Slashdot Mirror
Most Healthcare Managers Admit Their IT Systems Have Been Compromised
Lucas123 writes: Eighty-one percent of healthcare IT managers say their organizations have been compromised by at least one malware, botnet or other kind of cyber attack during the past two years, and only half of those managers feel that they are adequately prepared to prevent future attacks, according to a new survey by KPMG. The KPMG survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans, and found 65% indicated malware was most frequently reported line of attack during the past 12 to 24 months. Additionally, those surveyed indicated the areas with the greatest vulnerabilities within their organization include external attackers (65%), sharing data with third parties (48%), employee breaches (35%), wireless computing (35%) and inadequate firewalls (27%). Top among reasons healthcare facilities are facing increased risk, was the adoption of digital patient records and the automation of clinical systems.
It's only a matter of time before real programming becomes a licensed profession.
And as a developer who know what he's doing, I can't fucking wait for all the clowns to be weeded out of my profession.
And if you don't want actual standards and real legal responsibility, YOU ARE ONE OF THE CLOWNS.
Just relocate the servers to Hillary's basement. It's an accountability-free zone. Because obeying laws is for the little people.
Am I they only one that is completely freaked out by this ? These are some seriously scary numbers !
I wish I could request paper records. Some old systems are better than the replacement. I would rather not be entered into any electronic system.
The current electronic record systems are notoriously hard to use. Nurses and doctors end up copying and pasting and clicking through these systems with little regard to the accuracy of the data. As a result, when there is a lawsuit, the extremely poor data quality of the medical records ends up hugely supporting the plaintiff.
From a more basic perspective: when I'm the the dr.'s office watching them type in my heart rate and blood pressure and notes, I'm thinking that my data is going into a central records system somewhere in the hospital where everything is in one spot so that it is easy to steal when it is eventually all stolen ( more specifically downloaded by someone who doesn't even need to enter the building. ).
This is how databases work. They put all your eggs in one basket. Plus, you can't have openness ( e.g. the paramedics can get to your records in seconds after finding your driver's license so that they know your pre-existing conditions ) and strong security. The goal of electronic records, making it easy to let a long list of people from the pharmacy to the insurance company to the government "server you better", is completely inconsistent with data privacy. If I can log into a webpage and view my records, it is only a matter of time before those records are stolen.
Only the technically illiterate use 'cyber' in relation to the Internet. Please stop embarrassing your readers.
"those surveyed indicated the areas with the greatest vulnerabilities within their organization include external attackers (65%), sharing data with third parties (48%), employee breaches (35%), wireless computing (35%) and inadequate firewalls (27%)."
In todays distributed, objects-in-the-cloud type of Internet, anti-virus are mostly ineffectual, so are firewalls as procedure calls can be relayed over HTML.
Healthcare records should have zero connection to your finances.
You are insulting the fine profession OF CLOWNING.
(although some folks taking up clowning instead of ...)
No, many of us have been shouting about this for so long that everyone else stopped listening.
They probably hacked her phone too.
Being licensed profession will stop clueless management from force stuff to be so easy to hack / not willing to pay the costs to have be done right.
Malware could mean something as simple as "the accountant tried to install a screensaver." This story really doesn't tell us anything about how often critical medical systems are attacked......
(and of course the systems are vulnerable, just like every other system connected to the internet).
"First they came for the slanderers and i said nothing."
The problem is, that's not something that could be realistically done. Health insurance has to have your SSN to determine identity and for tax purposes - the insurer needs to make sure they are billing the right people, and they need to make sure that their clients can verify their insurance information because of the way health insurance (especially through an employer) interacts with the tax system. Most employer-provided health insurance is paid for pre-tax, and if the IRS comes along with any questions as to whether the insurance is real or not, there has to be a way to prove it. At the same time, the hospitals and other care providers need SSNs to be able to correctly bill the insurance companies for the right person's care.
It wouldn't surprise me if the statistic held true across all industries.
Very true, unfortunately.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The company I work for, Bright Plaza, has a SAAS that can almost eliminate the risk of phishing attacks and several other threats, while improving the user login experience. (It's a proof of knowledge SAAS that can support almost any type of proof of knowledge, from text and picture passwords to cognitive self tests and others.) And, based on the number of Lamborghini's at the Healthcare IT conferences, there's no lack of money available. Even more, the HIPAA lawas make it extremely expensive to expose clients' personal data. But from our attempts to to get healthcare companies to consider actually implementing, or installing even dirt simple new features, they have zero interest in actually doing anything about this. Like lemmings, they will either keep running their own systems (often dating back years), or if they're already sucked into one of the vendor systems will just wait until EPIC, or one of the other big three vendors, provides some new halfway measures.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
So the health care provider needs a health insurance subscriber number, not an SSN to identify someone. The health provider can in turn have the SSN but that limits the surface significantly.
Custom electronics and digital signage for your business: www.evcircuits.com
20% of Healthcare CIOs are idiots or liars. Every healthcare organization has seen the basic web malware on the the inside of the firewall. If they haven't been cyptolockered at least once, the do not use the internet. Patching in healthcare sucks. Doctors do anything they want with IT systems. If you have an electronic healthcare record, someone unauthorized has seen it. Hospitals systems are busy building new sites and cutting IT 10%. I saw one EHR deployment where every client/user logged into the database as "SA". The only faith I have in the system is that it has been compromised already...
SD
âoeWho knew something as harmless as willful ignorance could end up having real consequences?â
The only real solution is to give the whole project over to the NSA. They'll make sure nobody else has access to the data, unless they get paid.
