It's a shame that a citizen can not disagree with their government's policy without being labeled a racist, a terrorist or "unAmerican".
I pointed out flaws in the U.S. health care system and suggested areas to be focused on that might have a greater impact on patient care than a nice catch phrase like EMR.
My own political views were not expressed in my post for a reason. I actually find it humorous that you would question my affiliations and/or optimism.
The administration either has an undisclosed agenda or no idea what is really wrong with the health care industry. I work for a large medical institution in their IS department and I spend most of my time moving medical data around. In the short time I've been here, I have run across several roadblocks to providing efficient, safe and effective medical treatment.
The most detrimental entity in all of health care has to be the private health insurance industry. Insurance companies have spent a great deal of time and money developing strategies to MAKE MONEY. They are not in the business of making people well, they are constructed to make profits and protect those profits at all costs. They have nearly perfected the art of delaying or denying treatment for sick people all in the name of the almighty dollar.
The lack of standards is truly astonishing as well. There are dozens of large companies vying for stimulus money to develop electronic medical records. Do you really think they'll be working together to provide a single solution that can be transported all over the country? These companies are also out to make a buck and it better serves their interests to develop the one standard format and be the holders of the golden goose than to work collaboratively on a solution that fits all (or most) needs. See: Blue Ray vs. HD-DVD or VHS vs. Beta-max. I would estimate that 9/10s of the stimulus money directed to these companies will be an utter waste, and the remaining 10th will got to produce fortune for a single organization.
Whenever a format *is* declared the winner, it will likely be so inadequate that it will be routinely altered and hacked to fit the specific needs of each institution. It will be rendered nearly useless. HL7 is great example of this. It's designed as the de facto format for transmitting health care information from one site to another, however, I have yet to see two institutions or vendors do it alike.
Pricing and billing are two other concerns. Both are seemingly completely arbitrary and vary widely from one facility and/or patient to the next. A simple lab procedure, let's say a white blood cell count (literally counting white blood cells), could be done in one location for X while in another location for 6X. The worst part, you have no way of knowing what that charge will be until you are billed. Then, if you have insurance, they get to choose whether to pay all, part or none of the bill based on what loopholes are available to them.
My personal opinion, I represent no one other than myself, is that the single most effective action that any government can do to help solve the health care problems is to do away with privatized health insurance as we Americans know it today and replace it with a system that is much more socially responsible. A standardized digital medical record will be a good thing, but it will likely show very little impact on patient care.
...their primary goal when it comes to information assurance is to pass audits.
This is exactly what I saw throughout the banking industry for 5 years. Most institutions hire out to a firm like Icons, Inc yearly for an automated scan that returns what amounts to a report card for the corporate officers to first overreact to and then utterly ignore. They turn it over to their developers who assure them the holes are closed and they forget about it until next year; when they undoubtedly receive a very similar report.
I have not seen many organizations who were willing to do more than what the FDIC or NCUA minimally require.
I fear it will take a *very* destructive event for them to get the message on their. Unfortunately it will be their customers or members who take the bigger beating in the long run as it's commonplace for them to simply pass on costs instead of taking responsibility for their actions or inaction. I'd suggest the FDIC and NCUA stop playing politics and take security seriously instead of pandering to the lowest common denominator. They seem to be the only real motivator that the institutions listen to.
Velex, due to continuing NDAs and whatnot it would be unwise for me to comment on any one institution. Generally speaking though, the larger banks and CUs have more liability and more money to spend on security. However, they are larger targets too. I believe that it's just about even between the large and the small.
Personally, I think all financial institutions are vile dens of short-sighted and small-minded trolls. No hacker I've heard of can break into a combination safe cemented into your basement floor. Store cash, precious metals and plenty of ammunition. Trolls are most suceptible to #4 Buckshot from a short-barreled 12ga.
I worked as a web developer for scores of Credit Unions all over the US. In the last 4 years the NCUA (like the fed for CUs) became freakishly paranoid, and like most "governing" bodies, took no time to understand buzz-words. They started implementing draconian requirements that forced the CUs, large and small, to spend great deals of money on website security. That money would have gone into members' accounts at year end.
While working for the CUs, I found that the most damaging attacks were often nothing the NCUA could have dreamed of. They worried about open ports and front page extensions while the Chinese and Russian hackers focused on SQL injection and Cross-site scripting (XSS). In one case I was involved with, the attackers were able to compromise a content management system via SQL injection and dynamically change the links to home banking for dozens of CUs.
My advice is for these banks and credit unions would be to have their websites and underlying systems audited, if not code reviewed, by a well seasoned team of professionals and to not rely on the scanning services unless they just want a warm fuzzy feeling.
