[HN Gopher] A billion medical images are exposed online, as doct... ___________________________________________________________________ A billion medical images are exposed online, as doctors ignore warnings Author : OrgNet Score : 249 points Date : 2020-01-11 12:44 UTC (10 hours ago) (HTM) web link (techcrunch.com) (TXT) w3m dump (techcrunch.com) | [deleted] | [deleted] | 7QdfBKNNfP wrote: | Not only is transport security mostly lacking in DICOM, but there | is little to no notion of access control for records. And I'm not | just talking DICOM, but the apps themselves. It's no surprise | though, when the DICOM standard has sections like this: | | _The DICOM Standard does not address issues of security | policies, though clearly adherence to appropriate security | policies is necessary for any level of security. The Standard | only provides mechanisms that could be used to implement security | policies with regard to the interchange of DICOM objects between | Application Entities. For example, a security policy may dictate | some level of access control. This Standard does not consider | access control policies, but does provide the technological means | for the Application Entities involved to exchange sufficient | information to implement access control policies._ | | http://dicom.nema.org/medical/dicom/current/output/html/part... | | The original DICOM TCP protocol requires that every device | connected use an encrypted tunnel, and it's not easy to get all | the device venders to agree on which ones to use, and then update | their software. DICOM Web Services are a thing, and at least they | would get HTTPS basically for free from their choice of web | client and server. | | HIPAA has been out since the 90's so we need to get more fines | against the providers to make them implement confidentiality and | access controls. It's actually the GDPR which is now driving | access controls rather than HIPAA. 
| | To be fair though, the DICOM folks are busy constantly trying to | standardize new image data coming from innovations in the | modalities (scanners). | prostheticvamp wrote: | An odd line from the article, wherein it states that security | researchers don't blame vendors, but the physicians and hospitals | that fail to properly secure the software. | | I have never, in all my years of working in healthcare, seen a | hospital or physicians office directly install and manage PACS. | They pay a third-party - usually the vendor - to install, | configure, and walk them through it. Maybe a behemoth system like | Northwell has the IT bench to do it themselves, but that would be | the exception. | | So allow me to rephrase slightly: "technologically inept | organization pays vendor to make machine go vroom. Vendor leaves | keys in ignition. Damn that technologically inept organization." | | To take a 10,000-foot view of the situation, though: | | Healthcare-related technologically was largely pushed on the | industry via legislation. Said legislation was almost entirely | stick, no carrot. The result was healthcare organizations with a | gun to their head to buy from a handful of vendors, with no real | ROI to be seen from it - aka, the government outsourcing its | costs to private industry, and throwing pork to some major health | IT firms along the way. When a technology is forced on you at a | loss, from a vendor with little incentive to optimize ease of use | or utility, you get a terrible piece of shit that no one wants to | invest more time and money into than absolutely needed. That's | going to show itself in a myriad of ways. | lostlogin wrote: | > no real ROI to be seen from it. | | I just did a brief Google, and the situation seems to be the | same as always - there isn't a clear win financially when a | PACS is installed. They are expensive to buy, to run and to | maintain and the gains are often hard to measure financially. 
| Having a minimum wage worker sort old films and carry them to | where they are needed was cheap compared to the wages and | hardware a large hospital needs to pay for when a large PACS | goes in. | | The number of people who miss hard copy film must be very small | however, that world was archaic. | hannob wrote: | You're right, this is a very irritating take. | | From what I understand these DICOM-devices are insecure by | default, you can just connect to them and download data, and | they expect their users to make them secure with network | separation etc. That's not a realistic expectation if your | customers aren't IT security professionals. And there's no | reason to create such a flawed design, a simple password would | be a huge improvement. | | In such a case the blame should fully go to the vendor. | humaniania wrote: | A brand new account posting scathing anti-government anti- | regulation content? HIPAA and HITECH and the other legislation | that you're likely referring to pushed a stagnant industry in | the right direction. Yes there is pain with growth but patients | are far better off for it, which is what the end goal was. | pjmorris wrote: | At my annual physical, as my doctor was typing away at data | entry on a laptop in the exam room, I asked him whether he | felt the new electronic systems had freed up his time to | spend more time on patients, or whether they had taken time | away from patients. He felt the later. | | I realize that anecdote is not data, and I'm not sure what | metric of 'better' you're using, but I wouldn't be too hasty | to claim technology as an unalloyed good in health care. | Scoundreller wrote: | Thing is, people will overlook the elements that are faster | and focus on the slower. | | Lab results for any patient at a click or two? Ignored. | | Changing a med order to be stopped in 27 hours? Guaranteed | to be flagged to the nurse at the exact right time. 
