Very astute. It's hard to say which is "worse." In both cases, the information is vulnerable to compromise. In both cases, once the info is out, you can't put the genie back in the bottle.
While electronic records are vulnerable to mass exposure in a way that paper records are not, they are far less vulnerable to casual or targeted exposure, which I tend to feel gives them a security benefit. A good electronic system does not require that your information be accessible to anyone aside from care providers (and the inevitable medical billing personnel). It also allows access only to the information relevant to your care, rather than your ENTIRE history being carted around just to get you a routine blood test.
But it's definitely true that there *will* be trawling attacks, and HIT providers need to be alert for the signs and do everything they can to defeat them. I tend to think that's easier to do this if the server is *not* running Microsoft crap;-), which disqualifies a large proportion of commercial solutions out there... but anyway.
CCHIT will make sure every last EMR will do all that and more.
CCHIT can't do squat to ensure most of the things the PP listed. Auditing requires that people are looking at the reports and interpreting the results. Communication only happens when people push the right buttons to make the data available to other systems. Reporting, again, is only as good as the people generating and analyzing the reports. And error-checking relies on people to use the system intelligently, reading alerts before they're dismissed, or taking appropriate steps to correct problems the system finds.
When there's a CCHIT for HIT implementation and use, maybe it will serve the above purposes. But right now, all it does is check off that the systems exist within the software; it doesn't even evaluate how easy they are to use or whether the company documents them effectively for their users.
I can't help but feel while reading 'The Data Model That Nearly Killed Me' that the problems encountered actually had very little to do with the electronic record system at all. It seemed more like an incompetent system was in place as a whole. The data model didn't seem to do anything wrong, it was the people using it, or not using it.
But failure to take into account real-life human behavior is a major design failure all by itself..... We shouldn't excuse the software designers by blaming the medical people for their inability to use the software correctly.
All good points. Technology is a tool. There are well-made tools and poorly-made tools, but even the best-made tool is useless (or a detriment) in the hands of someone who doesn't know how to use it.
A huge part of technology implementation is policy and procedure. You have to pick or develop solutions that are going to be implementable to do the things you need to do, and you have to develop the policies that will work with the system *and* the people.
Unfortunately, most humans understand either technology solutions *or* human behavior well (if they understand either of them;-). It's very difficult to unite the two smoothly for this reason. It's not that it's a whole lot *more* difficult in HIT, just that the stakes are far higher.
There's a lot of that in the entertainment industry... you work for free to meet people, to get your name out there... and then, when you're big, you start charging big bucks. It works.
Difference? There are no big-bucks tech support jobs.
This is all very true. The issue, to me, is whether the discussion is being hosted by the manufacturer/service provider, or is in an independent forum. In an independent forum, you'll be totally honest; you'll tell people the shortcomings of a product, why they don't need such-and-such upgrade that costs $$$, etc.
If the discussion is hosted by the people selling the product, though... well. You like your standing in the community. You like your title under your forum handle or the number of stars or coffee cups or what-have-you. It makes you think twice about saying things that reflect badly on their products. You don't *lie*, you just avoid mentioning this or that.
And then, one day, said company really screws the pooch. You can't NOT say something. All of a sudden, the forum is "down for maintenance," your posts are deleted, and maybe some users are suspended or banned. Not for cussing or lying or flaming, but just for telling the truth about what's going on.
User communities are great. User communities hosted by the product providers are not bad, but they're not what you're describing here, and when they're used as a substitute for paid support, they're somewhat exploitative.
Sounds like these guys are just being exploited by their own egos.
Says the person with a +5 Informative comment. Why did you post something that might be so informative to others? I bet it was your ego that made you post.
A few years ago I was made a MVM (Much Valued Member) over a DSLReports.com/BroadbandReports.com for my contributions to several of the forums I frequented. I'm approaching close to 9k posts there, a high majority of them in response to other peoples technical questions. I never have received any compensation for my time spend on the site other then a little tag that shows up next to my name and the occasional kudos someone might send. It did give me a big of a "warm fuzzy" when I learned that I became a MVM, and it is appreciated when someone says "Thanks, you helped me out" or "Thanks for the explanation".