Sleep your way to a whiter smile...date a dentist!
I have hacked into 3 different hospitals, not large ones, moderate size.
None of which took more than 15 minutes to do, And I did it with my phone because I was bored waiting in line to see the doctor.
Got all the doctors names, what surgery is where, the insurance contacts, the accounting data, how much everyone gets paid(best part) but didn't touch patient data because I knew that one has it's own criminal penalties.
Point being no one noticed, no one cares to notice, after years they still don't know.
I didn't even go after the hospitals seriously, I used a fucking phone.
I don't know how much harder it can be to penetrate insurance companies or large hospital chains. but it can be done in a timely manner. I beleive You can actually have a timetable for hacking them because they all use the same crappy software vendors.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
Incompetence abounds in the health care industry:
1. Legacy mainframe systems that have no data integrity - dates like 99/99/9999 are considered valid
2. Legacy mainframe systems that have no data integrity - tabs present in names & addresses, so a tab-delimited extract then proves challenging
3. IT Staff who refuse to block China and the -stans (despite having only US coverage), saying that it is not a complete solution.
4. On the database side, passwords stored in cleartext. Surprisingly, this apparently isn't a violation of PCI rules.
My advice? If you have a sensitive claim, pay cash and don't involve the insurance company. This is difficult, and may require you to use a different doctor when going this route. Bonus points if you can use fake ID. You would be absolutely astonished at where the claims data goes. Third parties get all sorts of data. HIPAA exclusions are enormous. If you think only your doctor knows about your embarassing drug addiction/sexual disease/mental health problem you are grossly mistaken.
Would be nice if we could have 2-3 National ID numbers of varying security so that we could give the low security one to places like that, reserving the high security one for things like finances.
Ad hominem all the way!
The ACA system is about as far from socialism as you can get. Parroting that canard only reflects poorly on you.
The good thing is that licensed professionals have to adhere to professional standards or become liable.
The problem is who sets those standards.
No-one knows how to write perfect software, because there is no such thing. Even with technically perfect implementation, there are always questions of requirements and design where at some point the specification of what you need isn't in a neat, unambiguous, technical form.
Very few people in the world know how to write highly robust and secure software, and the cost of doing so is often high. A few more people are exploring various potentially better ways of doing things, which might improve the situation in the long term, but for now there isn't a large and reliable body of evidence to support most of these ideas. Crucially, in many cases today, even skilled and diligent professionals who will all do good work may genuinely disagree about which tools and techniques they prefer to use and why.
Regulation and licensing would most likely be based on "best practices" determined by some central organisation, but there is a tiny pool of candidates who are even remotely qualified to make such judgements and a tiny body of evidence to support it. Realistically, that means the people settings the standards probably won't be the real experts, such as they are. No, the regulators will more likely be people like those consultants who sell a different trendy methodology every few years, and the idea of giving those vacuous salespeople a louder voice than already have and actual legal powers over how other professionals develop software is more terrifying than any bug.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
You make a good point, but it applies beyond healthcare too.
May I introduce you to the auto industry? They'd like to sell you a new car that is always on-line, accepts OTA updates, and runs the safety-critical vehicle control systems on the same bus as the infotainment controls. What could possibly go wrong? (It's ironic that among the reports of hacks and abuses over recent months, there was also a report suggesting that many customers didn't use or actively didn't want a lot of these new electronic gadgets in their vehicles anyway. The only developments that almost everyone seemed to support were the directly safety-related driver aids.)
Then we have the financial and insurance industries, whose only requirement for any software they make sometimes seems to be "minimise fraud". Obviously that's an important commercial requirement, but meanwhile, they still can't reliably do basic things like sending money from person A to person B, providing secure and usable on-line banking facilities, providing working IT for their in-branch staff, or sometimes even keeping accurate records of who is authorised to access an account or facility.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Why is this surprising to anyone? I am sure it is quite similar in every industry. Between businesses cutting their IT staff (especially common between 2008-2012), moving from dedicated security people to having the admins be responsible for security as a secondary responsibility, to having dedicated security people from certificate factories who are more interested in checklists and getting shiny new toys from whichever vendor gets them the best bribe (movie tickets, sports game tickets, etc.); how is anyone surprised. I don't work in IT security, but I find there are not very many good security people out there, and even the good ones can struggle to find jobs as security people were easy to let go when companies don't value it as a "mission critical" headcount for RIFs. I suppose the only surprising thing in this article is that there aren't more data breaches that have occurred in healthcare.
It really depends.
Are we talking 'true' socialism is big fat quotes.
Or are we talking the kind of system that tend to occur when socialists implement their policies.
It's the same communism or capitalism as abstract ideals.
We can theorize that the Soviet Union was not truly communist. But there never was an ideal communist state.
We can theorize what an ideal libertarian state could be, but there never was such a state.
Yet in the end of the day, what actually matters is the policy that comes out.
The ACA is in line with modern socialist policies. ...
1. Forces your participation
2. Attempts to provide a service to the poor via subsidies
3. Reduces choice in the kinds of coverage you can have. The minimum is not just a basic minimum for emergencies so hospitals emergencies don't go unpaid.
4. various pricing control mechanism on providers
5. attempts to control an industry via the state
The ACA might not be ideal socialism, but
saying that the ACA is about as far from socialism as you can get is simply parroting a canard that only reflects poorly on you.
Would be nice if we could have 2-3 National ID numbers of varying security so that we could give the low security one to places like that, reserving the high security one for things like finances.
No, we need to fundamentally change the system so that its "security" doesn't rely on the secrecy of a few widely distributed numbers.