Most Healthcare Managers Admit Their IT Systems Have Been Compromised

Lucas123 writes: Eighty-one percent of healthcare IT managers say their organizations have been compromised by at least one malware, botnet or other kind of cyber attack during the past two years, and only half of those managers feel that they are adequately prepared to prevent future attacks, according to a new survey by KPMG. The KPMG survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans, and found 65% indicated malware was most frequently reported line of attack during the past 12 to 24 months. Additionally, those surveyed indicated the areas with the greatest vulnerabilities within their organization include external attackers (65%), sharing data with third parties (48%), employee breaches (35%), wireless computing (35%) and inadequate firewalls (27%). Top among reasons healthcare facilities are facing increased risk, was the adoption of digital patient records and the automation of clinical systems.

Re:Solution:

[ewhac]

BWHA-HA-HAHAHAH!! Z0MG, you're so Hillary-ous!!

...Oh, wait: http://www.dailynewsbin.com/ne...

Looks like e-Ghazi was a big nothing-burger. Which is what we dirty fscking hippies have been saying ever since it was first trotted out. But: Please continue, Governor. Don't let minor things like facts get in the way of a good right-wing misogynistic rant. Your lives are bleak and meaningless enough as it is.

Re:Give me a choice

[Z34107]

I hear you--even within a hospital system, and even where standards exist, it's a pain. Ultrasound machines (for those that aren't imaging informaticists) are supposed to speak DICOM, but some do it creatively--one technically sent DICOM messages over the network, but most of what they contained was wrapped inside a proprietary XML blob rather than standard DICOM fields. What standard fields were implemented were implemented strangely, waffling between spelling out measurements ("centimeters") or using their abbreviations, mixing case, and reporting measurements to absurd precision (dozens of zeroes after the decimal point, for a bone measured in millimeters).

Sharing charts between hospitals is a mire of politics. There's the government's own Direct standard, which they mandated every hospital use to send charts, without any indication of what the recipient is supposed to do--a lot pipe them to /dev/null, because the vaguely defined content of the message is often useless and redundant with existing methods of communication. They're now working on legalese to require that you "do something" with the messages you receive, but exactly what that is (and how to objectively prove that you did it) they're still figuring out.

Then there are organizations like Commonwell, trying to monetize a data-sharing "standard" not even their founding members could be bothered to implement. They haven't sent a single chart as far as I know, but that doesn't stop them from issuing press releases praising their "interoperability" with the same frequency AT&T issues press releases praising their gigabit fiber.

Then there are HISPs (centralized, sometimes quasi-public, repositories of patient information). Some have managed to legislate themselves as mandatory middlemen, and, having done so, have proceeded to extract monopoly rents over the transmission of outdated and incorrect patient information. Even better is provider look-up--if they give you the wrong fax number for a physician, you are responsible for the HIPAA violation when a random gas station gets someone's medical information. This causes them to care as much as you'd expect about the integrity of the data they peddle (and that you're required to buy).

It's frustrating, because medical information has to be shared for it to be of use--there's no use having a mammography if no one will read the results, or if the people treating you can't access the study and have to order their own.

No surprise - I work in the industry

[cpm99352]

Incompetence abounds in the health care industry:

1. Legacy mainframe systems that have no data integrity - dates like 99/99/9999 are considered valid

2. Legacy mainframe systems that have no data integrity - tabs present in names & addresses, so a tab-delimited extract then proves challenging

3. IT Staff who refuse to block China and the -stans (despite having only US coverage), saying that it is not a complete solution.

4. On the database side, passwords stored in cleartext. Surprisingly, this apparently isn't a violation of PCI rules.


My advice? If you have a sensitive claim, pay cash and don't involve the insurance company. This is difficult, and may require you to use a different doctor when going this route. Bonus points if you can use fake ID. You would be absolutely astonished at where the claims data goes. Third parties get all sorts of data. HIPAA exclusions are enormous. If you think only your doctor knows about your embarassing drug addiction/sexual disease/mental health problem you are grossly mistaken.

Re:Solution:

[meta-monkey]

"It looks like healthcare IT has the same attitude towards its quality that George W Bush had towards 9-11."

What are you talking about? Healthcare IT is a disaster, but 9/11 was a smashing success for Bush.