Most Healthcare Managers Admit Their IT Systems Have Been Compromised

Lucas123 writes: Eighty-one percent of healthcare IT managers say their organizations have been compromised by at least one malware, botnet or other kind of cyber attack during the past two years, and only half of those managers feel that they are adequately prepared to prevent future attacks, according to a new survey by KPMG. The KPMG survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans, and found 65% indicated malware was most frequently reported line of attack during the past 12 to 24 months. Additionally, those surveyed indicated the areas with the greatest vulnerabilities within their organization include external attackers (65%), sharing data with third parties (48%), employee breaches (35%), wireless computing (35%) and inadequate firewalls (27%). Top among reasons healthcare facilities are facing increased risk, was the adoption of digital patient records and the automation of clinical systems.

Re:Give me a choice

[Z34107]

I wish I could request paper records.

You really don't. I've shilled for EHRs before, but the TL;DR is

• Paper charts kill people. They don't check for drug interactions; they don't double-check that you've got the right patient when you're operating or administering medications; in the case of a recall, they can't tell you who received a bad batch of a vaccine; and they certainly can't tell a first responder that unconscious you is allergic to blue dye, unless they already happen know your regular clinic and have a fax machine in the ambulance.
• Paper charts are useless for patient care. The hospitalist trying to reconcile what you were taking at home with what they want to give you in the hospital can't actually determine whether they're about to kill you if the cardiologist treating your heart attack happened to take the only copy of the chart to enter his notes. If they made a second copy for the cardiologist, there's no guarantee his notes and medications will ever get entered into the hospitalists copy, or into pharmacy's copy, who might also wonder why two different doctors plus your PCP are trying to dose you on blood thinners, or into your regular doctor's copy, who might be totally unaware of the cardiologist's findings
• Paper charts are expensive. If nobody knows that you already had a lab or an X-Ray, they're going to order it again. If they do know you had one of the above, you're going to have to wait for a fax, or for them to mail negatives. Because handwriting and general disorganization, especially over a long admission, tends to make them write-only, it's much harder to know exactly what they gave you and why, which makes it harder to justify to the government or an insurance company why they should pay your tab.

That doesn't mean the electronic versions don't have terrible, even maddening, flaws, but even the worst are better than paper.

Why just healthcare IT managers?

[QuietLagoon]

It wouldn't surprise me if the statistic held true across all industries.

Re:Holey Moley

[gweihir]

This has zero surprise value to anybody active in the IT security field. And yes, the numbers are scary, but they have been building up to today's abysmal state over several decades, as companies noticed they could get away with it and nothing was happening to them. I now even have heard the head of IT security of a large company serving a lot of customers say that a data-breach was not a reputational risk, because it happened so often these days that customers forget fast.

Re:Give me a choice

[Z34107]

I hear you--even within a hospital system, and even where standards exist, it's a pain. Ultrasound machines (for those that aren't imaging informaticists) are supposed to speak DICOM, but some do it creatively--one technically sent DICOM messages over the network, but most of what they contained was wrapped inside a proprietary XML blob rather than standard DICOM fields. What standard fields were implemented were implemented strangely, waffling between spelling out measurements ("centimeters") or using their abbreviations, mixing case, and reporting measurements to absurd precision (dozens of zeroes after the decimal point, for a bone measured in millimeters).

Sharing charts between hospitals is a mire of politics. There's the government's own Direct standard, which they mandated every hospital use to send charts, without any indication of what the recipient is supposed to do--a lot pipe them to /dev/null, because the vaguely defined content of the message is often useless and redundant with existing methods of communication. They're now working on legalese to require that you "do something" with the messages you receive, but exactly what that is (and how to objectively prove that you did it) they're still figuring out.

Then there are organizations like Commonwell, trying to monetize a data-sharing "standard" not even their founding members could be bothered to implement. They haven't sent a single chart as far as I know, but that doesn't stop them from issuing press releases praising their "interoperability" with the same frequency AT&T issues press releases praising their gigabit fiber.

Then there are HISPs (centralized, sometimes quasi-public, repositories of patient information). Some have managed to legislate themselves as mandatory middlemen, and, having done so, have proceeded to extract monopoly rents over the transmission of outdated and incorrect patient information. Even better is provider look-up--if they give you the wrong fax number for a physician, you are responsible for the HIPAA violation when a random gas station gets someone's medical information. This causes them to care as much as you'd expect about the integrity of the data they peddle (and that you're required to buy).

It's frustrating, because medical information has to be shared for it to be of use--there's no use having a mammography if no one will read the results, or if the people treating you can't access the study and have to order their own.

No surprise - I work in the industry

[cpm99352]

Incompetence abounds in the health care industry:

1. Legacy mainframe systems that have no data integrity - dates like 99/99/9999 are considered valid

2. Legacy mainframe systems that have no data integrity - tabs present in names & addresses, so a tab-delimited extract then proves challenging

3. IT Staff who refuse to block China and the -stans (despite having only US coverage), saying that it is not a complete solution.

4. On the database side, passwords stored in cleartext. Surprisingly, this apparently isn't a violation of PCI rules.


My advice? If you have a sensitive claim, pay cash and don't involve the insurance company. This is difficult, and may require you to use a different doctor when going this route. Bonus points if you can use fake ID. You would be absolutely astonished at where the claims data goes. Third parties get all sorts of data. HIPAA exclusions are enormous. If you think only your doctor knows about your embarassing drug addiction/sexual disease/mental health problem you are grossly mistaken.

Re:Holey Moley

[coofercat]

These numbers are basically bollocks. I'd be prepared to bet that 80% of any businesses, large, small or from the planet Zod have had a malware infection within the last 2 years. The point is that they're asking if they've had *any* problem - it could be that someone clicked a link, they realised their mistake and called IT to rebuild their machine, right up to confidential data transmission to parties unknown.

If they'd asked "have you lost any confidential patient data in the last 2 years?", I bet the number admitting to it would be virtually zero. For those that have lost data and know about it, they've either been out in public already, or else are doing everything they can to cover it up as it could be commercial suicide to admit such a thing. I'll bet the majority of companies of any sort couldn't be sure data had been lost unless it was a massive loss or performed by some idiot employee who got caught loading his desktop into the back of his car. Admitting you caught a virus here or there is pretty much a zero-risk thing to admit, because in most cases it causes no direct harm other than some extra work for some IT folks.

For all its worth, we could ask "has your home network been port scanned in the last year?". 80% of slashdotters would say yes, the other 20% would say no because they haven't checked, and yet nothing of value was gained or lost as a result. For extra click bait, I could then add "port scanning is the first step to far more serious hacks which could result in data loss" (which would mimic all the scaremongering in the article, all of which is attributed to KPMG).

Re:Aaaand *NOTHING* happens to them...

[Anonymous+Brave+Guy]

We could call the licensed programmers "Software Engineers", and have it actually be true.

The trouble is, it wouldn't be, because we're probably still several decades away from the kind of maturity and evidence base we'd need in the industry to actually do software development as a true engineering discipline. It's a laudable goal, but we don't know how to do it yet.

Re:Solution:

[meta-monkey]

"It looks like healthcare IT has the same attitude towards its quality that George W Bush had towards 9-11."

What are you talking about? Healthcare IT is a disaster, but 9/11 was a smashing success for Bush.