I guess you can call it ego, but I'd say it's just people that want to help others and have the time to do so. If that help turns into a power trip though, then it become egotistical.
dslreports.com is a user community, though. Their revenue comes not from selling connectivity, but from ads from traffic to the site. Sure, it's about ego, and posters like you do help them generate revenue... but they never set out to sell a service.
Verizon, though? It's their JOB to give people communications connections that work. Part of that is support. People are, theoretically, paying for support when they pay for their connection... they're not paying a lower price for crappy support. And then some guy is volunteering to fill in the gap they've left. In essence, they're selling his free labor. That's where it becomes exploitation, and the reason they're able to exploit him is his ego.
(Says the one who was once well-known on the Everquest Tech Support forum, and who used to volunteer as a sysop on the MSN Gaming Zone a decade ago. Yeah, BTDT, I have an ego too.;-)
I'm irrationally excited about this proposed legislation. I work for a safety-net clinic, and we basically have a mandate to get onto an electronic system by 2012 or our reimbursement levels go down. Unfortunately, the funding currently available all but requires CCHIT-certified solutions... which are all expensive proprietary works, built to run on Windows servers, yadda yadda. Color me unreassured by their promises of safety.
I just hope they make the funding available in time for us to be able to choose an open source solution. This is so very needed.
Even if they now store your data in 'free software' it still means you are now less free.
As opposed to how "free" you are when someone making $8/hour has to run your entire, plain-text paper chart to and from the front office, nurse's station, doctor's office, and file it back in the medical records room?
Yes, your record should be private. It's far, far easier to control access to an electronic chart than a paper one.
This bill provides funds for certain providers that would cover the cost of implementing and maintain EHR systems using open source software for up to five years, with a potential for another 5 year renewal.
The idea is to (1) assure that the providers can afford the cost of implementing EHR by putting up federal funds, and (2) simultaneously to get the maximum public benefit for the buck by only providing those subsidies where the iplementation is done using OSS, and providing support for interoperability workgroups, and doing a number of other things to promote standards.
Well, almost. There is quite a bit of funding available for (safety-net) clinics to implement EHRs. Unfortunately, it all has strings attached that make it virtually impossible to implement an non-proprietary solution. This legislation seeks to address that imbalance (for very good reasons as you've stated).
Isn't an EHR just a file format? That goes for both the files and the interfaces.
No, it's not. An EHR (a good one) is an intricate interface to a complex database containing text, statistics, images, and receiving data from a variety of systems including labs, pharmacies, and imaging systems. EHRs contain a lot of built-in structures for the data they contain, for auto-coding, decision support, drug-drug interaction, etc.
Then there's the whole user access/permissions/security component, too... you need to make as sure as possible that only the people with a need to see the information can. You can build some of that into a file format, but not to the extent required for your doctor, nurse, receptionist, and all the folks in medical billing to each see everything they need and ONLY what they need of your health record.
I've got two dollars that says you didn't RTFA, since you're talking about something entirely different.
This bill will put forth funding for the implementation of OSS EHR systems in medical clinics, particularly safety-net clinics that can't currently get funding for non-CCHIT (i.e. non-proprietary) systems. It doesn't open anyone's record, or require anyone to use Open Source; it just requires the gov't to put some money toward building out OSS solutions.
I don't see why it matters who implements someone's electronic health records (open source, Joe's Software Shack, Bill's Multi-National Software Emporium, etc.)
Because you're talking about highly sensitive data, and it's reasonable to know just what is happening with it. A doctor's office can't just hire Joe's Software Shack to whip them up an EHR; they need certain guarantees that the data is secure (HIPAA final security rule). To this end, there's a certification program... but of course, it's quite pricey to get certification, so only the folks making lots of money off of proprietary systems have done so.
Health care is expensive in this country. We all know that. When we (or our insurance companies) pay the doctor, we're paying her compensation for the education, hours, and care she's putting in; we're paying for the office space; we're paying for the proper handling of sharps and medical waste; we're paying for malpractice insurance. Now, if they have an EHR, we're also paying an extra $8/visit plus pro-rated one-time costs... or we're paying a per-provider license fee that's a few thousand a year... or whatever pricing scheme their vendor uses. Unless they use an open source solution, in which case, there are no license fees. Plus, because it's open source, you actually know what it's doing with your data (or at least, you have the ability to inspect it if you have the skill to understand it).
