Slashdot Mirror


2015 Could Be the Year of the Hospital Hack

schwit1 writes After Obamacare required hospitals to convert all health records into electronic files, those records are now very vulnerable, and experts expect hackers to target them in the coming years. From the article: "Along with vast troves of credit card information and celebrity snapshots, hackers stole a record number of medical records from U.S. health-care facilities this year. In 2015, attacks targeting health data will become even more common, according to security researchers....The cause of the uptick isn't hard to diagnose. Medical organizations across the world are switching to electronic medical records, and computer security is not always a high enough priority during the process, says Leonard. Besides that, he says, easy and fast access to medical information often trumps security."

15 of 130 comments

  1. Oh, I wouldn't worry about it. by ColdWetDog · Score: 5, Insightful

    EHRs in general are so fucked up that even legitimate users can't figure out what the hell is going on most times.

    I tell you what guys. If you do manage to hack into a bunch of systems, could you gin up some code that allows you to get the information out of all of them and put them in one usable place? Despite millions of dollars and countless lines of code, the vendors have yet to make that happen.

    --
    Faster! Faster! Faster would be better!
    1. Re:Oh, I wouldn't worry about it. by BreakBad · Score: 3, Informative

      (M)illions? Maybe two keys to the left.

      I wonder if it would be cheaper to eliminate EHRs and just let patients make up their medical history every visit.

    2. Re:Oh, I wouldn't worry about it. by jellomizer · Score: 3, Interesting

      You sound like an MD.

      Often the choice of the EMR isn't a rational choice; they put more thought into getting a new car than their EMR, even though it may cost more.

      Mistakes.
      1. Wrong Size. You have a small practice and you get the system meant for a large hospital. Because you figure you deserve the best. It would be like everyone buying a Mack truck for their daily car needs, just because they may need that in the future. There are a lot of small EMR systems that are fast and easy to use, but don't cover everything under the sun.

      2. Unwilling to change your workflow. I have seen too many doctors use their EMR systems and populate information at the end of the day, while they were meant to be used on a laptop or tablet in real time. Once you get the software, most people can navigate rather quickly.

      3. Fixed Price in your head. They start shopping with a fixed price in their head... Often buying not on features but the one closest to the price.

      4. Lack of imagination. Once you get the data digital, there is so much more you can do with the data. Statistical Analysis on effectiveness of procedures. Being able to request and get back results electronically, getting alerts from the hospital. etc....

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:Oh, I wouldn't worry about it. by Kjella · Score: 5, Informative

      The least common denominator is the print button; it might not have any interoperability, but there'll be no security by obscurity. In the hospital, you're likely to run into three kinds of systems:

      1) The patient administration system (PAS) which keeps track of all the logistics like scheduling appointments, staff lists, equipment, operating rooms, cleaning of rooms and all that. It's somewhat related to the journal in the sense that when you've seen the doctor there should be a journal entry for it, but for a major hospital it's also many other things. It might be integrated in the EPJ, but it might also be its own system.

      2) The electronic patient journal (EPJ) which is pretty much all about record keeping but when it comes down to it is all about text. Any structured information is supposed to be supported by the text entries, in fact in the US I heard there are professional medical coders that do it so the doctor just writes the journal text. Here it's mostly the doctor itself, but those rules can get quite complicated if there's multi-trauma or symptoms of underlying conditions or complications of procedures that are typically coded differently from "simple" code lookups. Your discharge report is typically also stored here.

      3) All the actual medical systems, of which there are typically thousands in a large hospital, and they all keep changing all the time to support advances in medicine. The bulk of your electronic health data never leaves these systems. They have to support the record keeping requirements, but that basically just means adding auditing to the field along with the field itself. There's no requirement that they should be able to dump this data out in any format, and if there were you'd end up with a hilariously huge specification that would change daily, with elements like <x-$company-$product-$major-$minor-$revision> doing database to xml dumps.

      There are lots of isolated attempts to standardize certain bits and pieces, like for example electronic referrals, prescriptions, lab requests, sending of x-ray images and to add more structured data, but they're much more limited in scope and you can certify compliance. Exporting the whole EPJ and importing it somewhere else is a huge beast. Also it's not entirely certain you'd want that. Say you have been to the hospital for an ugly STD and later for an eye infection. They want to send you to an eye specialist, does the whole journal go? Should your general practitioner have a huge hospital system? There's a lot of issues to be resolved with regards to a "global" journal.

      One of the more difficult aspects is that, at least here today, the journal is not entirely yours. For psychiatric patients, or where the doctor suspects child abuse or domestic violence, or is speculating about possible conditions to check for, the doctor can make private notes that are only available to themselves, not the patient. It has its uses, but if everything flows freely it could also become a gossip column, which is not the intent. The journal is also the doctor's working tool; you don't want him to start keeping a shadow system because by default the system is on broadcast. By far most doctors take their job very seriously and are just trying to help.