| | As much as I complain about Google's changes (stop ignoring | my double quotes!), it's probably improved overall despite | its constant attacks. | jtbayly wrote: | ... he says under an article about how a billion patient | images are publicly available... smh. | prostheticvamp wrote: | Yes, because I am a lurker that was moved to post by the | degree to which I disagreed with the article. Please restrict | yourself to actually arguing with the content of my posts, | and not going ad hominem. It's both against the rules of HN, | and just shitty. | | You say "pushed a stagnant industry", I say "hostility to | small practices." Large hospitals were already moving onto | EMR to better handle the volume of their data, if not already | having done so. It's small practices that couldn't afford | things like EPIC, and were forced to move onto free, ad- | revenue-driven crap like PracticeFusion that just made | everything slower and worse, without improving shit for | patients. | | Are some patients better off for it? I think so. I appreciate | web portals, which wouldn't have existed otherwise. I don't | appreciate the death of small practices, the majority of whom | are now selling out at cost to large hospital chains. | aivosha wrote: | how about those health care professionals not logging out of | their sessions, writing up their passwords on the stickit notes | and just generally leaving their computers unlocked for anybody | to just browse through. Its always easy to blame the "maker" | and say Im an idiot, make this idiot proof. Do you really want | people to treat you, being in a mindset of an idiot ? If there | is one field in all of universe that you cant not blame the | tools for your own idiocracy is the health care ! I want you, | the doctor, bend backwards to be at the top of your game | ALWAYS, not just when you are doing a brain surgery. 
I want you | to be the ONE that i can have 100% trust that you have my | interests in mind instead of playing blame games. | txcwpalpha wrote: | I've been the IT vendor in this scenario. While I'm sure there | are plenty of inept vendors not doing their part to ensure the | systems they implement are secure, a big part of it is doctors | and their work culture. | | Many doctors see themselves as too important to deal with | security. They have an attitude of "I went to school for | medicine, not computers! How dare you ask me to use a | computer." They are not only technologically inept, they are | proud of it. And I'm not just talking about refusing to use | complicated software. I'm talking about doctors that insist | that they shouldn't be forced to use passwords (not even | complicated passwords; ANY passwords). And in most of the | organizations I have dealt with, doctors are the most important | people in the organization and have final say on anything, | which often means that the security department's efforts are | all overridden by doctors that can't be arsed to even type in a | password before using their EMR, and don't even dream of | something more complicated like asking them to use multi-factor | auth. | | I once worked at a hospital where a doctor was looking at porn | at work, clicked a phishing link, and gave up his network | credentials. An attacker then used those credentials to breach | the network and siphoned several hundred thousand dollars from | the financial system (wiring money to himself). Security | detected this and disabled his account. 20 minutes later the | doctor had called the CEO, yelled at him ("how dare you lock me | out of my account!") who then called security to yell at us and | insist we re-enable his account. The doctor was never | reprimanded (for falling for phishing or for the porn) | meanwhile the security team got a stern talking to and was | instructed to never disable a doctor's account again. 
