[HN Gopher] A billion medical images are exposed online, as doct...
       ___________________________________________________________________
        
       A billion medical images are exposed online, as doctors ignore
       warnings
        
       Author : OrgNet
       Score  : 249 points
       Date   : 2020-01-11 12:44 UTC (10 hours ago)
        
 (HTM) web link (techcrunch.com)
        
       | 7QdfBKNNfP wrote:
       | Not only is transport security mostly lacking in DICOM, but there
       | is little to no notion of access control for records. And I'm not
       | just talking DICOM, but the apps themselves. It's no surprise
       | though, when the DICOM standard has sections like this:
       | 
       | _The DICOM Standard does not address issues of security
       | policies, though clearly adherence to appropriate security
       | policies is necessary for any level of security. The Standard
       | only provides mechanisms that could be used to implement security
       | policies with regard to the interchange of DICOM objects between
       | Application Entities. For example, a security policy may dictate
       | some level of access control. This Standard does not consider
       | access control policies, but does provide the technological means
       | for the Application Entities involved to exchange sufficient
       | information to implement access control policies._
       | 
       | http://dicom.nema.org/medical/dicom/current/output/html/part...
       | 
       | The original DICOM TCP protocol requires that every device
       | connected use an encrypted tunnel, and it's not easy to get all
       | the device vendors to agree on which ones to use, and then update
       | their software. DICOM Web Services are a thing, and at least they
       | would get HTTPS basically for free from their choice of web
       | client and server.
       | 
       | HIPAA has been out since the 90's so we need to get more fines
       | against the providers to make them implement confidentiality and
       | access controls. It's actually the GDPR which is now driving
       | access controls rather than HIPAA.
       | 
       | To be fair though, the DICOM folks are busy constantly trying to
       | standardize new image data coming from innovations in the
       | modalities (scanners).
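The comment above points out that plain DICOM carries no access control beyond what the application entities exchange. The only "credential" in a DICOM association is the pair of Application Entity (AE) titles sent in cleartext in the first PDU, so the baseline policy gate a PACS or gateway can enforce is an allowlist of calling AE title plus source address. The following is an added example, not code from the thread or from any DICOM product, that parses the fixed header of an A-ASSOCIATE-RQ PDU and applies such an allowlist; the AE titles and IP addresses are constructed values.

```python
"""Minimal A-ASSOCIATE-RQ policy gate for a DICOM listener (added example).

AE titles are not secrets, so this is a policy check, not authentication;
TLS with client certificates is still needed for transport security.
"""
import struct
from typing import Tuple

PDU_A_ASSOCIATE_RQ = 0x01
PDU_HEADER_LEN = 74  # fixed fields preceding the variable items (PS3.8 9.3.2)

# Peers the archive will talk to: (calling AE title, source IP). Constructed values.
ALLOWED_PEERS = {
    ("CT_SCANNER_1", "10.20.30.41"),
    ("MRI_SUITE_A", "10.20.30.42"),
}
OUR_AE_TITLE = "PACS_ARCHIVE"  # constructed called AE title for this listener


class PduError(ValueError):
    """Raised when bytes on the wire are not a well-formed A-ASSOCIATE-RQ."""


def parse_associate_rq(pdu: bytes) -> dict:
    """Parse the fixed part of an A-ASSOCIATE-RQ PDU.

    Layout (big-endian): type(1) reserved(1) length(4) version(2) reserved(2)
    called AE(16) calling AE(16) reserved(32) then variable items.
    The length field counts every byte after the first six.
    """
    if len(pdu) < PDU_HEADER_LEN:
        raise PduError("PDU shorter than fixed A-ASSOCIATE-RQ header")
    pdu_type, _, length, version = struct.unpack(">BBIH", pdu[:8])
    if pdu_type != PDU_A_ASSOCIATE_RQ:
        raise PduError(f"not an A-ASSOCIATE-RQ (type 0x{pdu_type:02x})")
    if length != len(pdu) - 6:
        raise PduError("PDU length field does not match bytes received")
    if version & 0x0001 == 0:
        raise PduError("peer does not support DICOM UL protocol version 1")
    called = pdu[10:26].decode("ascii", errors="replace").rstrip(" ")
    calling = pdu[26:42].decode("ascii", errors="replace").rstrip(" ")
    return {"called_ae": called, "calling_ae": calling, "version": version}


def build_associate_rq(called_ae: str, calling_ae: str, items: bytes = b"") -> bytes:
    """Build a syntactically valid A-ASSOCIATE-RQ; used here only as a test fixture."""
    def ae(title: str) -> bytes:
        raw = title.encode("ascii")
        if not raw or len(raw) > 16:
            raise ValueError("AE title must be 1-16 ASCII characters")
        return raw.ljust(16, b" ")  # AE titles are space padded to 16 bytes

    body = struct.pack(">HH", 0x0001, 0) + ae(called_ae) + ae(calling_ae) + bytes(32) + items
    return struct.pack(">BBI", PDU_A_ASSOCIATE_RQ, 0, len(body)) + body


def decide(pdu: bytes, source_ip: str) -> Tuple[str, str]:
    """Return ('accept' | 'reject', reason) for an incoming association request.

    The reject reasons mirror the A-ASSOCIATE-RJ service-user reasons a real
    listener would send back (3 = calling AE not recognized, 7 = called AE not
    recognized); a malformed PDU is dropped rather than answered.
    """
    try:
        rq = parse_associate_rq(pdu)
    except PduError as exc:
        return "reject", f"malformed: {exc}"
    if rq["called_ae"] != OUR_AE_TITLE:
        return "reject", "called-AE-title-not-recognized"
    if (rq["calling_ae"], source_ip) not in ALLOWED_PEERS:
        return "reject", "calling-AE-title-not-recognized"
    return "accept", "ok"


if __name__ == "__main__":
    # Constructed association attempts: one known modality, one spoofed title
    # from an unexpected address, and one truncated PDU.
    attempts = [
        ("10.20.30.41", build_associate_rq("PACS_ARCHIVE", "CT_SCANNER_1")),
        ("192.0.2.10", build_associate_rq("PACS_ARCHIVE", "CT_SCANNER_1")),
        ("192.0.2.11", b"\x01\x00\x00\x00\x00\x10"),
    ]
    for ip, pdu in attempts:
        print(ip, decide(pdu, ip))
```

Because the calling AE title is attacker-chosen, the allowlist is only meaningful when paired with the source address and, ideally, a TLS client certificate; treat rejects with a known AE title from an unknown address as a detection signal worth logging.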
        
       | prostheticvamp wrote:
       | An odd line from the article, wherein it states that security
       | researchers don't blame vendors, but the physicians and hospitals
       | that fail to properly secure the software.
       | 
       | I have never, in all my years of working in healthcare, seen a
       | hospital or physician's office directly install and manage PACS.
       | They pay a third-party - usually the vendor - to install,
       | configure, and walk them through it. Maybe a behemoth system like
       | Northwell has the IT bench to do it themselves, but that would be
       | the exception.
       | 
       | So allow me to rephrase slightly: "technologically inept
       | organization pays vendor to make machine go vroom. Vendor leaves
       | keys in ignition. Damn that technologically inept organization."
       | 
       | To take a 10,000-foot view of the situation, though:
       | 
       | Healthcare-related technology was largely pushed on the
       | industry via legislation. Said legislation was almost entirely
       | stick, no carrot. The result was healthcare organizations with a
       | gun to their head to buy from a handful of vendors, with no real
       | ROI to be seen from it - aka, the government outsourcing its
       | costs to private industry, and throwing pork to some major health
       | IT firms along the way. When a technology is forced on you at a
       | loss, from a vendor with little incentive to optimize ease of use
       | or utility, you get a terrible piece of shit that no one wants to
       | invest more time and money into than absolutely needed. That's
       | going to show itself in a myriad of ways.
        
         | lostlogin wrote:
         | > no real ROI to be seen from it.
         | 
         | I just did a brief Google, and the situation seems to be the
         | same as always - there isn't a clear win financially when a
         | PACS is installed. They are expensive to buy, to run and to
         | maintain and the gains are often hard to measure financially.
         | Having a minimum wage worker sort old films and carry them to
         | where they are needed was cheap compared to the wages and
         | hardware a large hospital needs to pay for when a large PACS
         | goes in.
         | 
         | The number of people who miss hard copy film must be very small,
         | however; that world was archaic.
        
         | hannob wrote:
         | You're right, this is a very irritating take.
         | 
         | From what I understand these DICOM devices are insecure by
         | default, you can just connect to them and download data, and
         | they expect their users to make them secure with network
         | separation etc. That's not a realistic expectation if your
         | customers aren't IT security professionals. And there's no
         | reason to create such a flawed design, a simple password would
         | be a huge improvement.
         | 
         | In such a case the blame should fully go to the vendor.
        
         | humaniania wrote:
         | A brand new account posting scathing anti-government
         | anti-regulation content? HIPAA and HITECH and the other legislation
         | that you're likely referring to pushed a stagnant industry in
         | the right direction. Yes there is pain with growth but patients
         | are far better off for it, which is what the end goal was.
        
           | pjmorris wrote:
           | At my annual physical, as my doctor was typing away at data
           | entry on a laptop in the exam room, I asked him whether he
           | felt the new electronic systems had freed up his time to
           | spend more time on patients, or whether they had taken time
           | away from patients. He felt the latter.
           | 
           | I realize that anecdote is not data, and I'm not sure what
           | metric of 'better' you're using, but I wouldn't be too hasty
           | to claim technology as an unalloyed good in health care.
        
             | Scoundreller wrote:
             | Thing is, people will overlook the elements that are faster
             | and focus on the slower.
             | 
             | Lab results for any patient at a click or two? Ignored.
             | 
             | Changing a med order to be stopped in 27 hours? Guaranteed
             | to be flagged to the nurse at the exact right time.
             | 
             | As much as I complain about Google's changes (stop ignoring
             | my double quotes!), it's probably improved overall despite
             | its constant attacks.
        
           | jtbayly wrote:
           | ... he says under an article about how a billion patient
           | images are publicly available... smh.
        
           | prostheticvamp wrote:
           | Yes, because I am a lurker that was moved to post by the
           | degree to which I disagreed with the article. Please restrict
           | yourself to actually arguing with the content of my posts,
           | and not going ad hominem. It's both against the rules of HN,
           | and just shitty.
           | 
           | You say "pushed a stagnant industry", I say "hostility to
           | small practices." Large hospitals were already moving onto
           | EMR to better handle the volume of their data, if not already
           | having done so. It's small practices that couldn't afford
           | things like EPIC, and were forced to move onto free,
           | ad-revenue-driven crap like PracticeFusion that just made
           | everything slower and worse, without improving shit for
           | patients.
           | 
           | Are some patients better off for it? I think so. I appreciate
           | web portals, which wouldn't have existed otherwise. I don't
           | appreciate the death of small practices, the majority of whom
           | are now selling out at cost to large hospital chains.
        
         | aivosha wrote:
         | How about those health care professionals not logging out of
         | their sessions, writing their passwords on sticky notes,
         | and just generally leaving their computers unlocked for anybody
         | to just browse through? It's always easy to blame the "maker"
         | and say "I'm an idiot, make this idiot-proof." Do you really want
         | people to treat you while in the mindset of an idiot? If there
         | is one field in all of the universe where you cannot blame the
         | tools for your own idiocy, it is health care! I want you,
         | the doctor, to bend over backwards to be at the top of your game
         | ALWAYS, not just when you are doing brain surgery. I want you
         | to be the ONE that I can have 100% trust in, that you have my
         | interests in mind instead of playing blame games.
        
         | txcwpalpha wrote:
         | I've been the IT vendor in this scenario. While I'm sure there
         | are plenty of inept vendors not doing their part to ensure the
         | systems they implement are secure, a big part of it is doctors
         | and their work culture.
         | 
         | Many doctors see themselves as too important to deal with
         | security. They have an attitude of "I went to school for
         | medicine, not computers! How dare you ask me to use a
         | computer." They are not only technologically inept, they are
         | proud of it. And I'm not just talking about refusing to use
         | complicated software. I'm talking about doctors that insist
         | that they shouldn't be forced to use passwords (not even
         | complicated passwords; ANY passwords). And in most of the
         | organizations I have dealt with, doctors are the most important
         | people in the organization and have final say on anything,
         | which often means that the security department's efforts are
         | all overridden by doctors that can't be arsed to even type in a
         | password before using their EMR, and don't even dream of
         | something more complicated like asking them to use multi-factor
         | auth.
         | 
         | I once worked at a hospital where a doctor was looking at porn
         | at work, clicked a phishing link, and gave up his network
         | credentials. An attacker then used those credentials to breach
         | the network and siphoned several hundred thousand dollars from
         | the financial system (wiring money to himself). Security
         | detected this and disabled his account. 20 minutes later the
         | doctor had called the CEO, yelled at him ("how dare you lock me
         | out of my account!") who then called security to yell at us and
         | insist we re-enable his account. The doctor was never
         | reprimanded (for falling for phishing or for the porn)
         | meanwhile the security team got a stern talking to and was
         | instructed to never disable a doctor's account again.
         | 
         | Healthcare is a different world for security. You have to
         | acknowledge that yes, patient safety is more important than
         | security, but oftentimes these doctors take it to an extreme
         | and they are very difficult to work with. I have never met a
         | group of people more elitist and "too important to be bothered"
         | by security than doctors.
        
           | PakG1 wrote:
           | This is a little off-topic, but I work in a school and
           | sometimes get the same feeling from teachers. I imagine CEOs
           | of companies that get breached because of stupid preventable
           | reasons are also similar. My point is that I don't think this
           | mindset is limited to doctors, though doctors may take it to
           | another level.
        
             | JamesBarney wrote:
             | The difference is there's usually only 1 CEO, but in a
             | medical organization there can be 1000's of doctors.
        
             | endorphone wrote:
             | It really applies to every industry -- people push back
             | against things that they see as impediments to their work.
             | Many/most HN visitors are software developers, and if
             | you've worked in a Fortune 500 virtually all of us have
             | gone to war with IT. "Don't they understand that we're
             | special and we need special rights and privileges" etc. And
             | often we have legitimate grievances because often
             | arbitrary, counter-productive, productivity-sapping
             | restrictions weigh us down. Often they're illusions of
             | security.
             | 
             | And I'm sure on some IT admin board they talk about all of
             | those entitled developers and this one time this one
             | developer did something really stupid, ergo all developers
             | are god-complex dummies.
        
               | JamesBarney wrote:
               | Have you worked with doctors? When I did, I'd routinely
               | sit in a room with 10-25 people and wait for hours on a
               | doctor to show up to a meeting they'd scheduled, only to be
               | told by a secretary he was busy. Everyone I know who has
               | worked with doctors has similar stories.
               | 
               | This hasn't happened to me with any other position in any
               | other organization, including vice presidents of Fortune
               | 500 companies.
        
               | endorphone wrote:
               | I'm not claiming that doctors are interchangeable with
               | other careers. Doctors often have higher priorities that
               | can absolutely intrude at any time: An emergent medical
               | situation is far more important than a meeting about
               | document retention, for instance. For that VP, or CEO for
               | that matter, those meetings are a major priority of their
               | job.
               | 
               | Instead I was pointing out that there are many fields
               | where people resist IT-style policies, and many special
               | snowflakes that believe (often rightly) that they are a
               | unique situation.
               | 
               | Often in tales like this the worst scenarios arise
               | because some people aren't equipped at managing
               | expectations and communicating reasons and benefits. If
               | yet another vendor comes in with yet another system and
               | yet another set of demands and obligations, to someone
               | who sees it as a hindrance to their work product there
               | will be resistance. Understanding and communicating in a
               | way that, to use lame corporate speak, aligns goals makes
               | things go much smoother.
        
           | sizzle wrote:
           | "An attacker then used those credentials to breach the
           | network and siphoned several hundred thousand dollars from
           | the financial system (wiring money to himself)."
           | 
           | You're telling me the CEO was unfazed when they learned this
           | was the reason you were locking down the system due to the
           | doctor's own ineptitude and breaking company policy looking
           | at porn and exposing them to direct financial loss and
           | liability (lawsuits from PII data being breached and
           | exfiltrated, etc)?
           | 
           | The doctor put the whole hospital at risk and could have cost
           | them millions and got that cryptolocker attack holding their
           | data hostage indefinitely.
           | 
           | The CEO should be thanking you guys for catching these huge
           | security ($$$) breaches.
        
             | txcwpalpha wrote:
             | I wouldn't say unfazed, but as I recall the reaction was
             | more that the doctor wasn't to be blamed and that it was
             | security's fault for not only "allowing" the breach to
             | happen, but also for inconveniencing the doctor.
             | 
             | At the organizations I worked with, doctors really have
             | carte blanche privilege to get away with anything as long
             | as they claim "it's for a patient". Even the C-suite will
             | bend over backwards for MDs.
        
           | ssss11 wrote:
           | That exact attitude the doctors have is so common in other
           | occupations, I've experienced it with lawyers.
        
           | trhway wrote:
           | >doctors that insist that they shouldn't be forced to use
           | passwords (not even complicated passwords; ANY passwords).
           | 
           | Well, it is a clear voice of the customer. And it has good reason
           | behind it - time and effort that the customer would like to
           | avoid wasting. Instead of disparaging the customers and their
           | needs, how about listening to them and trying to really solve
           | the issues? Maybe doctors, for example, would be happier
           | with having an RFID microchip injected under the skin than
           | typing a password in? The security industry should start
           | solving the issues for the benefit of users instead of
           | pushing the crap down everybody's throats under the guise of
           | the holy cow of "Security!".
           | 
           | >clicked a phishing link, and gave up his network
           | credentials.
           | 
           | And you still continue to think that password-based solutions
           | are suitable there?
           | 
           | >I have never met a group of people more elitist and "too
           | important to be bothered"
           | 
           | than security IT. Your post is a pretty good example of it.
        
             | txcwpalpha wrote:
             | In another company, we tried rolling out RFID badges that
             | could be scanned at any workstation to log doctors in
             | rather than passwords. This proved to be too inconvenient
             | for doctors as well, and the system had to be rolled back
             | within a month because doctors kept forgetting to keep
             | their badge with them and would then throw a hissy fit
             | because they wanted to go back to the old system where all
             | workstations were permanently unlocked.
             | 
             | Security IT is, in my experience, one of the most amenable
             | in terms of trying to come up with new ways to serve
             | customers because the customers require it (_all_
             | customers require it, not just doctors), but doctors are on
             | an entirely different level when it comes to resistance to
             | change.
        
               | carbocation wrote:
               | In contrast to your experience, all VA physicians are
               | obligated to use an ID card with a chip in order to
               | login.
        
               | txcwpalpha wrote:
               | Indeed, other hospital chains do as well, which is why we
               | viewed it as a good option and went down that path to
               | begin with. In the case I'm referring to, everyone at the
               | hospital already had badges and the thought was that
               | removing password requirements and using the badges that
               | everyone already had as a login would work well.
               | 
               | It didn't work, not because of technical issues, but
               | because we didn't anticipate the high number of doctors
               | that apparently had lost their badges and had never faced
               | consequences for it (the culture at this hospital was "oh
               | you forgot your badge? no worries, I'll just open the
               | door for you"). When we then asked the medical staff to
               | keep better track of their badges (not just for the login
               | system but also because of general campus security) we
               | received incredible pushback, and that's when we had to
               | roll back the program.
               | 
               | IME, and as evidenced by the VA using a similar system as
               | you mentioned, doctors are perfectly competent enough and
               | able to use these systems and do just fine once they get
               | used to the system. The issue is that they put up a fight
               | more than anyone else when introducing something new, and
               | oftentimes IME the new system never gets a chance before
               | it's shot down.
        
               | carbocation wrote:
               | Physicians sporadically not having badges sounds like an
               | accreditation-threatening problem, for what it's worth.
               | (It depends on the institution's self-stated standards,
               | however.)
        
               | txcwpalpha wrote:
               | I'm not surprised to hear that. When I rolled off that
               | project, the login system project was slowed down/put on
               | hold while solving the badge situation was being
               | prioritized. We definitely opened up a can of worms when
               | we reported to leadership that the project was delayed
               | because people weren't carrying their badges with them.
        
             | 8bitsrule wrote:
             | >Instead of disparaging the customers and their needs how
             | about listening to it and trying to really solve the
             | issues.
             | 
             | That statement applies to about 95% of the many issues we
             | face these days. Blaming is apparently easier than solving.
        
             | sorokod wrote:
             | Doctors are not customers, patients with their expectation
             | of privacy are. This is similar to doctors resisting
             | keeping checklists [1] of what goes in and out of patients
             | during operations.
             | 
             | Doctors are service providers and the service is lacking.
             | 
             | [1] https://hbr.org/2019/05/how-one-health-system-overcame-
             | resis...
        
               | bonoboTP wrote:
               | > This is similar to doctors resisting keeping checklists
               | 
               | Or how they refused to wash their hands between morgue
               | and delivery after Semmelweis' discoveries.
               | 
               | Doctors see themselves as demigods. Not without reason,
               | since other employees treat them as demigods, society and
               | culture at large sees them as demigods as well.
        
               | lostlogin wrote:
               | > Doctors are not customers, patients with their
               | expectation of privacy are.
               | 
               | In the US system, is the patient the customer, or the
               | insurance company?
               | 
               | I work in healthcare outside the US and I'd argue that
               | the system I'm in is also quite skewed. In private
               | healthcare where I am, the patient is the person who
               | turns up and pays, but their doctor holds the power to
               | send their patients elsewhere, and so must be kept happy
               | too.
        
           | pmarreck wrote:
           | I am horrified... at how plausible this sounds.
           | 
           | Like many IT people, I google the heck out of a medical
           | condition when I see doctors. Once I must have asked enough
           | pertinent pointed questions that the doctor asked with a mix
           | of sincerity AND condescension, "have you ever worked in a
           | medical field?" No but like any curious individual I utilize
           | the systems accumulating all human knowledge at our
           | fingertips to inform myself... Doesn't mean I can't
           | ultimately rely on your professional judgment, Sir
        
             | Consultant32452 wrote:
             | 99% of the time doctors are annoyed by anyone who has
             | researched and informed themselves on what their medical
             | problems might be. The notable exception is when the doctor
             | has repeatedly failed to accurately determine what's wrong.
             | Then you're "allowed" to bring up your own ideas. I can't
             | wait until the majority of work done by doctors is replaced
             | with a small shell script. They will fight VERY hard to
             | stop that from happening, and they're rich. So it will be a
             | tough fight.
        
           | prostheticvamp wrote:
           | People are constantly targeting every aspect of the physician
           | workflow, from CMS and private payors constantly changing
           | their documentation requirements (which differ between payors
           | and CMS, and results in hospitals trying to teach their docs
           | to document everything to meet everyone's requirements -
           | which are made intentionally lengthy and obtuse so as to
           | justify denials of payment), quality improvement people and
           | vendors populating the EMR with shit-tons of Alerts! meant to
           | prevent medical errors (but, due to specific medical contexts
           | justifying deviations from the textbook standard, the false
           | positives vastly outweigh true positives, to the point where
           | the alerts as a whole are utterly ignored), etc.
           | 
           | It's easy to complain doctors resist (this particular
           | workflow change), which is SO important because it affects
           | PATIENT LIVES (because it's in the healthcare setting, so
           | EVERYTHING DOES) damn entitled doctors. Then recall that
           | every single time a doctor asks a nurse to do something that
           | nurse will say "oh, just enter a communication order." And
           | because your security set up your RFID to only work on a
           | computer where you've already logged in earlier, and you're
           | running around the hospital constantly, those badges aren't
           | worth shit >half the time.
           | 
           | It's easy to complain about doctors' resistance to various
           | evolutions of their digital workflow, until you realize that
           | nearly every evolution adds complexity and time-burden to
           | their workload in a way that _does not directly improve
           | patient care_ , but slows down their work, increases
           | complexity (which _does_ adversely impact patient care), and
           | lengthens their workday (because their patient workload
           | isn't reduced in the slightest by this.) I don't know a single
           | doc that doesn't do significant unpaid after-hours work
           | catching up to their digital bullshit; you also would resist
           | non-mission-critical additions to your unpaid workload.
           | 
           | It's easy to treat physicians as entitled and resisting "just
           | to resist", rather than understanding that the physician
           | workflow is _constantly_ changing, from every possible angle,
           | and most often for reasons wildly unrelated to the immediate
           | task of "taking care of the patient in front of me". You'd
           | resist under those circumstances, too.
           | 
           | There's a reason about half of physicians nationwide
           | (https://www.medscape.com/slideshow/2019-lifestyle-burnout-
           | de...) are burned out. HALF. That's what happens when your
           | ability to do your job is constantly fucked with. Perhaps you
           | should consider what that means, and how that relates to what
           | you're saying, rather than asserting doctors are just too
           | damn self-important to change.
        
             | Scoundreller wrote:
             | > There's a reason about half of physicians nationwide
             | (https://www.medscape.com/slideshow/2019-lifestyle-burnout-
             | de...) are burned out. HALF. That's what happens when your
             | ability to do your job is constantly fucked with. Perhaps
             | you should consider what that means, and how that relates
             | to what you're saying, rather than asserting doctors are
             | just too damn self-important to change.
             | 
             | Paywalled, but nonetheless, I wonder how that rate compares
             | to other industries. And how much has to do with physicians
             | usually being unable to switch industries without a massive
             | pay cut.
             | 
             | Dunno if doctors are particularly too self-important to
             | change than anyone else, but if someone was, I could see
             | that inability itself leading to burnout when things even
             | slightly change around you.
        
             | txcwpalpha wrote:
             | I'm sympathetic to this, and in other threads I would
             | usually be the first person coming to the defense of
             | doctors and harping on how complex and terrible EMR and
             | other medical software is. But that's not what I'm talking
             | about.
             | 
             | I'm not talking about complex software. I'm not talking
             | about instances where doctors are asked to learn an
             | entirely new records management or scheduling system. I'm
             | _not_ talking about the type of systems where you have to
             | interrupt your day with an extra training session on how to
             | navigate the interface.
             | 
             | I'm talking about _the most basic, bare minimum_
             | interactions with security systems that _every other person
             | in every other industry_ has absolutely no issue with, but
             | for some reason doctors refuse to accept. I'm talking
             | about stuff as simple as swiping your ID badge on a reader
             | to gain access to restricted areas. I'm talking about not
             | using work computers to look at porn. I'm talking about
             | basic awareness when it comes to not disclosing sensitive
             | information to a random person in the hallway.
             | 
             | Another commenter brought up the number of passwords as a
             | complaint. Again, I'm sympathetic to this. This is why one
             | of my major areas of focus is implementing SSO solutions to
             | cut down on the number of passwords that users have to
             | remember. Except in one instance we had delays rolling out
             | SSO not because the system was complicated to use, but
             | because doctors complained that they didn't like _the
             | color_ of the SSO UI. They insisted it be blue rather than
             | yellow and wanted to scrap the _entire project_ because of
             | it. That's the type of resistance I'm talking about.
             | 
             | These aren't difficult or complex things. We are talking
             | about highly educated, highly paid individuals handling
             | highly sensitive information. They should be held to higher
             | standards, not treated like children just because they work
             | long hours.
             | 
             | Speaking of working long hours, the second half of your
             | post is just a minor glimpse of the elitism I'm referring
             | to. Are you under the impression that medicine is the only
             | profession in which people experience burnout? Do you think
             | that only doctors have to deal with constantly changing
             | work environments and the never-ending cycle of evolving
             | technology?
             | 
             |  _Every_ profession deals with these things. Lawyers,
             | accountants, bankers, social workers, police officers, and
             | educators are just examples of professions that have
             | similar or higher burnout rates than doctors. Every single
             | one of these also has to deal with immense amounts of
             | bureaucratic processes, regulations, and inefficient
             | software that is constantly changing and affecting their
             | daily workflow. And yet in my years of consulting I have
             | never met a group that was as egotistically opposed to the
             | use of technology as doctors are. Even investment bankers,
             | which tend to be the most egotistical assholes with an
             | attitude of "I make millions of dollars a day for this
             | company, I don't have to listen to you puny IT people",
             | still don't hold a candle to the willful ludditism of
             | doctors I've worked with.
        
               | 1996 wrote:
               | > Except in one instance we had delays rolling out SSO
               | not because the system was complicated to use, but
               | because doctors complained that they didn't like the
               | color of the SSO UI. They insisted it be blue rather than
               | yellow and wanted to scrap the entire project because of
               | it. That's the type of resistance I'm talking about.
               | 
               | Is it really the hill you want to die on?
               | 
               | Just change the damn widget color if it is so important
               | to them! Client is king!!
        
               | txcwpalpha wrote:
               | Ha, I agree! We were willing, able, (and did) change the
               | color relatively easily. I'm just using it as an example
               | of the type of pushback I've gotten. The doctors were the
               | ones willing to die on that hill; they wanted to cancel
               | the entire project and their reasoning was the color, and
               | they didn't even care to hear that it could easily be
               | changed. In that case it really did feel like resistance
               | for resistance's sake.
        
           | fencepost wrote:
           | This is why in starting up my own little IT services company
           | I'm planning on not serving medical clients.
           | 
           | "HIPAA? I'm sure we're just fine, and no you can't take away
           | my Windows 7 PCs."
        
             | Scoundreller wrote:
             | I get the feeling big law is just as bad.
        
               | indyz wrote:
               | I never worked for big law, but medium law is terrible.
               | Partners can just order the IT department to do anything.
               | We had a new head of IT that tried to implement some
               | common sense changes for an organization that handles
               | sensitive data. Basic stuff: Block websites that tend to
               | be malware vectors, don't let users be admins on their
               | own machines, restrict USB storage to certain users, etc.
               | We were forced to override it on the partners' machines
               | almost immediately.
        
               | wolco wrote:
               | Restricting partners' USB access? Restricting websites and
               | restricting install permissions.
               | 
               | Overkill and probably the opposite of what they envision
               | an IT department doing.
        
           | endorphone wrote:
           | This seems like a caricature or an exception. Doctors are
           | very aware of HIPAA (and the equivalent in every other
           | country), and the professional and monetary costs of non-
           | compliance.
           | 
           | Doctors didn't set up these systems. Doctors didn't expose
           | them to the internet. As the other post said, vendors did. If
           | those vendors couldn't properly communicate the needs, that's
           | their problem.
           | 
           | What I think is a more rational explanation for doctor
           | (nurse, lab technologist, etc) resistance is that the
           | industry is rife with incompetence and vendor balkanization.
           | So much so that every healthcare professional deals with
           | literally _dozens_ of logins to try to do their job. Every
           | one of those logins has its own bizarre password policies,
           | rotation schedules, etc. Pretty soon there is rightly
           | hostility to whatever scheme some small niche vendor has
           | imagined up in the illusion of security.
        
             | txcwpalpha wrote:
             | It may seem so, but I've done security consulting work for
             | 10+ of the largest hospital chains and insurance providers
             | in the country and I can assure you it isn't an exception.
             | Doctors don't care about HIPAA ("that's legal's job"). They
             | don't care about the company's finances (unless it's a
             | small private practice, "that's the accountant's job").
             | 
             | Some of the complexity is caused by the software itself
             | being complex, yes, but that's not what I'm talking about.
             | In every organization I have worked with, doctors were
             | always the biggest obstacle to even doing something as
             | simple as requiring them to carry around a badge for
             | physical access to the building. As a group, they are very
             | resistant to anything that might add an extra step to their
             | workflow. And yes, everyone hates and is resistant to stuff
             | being added to their workflow, but I find most people are
             | amenable to it as long as it's a small interruption and
             | it's for a good reason (security). Doctors generally don't
             | have that attitude, though.
        
               | dkdklk wrote:
               | Sounds like someone has it in for doctors.
               | 
               | I worked in healthcare IT for years, before then going to
               | medical school, and now in residency. My experience
               | really does not match yours.
               | 
               | As mentioned earlier in the thread, I will agree that
               | doctors in general are quite resistant to technology
               | because they have been fucked over by implementations
               | that are more concerned with billing and regulatory than
               | either better patient care or improving physician quality
               | of life/workload.
               | 
               | Most medical facilities use badges for access. I think
               | what you're calling resistance is increased scrutiny,
               | something you might not be used to dealing with in other
               | fields.
               | 
               | Based on your sweeping generalizations tinged with
               | bitterness I can only imagine most doctors that have to
               | work with you professionally are going to be a bit on
               | edge. The reaction you're getting from all these
               | physicians you're working with is probably related to
               | what I can only imagine is a shitty attitude.
        
               | jcims wrote:
               | Also in security for a long time, spending a lot of that
               | with hospitals and healthcare organizations. My
               | experience matches the parent's. Your points are very
               | valid but doctors can definitely be dicks as well.
        
             | thomasfedb wrote:
             | I'm a student doctor with a CS undergrad. I'm constantly
             | gobsmacked by how horrible the computer systems doctors are
             | forced to use are. They're pretty much abusive to use.
             | 
             | The hours and hours of physician time that are thrown away
             | into mindless box-ticking, copy-pasting, button-pushing,
             | and general head-banging is astounding.
             | 
             | If doctors are resistant to new IT hurdles it is, at least
             | in part, because they're already faced with a decathlon-
             | esque ritual to achieve their basic day's work.
        
               | hhas01 wrote:
               | Yep. Never blame users for raging at the system until you
               | understand the system as well as they do. Techies have it
               | easy: they only have one job and that's all they ever do.
               | It looks _very_ different from the other side.
               | 
               | (Protip: The key to delivering successful software is not
               | to learn programming, it is to learn your users.)
               | 
               | (Oh, and good luck with your medical studies; world needs
               | good Renaissance [Wo]Men now more than ever.)
        
               | OnlineGladiator wrote:
               | > (Oh, and good luck with your medical studies; world
               | needs good Renaissance [Wo]Men now more than ever.)
               | 
               | Why now more than ever?
        
               | hhas01 wrote:
               | Growing complexity. Struggling scalability.
               | Overspecialization. Balkanization. Failures of
               | accountability.
               | 
               | OP's firsthand observation on the awful state of
               | programmer-produced medical software, the original linked
               | article, and notoriously lethal software disasters such
               | as Therac-25 provide frightening cases in point. These
               | things are not accidents. Programmers who only know how
               | to program are as much use as managers who only know how
               | to manage. And this world has far too many of both.
               | 
               | Look, any idiot can hack teh codez. Learning the problem
               | domain; that's the hard part. It is also the _critical_
               | core of the job. Because if you don't/won't/can't
               | understand the problem, how do you possibly expect to
               | solve it?
               | 
               | Especially when that problem space is something as vast,
               | complicated, and utterly unforgiving as millions of
               | people's healthcare.
        
               | Scoundreller wrote:
               | I think that describes any enterprise software.
               | 
               | Likely at go-live/vendor selection, nobody wanted to
               | revolutionize things in a way that could only be done on
               | computer.
               | 
               | The successful vendor will be the one that can << make
               | all of your paper stuff look/function/feel the same way
               | on a computer >>.
               | 
               | This minimizes training, development and changing the
               | workflow you used for 20 years. Which checks every
               | department's checkboxes.
               | 
               | So you end up with the worst aspects of paper, with few
               | of the benefits of technology.
        
           | Gatsky wrote:
           | It goes both ways. I keep telling the IT people at my
           | hospital to stop using SMS 2-factor and they blow me off and
           | treat me like an idiot.
           | 
           | Anyway, 'Doctors' are a pretty diverse bunch, and most of
           | them aren't arrogant porn-fiends.
        
             | dvtrn wrote:
             | From experience, users who come to IT and simply demand we
             | do something because 'reasons' usually aren't prioritized
             | for follow up.
             | 
             | Managers who come to IT and demand we do something _and
             | show us how it affects their work /department and perhaps
             | the rest of the business and offer to be part of the
             | solution making process_ often get first class attention.
             | 
             | Could it be IT is blowing you off because of how you're
             | delivering your complaint about SMS 2FA without regard for
             | their existing workload?
             | 
             | They likely have more than enough on their plates as it is
             | to simply do something because someone from a department
             | said something about it, and IT doesn't exactly pivot on
             | lithium battery, especially in hospitals. That doesn't mean
             | they don't _care_ about your issue or request, but like
             | every other department they have objectives and goals that
             | were likely set well before your 2FA conversation even
             | began.
        
               | Gatsky wrote:
               | You realise what you just did there right, without a hint
               | of irony?
        
             | ryanlol wrote:
             | > I keep telling the IT people at my hospital to stop using
             | SMS 2-factor and they blow me off and treat me like an
             | idiot.
             | 
             | Well... yeah. Nobody is sim swapping hospital staff.
             | 
             | It's not great, but this isn't a real threat they're
             | facing.
        
             | txcwpalpha wrote:
             | I hear you and I'm sure it's frustrating, but I'd be
             | curious to know if the security team has any reasons for
             | sticking with SMS 2FA. I'd be willing to bet money that the
             | reason they blow you off is because it's a sore spot for
             | them. They probably have tried to implement other MFA
             | methods but were reprimanded by the medical staff because
             | anything other than SMS is too complicated (I'm harping on
             | doctors a lot, but I legitimately do cringe at the thought
             | of even asking a typical MD to download an MFA app or carry
             | around a physical token).
        
               | Gatsky wrote:
               | No, this is not the case. Anyway, it would be good just
               | to have the option to not use SMS, they don't need to
               | migrate everyone off SMS at once.
        
             | fencepost wrote:
             | SMS for 2FA isn't good, but it's still better than no 2FA
             | at all.
             | 
             | Depending on how many systems they have it integrated with
             | that could end up being a huge undertaking for them and
             | they've probably been cut to the point where another huge
             | undertaking may not be in the cards right now. If they're
             | like a lot of large enterprises they may also _still_ be
             | trying to get rid of Windows 7 and Server 2008R2.
             | 
             | Edit: for example, are you full on Microsoft 365 Enterprise
             | with Azure AD? I believe that has ties in with Microsoft's
             | Authenticator app. If you're strictly onsite traditional AD
             | I think you'd need to look at Duo for 2fa that integrates
             | nicely with AD, then also see what else you need to
             | integrate it with that uses its own separate non-SSO
             | authentication.
             | 
             | And while it's not huge, the question of "who's paying for
             | the $3/6/9 monthly per user charges (contact sales if you
             | have > 500 users)?" will come up, particularly if there are
             | hundreds or thousands of external medical office users able
             | to sign in through a portal system as well. (this is based
             | on pricing from the Duo website)
        
               | Gatsky wrote:
               | Yes, I'm sure they have their reasons and their own
               | priorities and constraints. Just like the doctors who
               | decline to use basic authentication. See my point?
               | Hospitals are notorious for passing the buck around.
               | 
               | As it happens there is a single web property for
               | accessing a remote desktop, not multiple systems, and the
               | hospital down the road funded by the same entity has
               | implemented TOTP authentication.
        
               | endothrowho333 wrote:
               | Curious, why would a doctor decline to use basic password
               | auth?
        
               | kjs3 wrote:
               | I have had a doctor tell me that his time was too
               | important to waste it typing passwords. I had another one
               | tell me, quite dramatically, "someone could die" while he
               | was typing in a password. It's a profession where many
               | have an "interesting" perspective on information
               | protection. I have tons of tragicomic security stories
               | from dealing with health care providers.
        
             | wolco wrote:
             | Porn fiends? Doctors don't have the time. But you must
             | admit that the profession brings out some very arrogant
             | traits. They usually express the point of view that they
             | learned everything they needed to at med school and any new
             | outside information is suspect and not important including
             | IT security.
        
               | egocodedinsol wrote:
               | In my experience, you are way off base. Doctors can be
               | very arrogant but I've never met someone from another
               | profession who could point me to research articles
               | regarding their proposed plan of action. Doctors at major
               | hospitals are often either a) residents who are in their
               | nth year of learning post med school, or b) expected to
               | publish at least case study papers regularly or
               | communicate with those that do.
        
               | hhas01 wrote:
               | "But you must admit that the profession brings out some
               | very arrogant traits."
               | 
               | Which one? You know we're also talking about programmers,
               | right?
        
           | gambiting wrote:
           | On the other hand(and I'm really not trying to excuse this
           | behaviour) some doctors are almost daily in situations where
           | "if I had a little bit more time or did this thing a day
           | earlier maybe the patient would still be alive". If you run
           | into those kinds of situations frequently, then obviously
           | _any_ slowdown(like having to remember or type in a password)
           | is _obviously_ stupid. And only they understand it, no IT
           | employee ever would.
        
         | hhas01 wrote:
         | Inasmuch as "Caveat Emptor" is the Latin to live by, physicians
         | and hospitals are indeed responsible for making sure what
         | they've just bought is safe and fit for purpose. Especially
         | with HIPAA et al already breathing down their necks.
         | 
         | The big problem is that tech grifters, just like AltMed
         | scamsters, are just way quicker and better at burying all their
         | shit than surgeons and scientists are at digging it out again.
         | And, to be fair, doctors do already have far more pressing
         | things to be digging out: wood spales, fence railings, guinea
         | worms, and so on. Hence the need to hire in [ostensible]
         | specialists in the first place.
         | 
         | Still, be consoled that us countries with socialized healthcare
         | are just as adept at Medical IT disasters as yours are. :/
         | 
         | --
         | 
         | "A lie can travel halfway around the world before the truth can
         | get its boots on." Of course, this was _before_ we invented the
         | networked computer.
        
         | trackofalljades wrote:
         | This was my immediate thought at the headline, doctors-who-
         | what-now?
         | 
         | This feels informed from the technology side, and profoundly
         | ignorant of how health care IT actually works (especially in
         | the United States).
        
           | prostheticvamp wrote:
           | When it comes to healthcare, everything is always the
           | doctor's fault. It's convenient to have a single target to
           | blame for everything that goes wrong in the industry. Never
           | mind that most physicians are just employees, with plenty of
           | layers of management, in massive organizations, with
           | extremely heavy regulatory oversight.
           | 
           | If an organization that runs three hospitals can't put
           | together the IT to secure their PACS system with a decent
           | password, that's the fault of the physician about as much as
           | it's the fault of the nurse, the janitor, the cafeteria chef,
           | etc.
           | 
           | WTF is with people blaming doctors for literally everything
           | related to healthcare? Do they not understand we haven't
           | been in charge of anything for a couple of decades now? Since
           | the combined rise of HMOs and Medicare/Medicaid, and the
           | massive hospital M&A splurge, we're just line workers. We try
           | to do our best by patients, but we ain't in charge of
           | anything.
        
         | christophilus wrote:
         | I completely agree. I have friends in the medical field, and
         | they hate their computer systems. One of them spends almost as
         | much time on data entry as he does with his patients. He has to
         | double and sometimes triple enter data. He's probably going to
         | end up hiring someone to do that full time, which is so
         | obviously a totally broken system.
        
           | blueboo wrote:
           | > One of them spends almost as much time on data entry as he
           | does with patients
           | 
           | ...then he's one of the lucky ones! One study found that for
           | every hour a physician spends with a patient, she spends two
           | on processing health records.
           | 
           | https://www.jwatch.org/fw111995/2016/09/06/half-physician-
           | ti...
        
             | brianwawok wrote:
             | I mean, for every hour I spend writing production code - I
             | spend an hour in agile meetings, and 2 hours chasing down
             | obscure bugs in javascript libraries. Not that many
             | professions are "do visible part of work 100%".
             | 
             | Heck, I hear bricklayers need to spend some time mixing
             | cement and getting bricks off the truck, not just scooping
             | mud and sticking bricks.
             | 
             | Health records ARE a big part of the product of a doctor.
             | Keeping a good chart and finding trends over time is a big
             | part of the service you need.
        
               | 1996 wrote:
               | > Health records ARE a big part of the product of a
               | doctor
               | 
               | I long for practices that would keep no record of my
               | issues, except what I volunteer to them at the beginning
               | of the consult. Many countries do that just fine, but for
               | some reason in the US I am asked to fill pages on
               | insignificant trivia to cover their ass or follow some
               | weird law or tradition maybe?
               | 
               | I don't want perfect healthcare. Good enough is fine!
               | 
               | So now I just see doctors when traveling. Simpler,
               | faster, and cheaper too.
        
               | egocodedinsol wrote:
               | Your analogies would make more sense if you spent 2 hours
               | on documentation for every hour you spent coding or bug
               | finding.
        
       | chiefalchemist wrote:
       | Clickbait-y headline; they forget to mention hospitals as
       | well. Yes doctors should be more responsive and responsible. But
       | they're (only) doctors.
       | 
       | Hospitals on the other hand have staff dedicated to technology
       | and such infrastructure.
       | 
       | Dr X being unaware of the implications is understandable. Perhaps
       | not forgivable but certainly no surprise. But hospitals? They
       | have no excuse.
        
         | reaperducer wrote:
         | I work in health, and I sometimes have to interact with the
         | federal database of doctors. It's amazing the things you see in
         | there.
         | 
         | There are doctors who don't know their own addresses. Can't
         | spell the name of their town. Don't know their ZIP Code. Don't
         | know the difference between a mailing address and a physical
         | address. Don't keep their information current. Or sometimes
         | don't even know what town they're in, putting a neighborhood or
         | region on federal paperwork because "everybody knows where that
         | is."
         | 
         | We assume that because doctors are smart at medicine, they
         | should also be smart at computers. They're not. Just like my
         | commercial airline pilot neighbor is great at flying
         | transcontinental jumbo jets, but every few days has to shout
         | across the street at me to ask if today's the day to put out
         | the trash bins.
        
           | DataWorker wrote:
           | Not smart at computers, but maybe they are smart _about_
           | computers. Everyone thinks old people can't use tech but what
           | if they don't want to and that resistance is a manifestation
           | of wisdom that's incomprehensible to those without the same
           | wisdom. To believe doctors as a class of people are less
           | intelligent than average is silly and probably ego defensive.
           | As a group doctors are of above average intelligence and
           | certainly smarter than most of the people they work with in
           | IT.
           | 
           | I think it's the academic and professional institutions that
           | are most culpable for the current state of things. They
           | should have been the ones who foisted tech requirements on
           | doctors, instead it was done through federal regulation. Most
           | of the blame for most of today's problems comes back to
           | universities. If using tech is part of the job of being a
           | doctor, then make it so from inside the profession.
        
             | mewpmewp2 wrote:
             | There are different types of intelligence. Both fields
             | require totally different talent, interests and skills. One
             | is solving very abstract problems, the other is talking to
             | people and learning a huge amount of information about how
             | humans work.
             | 
             | I am good with abstract stuff, but in no way could I
             | remember that amount of information about people as doctors
             | too. I still have no idea what most of my bones or other
             | things within me are named and I have zero interest in it.
             | I can imagine one could be also the other way around. Have
             | huge amount of interest in people, but despise techy
             | knowledge.
             | 
             | In the end both doctors and IT workers are so different
             | from each other that they have so much trouble
             | understanding one another. Remember doctors never asked for
             | all this abstract shit. Also as you age you will get more
             | set in the field you choose. That is just the way people
             | work. Not an excuse or why one should not keep improving
             | themselves.
        
           | jessaustin wrote:
           | You're really blaming the subjects of a database for errors
           | in that database? There are many reasons for errors that have
           | nothing to do with anything a physician might or might not
           | have done.
        
             | reaperducer wrote:
             | Those subjects fill out the forms that end up in the
             | database. It isn't some faceless government agency reading
             | their minds. The data comes from what the doctors write
             | down.
        
       | salad77 wrote:
       | From the article:
       | 
       | "We're not naming the affected organizations to limit the risk of
       | exposing patient data."
       | 
       | However, a google inurl:dicom search sure shows up the affected
       | organizations on the first page (and plenty pages after that).
       | 
       | And the sites are still fully open. Absolutely zero hacking
       | required.
       | 
       | A lot of organizations had better get to work fast on this.
       | 
       | (edit: no images were viewed in the making of this post)
        
       | cornflake wrote:
       | https://picsafe.com is a HIPAA compliant tool that solves this.
       | Until penalties are applied, health organizations won't act on
       | this.
        
       | savrajsingh wrote:
       | On the user side, we have to jump through hoops and sign so many
       | onerous paper HIPAA compliance forms at dr's offices, to just get
       | doctors to share records about us. On the backend it's free for
       | anyone to access. It's all backwards!
        
         | jessaustin wrote:
         | The signature demands that really annoy me are the ones in
         | which I must acknowledge that the provider has informed me of
         | their HIPAA policies, which demands are seldom accompanied by
         | actual information about HIPAA policies, which I probably
         | wouldn't read anyway even if they were included.
        
           | 1996 wrote:
           | Then refuse to sign: you can't be denied care for refusing
           | communication of your records to 3rd parties. It's certainly
           | better for your privacy too.
        
       | Spooky23 wrote:
       | I wish one of my past providers was impacted by this a few years
       | ago. I had to waste hours and thousands on MRIs when a practice
       | closed and they made getting imagery impossible.
        
       | selimnairb wrote:
       | Yet another reason to create a nationalized NHS-like system.
        
         | gridlockd wrote:
         | What exactly makes you think government institutions would do a
         | better job here? I quote:
         | 
         |  _"...one unprotected server at one of the largest military
         | hospitals in the United States exposed the names of military
         | personnel and medical images"_
        
           | basilgohar wrote:
           | Theoretically, there would/should be a unified system and
           | standards applied. Realistically, it'll probably still be
           | first attempted through vendors with exclusive contracts,
           | which is basically the current system but with extra steps.
        
             | reaperducer wrote:
             | _Theoretically, there would/should be a unified system and
             | standards applied._
             | 
             | So, a nice convenient one stop shop for hackers.
             | 
             | I'd rather a thief had to break into a thousand homes than
             | one great big home.
        
               | zpallin wrote:
               | One stop shop? Even with an assumed "unified system"
               | there is absolutely no way that even an incompetent group
               | of IT engineers would be able to construct a single
               | unified network with a single doorway into it to make a
               | "one stop shop experience." It would still be "breaking
               | into a thousand homes", but at least the difference is --
               | given a unified set of controls -- that reconciliation of
               | a breach could be automated.
        
         | alecco wrote:
         | NHS has plenty of data breaches.
        
           | cookie_monsta wrote:
           | "anyone with an internet connection and free-to-download
           | software to access over 1 billion medical images of patients
           | across the world."
           | 
           | Breaches on that scale?
        
             | alecco wrote:
             | images != people. NHS had a 150k patients breach not long
             | ago. And many others of smaller scale in the thousands. It's
             | definitely not an organization renowned for being good at
             | handling patient data.
             | 
             | On top of that, they made recently a deal to share with
             | Amazon and Google. They clearly don't care.
             | 
             | Also, it's a monopoly. You can't choose something else. And
             | never mind the politics of both the administration (who
             | chose them to be in power?) and political pressure from
             | whatever party is in control of funding. Pass.
        
         | incone123 wrote:
         | The NHS does seem to force doctors to follow security rules.
         | But we have a different problem where the government thinks it
         | owns my data and has the right to sell it.
        
       | OliverJones wrote:
       | From Techcrunch's article it looks like it's possible to see so-
       | called "protected health information" (PHI) in these images. PHI
       | includes patient names, diagnoses, hospital and doctor names,
       | contact information, and so forth. It's sometimes possible to
       | "de-identify" medical images by scrubbing off patient info. But I
       | bet most of these are not de-identified.
       | 
       | The examples in the TechCrunch article are redacted, but I guess
       | that was done for publication and not on the stored images
       | themselves.
       | 
       | In the USA, HIPAA and ARRA 2009 (follow-on legislation) made it a
       | federal crime to knowingly or negligently disclose PHI. It's a
       | crime that "pierces the corporate veil." That is, natural persons
       | can be tried and convicted, even if they were acting on behalf of
       | corporations.
       | 
       | The Centers for Medicare and Medicaid Services (CMS) has a Breach
       | Notification Rule, requiring holders of data to notify patients
       | and CMS themselves if PHI is breached.
       | https://www.hhs.gov/hipaa/for-professionals/breach-notificat...
       | 
       | CMS announces breaches involving 500 or more patient records here
       | https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
       | 
       | It wouldn't surprise me if the people involved in securing these
       | sloppily configured DICOM servers are in a state of panic. I was
       | involved in dealing with an unintentional breach of 44 patient
       | records a few years back, and yeah, we had some panic. (Misrouted
       | fax messages were the root cause, for what it's worth.) Also
       | observe that I remember to this day how many records leaked out.
       | Breaches are a big deal. It stinks to be them. I know that for
       | sure.
       | 
       | I hope they get it sorted out. It will take a while. It will also
       | take a while for the affected medical professionals and their IT
       | providers to start responding to these breach reports rationally.
       | Kübler-Ross's stages of grieving are still in play for them:
       | anger, denial, negotiation, etc.
        
       | sbarre wrote:
       | The key takeaway from that article, for me, is that the
       | government body that is supposed to monitor, enforce, and
       | penalize organizations who fail to follow the HIPAA rules is
       | basically doing nothing.
       | 
       | So with no consequence to these massive lapses, why would these
       | companies care?
        
         | modmans2nd wrote:
         | Underfunded...just like the IRS.
        
           | WC3w6pXxgGd wrote:
           | No, just inept like all government agencies.
        
         | humaniania wrote:
         | Office for Civil Rights (OCR)
         | https://www.hhs.gov/ocr/index.html
        
         | lunchables wrote:
         | https://compliancy-group.com/hipaa-fines-directory-year/
         | 
         | My honest opinion is that they know healthcare specifically is
         | so far behind meeting their regulator requirements they have
         | been trying to slowly phase in penalties.
        
         | zpallin wrote:
         | This is the wrong takeaway.
         | 
         | The article states pretty clearly from the interview with
         | Senator Mark Warner:
         | 
         | > "To my knowledge, Health and Human Services has done nothing
         | about it," Warner told TechCrunch. "As Health and Human
         | Services aggressively pushes to permit a wider range of parties
         | to have access to the sensitive health information of American
         | patients without traditional privacy protections attached to
         | that information, HHS's inattention to this particular incident
         | becomes even more troubling," he added.
         | 
         | It's not that they're doing nothing, they're supposedly making
         | it worse.
         | 
         | They're also underfunded. OCR budget dropped to 10% of its
         | previous budget between 2017 and 2018:
         | 
         | https://www.hhs.gov/about/budget/fy2018/budget-in-brief/ocr/...
         | 
         | So, when you ask "why would these companies care?", I think the
         | current federal government is trying to say "these companies
         | _should not_ care."
        
         | [deleted]
        
       | pg_bot wrote:
       | DICOM is a standard that does too much. They should scrub
       | everything related to networking and focus solely on
       | encoding/decoding medical images.
        
         | lostlogin wrote:
         | > DICOM
         | 
         | It's a great standard compared to HL7 though. That
         | 'standard' is the bane of radiology's existence.
        
       | jasonlaramburu wrote:
       | Could this data be anonymized and open-sourced for training
       | diagnostic algorithms? It's hard to put the genie back in the
       | bottle so why not at least make some use of the images?
        
         | windyaskew wrote:
         | In theory, yes. I was working on doing this (for internal data)
         | at a large healthcare system some time ago.
         | 
         | The de-id part was actually really easy since DICOM is a very
         | standardized format and this hospital system had good practices
         | in place to only input certain information about each patient.
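       One way to do the tag-level scrubbing windyaskew and OliverJones describe, as an added example that is not code from the thread or from any DICOM toolkit: the byte layout is Explicit VR Little Endian, the PHI tag set is an assumption (a real de-identification profile covers many more tags), and the sample data set is constructed without the file preamble, "DICM" magic or group 0002 meta information.

```python
# Added example (not from the thread or any DICOM vendor): tag-level de-id of a
# DICOM data set in Explicit VR Little Endian, built from constructed sample data.
import struct
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # 2 reserved + 4-byte length
PHI_TAGS = {  # tags this example treats as protected health information
    (0x0010, 0x0010),  # PatientName
    (0x0010, 0x0020),  # PatientID
    (0x0010, 0x0030),  # PatientBirthDate
}

def parse_elements(buf):
    """Yield (group, element, vr, value) from explicit-VR little-endian bytes."""
    pos = 0
    while pos < len(buf):
        group, elem = struct.unpack_from("<HH", buf, pos)
        vr = buf[pos + 4:pos + 6]
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", buf, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", buf, pos + 6)
            pos += 8
        yield group, elem, vr, buf[pos:pos + length]
        pos += length

def encode_element(group, elem, vr, value):
    """Encode one element; odd-length values get the standard's pad byte."""
    if len(value) % 2:
        value += b"\x00" if vr in LONG_VRS else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value

def deidentify(buf):
    """Blank the PHI tags and re-emit every other element unchanged."""
    return b"".join(encode_element(g, e, vr, b"" if (g, e) in PHI_TAGS else v)
                    for g, e, vr, v in parse_elements(buf))

def read_tag(buf, tag):
    return next((v for g, e, _, v in parse_elements(buf) if (g, e) == tag), None)

SAMPLE = b"".join([  # constructed sample: modality, PHI tags, tiny pixel data
    encode_element(0x0008, 0x0060, b"CS", b"MR"),
    encode_element(0x0010, 0x0010, b"PN", b"DOE^JANE"),
    encode_element(0x0010, 0x0020, b"LO", b"MRN-0001"),
    encode_element(0x0010, 0x0030, b"DA", b"19700101"),
    encode_element(0x7FE0, 0x0010, b"OB", b"\x00\x01\x02"),
])
```

Blanking a tag keeps the element header (so readers that require the tag to exist still parse the file) while removing its value; burned-in text inside the pixel data itself is not touched by this pass.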
        
       | dave_aiello wrote:
       | If this article is correct, it's such a huge problem that health
       | systems are likely to hesitate to take steps toward basic imaging
       | security, because they won't know what to do first.
        
       | wswope wrote:
       | Fun experiment: use google maps API to search a major US metro
       | area for medical practices. Pick out any websites that don't use
       | TLS. Crawl them for HTML forms that include common PHI keywords.
       | You'll find a lot. Those same practices are usually going to have
       | a whole mess of more serious HIPAA issues.
        
       | xiphias2 wrote:
       | Sensitive data should be thrown away and the medical images could
       | improve on the current state of the art medical image database
       | used for machine learning.
       | 
       | I'd be more than happy to publish my medical images with results
       | if they would be used for an open database.
       | 
       | I have been to doctors in third-world countries, where doctors
       | don't get the same level of education, but try to use the best
       | tools available without paying too much money.
        
         | ghaff wrote:
         | Define sensitive data.
         | 
         | One of the challenges is that just deleting a name, say,
         | doesn't necessarily fully anonymize a medical record/image. In
         | general, I actually agree with you but anonymization/privacy is
         | a challenging problem.
        
         | fhars wrote:
         | Adding enough medical data to the image to make it useful for
         | scientific research would most likely also add enough data to
         | deanonymize the image.
        
       | moviuro wrote:
       | % curl -L 'https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/'
       | curl: (7) Failed to connect to guce.advertising.com port 443: Connection refused
       | 
       | WTF?
       | 
       | I have a lying DNS server, and it's getting ridiculous.
       | 
       | Here's the outline for people who care about
       | privacy/tracking/GDPR, etc. https://outline.com/Ep5u4K
        
         | llacb47 wrote:
         | Yahoo/AOL/Oath want to set an advertising cookie before you
         | visit any of their sites.
        
           | moviuro wrote:
           | No, they _redirect_ you to an advertising domain.
        
         | eitland wrote:
         | For now I'd be happy if techcrunch was blocked so people had to
         | submit other sources.
         | 
         | I've not been able to find a way to read content on that domain
         | for months now.
         | 
         | Edit:
         | 
         | PS: unlike many here I've little against ads as long as they
         | aren't tracking me, but the "consent screen" on techcrunch is
         | less "consent" and more "strongarm".
         | 
         | PPS: as others are mentioning it seems the whole thing seems to
         | be compliance theater since they seem to set a tracking cookie
         | before even displaying the consent screen :-/
        
           | [deleted]
        
           | uponcoffee wrote:
           | I'm on Firefox Preview for Android and am having no problems
           | with the article. No ads, popups etc. Just pure content.
        
         | moviuro wrote:
         | Here is the entire curl trace: http://ix.io/277P
        
       | Eikon wrote:
       | It feels like the places where security is of utmost importance
       | like in banking, security cards or health are the worst at doing
       | it.
       | 
       | At least, lack of security of credit cards is understandable as
       | banks are profiting from fraud by charging the victim a fee.
       | 
       | In health? This must stop. It's a failure of regulatory bodies as
       | they throw so many junk policies around that the things that
       | really require attention are just overlooked. The overabundance of
       | paperwork and policies is not improving security, it's keeping
       | away actors that could do way better.
        
         | modmans2nd wrote:
         | They focus on visible security more than actually securing
         | things. Example: making it very hard for a user to log into a
         | system "because of security" but not using security
         | certificates to secure their email servers.
        
           | Eikon wrote:
           | Related: https://en.wikipedia.org/wiki/Security_theater
        
         | fhars wrote:
         | There is the complicating factor that in health, safety can be
         | more important than security: to keep a patient alive in an
         | acute emergency, it is imperative that the doctor can see their
         | data right now, while the fact that third parties can later
         | see the data doesn't matter too much. The problem is that
         | people tend to use the first aspect as a cheap excuse to do
         | nothing about the second one.
        
       ___________________________________________________________________
       (page generated 2020-01-11 23:00 UTC)