      --
      Live today, because you never know what tomorrow brings
    4. Re:Oh, I wouldn't worry about it. by ColdWetDog · Score: 5, Informative

      Oh, I am an MD and one who has been dealing with EHRs for decades.

      Unfortunately, you are partially correct. The C-level folks were told that the EHR wouldn't do what the salespeople said - even if it was tailored to a small hospital. Actually, nobody buys stuff above their weight, it's just too damned expensive. What is commonly done is a small hospital merges with a bigger one or comes to some agreement to slave onto a big system. That can be done successfully but, as you point out, you may be using a Mack truck to deliver groceries. Done correctly, it does impress....

      Workflow always changes with EHRs. The problem with a lot of them is that the workflows make no clinical sense. We still have to treat patients. Especially the cheaper ones who don't spend a lot (or any) time thinking about the user interface. Most of them look like Visual Basic programs from the 1990's. Hell, our vendor can't even be bothered to get the tab order correct. This is a common complaint. Especially with the nonsensical federal regulations even simple things like admitting a patient get convoluted and weird. Lots of EHRs just don't have the flexibility to incorporate completely illogical processes.

      Fixed price? Well, even the PHBs know that isn't going to happen. The problem is that if (when) there are serious overruns, a small institution just can't spend that money. It doesn't have the capital resources. There are a number of rural hospitals that are going under because of the mandated EHR. Our employee costs doubled for 18 months trying to shoehorn the stupid thing in. That was partly a fault of the vendor, partly our fault for not streamlining work flows before the EHR, but that is a very hard thing to get any system to do. I argued for years to get our acts together but that would have taken more money and more time, things smaller hospitals don't have much of. (The theme here is that there is an enormous gap between financial health of the bigger systems and the smaller outlying hospitals. This is due to the bizarre way we bill for things in the US - you get lots more money for doing something instead of keeping a patient from needing that something. To do much these days takes a big system - think cath labs, MRIs, lots of specialty teams on call 24/7 - think money and lots of it.)

      Imagination doesn't seem to be an issue. I imagine that our EHRs programming and management staff is suspended over a pool of molten iron as we speak.

      --
      Faster! Faster! Faster would be better!
  2. this isnt an "obamacare" thing. by nimbius · Score: 4, Insightful

    electronic medical records were basically mandated by insurance companies and hospital executives in an effort to reduce overhead in paper, postage, and ancillary staff related to records processing. If you've never heard of companies like ACS, it's hard to imagine a workforce of almost 3000 people standing over banks of scanners, feeding paper records into a hopper, for $9 an hour in 3 shifts. Electronic medical records would have been a thing with or without the ACA. Mandating them was just icing to get insurance companies to go along with the act.

    what we at slashdot can agree on is that, ostensibly, this should mean an increase in IT staff: qualified professional network and systems administrators to secure and protect patient data. But that's not mandated in the ACA, and anyone working in IT for a hospital can attest wages are stagnant. But you can expect Obama to be a lightning rod for shit like this because thanks to a fervent neoconservative effort most people can't even remember the Affordable Care Act. All they hear is "Obamacare".

    --
    Good people go to bed earlier.
    1. Re:this isnt an "obamacare" thing. by ColdWetDog · Score: 4, Informative

      That was certainly a part of it. The funny thing is that the insurers are the ones having the hardest time getting their electronic acts together. They invariably use gargantuan legacy systems, coded originally on punch cards, and even changing the number of fields in a form requires thousands of programmer-years.

      The other big push was by a weird combination of politicians latching on to anything that could possibly save money (ohhh! Shiny!) and big system / big vendors realizing that they were sitting pretty to gobble up lots of smaller systems that simply didn't have the capital to compete. EHRs are very, very expensive and time consuming. Once integrated into large systems, they do improve workflows and likely pay back the investment. For smaller hospitals, not so much.

      The key in American medicine is to gobble up all of the patients with economically viable diseases. Mostly heart disease, orthopedics and cancer. The rest of the population is just a loss leader. So you need lots and lots of procedures^Hpatients to make your nut.

      --
      Faster! Faster! Faster would be better!
    2. Re:this isnt an "obamacare" thing. by Attila+Dimedici · Score: 3, Insightful

      That is not true. There were medical care providers who were making the transition to EMR. The problem was that not enough were making the transition as fast as the companies which had decided to make a business out of transitioning them to EMR had anticipated. Since the people who had invested in these companies based on that anticipated rate of transition were politically connected the government was used to speed up the transition.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
  3. Re:Cash Doctors by ColdWetDog · Score: 3, Insightful

    In fact my medical records folder comes home with me from my visits and does not even physically stay in his office.

    No, it doesn't. At least in the US, the original stays in the office. You might get a copy but even here in Nuttville we're not crazy enough to let the patient have the canonical record.

    Besides, you do realize that your pharmacy sells your prescription information to mining companies and that the states typically monitor any restricted drug with a system of your own?

    The only way to stay perfectly anonymous is to get care out of the country or stay healthy.

