Most Healthcare Managers Admit Their IT Systems Have Been Compromised

Lucas123 writes: Eighty-one percent of healthcare IT managers say their organizations have been compromised by at least one malware, botnet or other kind of cyber attack during the past two years, and only half of those managers feel that they are adequately prepared to prevent future attacks, according to a new survey by KPMG. The KPMG survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans, and found 65% indicated malware was most frequently reported line of attack during the past 12 to 24 months. Additionally, those surveyed indicated the areas with the greatest vulnerabilities within their organization include external attackers (65%), sharing data with third parties (48%), employee breaches (35%), wireless computing (35%) and inadequate firewalls (27%). Top among reasons healthcare facilities are facing increased risk, was the adoption of digital patient records and the automation of clinical systems.

Re:Give me a choice

[Z34107]

I wish I could request paper records.

You really don't. I've shilled for EHRs before, but the TL;DR is

• Paper charts kill people. They don't check for drug interactions; they don't double-check that you've got the right patient when you're operating or administering medications; in the case of a recall, they can't tell you who received a bad batch of a vaccine; and they certainly can't tell a first responder that unconscious you is allergic to blue dye, unless they already happen know your regular clinic and have a fax machine in the ambulance.
• Paper charts are useless for patient care. The hospitalist trying to reconcile what you were taking at home with what they want to give you in the hospital can't actually determine whether they're about to kill you if the cardiologist treating your heart attack happened to take the only copy of the chart to enter his notes. If they made a second copy for the cardiologist, there's no guarantee his notes and medications will ever get entered into the hospitalists copy, or into pharmacy's copy, who might also wonder why two different doctors plus your PCP are trying to dose you on blood thinners, or into your regular doctor's copy, who might be totally unaware of the cardiologist's findings
• Paper charts are expensive. If nobody knows that you already had a lab or an X-Ray, they're going to order it again. If they do know you had one of the above, you're going to have to wait for a fax, or for them to mail negatives. Because handwriting and general disorganization, especially over a long admission, tends to make them write-only, it's much harder to know exactly what they gave you and why, which makes it harder to justify to the government or an insurance company why they should pay your tab.

That doesn't mean the electronic versions don't have terrible, even maddening, flaws, but even the worst are better than paper.

No surprise - I work in the industry

[cpm99352]

Incompetence abounds in the health care industry:

1. Legacy mainframe systems that have no data integrity - dates like 99/99/9999 are considered valid

2. Legacy mainframe systems that have no data integrity - tabs present in names & addresses, so a tab-delimited extract then proves challenging

3. IT Staff who refuse to block China and the -stans (despite having only US coverage), saying that it is not a complete solution.

4. On the database side, passwords stored in cleartext. Surprisingly, this apparently isn't a violation of PCI rules.


My advice? If you have a sensitive claim, pay cash and don't involve the insurance company. This is difficult, and may require you to use a different doctor when going this route. Bonus points if you can use fake ID. You would be absolutely astonished at where the claims data goes. Third parties get all sorts of data. HIPAA exclusions are enormous. If you think only your doctor knows about your embarassing drug addiction/sexual disease/mental health problem you are grossly mistaken.

Re:Holey Moley

[coofercat]

These numbers are basically bollocks. I'd be prepared to bet that 80% of any businesses, large, small or from the planet Zod have had a malware infection within the last 2 years. The point is that they're asking if they've had *any* problem - it could be that someone clicked a link, they realised their mistake and called IT to rebuild their machine, right up to confidential data transmission to parties unknown.

If they'd asked "have you lost any confidential patient data in the last 2 years?", I bet the number admitting to it would be virtually zero. For those that have lost data and know about it, they've either been out in public already, or else are doing everything they can to cover it up as it could be commercial suicide to admit such a thing. I'll bet the majority of companies of any sort couldn't be sure data had been lost unless it was a massive loss or performed by some idiot employee who got caught loading his desktop into the back of his car. Admitting you caught a virus here or there is pretty much a zero-risk thing to admit, because in most cases it causes no direct harm other than some extra work for some IT folks.

For all its worth, we could ask "has your home network been port scanned in the last year?". 80% of slashdotters would say yes, the other 20% would say no because they haven't checked, and yet nothing of value was gained or lost as a result. For extra click bait, I could then add "port scanning is the first step to far more serious hacks which could result in data loss" (which would mimic all the scaremongering in the article, all of which is attributed to KPMG).

Re:Aaaand *NOTHING* happens to them...

[Anonymous+Brave+Guy]

We could call the licensed programmers "Software Engineers", and have it actually be true.

The trouble is, it wouldn't be, because we're probably still several decades away from the kind of maturity and evidence base we'd need in the industry to actually do software development as a true engineering discipline. It's a laudable goal, but we don't know how to do it yet.