It's really not a long article... you could have spent a couple minutes reading it and finding out that this is only providing for Open Source *alternatives* to conventional proprietary EHR systems. Most importantly, it's providing funding to safety-net clinics who want to implement open source EHRs; most of the existing funding for EHR implementation available to safety-net clinics practically requires them to choose a solution that is CCHIT certified, and you *know* that costs $$$. Not even VistA (the particular OSS solution mentioned in the article) is CCHIT certified, and it's a totally built-out EHR developed by the US Government.
It's not a troll... it's just totally off-topic. Google Health has nothing to do with TFA or Electronic Health Records. It's a *personal* health record, and a totally different animal in that respect.
If they did secure it, you can get the same end result WITHOUT HACKING it.
No, you can't.
The end result of this attack is a machine which is booted from the regular hard drive, in the user's usual account... but is *remotely* accessible.
So, in your typical office environment with fairly pathetic physical security, you could slip in at 5:00 a.m., boot someone's computer with this doohickey, then leave. When they get to work in the morning, they thing "Huh, thought I shut my machine down last night... oh well" and go on about their day. You capture every username and password they type, all the data they access... everything they do.
It's a niche exploit, but it's not *totally* useless.
Thanks. The problem with "preview" is that the brain tends to read what it thought it wrote, rather than what it actually did write. It is my hope that Slashdot would allow post-preview editing at some point. Ah, well.
Or perhaps someone just needs to invent the right virus for Slashdot.
If you're going to be brazen enough to change the root password with a live CD, why not take the extra step of cracking open the case and resetting the BIOS?
A lot of cases support an external physical lock, and for those that don't, there's aftermarket products available.
Again, though, it gets back to making the computer physically secure.
If you get a call from someone who refuses to identify themselves asking you if you'd be willing to edit a couple hidden configuration files and restart your system, but screams "RTFA" when you ask how to locate those files, then you have the Slashdot version.
I'm sorry but that house analogy dcoesn't work for me, can you explain it using cars?
They can follow you around and record where you go without a warrant. If they want to use your OnStar tracking system to listen in on you inside the car, though, they need a warrant... or at least a court order.
So he bought these books, and now because Amazon doesn't like his behavior, they're denying him access to books that he bought.
Not exactly...
The books he doesn't have access to are books that, while he did buy them, he had archived on Amazon's servers.
If you buy a bunch of books at B&N, and they have a "library" storage service available to you as a customer, and you elect to leave books you bought on their shelves, and then they ban you from their store, you can't retrieve your books. *If* the banning was for legitimate reasons, it's kinda hard not to say "Well, dumbass, why didn't you take your books with you?" (As it happens, they'd probably hand them to you or a friend you sent in your place... but still.)
The Kindle comes with instructions on how to *locally* back up your purchases onto your home computer. As a convenience, they also offer the ability to re-download any purchased books anytime from your Kindle account.
The biggest problems with what happened to this "Ian" are that:
1) There's no stated policy or warning system; he had no expectation that his behavior might lose his account. Yes, I can see why Amazon wouldn't want to tip off potential fraudsters about exactly how to game their system, but an email that says "We're concerned about the high level of return activity on your account, and regret to inform you that, should this activity continue, we will need to close your account. This will lose you access to your Kindle account as well..." would that be so hard? His response would likely be to not purchase any more electronics from them, and that seems like a good idea in any event.
2) He wasn't actually defrauding them. Their fraud detection algorithm may be too sensitive, and they may not have actual humans reviewing the evidence before issuing a cancellation.
3) There's the warranty issue, too. Apparently he has no means of acting on the warranty anymore.
Slashdot Mirror
Um. If someone uses your credit info to deny you credit, collect on something, etc., you're already entitled to a free copy of that report.
In many states, you're entitled to free credit freezes too, and nationwide you're entitled to a freeze but may have to pay a small fee.
So... what is your point? You don't want to pay $7 to get your credit report?
