2015 Could Be the Year of the Hospital Hack

schwit1 writes After Obamacare required hospitals to convert all health records into electronic files, those records are now very vulnerable, and experts expect hackers to target them in the coming years. From the article: "Along with vast troves of credit card information and celebrity snapshots, hackers stole a record number of medical records from U.S. health-care facilities this year. In 2015, attacks targeting health data will become even more common, according to security researchers....The cause of the uptick isn't hard to diagnose. Medical organizations across the world are switching to electronic medical records, and computer security is not always a high enough priority during the process, says Leonard. Besides that, he says, easy and fast access to medical information often trumps security."

Oh, I wouldn't worry about it.

[ColdWetDog]

EHRs in general are so fucked up that even legitimate users can't figure out what the hell is going on most times.

I tell you what guys. If you do manage to hack into a bunch of systems, could you gin up some code that allows you to get the information out of all of them and put them in one useable place? Despite millions of dollars and countless lines of code, the vendors have yet to make that happen.

Re:Oh, I wouldn't worry about it.

[Kjella]

The least common denominator is the print button, it might not have any interoperability but there'll be no security by obscurity. In the hospital, you're likely to run into three kinds of systems:

1) The patient administration system (PAS) which keeps track of all the logistics like scheduling appointments, staff lists, equipment, operating rooms, cleaning of rooms and all that. It's somewhat related to the journal in the sense that when you've seen the doctor there should be journal entry for it, but for a major hospital it's also many other things. It might be integrated in the EPJ, but it might also be its own system.

2) The electronic patient journal (EPJ) which is pretty much all about record keeping but when it comes down to it is all about text. Any structured information is supposed to be supported by the text entries, in fact in the US I heard there are professional medical coders that do it so the doctor just writes the journal text. Here it's mostly the doctor itself, but those rules can get quite complicated if there's multi-trauma or symptoms of underlying conditions or complications of procedures that are typically coded differently from "simple" code lookups. Your discharge report is typically also stored here.

3) All the actual medical systems, of which there are typically thousands in a large hospital and they all keep changing all the time to support advances in medicine. The bulk of your electronic health data never leaves these systems. They have to support the record keeping requirements, but that basically just means adding auditing to the field along with the field itself. There's no requirement that they should be able to dump this data out in any format and if it were you'd end up with a hilariously huge specification that would change daily with elements like <x-$company-$product-$major-$minor-$revision> elements doing database to xml dumps.

There are lots of isolated attempts to standardize certain bits and pieces, like for example electronic referrals, prescriptions, lab requests, sending of x-ray images and to add more structured data, but they're much more limited in scope and you can certify compliance. Exporting the whole EPJ and importing it somewhere else is a huge beast. Also it's not entirely certain you'd want that. Say you have been to the hospital for an ugly STD and later for an eye infection. They want to send you to an eye specialist, does the whole journal go? Should your general practicioner have a huge hospital system? There's a lot of issues to be resolved with regards to a "global" journal.

One of the more difficult aspects is that at least here today the journal is not entirely yours. For psychiatric patients or where the doctor suspects child abuse, domestic violence or is speculating into possible conditions to check for the doctor can make private notes that are only available to themselves, not the patient itself. It has its uses but if everything flows freely it could also become a gossip column which is not the intent. The journal is also the doctor's working tool, you don't want him to start keeping a shadow system because by default the system is on broadcast. By far most doctors take their job very seriously and are just trying to help.

Re:Oh, I wouldn't worry about it.

[ColdWetDog]

Oh, I am an MD and one who has been dealing with EHRs for decades.

Unfortunately, you are partially correct. The C-level folks were told that the EHR wouldn't do what the salespeople said - even if it was tailored to a small hospital. Acutally, nobody buys stuff above their weight, it's just too damned expensive. What is commonly done is a small hospital merges with a bigger one or comes to some agreement to slave onto a big system. That can be done successfully but, as you point out, you may be using a Mack truck to delivery groceries. Done correctly, it does impress....

Workflow always changes with EHRs. The problem with a lot of them is that the workflows make no clinical sense. We still have to treat patients. Especially the cheaper ones who don't spend a lot (or any) time thinking about the user interface. Most of them look like Visual Basic programs from the 1990's. Hell, our vendor can't even be bothered to get the tab order correct. This is a common complaint. Especially with the nonsensical federal regulations even simple things like admitting a patient get convoluted and weird. Lots of EHRs just don't have the flexibility to incorporate completely illogical processes.

Fixed price? Well, even the PHBs know that isn't going to happen. The problem is that if (when) there are serious overruns, a small institution just can't spend that money. It doesn't have the capital resources. There are a number of rural hospitals that are going under because of the mandated EHR. Our employee costs doubled for 18 months trying to shoehorn the stupid thing in. That was partly a fault of the vendor, partly our fault for not streamlining work flows before the EHR, but that is a very hard thing to get any system to do. I argued for years to get our acts together but that would have taken more money and more time, things smaller hospitals don't have much of. (The theme here is that there is an enormous gap between financial health of the bigger systems and the smaller outlying hospitals. This is due to the bizarre way we bill for things in the US - you get lots more money for doing something instead of keeping a patient from needing that something. To do much these days takes a big system - think cath labs, MRIs, lots of specialty teams on call 24/7 - think money and lots of it.)

Imagination doesn't seem to be an issue. I imagine that our EHRs programming and management staff is suspended over a pool of molten iron as we speak.

It wasn't obamacare, it was the ARRA

[anjrober]

Obamacare or ACA did not mandate the use of EHR. This was in legislation long before ACA, it was part of the American Recovery and Reinvestment Act (ARRA). It was specifically called Meaningful Use. it mandates a series of electronic use requirements over three phases with initially payments for use and later penalties by CMS. The vast majority of MU certified vendors were producing EHRs long before ARRA and have reasonable security in place. Clearly though some vendors, and hospitals need some shoring up though.