| | Healthcare is a different world for security. You have to | acknowledge that yes, patient safety is more important than | security, but oftentimes these doctors take it to an extreme | and they are very difficult to work with. I have never met a | group of people more elitist and "too important to be bothered" | by security than doctors. | PakG1 wrote: | This is a little off-topic, but I work in a school and | sometimes get the same feeling from teachers. I imagine CEOs | of companies that get breached because of stupid preventable | reasons are also similar. My point is that I don't think this | mindset is limited to doctors, though doctors may take it to | another level. | JamesBarney wrote: | The difference is there's usually only 1 CEO, but in a | medical organization there can be 1000's of doctors. | endorphone wrote: | It really applies to every industry -- people push back | against things that they see as impediments to their work. | Many/most HN visitors are software developers, and if | you've worked in a Fortune 500 virtually all of us have | gone to war with IT. "Don't they understand that we're | special and we need special rights and privileges" etc. And | often we have legitimate grievances because often | arbitrary, counter-productive, productivity-sapping | restrictions weigh us down. Often they're illusions of | security. | | And I'm sure on some IT admin board they talk about all of | those entitled developers and this one time this one | developer did something really stupid, ergo all developers | are god-complex dummies. | JamesBarney wrote: | Have you worked with doctor's? When I did I'd routinely | sit in a room with 10-25 people and wait for hours on a | doctor to show up to a meeting they'd schedule onlu to be | told by a secretary he was busy. Everyone I know who has | worked with doctor's has similar stories. 
| | This hasn't happened to me with any other position in any | other organization, including vice presidents of Fortune | 500 companies. | endorphone wrote: | I'm not claiming that doctors are interchangeable with | other careers. Doctors often have higher priorities that | can absolutely intrude at any time: An emergent medical | situation is far more important than a meeting about | document retention, for instance. For that VP, or CEO for | that matter, those meetings are a major priority of their | job. | | Instead I was pointing out that there are many fields | where people resist IT-style policies, and many special | snowflakes that believe (often rightly) that they are a | unique situation. | | Often in tales like this the worst scenarios arise | because some people aren't equipped at managing | expectations and communicating reasons and benefits. If | yet another vendor comes in with yet another system and | yet another set of demands and obligations, to someone | who sees it as a hindrance to their work product there | will be resistance. Understanding and communicating in a | way that, to use lame corporate speak, aligns goals makes | things go much smoother. | sizzle wrote: | "An attacker then used those credentials to breach the | network and siphoned several hundred thousand dollars from | the financial system (wiring money to himself)." | | You're telling me the CEO was unfazed when they learned this | was the reason you were locking down the system due to the | doctor's own ineptitude and breaking company policy looking | at porn and exposing them to direct financial loss and | liability (lawsuits from PII data being breached and | exfiltrated, etc)? | | The doctor put the whole hospital at risk and could have cost | them millions and got that cryptolocker attack holding their | data hostage indefinitely. | | The CEO should be thanking you guys for catching these huge | security ($$$) breaches. 
| txcwpalpha wrote: | I wouldn't say unfazed, but as I recall the reaction was | more that the doctor wasn't to be blamed and that it was | security's fault for not only "allowing" the breach to | happen, but also for inconveniencing the doctor. | | At the organizations I worked with, doctors really have | carte blanche privilege to get away with anything as long | as they claim "it's for a patient". Even the C-suite will | bend over backwards for MDs. | ssss11 wrote: | That exact attitude the doctors have is so common in other | occupations, I've experienced it with lawyers. | trhway wrote: | >doctors that insist that they shouldn't be forced to use | passwords (not even complicated passwords; ANY passwords). | | well, it is a clear voice of customer. And it has good reason | behind it - time and effort that the customer would like to | avoid wasting. Instead of disparaging the customers and their | needs how about listening to it and trying to really solve | the issues. May be doctors for example would be more happy | with having RFID microchip injected under the skin than | typing password in? The security industry should start | solving the issues for the benefit of users instead of | pushing the crap down everybody throats under the disguise of | holy cow of "Security!". | | >clicked a phishing link, and gave up his network | credentials. | | and you still continue to think that password based solutions | are suitable there? | | >I have never met a group of people more elitist and "too | important to be bothered" | | than security IT. Your post is a prrety good example of it. | txcwpalpha wrote: | In another company, we tried rolling out RFID badges that | could be scanned at any workstation to log doctors in | rather than passwords. 
