally on punch cards and even changing the number of fields in a form requires thousands of programmer-years.

The other big push was by a weird combination of politicians latching on to anything that could possibly save money (ohhh! Shiny!) and big system / big vendors realizing that they were sitting pretty to gobble up lots of smaller systems that simply didn't have the capital to compete. EHRs are very, very expensive and time consuming. Once integrated into large systems, they do improve workflows and likely pay back the investment. For smaller hospitals, not so much.

The key in American medicine is to gobble up all of the patients with economically viable diseases. Mostly heart disease, orthopedics and cancer. The rest of the population is just a loss leader. So you need lots and lots of procedures^Hpatients to make your nut.

Re:this isnt an "obamacare" thing.

[Attila+Dimedici]

Yes, EMR was a "thing" before it was mandated by law. The key difference was/is that without the government mandate it would have happened as medical care providers found it economically valuable. That is, they would have seen value in making the transition and would have been invested in making the change. Instead we have a system where they have to do it and do not see the value in doing so. This means that instead of something which they see as being a way to improve either their bottom line, or improve patient care, or otherwise something of value to themselves, they see it as an imposition.

Re:this isnt an "obamacare" thing.

[Attila+Dimedici]

That is not true. There were medical care providers who were making the transition to EMR. The problem was that not enough were making the transition as fast as the companies which had decided to make a business out of transitioning them to EMR had anticipated. Since the people who had invested in these companies based on that anticipated rate of transition were politically connected the government was used to speed up the transition.

Re:Cash Doctors

[ColdWetDog]

In fact my medical records folder comes home with me from my visits and does not even physically stay in his office.

No, it doesn't. At least in the US, the original stays in the office. You might get a copy but even here in Nuttville we're not crazy enough to let the patient have the canonical record.

Besides, you do realize that your pharmacy sells your prescription information to mining companies and that the states typically monitor any restricted drug with a system of your own?

The only way to stay perfectly anonymous is to get care out of the country or stay healthy.

It wasn't obamacare, it was the ARRA

[anjrober]

Obamacare or ACA did not mandate the use of EHR. This was in legislation long before ACA, it was part of the American Recovery and Reinvestment Act (ARRA). It was specifically called Meaningful Use. it mandates a series of electronic use requirements over three phases with initially payments for use and later penalties by CMS. The vast majority of MU certified vendors were producing EHRs long before ARRA and have reasonable security in place. Clearly though some vendors, and hospitals need some shoring up though.

Hospitals are a stupid target

[Stargoat]

Hospitals are a pretty stupid target in comparison to banks, physical retail environments, and online stores. A hospital DB might contain a social security number, addresses, illnesses, and birthdate. So what?

If you can get into a bank, you get money account info, credit scores, security tips, former trades, credit cards, all sorts of good stuff. If you get into a retail environment or online store, it's almost as good. Basically, you get money to spend. In a hospital though, the only unique thing you find out is if someone is sick and with what. That's a pain in the ass to work with. You can try to get more info from all that PII, but again, it's a pain in the ass and available elsewhere. Other stuff is more lucrative for the investment of time, criminal risk, and energy.

If you were a terrorist, a hospital might be a bit more interesting, but the various hospital disasters I have read about demonstrate that there isn't much a hacker can really do to hurt people. Nurses at the end of the day don't do stupid things and doctors aren't much worse.

No, hospitals are a stupid place to expend effort.

Re:Hospitals are a stupid target

[djdanlib]

Coming soon to headlines near you:

The number of STDs this celebrity has will shock you! Now with the names of the partners they got it from!

You'll never guess who has herpes! Online dating, now with health background checks (including identifiable previous partners) on each potential match.

Parents, find out if your grown children have had a pregnancy test with this one tool.

Media leaks from the hack suggest that my opponent has mental health issues, so clearly you should vote for me instead.

Sorry, we can't hire you. HR investigation pulled up your medical records and told us to invent a reason not to hire you, because they think with your conditions you will be taking a lot of medical leave.