Very astute. It's hard to say which is "worse." In both cases, the information is vulnerable to compromise. In both cases, once the info is out, you can't put the genie back in the bottle.
While electronic records are vulnerable to mass exposure in a way that paper records are not, they are far less vulnerable to casual or targeted exposure, which I tend to feel gives them a security benefit. A good electronic system does not require that your information be accessible to anyone aside from care providers (and the inevitable medical billing personnel). It also allows access only to the information relevant to your care, rather than your ENTIRE history being carted around just to get you a routine blood test.
But it's definitely true that there *will* be trawling attacks, and HIT providers need to be alert for the signs and do everything they can to defeat them. I tend to think that's easier to do this if the server is *not* running Microsoft crap ;-), which disqualifies a large proportion of commercial solutions out there... but anyway.
CCHIT will make sure every last EMR will do all that and more.
CCHIT can't do squat to ensure most of the things the PP listed. Auditing requires that people are looking at the reports and interpreting the results. Communication only happens when people push the right buttons to make the data available to other systems. Reporting, again, is only as good as the people generating and analyzing the reports. And error-checking relies on people to use the system intelligently, reading alerts before they're dismissed, or taking appropriate steps to correct problems the system finds.
When there's a CCHIT for HIT implementation and use, maybe it will serve the above purposes. But right now, all it does is check off that the systems exist within the software; it doesn't even evaluate how easy they are to use or whether the company documents them effectively for their users.
I can't help but feel while reading 'The Data Model That Nearly Killed Me' that the problems encountered actually had very little to do with the electronic record system at all. It seemed more like an incompetent system was in place as a whole. The data model didn't seem to do anything wrong, it was the people using it, or not using it.
But failure to take into account real-life human behavior is a major design failure all by itself. .... We shouldn't excuse the software designers by blaming the medical people for their inability to use the software correctly.
All good points. Technology is a tool. There are well-made tools and poorly-made tools, but even the best-made tool is useless (or a detriment) in the hands of someone who doesn't know how to use it.
A huge part of technology implementation is policy and procedure. You have to pick or develop solutions that are going to be implementable to do the things you need to do, and you have to develop the policies that will work with the system *and* the people.
Unfortunately, most humans understand either technology solutions *or* human behavior well (if they understand either of them ;-). It's very difficult to unite the two smoothly for this reason. It's not that it's a whole lot *more* difficult in HIT, just that the stakes are far higher.
There's a lot of that in the entertainment industry... you work for free to meet people, to get your name out there... and then, when you're big, you start charging big bucks. It works.
Difference? There are no big-bucks tech support jobs.
Allow me to say.... WHOOSH.
This is all very true. The issue, to me, is whether the discussion is being hosted by the manufacturer/service provider, or is in an independent forum. In an independent forum, you'll be totally honest; you'll tell people the shortcomings of a product, why they don't need such-and-such upgrade that costs $$$, etc.
If the discussion is hosted by the people selling the product, though... well. You like your standing in the community. You like your title under your forum handle or the number of stars or coffee cups or what-have-you. It makes you think twice about saying things that reflect badly on their products. You don't *lie*, you just avoid mentioning this or that.
And then, one day, said company really screws the pooch. You can't NOT say something. All of a sudden, the forum is "down for maintenance," your posts are deleted, and maybe some users are suspended or banned. Not for cussing or lying or flaming, but just for telling the truth about what's going on.
User communities are great. User communities hosted by the product providers are not bad, but they're not what you're describing here, and when they're used as a substitute for paid support, they're somewhat exploitative.
"...And for each McMurry out there there is one less paid job at Verizon.
Ha! Are you fucking kidding me?!? One less paid job at Verizon? Yeah, with the amount of jobs they've already outsourced to India...
Ooops, you're right. More like FIVE paid jobs in Bangalore. ;-)
Says the person with a +5 Informative comment. Why did you post something that might be so informative to others? I bet it was your ego that made you post.
A few years ago I was made a MVM (Much Valued Member) over a DSLReports.com/BroadbandReports.com for my contributions to several of the forums I frequented. I'm approaching close to 9k posts there, a high majority of them in response to other peoples technical questions. I never have received any compensation for my time spend on the site other then a little tag that shows up next to my name and the occasional kudos someone might send. It did give me a big of a "warm fuzzy" when I learned that I became a MVM, and it is appreciated when someone says "Thanks, you helped me out" or "Thanks for the explanation".