Slashdot Mirror
It's a shame that a citizen can not disagree with their government's policy without being labeled a racist, a terrorist or "unAmerican".
I pointed out flaws in the U.S. health care system and suggested areas to be focused on that might have a greater impact on patient care than a nice catch phrase like EMR.
My own political views were not expressed in my post for a reason. I actually find it humorous that you would question my affiliations and/or optimism.
The administration either has an undisclosed agenda or no idea what is really wrong with the health care industry. I work for a large medical institution in their IS department and I spend most of my time moving medical data around. In the short time I've been here, I have run across several roadblocks to providing efficient, safe and effective medical treatment.
The most detrimental entity in all of health care has to be the private health insurance industry. Insurance companies have spent a great deal of time and money developing strategies to MAKE MONEY. They are not in the business of making people well, they are constructed to make profits and protect those profits at all costs. They have nearly perfected the art of delaying or denying treatment for sick people all in the name of the almighty dollar.
The lack of standards is truly astonishing as well. There are dozens of large companies vying for stimulus money to develop electronic medical records. Do you really think they'll be working together to provide a single solution that can be transported all over the country? These companies are also out to make a buck and it better serves their interests to develop the one standard format and be the holders of the golden goose than to work collaboratively on a solution that fits all (or most) needs. See: Blue Ray vs. HD-DVD or VHS vs. Beta-max. I would estimate that 9/10s of the stimulus money directed to these companies will be an utter waste, and the remaining 10th will got to produce fortune for a single organization.
Whenever a format *is* declared the winner, it will likely be so inadequate that it will be routinely altered and hacked to fit the specific needs of each institution. It will be rendered nearly useless. HL7 is great example of this. It's designed as the de facto format for transmitting health care information from one site to another, however, I have yet to see two institutions or vendors do it alike.
Pricing and billing are two other concerns. Both are seemingly completely arbitrary and vary widely from one facility and/or patient to the next. A simple lab procedure, let's say a white blood cell count (literally counting white blood cells), could be done in one location for X while in another location for 6X. The worst part, you have no way of knowing what that charge will be until you are billed. Then, if you have insurance, they get to choose whether to pay all, part or none of the bill based on what loopholes are available to them.
My personal opinion, I represent no one other than myself, is that the single most effective action that any government can do to help solve the health care problems is to do away with privatized health insurance as we Americans know it today and replace it with a system that is much more socially responsible. A standardized digital medical record will be a good thing, but it will likely show very little impact on patient care.
...their primary goal when it comes to information assurance is to pass audits.
This is exactly what I saw throughout the banking industry for 5 years. Most institutions hire out to a firm like Icons, Inc yearly for an automated scan that returns what amounts to a report card for the corporate officers to first overreact to and then utterly ignore. They turn it over to their developers who assure them the holes are closed and they forget about it until next year; when they undoubtedly receive a very similar report.
I have not seen many organizations who were willing to do more than what the FDIC or NCUA minimally require.
I fear it will take a *very* destructive event for them to get the message on their. Unfortunately it will be their customers or members who take the bigger beating in the long run as it's commonplace for them to simply pass on costs instead of taking responsibility for their actions or inaction. I'd suggest the FDIC and NCUA stop playing politics and take security seriously instead of pandering to the lowest common denominator. They seem to be the only real motivator that the institutions listen to.
My $0.02
Velex, due to continuing NDAs and whatnot it would be unwise for me to comment on any one institution. Generally speaking though, the larger banks and CUs have more liability and more money to spend on security. However, they are larger targets too. I believe that it's just about even between the large and the small.
Personally, I think all financial institutions are vile dens of short-sighted and small-minded trolls. No hacker I've heard of can break into a combination safe cemented into your basement floor. Store cash, precious metals and plenty of ammunition. Trolls are most suceptible to #4 Buckshot from a short-barreled 12ga.
I worked as a web developer for scores of Credit Unions all over the US. In the last 4 years the NCUA (like the fed for CUs) became freakishly paranoid, and like most "governing" bodies, took no time to understand buzz-words. They started implementing draconian requirements that forced the CUs, large and small, to spend great deals of money on website security. That money would have gone into members' accounts at year end. While working for the CUs, I found that the most damaging attacks were often nothing the NCUA could have dreamed of. They worried about open ports and front page extensions while the Chinese and Russian hackers focused on SQL injection and Cross-site scripting (XSS). In one case I was involved with, the attackers were able to compromise a content management system via SQL injection and dynamically change the links to home banking for dozens of CUs. My advice is for these banks and credit unions would be to have their websites and underlying systems audited, if not code reviewed, by a well seasoned team of professionals and to not rely on the scanning services unless they just want a warm fuzzy feeling.