Re:Hospitals are a stupid target

The glut of credit card data on the market means that the going rate for credit card data on the black market right now is about $1/account. Contrast this to $10/health record. (http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924)

Why?

1) health records have excellent data to facilitate identity theft
2) banks have much more rigorous anti-fraud systems in place, and consumers know to check credit reports
3) Because of #2, fraudulent health insurance claims schemes are going to be able to make more money over a longer period of time
4) health records of federal employees or political figures provide excellent data for politically motivated attackers, including state-sponsored threat operators acting as part of, or on behalf of a foreign intelligence service, who would use this information for blackmail/extortion, or to influence the outcome of an election.

I am an infosec guy at a large health insurance company, and these (among other things) are the sorts of motivations that we are concerned with, which is why I am posting anonymously. However, I will say that in order to adequately defend any asset, you have to have a circumspect view of the value of that data to an adversary. Some things are worth more than others to different people. Recognizing that fact is an important step in developing a proper defensive strategy. If I were you I would not so quickly write something off just because I didn't immediately see the value in it myself. Just sayin'.

Re:Hospitals are a stupid target

[Voyager529]

If you can get into a bank, you get money account info, credit scores, security tips, former trades, credit cards, all sorts of good stuff. If you get into a retail environment or online store, it's almost as good. Basically, you get money to spend.

Yes, but banking breaches/CC Fraud is so common, that the two times it's happened to me, it's been "an errand" - pick up my dry cleaning, get a haircut, cancel my debit card and submit a fraud form, get drinks for company tonight, put some gas in the car. It's that prevalent that it's a well-trodden path, with laws, protections, procedures, canned forms, and an express line to get it squared away. Medical record fraud is a much more difficult problem. You don't need your particular credit card number. You DO need your particular medical file. An SSN change is its own LENGTHY process, as all the rest of your ID cards also need to be changed as well. I don't even know how that works with regards to actually receiving Social Security, either.

In a hospital though, the only unique thing you find out is if someone is sick and with what. That's a pain in the ass to work with.

Pardon my lack of SQL syntax, but...

SELECT * FROM patient_address WHERE current_prescriptions Contains "Oxycodone" OR "Percocet" AND WHERE area_code EQUALS "212" OR "914".

You now have a comprehensive list of houses to rob in Manhattan where you can get prescription painkillers. Simple B&E, and you've got bottles that can be sold on the street at $40/pill. Or, introduce a middle man - find a drug dealer who will pay a couple grand for a list like that, and make a few grand for sending an e-mail. Send that list - or subsets of it - to 50 different drug dealers, and you've got a year's salary in an afternoon.

the various hospital disasters I have read about demonstrate that there isn't much a hacker can really do to hurt people. Nurses at the end of the day don't do stupid things and doctors aren't much worse.

No, hospitals are a stupid place to expend effort.

If literally nothing else, call the owner of the hospital and blackmail him/her that if they don't deposit a million dollars into your offshore account in the Cayman Islands, that list will end up on Pastebin, and it would mean that the hospital would likely be litigated into oblivion and that person's life is over - WELL worth the million bucks to keep it quiet. For better or worse, we both lack creativity. I'm sure that if I were to spend an actual afternoon attempting to come up with nefarious ways to use data gleaned from a hospital, I could do better. The fact that such a list isn't actual bank account numbers doesn't mean that it's not worth real money to someone.

Re:Cash Doctors

[ColdWetDog]

And the minute his malpractice carrier sees that, he will never be insured again.

You both may be big boys, but you're not lawyers. And lawyers trump big boys in this system.

Re:Cash Doctors

[Lunix+Nutcase]

That would be entirely up to that doctor

No, it's not. For example, the State of New Jersey requires that doctor's keep the original records.

Do I have a right to my medical records?
In most instances, the patient has a right to receive a copy of his or her medical records, not the original. Although most patients assume that the records belong to them, the Board requires that the physician to maintain the original to ensure that the patient’s medical history is available to any subsequent treating physician or health care provider. Copies may be given to the patient, another doctor, your attorney, your insurance company or another family member if the patient expressly authorizes it. If a patient is deceased, the duly appointed executor or administrator of the estate may obtain copies also. Medical records cannot be released to a spouse, family member (except in the case of a child), attorney or any other person unless the patient gives his/her express consent to release them to that specific person.

http://www.state.nj.us/lps/ca/...