    --
    Faster! Faster! Faster would be better!
  4. It wasn't obamacare, it was the ARRA by anjrober · Score: 5, Informative

    Obamacare or ACA did not mandate the use of EHR. This was in legislation long before ACA; it was part of the American Recovery and Reinvestment Act (ARRA). It was specifically called Meaningful Use. It mandates a series of electronic use requirements over three phases, with initially payments for use and later penalties by CMS. The vast majority of MU certified vendors were producing EHRs long before ARRA and have reasonable security in place. Clearly, though, some vendors and hospitals need some shoring up.

  5. Hospitals are a stupid target by Stargoat · Score: 3, Insightful

    Hospitals are a pretty stupid target in comparison to banks, physical retail environments, and online stores. A hospital DB might contain a social security number, addresses, illnesses, and birthdate. So what?

    If you can get into a bank, you get money account info, credit scores, security tips, former trades, credit cards, all sorts of good stuff. If you get into a retail environment or online store, it's almost as good. Basically, you get money to spend. In a hospital though, the only unique thing you find out is if someone is sick and with what. That's a pain in the ass to work with. You can try to get more info from all that PII, but again, it's a pain in the ass and available elsewhere. Other stuff is more lucrative for the investment of time, criminal risk, and energy.

    If you were a terrorist, a hospital might be a bit more interesting, but the various hospital disasters I have read about demonstrate that there isn't much a hacker can really do to hurt people. Nurses at the end of the day don't do stupid things and doctors aren't much worse.

    No, hospitals are a stupid place to expend effort.

    --
    Hoist Number One and Number Six.
    1. Re:Hospitals are a stupid target by Anonymous Coward · Score: 3, Insightful

      The glut of credit card data on the market means that the going rate for credit card data on the black market right now is about $1/account. Contrast this to $10/health record. (http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924)

      Why?

      1) health records have excellent data to facilitate identity theft
      2) banks have much more rigorous anti-fraud systems in place, and consumers know to check credit reports
      3) Because of #2, fraudulent health insurance claims schemes are going to be able to make more money over a longer period of time
      4) health records of federal employees or political figures provide excellent data for politically motivated attackers, including state-sponsored threat operators acting as part of, or on behalf of a foreign intelligence service, who would use this information for blackmail/extortion, or to influence the outcome of an election.

      I am an infosec guy at a large health insurance company, and these (among other things) are the sorts of motivations that we are concerned with, which is why I am posting anonymously. However, I will say that in order to adequately defend any asset, you have to have a circumspect view of the value of that data to an adversary. Some things are worth more than others to different people. Recognizing that fact is an important step in developing a proper defensive strategy. If I were you I would not so quickly write something off just because I didn't immediately see the value in it myself. Just sayin'.

  6. Re:Cash Doctors by ColdWetDog · Score: 3, Interesting

    And the minute his malpractice carrier sees that, he will never be insured again.

    You both may be big boys, but you're not lawyers. And lawyers trump big boys in this system.

    --
    Faster! Faster! Faster would be better!
  7. Re:No by nbauman · Score: 3, Interesting

    easy and fast access to medical information often trumps security."

    That's the attitude of a lot of corporations, and that's why there is so much successful hacking going on.

    In a medical situation, that might be the right decision. If your patient turns up unconscious in the ER at 2am, or if you're covering for your partner and his patient turns up unconscious in the ER at 2am, easy and fast access might trump security.

    There was a study a few years ago in which a hospital tried an electronic records system in a pediatric ICU, and the death rate went up. The system was too hard to use. Instead of just writing a prescription on a prescription pad, they had to log into the system and go through screens.

    I don't think there's a practicing pediatrician in the country who would let a patient die in order to improve security.

  8. Re:Oh, I wouldn't worry about it. BULLSHIT by uslurper · Score: 3, Interesting

    That's just bullshit.

    Meaningful Use is NOT a requirement. It is NOT Obamacare.
    It is an incentive that actually gives money to organizations to help them implement EHR infrastructure.
    In order to qualify, and to make sure that money is NOT WASTED, there are a number of requirements that must be met. Stage 1 MU is bone-headedly simple, and Stage 2 is pretty straight-forward. Stage 3 is not even written yet, but is likely to include reporting to show how it affects patient outcomes.

    The idea of it all is to actively manage your patient population and to use analytics to improve patient outcomes. And by doing so, you can actually reduce the total cost of healthcare.

    The problems are 1: blood-sucking EHR vendors that charge millions and provide crap products. 2: dumbass healthcare administrators who are so involved with political back-stabbing that they totally fail to even attempt to get the free money available from MU.

    I've worked for a number of healthcare organizations over the last 10 years, and I've seen organizations both large and small not only succeed in MU funding, but thrive as well. (I've also witnessed others utterly fail)

    I'm lucky to be part of one of the good organizations right now. Yay!

    --
    oldhack: "Security is a waste of money until shit hits the fan. 5 minutes later, it becomes waste of money again. "