This proved to be too inconvenient | for doctors as well, and the system had to be rolled back | within a month because doctors kept forgetting to keep | their badge with them and would then throw a hissy fit | because they wanted to go back to the old system where all | workstations were permanently unlocked. | | Security IT is, in my experience, one of the most amenable | in terms of trying to come up with new ways to serve | customers because the customers require it ( _all_ | customers require it, not just doctors), but doctors are on | an entirely different level when it comes to resistance to | change. | carbocation wrote: | In contrast to your experience, all VA physicians are | obligated to use an ID card with a chip in order to | login. | txcwpalpha wrote: | Indeed, other hospital chains do as well, which is why we | viewed it as a good option and went down that path to | begin with. In the case I'm referring to, everyone at the | hospital already had badges and the thought was that | removing password requirements and using the badges that | everyone already had as a login would work well. | | It didn't work, not because of technical issues, but | because we didn't anticipate the high number of doctors | that apparently had lost their badges and had never faced | consequences for it (the culture at this hospital was "oh | you forgot your badge? no worries, I'll just open the | door for you"). When we then asked the medical staff to | keep better track of their badges (not just for the login | system but also because of general campus security) we | received incredible pushback, and that's when we had to | roll back the program. | | IME, and as evidenced by the VA using a similar system as | you mentioned, doctors are perfectly competent enough and | able to use these systems and do just fine once they get | used to the system. 
The issue is that they put up a fight | more than anyone else when introducing something new, and | oftentimes IME the new system never gets a chance before | it's shot down. | carbocation wrote: | Physicians sporadically not having badges sounds like an | accreditation-threatening problem, for what it's worth. | (It depends on the institution's self-stated standards, | however.) | txcwpalpha wrote: | I'm not surprised to hear that. When I rolled off that | project, the login system project was slowed down/put on | hold while solving the badge situation was being | prioritized. We definitely opened up a can of worms when | we reported to leadership that the project was delayed | because people weren't carrying their badges with them. | 8bitsrule wrote: | >Instead of disparaging the customers and their needs how | about listening to it and trying to really solve the | issues. | | That statement applies to about 95% of the many issues we | face these days. Blaming is apparently easier than solving. | sorokod wrote: | Doctors are not customers, patients with their expectation | of privacy are. This is similar to doctors resisting | keeping checklists [1] of what goes in and out of patients | during operations. | | Doctors are service providers and the service is lacking. | | [1] https://hbr.org/2019/05/how-one-health-system-overcame- | resis... | bonoboTP wrote: | > This is similar to doctors resisting keeping checklists | | Or how they refused to wash their hands between morgue | and delivery after Semmelweiss' discoveries. | | Doctors see themselves as demigods. Not without reason, | since other employees treat them as demigods, society and | culture at large sees them as demigods as well. | lostlogin wrote: | > Doctors are not customers, patients with their | expectation of privacy are. | | In the US system, is the patient the customer, or the | insurance company? | | I work in healthcare outside the US and I'd argue that | the system I'm in is also quite skewed. 
In private | healthcare where I am, the patient is the person who | turns up and pays, but their doctor holds the power to | send their patients elsewhere, and so must be kept happy | too. | [deleted] | pmarreck wrote: | I am horrified... at how plausible this sounds. | | Like many IT people, I google the heck out of a medical | condition when I see doctors. Once I must have asked enough | pertinent pointed questions that the doctor asked with a mix | of sincerity AND condescension, "have you ever worked in a | medical field?" No but like any curious individual I utilize | the systems accumulating all human knowledge at our | fingertips to inform myself... Doesn't mean I can't | ultimately rely on your professional judgment, Sir | Consultant32452 wrote: | 99% of the time doctors are annoyed by anyone who has | researched and informed themselves on what their medical | problems might be. The notable exception is when the doctor | has repeatedly failed to accurately determine what's wrong. | Then you're "allowed" to bring up your own ideas. I can't | wait until the majority of work done by doctors is replaced | with a small shell script. They will fight VERY hard to | stop that from happening, and they're rich. So it will be a | tough fight. | prostheticvamp wrote: | People are constantly targeting every aspect of the physician | workflow, from CMS and private payors constantly changing | their documentation requirements (which differ between payors | and CMS, and results in hospitals trying to teach their docs | to document everything to meet everyone's requirements - | which are made intentionally lengthy and obtuse so as to | justify denials of payment), quality improvement people and | vendors populating the EMR with shit-tons of Alerts! 