I guess you can call it ego, but I'd say it's just people that want to help others and have the time to do so. If that help turns into a power trip though, then it become egotistical.
dslreports.com is a user community, though. Their revenue comes not from selling connectivity, but from ads from traffic to the site. Sure, it's about ego, and posters like you do help them generate revenue... but they never set out to sell a service.
Verizon, though? It's their JOB to give people communications connections that work. Part of that is support. People are, theoretically, paying for support when they pay for their connection... they're not paying a lower price for crappy support. And then some guy is volunteering to fill in the gap they've left. In essence, they're selling his free labor. That's where it becomes exploitation, and the reason they're able to exploit him is his ego.
(Says the one who was once well-known on the Everquest Tech Support forum, and who used to volunteer as a sysop on the MSN Gaming Zone a decade ago. Yeah, BTDT, I have an ego too. ;-)
I'm irrationally excited about this proposed legislation. I work for a safety-net clinic, and we basically have a mandate to get onto an electronic system by 2012 or our reimbursement levels go down. Unfortunately, the funding currently available all but requires CCHIT-certified solutions... which are all expensive proprietary works, built to run on Windows servers, yadda yadda. Color me unreassured by their promises of safety.
I just hope they make the funding available in time for us to be able to choose an open source solution. This is so very needed.
That's because this is entirely about EHR systems, not PHR systems.
Your medical records should be PRIVATE.
Even if they now store your data in 'free software' it still means you are now less free.
As opposed to how "free" you are when someone making $8/hour has to run your entire, plain-text paper chart to and from the front office, nurse's station, doctor's office, and file it back in the medical records room?
Yes, your record should be private. It's far, far easier to control access to an electronic chart than a paper one.
This bill provides funds for certain providers that would cover the cost of implementing and maintain EHR systems using open source software for up to five years, with a potential for another 5 year renewal.
The idea is to (1) assure that the providers can afford the cost of implementing EHR by putting up federal funds, and (2) simultaneously to get the maximum public benefit for the buck by only providing those subsidies where the iplementation is done using OSS, and providing support for interoperability workgroups, and doing a number of other things to promote standards.
Well, almost. There is quite a bit of funding available for (safety-net) clinics to implement EHRs. Unfortunately, it all has strings attached that make it virtually impossible to implement an non-proprietary solution. This legislation seeks to address that imbalance (for very good reasons as you've stated).
Isn't an EHR just a file format? That goes for both the files and the interfaces.
No, it's not. An EHR (a good one) is an intricate interface to a complex database containing text, statistics, images, and receiving data from a variety of systems including labs, pharmacies, and imaging systems. EHRs contain a lot of built-in structures for the data they contain, for auto-coding, decision support, drug-drug interaction, etc.
Then there's the whole user access/permissions/security component, too... you need to make as sure as possible that only the people with a need to see the information can. You can build some of that into a file format, but not to the extent required for your doctor, nurse, receptionist, and all the folks in medical billing to each see everything they need and ONLY what they need of your health record.
I've got two dollars that says you didn't RTFA, since you're talking about something entirely different.
This bill will put forth funding for the implementation of OSS EHR systems in medical clinics, particularly safety-net clinics that can't currently get funding for non-CCHIT (i.e. non-proprietary) systems. It doesn't open anyone's record, or require anyone to use Open Source; it just requires the gov't to put some money toward building out OSS solutions.
I don't see why it matters who implements someone's electronic health records (open source, Joe's Software Shack, Bill's Multi-National Software Emporium, etc.)
Because you're talking about highly sensitive data, and it's reasonable to know just what is happening with it. A doctor's office can't just hire Joe's Software Shack to whip them up an EHR; they need certain guarantees that the data is secure (HIPAA final security rule). To this end, there's a certification program... but of course, it's quite pricey to get certification, so only the folks making lots of money off of proprietary systems have done so.