So it's highly likely that if that situation is true that the doctors he is dealing with could be breaking the requirements of their medical license.

Small practices aren't dumb

[sjbe]

You have a small practice and you get the system meant for a large hospital.

That's typically because they work closely with a particular hospital and desire compatibility with the hospital's EMR system. Not always but often.

There are a lot of small EMR systems that are fast and easy to use, but doesn't cover everything under the sun.

And there are many that cannot exchange records with other systems which defeats 99% of the purpose of having an EMR system in the first place. Just because it is smaller doesn't make it necessarily a better fit. Granted, many of them don't really examine the options closely enough but it would be pretty easy to get siloed into a small package that doesn't really fit the practice.

They start shopping with a fixed price in their head... Often buying not on features but the one closest to the price.,

That's generally because they have a finite budget for the EMR system and they know they are probably going to take a bath on it financially for several years at best. EMR systems are VERY expensive. Just because a different system would fit their needs better doesn't mean they can necessarily afford it.

Once you get the data digital, there is so much more you can do with the data. Statistical Analysis on effectiveness of procedures. Being able to request and get back results electronically, getting alerts from the hospital. etc....

I think you greatly overestimate the amount of time available to a typical practice to do such things like statistical analysis. I think you also overestimate how compatible EMR systems are with each other. Unless you happen to use the same system from the same vendor as the place you are exchanging records with you probably are out of luck doing it electronically.

They are not just your records

[sjbe]

Seriously, they're about me. They should give me full and complete access to them, I should have control over them.

They are NOT solely about you. They are about the actions taken to treat you. They are business records in addition to being health records and as such you should have some amount of of access but a practice would be insane to give you full control of them. You certainly should not have the right to modify medical records or delete them. You should not have the right to withhold the records from the practice in the event of the dispute. The practice is required by law to keep them stored safely for a number of years (in general) after you have been treated. You have no such legal requirement. In many countries the medical records are explicitly the property of the health service and not yours in any way.

Yet...it's like pulling teeth to get records of my tooth extraction.

It's generally not all that hard to get copies of medical records, particularly if you as at the time of service. Some places are more cooperative than others but it's doable.

Re:No

[nbauman]

easy and fast access to medical information often trumps security."

That's the attitude of a lot of corporations, and that's why there is so much successful hacking going on.

In a medical situation, that might be the right decision. If your patient turns up unconscious in the ER at 2am, or if you're covering for your partner and his patient turns up unconscious in the ER at 2am, easy and fast access might trump security.

There was a study a few years ago in which a hospital tried an electronic records system in a pediatric ICU, and the death rate went up. The system was too hard to use. Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.

I don't think there's a practicing pediatrician in the country who would let a patient die in order to improve security.

Re:Oh, I wouldn't worry about it. BULLSHIT

[uslurper]

Thats just bullshit.

Meaningful Use is NOT a requirement. It is NOT Obamacare.
It is an incentive that actually gives money to organizations to help them implement EHR infrastructure.
In order to qualify, and to make sure that money is NOT WASTED, there are a number of requirements that must be met. Stage 1 MU is bone-headedly simple, and Stage 2 is pretty straight-forward. Stage 3 is not even written yet, but is likely to include reporting to show how it affects patient outcomes.

The idea of it all is to actively manage your patient population and to use analytics to improve patient outcomes. -And by doing so, you can actually reduce the total cost of healthcare.

The problems are 1: blood-sucking EHR vendors that charge millions and provide crap products. 2: dumbass healthcare administrators who are so involved with political back-stabbing that they totally fail to even attempt to get the free money available from MU

I've worked for a number of healthcare organizations over the last 10 years, and I've seen organizations both large and small not only succeed in MU funding, but thrive as well. (I've also witnessed others utterly fail)

I'm lucky to be part of one of the good organizations right now. yay!