Slashdot Mirror


Most Healthcare Managers Admit Their IT Systems Have Been Compromised

Lucas123 writes: Eighty-one percent of healthcare IT managers say their organizations have been compromised by at least one malware, botnet or other kind of cyber attack during the past two years, and only half of those managers feel that they are adequately prepared to prevent future attacks, according to a new survey by KPMG. The KPMG survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans, and found 65% indicated malware was most frequently reported line of attack during the past 12 to 24 months. Additionally, those surveyed indicated the areas with the greatest vulnerabilities within their organization include external attackers (65%), sharing data with third parties (48%), employee breaches (35%), wireless computing (35%) and inadequate firewalls (27%). Top among reasons healthcare facilities are facing increased risk, was the adoption of digital patient records and the automation of clinical systems.

21 of 122 comments

  1. Solution: by Anonymous Coward · · Score: 2, Insightful

    Just relocate the servers to Hillary's basement. It's an accountability-free zone. Because obeying laws is for the little people.

    1. Re:Solution: by ewhac · · Score: 2, Informative

      BWHA-HA-HAHAHAH!! Z0MG, you're so Hillary-ous!!

      ...Oh, wait: http://www.dailynewsbin.com/ne...

      Looks like e-Ghazi was a big nothing-burger. Which is what we dirty fscking hippies have been saying ever since it was first trotted out. But: Please continue, Governor. Don't let minor things like facts get in the way of a good right-wing misogynistic rant. Your lives are bleak and meaningless enough as it is.

    2. Re:Solution: by fredgiblet · · Score: 2

      The mention of Benghazi is likely a reference to the fact that Republicans are STILL trying to make Benghazi out to be a conspiracy despite multiple independent investigations turning up nothing.

    3. Re:Solution: by BVis · · Score: 2, Insightful

      You assholes never miss a chance to inject your political ideology into a discussion where it's not relevant, do you.

      I can do that too:

      "It looks like healthcare IT has the same attitude towards its quality that George W Bush had towards 9-11."

      --
      Never underestimate the power of stupid people in large groups.
    4. Re:Solution: by meta-monkey · · Score: 3, Informative

      "It looks like healthcare IT has the same attitude towards its quality that George W Bush had towards 9-11."

      What are you talking about? Healthcare IT is a disaster, but 9/11 was a smashing success for Bush.

      --
      We don't have a state-run media we have a media-run state.
  2. Re:Aaaand *NOTHING* happens to them... by sexconker · · Score: 2

    All indicators show that programming is becoming less professional, not more so.
    At best, you'll get some sort of liability clauses built into big military / government contracts that will be ultimately toothless when shit goes wrong.

  3. Re:Aaaand *NOTHING* happens to them... by Z34107 · · Score: 2

    And as a developer who knows what he's doing, I can't fucking wait for all the clowns to be weeded out of my profession.

    You can't be that great if you haven't heard of Dunning-Kruger.

    --
    DATABASE WOW WOW
  4. Re:Aaaand *NOTHING* happens to them... by onkelonkel · · Score: 2

    Cool idea. We could call the licensed programmers "Software Engineers", and have it actually be true.

    --
    None of them can see the clouds; The polished wings don't care.
  5. Re:Give me a choice by Z34107 · · Score: 5, Insightful

    I wish I could request paper records.

    You really don't. I've shilled for EHRs before, but the TL;DR is

    • Paper charts kill people. They don't check for drug interactions; they don't double-check that you've got the right patient when you're operating or administering medications; in the case of a recall, they can't tell you who received a bad batch of a vaccine; and they certainly can't tell a first responder that unconscious you is allergic to blue dye, unless they already happen to know your regular clinic and have a fax machine in the ambulance.
    • Paper charts are useless for patient care. The hospitalist trying to reconcile what you were taking at home with what they want to give you in the hospital can't actually determine whether they're about to kill you if the cardiologist treating your heart attack happened to take the only copy of the chart to enter his notes. If they made a second copy for the cardiologist, there's no guarantee his notes and medications will ever get entered into the hospitalist's copy, or into pharmacy's copy, who might also wonder why two different doctors plus your PCP are trying to dose you on blood thinners, or into your regular doctor's copy, who might be totally unaware of the cardiologist's findings.
    • Paper charts are expensive. If nobody knows that you already had a lab or an X-Ray, they're going to order it again. If they do know you had one of the above, you're going to have to wait for a fax, or for them to mail negatives. Because handwriting and general disorganization, especially over a long admission, tends to make them write-only, it's much harder to know exactly what they gave you and why, which makes it harder to justify to the government or an insurance company why they should pay your tab.

    That doesn't mean the electronic versions don't have terrible, even maddening, flaws, but even the worst are better than paper.

    --
    DATABASE WOW WOW
  6. clueless management by Joe_Dragon · · Score: 2

    Being a licensed profession will stop clueless management from forcing stuff to be so easy to hack / not being willing to pay the costs to have it done right.

  7. Why just healthcare IT managers? by QuietLagoon · · Score: 3, Insightful

    It wouldn't surprise me if the statistic held true across all industries.

  8. Re:Holey Moley by gweihir · · Score: 3

    This has zero surprise value to anybody active in the IT security field. And yes, the numbers are scary, but they have been building up to today's abysmal state over several decades, as companies noticed they could get away with it and nothing was happening to them. I now even have heard the head of IT security of a large company serving a lot of customers say that a data-breach was not a reputational risk, because it happened so often these days that customers forget fast.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. Re:One more reason not to use SSN for healthcare I by guruevi · · Score: 2

    So the health care provider needs a health insurance subscriber number, not an SSN to identify someone. The health provider can in turn have the SSN but that limits the surface significantly.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  10. In other news... by stinkydog · · Score: 2

    20% of Healthcare CIOs are idiots or liars. Every healthcare organization has seen the basic web malware on the inside of the firewall. If they haven't been cryptolockered at least once, they do not use the internet. Patching in healthcare sucks. Doctors do anything they want with IT systems. If you have an electronic healthcare record, someone unauthorized has seen it. Hospital systems are busy building new sites and cutting IT 10%. I saw one EHR deployment where every client/user logged into the database as "SA". The only faith I have in the system is that it has been compromised already...

    SD

    --
    "Who knew something as harmless as willful ignorance could end up having real consequences?"
  11. Re:Give me a choice by Z34107 · · Score: 3, Informative

    I hear you--even within a hospital system, and even where standards exist, it's a pain. Ultrasound machines (for those that aren't imaging informaticists) are supposed to speak DICOM, but some do it creatively--one technically sent DICOM messages over the network, but most of what they contained was wrapped inside a proprietary XML blob rather than standard DICOM fields. What standard fields were implemented were implemented strangely, waffling between spelling out measurements ("centimeters") or using their abbreviations, mixing case, and reporting measurements to absurd precision (dozens of zeroes after the decimal point, for a bone measured in millimeters).

    Sharing charts between hospitals is a mire of politics. There's the government's own Direct standard, which they mandated every hospital use to send charts, without any indication of what the recipient is supposed to do--a lot pipe them to /dev/null, because the vaguely defined content of the message is often useless and redundant with existing methods of communication. They're now working on legalese to require that you "do something" with the messages you receive, but exactly what that is (and how to objectively prove that you did it) they're still figuring out.

    Then there are organizations like Commonwell, trying to monetize a data-sharing "standard" not even their founding members could be bothered to implement. They haven't sent a single chart as far as I know, but that doesn't stop them from issuing press releases praising their "interoperability" with the same frequency AT&T issues press releases praising their gigabit fiber.

    Then there are HISPs (centralized, sometimes quasi-public, repositories of patient information). Some have managed to legislate themselves as mandatory middlemen, and, having done so, have proceeded to extract monopoly rents over the transmission of outdated and incorrect patient information. Even better is provider look-up--if they give you the wrong fax number for a physician, you are responsible for the HIPAA violation when a random gas station gets someone's medical information. This causes them to care as much as you'd expect about the integrity of the data they peddle (and that you're required to buy).

    It's frustrating, because medical information has to be shared for it to be of use--there's no use having a mammography if no one will read the results, or if the people treating you can't access the study and have to order their own.

    --
    DATABASE WOW WOW
  12. It's 100%, those numbers are lies by behrooz0az · · Score: 2

    I have hacked into 3 different hospitals, not large ones, moderate size.
    None of which took more than 15 minutes to do, and I did it with my phone because I was bored waiting in line to see the doctor.
    Got all the doctors' names, what surgery is where, the insurance contacts, the accounting data, how much everyone gets paid (best part) but didn't touch patient data because I knew that one has its own criminal penalties.
    Point being no one noticed, no one cares to notice, after years they still don't know.
    I didn't even go after the hospitals seriously, I used a fucking phone.
    I don't know how much harder it can be to penetrate insurance companies or large hospital chains, but it can be done in a timely manner. I believe you can actually have a timetable for hacking them because they all use the same crappy software vendors.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  13. No surprise - I work in the industry by cpm99352 · · Score: 4, Informative

    Incompetence abounds in the health care industry:

    1. Legacy mainframe systems that have no data integrity - dates like 99/99/9999 are considered valid

    2. Legacy mainframe systems that have no data integrity - tabs present in names & addresses, so a tab-delimited extract then proves challenging

    3. IT Staff who refuse to block China and the -stans (despite having only US coverage), saying that it is not a complete solution.

    4. On the database side, passwords stored in cleartext. Surprisingly, this apparently isn't a violation of PCI rules.


    My advice? If you have a sensitive claim, pay cash and don't involve the insurance company. This is difficult, and may require you to use a different doctor when going this route. Bonus points if you can use fake ID. You would be absolutely astonished at where the claims data goes. Third parties get all sorts of data. HIPAA exclusions are enormous. If you think only your doctor knows about your embarrassing drug addiction/sexual disease/mental health problem you are grossly mistaken.
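
The first two items in the comment above (sentinel dates such as 99/99/9999 accepted as valid, and tabs inside name fields wrecking a tab-delimited extract) are data-integrity checks a downstream consumer can enforce even when the legacy source will not. The following is an added example, not code from the page or from any vendor it mentions; the sample rows, field names and the `%m/%d/%Y` date layout are constructed assumptions for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows (not real data): mimics a legacy extract in which a
# sentinel date slipped through and one name field carries an embedded tab.
SAMPLE_ROWS = [
    {"member_id": "A100", "name": "Doe, Jane", "dob": "03/14/1975"},
    {"member_id": "A101", "name": "Smith,\tJohn", "dob": "99/99/9999"},
    {"member_id": "A102", "name": "Lee, Ann", "dob": "02/30/1990"},
]
FIELDS = ("member_id", "name", "dob")


def validate_date(value, fmt="%m/%d/%Y"):
    """Return a date only if value is a real calendar date; 99/99/9999 and
    02/30/1990 both fail, which is the check the legacy system skipped."""
    try:
        return datetime.strptime(value, fmt).date()
    except ValueError:
        return None


def check_rows(rows):
    """Flag rows with invalid dates or control characters in text fields,
    so bad records are quarantined instead of silently loaded."""
    problems = []
    for row in rows:
        if validate_date(row["dob"]) is None:
            problems.append((row["member_id"], "dob", f"invalid date {row['dob']!r}"))
        for field in ("name",):
            if any(ch in row[field] for ch in "\t\r\n"):
                problems.append((row["member_id"], field, "control character in text"))
    return problems


def naive_column_counts(rows):
    """What a split()-based TSV pipeline sees: the embedded tab makes the
    second record look like it has four columns instead of three."""
    return [len("\t".join(row[f] for f in FIELDS).split("\t")) for row in rows]


def export_tsv(rows):
    """Write a TSV with proper quoting, so a field containing a tab is
    quoted and the column count survives a round trip."""
    buf = io.StringIO()
    w = csv.writer(buf, delimiter="\t", quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    w.writerow(FIELDS)
    for row in rows:
        w.writerow([row[f] for f in FIELDS])
    return buf.getvalue()


def import_tsv(text):
    """Read the extract back with a quote-aware reader, not str.split()."""
    r = csv.reader(io.StringIO(text), delimiter="\t")
    header = next(r)
    return [dict(zip(header, rec)) for rec in r]


if __name__ == "__main__":
    for p in check_rows(SAMPLE_ROWS):
        print("REJECT", *p)
    print("naive column counts:", naive_column_counts(SAMPLE_ROWS))
    print("round-trip rows:", import_tsv(export_tsv(SAMPLE_ROWS)))
```

The point of the round trip is that the quoting decision belongs in the writer: once a tab-bearing name has been dumped with plain string joins, no reader can reliably tell which tab was the delimiter.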

  14. Re:One more reason not to use SSN for healthcare I by fredgiblet · · Score: 2

    Would be nice if we could have 2-3 National ID numbers of varying security so that we could give the low security one to places like that, reserving the high security one for things like finances.

  15. Re:Holey Moley by coofercat · · Score: 4, Insightful

    These numbers are basically bollocks. I'd be prepared to bet that 80% of any businesses, large, small or from the planet Zod have had a malware infection within the last 2 years. The point is that they're asking if they've had *any* problem - it could be that someone clicked a link, they realised their mistake and called IT to rebuild their machine, right up to confidential data transmission to parties unknown.

    If they'd asked "have you lost any confidential patient data in the last 2 years?", I bet the number admitting to it would be virtually zero. For those that have lost data and know about it, they've either been out in public already, or else are doing everything they can to cover it up as it could be commercial suicide to admit such a thing. I'll bet the majority of companies of any sort couldn't be sure data had been lost unless it was a massive loss or performed by some idiot employee who got caught loading his desktop into the back of his car. Admitting you caught a virus here or there is pretty much a zero-risk thing to admit, because in most cases it causes no direct harm other than some extra work for some IT folks.

    For all it's worth, we could ask "has your home network been port scanned in the last year?". 80% of slashdotters would say yes, the other 20% would say no because they haven't checked, and yet nothing of value was gained or lost as a result. For extra click bait, I could then add "port scanning is the first step to far more serious hacks which could result in data loss" (which would mimic all the scaremongering in the article, all of which is attributed to KPMG).

  16. Re:Aaaand *NOTHING* happens to them... by Anonymous+Brave+Guy · · Score: 4, Insightful

    We could call the licensed programmers "Software Engineers", and have it actually be true.

    The trouble is, it wouldn't be, because we're probably still several decades away from the kind of maturity and evidence base we'd need in the industry to actually do software development as a true engineering discipline. It's a laudable goal, but we don't know how to do it yet.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  17. It's not just healthcare, either by Anonymous+Brave+Guy · · Score: 2

    You make a good point, but it applies beyond healthcare too.

    May I introduce you to the auto industry? They'd like to sell you a new car that is always on-line, accepts OTA updates, and runs the safety-critical vehicle control systems on the same bus as the infotainment controls. What could possibly go wrong? (It's ironic that among the reports of hacks and abuses over recent months, there was also a report suggesting that many customers didn't use or actively didn't want a lot of these new electronic gadgets in their vehicles anyway. The only developments that almost everyone seemed to support were the directly safety-related driver aids.)

    Then we have the financial and insurance industries, whose only requirement for any software they make sometimes seems to be "minimise fraud". Obviously that's an important commercial requirement, but meanwhile, they still can't reliably do basic things like sending money from person A to person B, providing secure and usable on-line banking facilities, providing working IT for their in-branch staff, or sometimes even keeping accurate records of who is authorised to access an account or facility.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.