Health care is expensive in this country. We all know that. When we (or our insurance companies) pay the doctor, we're paying her compensation for the education, hours, and care she's putting in; we're paying for the office space; we're paying for the proper handling of sharps and medical waste; we're paying for malpractice insurance. Now, if they have an EHR, we're also paying an extra $8/visit plus pro-rated one-time costs... or we're paying a per-provider license fee that's a few thousand a year... or whatever pricing scheme their vendor uses. Unless they use an open source solution, in which case, there are no license fees. Plus, because it's open source, you actually know what it's doing with your data (or at least, you have the ability to inspect it if you have the skill to understand it).
It's really not a long article... you could have spent a couple minutes reading it and finding out that this is only providing for Open Source *alternatives* to conventional proprietary EHR systems. Most importantly, it's providing funding to safety-net clinics who want to implement open source EHRs; most of the existing funding for EHR implementation available to safety-net clinics practically requires them to choose a solution that is CCHIT certified, and you *know* that costs $$$. Not even VistA (the particular OSS solution mentioned in the article) is CCHIT certified, and it's a totally built-out EHR developed by the US Government.
It's not a troll... it's just totally off-topic. Google Health has nothing to do with TFA or Electronic Health Records. It's a *personal* health record, and a totally different animal in that respect.
If they did secure it, you can get the same end result WITHOUT HACKING it.
No, you can't.
The end result of this attack is a machine which is booted from the regular hard drive, in the user's usual account... but is *remotely* accessible.
So, in your typical office environment with fairly pathetic physical security, you could slip in at 5:00 a.m., boot someone's computer with this doohickey, then leave. When they get to work in the morning, they thing "Huh, thought I shut my machine down last night... oh well" and go on about their day. You capture every username and password they type, all the data they access... everything they do.
It's a niche exploit, but it's not *totally* useless.
Thanks. The problem with "preview" is that the brain tends to read what it thought it wrote, rather than what it actually did write. It is my hope that Slashdot would allow post-preview editing at some point. Ah, well.
Or perhaps someone just needs to invent the right virus for Slashdot.
If you're going to be brazen enough to change the root password with a live CD, why not take the extra step of cracking open the case and resetting the BIOS?
A lot of cases support an external physical lock, and for those that don't, there's aftermarket products available.
Again, though, it gets back to making the computer physically secure.
Eight is at least six...
If you get a call from someone who refuses to identify themselves asking you if you'd be willing to edit a couple hidden configuration files and restart your system, but screams "RTFA" when you ask how to locate those files, then you have the Slashdot version.
Fixed that for you.
Fixed that for you.
I'm sorry but that house analogy dcoesn't work for me, can you explain it using cars?
They can follow you around and record where you go without a warrant. If they want to use your OnStar tracking system to listen in on you inside the car, though, they need a warrant... or at least a court order.
So he bought these books, and now because Amazon doesn't like his behavior, they're denying him access to books that he bought.
Not exactly...
The books he doesn't have access to are books that, while he did buy them, he had archived on Amazon's servers.
If you buy a bunch of books at B&N, and they have a "library" storage service available to you as a customer, and you elect to leave books you bought on their shelves, and then they ban you from their store, you can't retrieve your books. *If* the banning was for legitimate reasons, it's kinda hard not to say "Well, dumbass, why didn't you take your books with you?" (As it happens, they'd probably hand them to you or a friend you sent in your place... but still.)
The Kindle comes with instructions on how to *locally* back up your purchases onto your home computer. As a convenience, they also offer the ability to re-download any purchased books anytime from your Kindle account.
The biggest problems with what happened to this "Ian" are that:
1) There's no stated policy or warning system; he had no expectation that his behavior might lose his account. Yes, I can see why Amazon wouldn't want to tip off potential fraudsters about exactly how to game their system, but an email that says "We're concerned about the high level of return activity on your account, and regret to inform you that, should this activity continue, we will need to close your account. This will lose you access to your Kindle account as well..." would that be so hard? His response would likely be to not purchase any more electronics from them, and that seems like a good idea in any event.
2) He wasn't actually defrauding them. Their fraud detection algorithm may be too sensitive, and they may not have actual humans reviewing the evidence before issuing a cancellation.
3) There's the warranty issue, too. Apparently he has no means of acting on the warranty anymore.