meant to | prevent medical errors (but, due to specific medical contexts | justifying deviations from the textbook standard, the false | positives vastly outweigh true positives, to the point where | the alerts as a whole are utterly ignored), etc. | | It's easy to complain doctors resist (this particular | workflow change), which is SO important because it affects | PATIENT LIVES (because it's in the healthcare setting, so | EVERYTHING DOES) damn entitled doctors. Then recall that | every single time a doctor asks a nurse to do something that | nurse will say "oh, just enter a communication order." And | because your security set up your RFID to only work on a | computer where you've already logged in earlier, and you're | running around the hospital constantly, those badges aren't | worth shit >half the time. | | It's easy to complain about doctors' resistance to various | evolutions of their digital workflow, until you realize that | nearly every evolution adds complexity and time-burden to | their workload in a way that _does not directly improve | patient care_ , but slows down their work, increases | complexity (which _does_ adversely impact patient care), and | lengthens their workday (because their patient workload isn | 't reduced in the slightest by this.) I don't know a single | doc that doesn't do significant unpaid after-hours work | catching up to their digital bullshit; you also would resist | non-mission-critical additions to your unpaid workload. | | It's easy to treat physicians as entitled and resisting "just | to resist", rather than understanding that the physician | workflow is _constantly_ changing, from every possible angle, | and most often for reasons wildly unrelated to the immediate | task of "taking care of the patient in front of me". You'd | resist under those circumstances, too. | | There's a reason about half of physicians nationwide | (https://www.medscape.com/slideshow/2019-lifestyle-burnout- | de...) are burned out. HALF. 
That's what happens when your | ability to do your job is constantly fucked with. Perhaps you | should consider what that means, and how that relates to what | you're saying, rather than asserting doctors are just too | damn self-important to change. | Scoundreller wrote: | > There's a reason about half of physicians nationwide | (https://www.medscape.com/slideshow/2019-lifestyle-burnout- | de...) are burned out. HALF. That's what happens when your | ability to do your job is constantly fucked with. Perhaps | you should consider what that means, and how that relates | to what you're saying, rather than asserting doctors are | just too damn self-important to change. | | Paywalled, but nonetheless, I wonder how that rate compares | to other industries. And how much has to do with physicians | usually being unable to switch industries without a massive | pay cut. | | Dunno if doctors are particularly too self-important to | change than anyone else, but if someone was, I could see | that inability itself leading to burnout when things even | slightly change around you. | txcwpalpha wrote: | I'm sympathetic to this, and in other threads I would | usually be the first person coming to the defense of | doctors and harping on how complex and terrible EMR and | other medical software is. But that's not what I'm talking | about. | | I'm not talking about complex software. I'm not talking | about instances where doctors are asked to learn an | entirely new records management or scheduling system. I'm | _not_ talking about the type of systems where you have to | interrupt your day with an extra training session on how to | navigate the interface. | | I'm talking about _the most basic, bare minimum_ | interactions with security systems that _every other person | in every other industry_ has absolutely no issue with, but | for some reason doctors refuse to accept. I 'm talking | about stuff as simple as swiping your ID badge on a reader | to gain access to restricted areas. 
I'm talking about not | using work computers to look at porn. I'm talking about | basic awareness when it comes to not disclosing sensitive | information to a random person in the hallway. | | Another commenter brought up the number of passwords as a | complaint. Again, I'm sympathetic to this. This is why one | of my major areas of focus is implementing SSO solutions to | cut down on the number of passwords that users have to | remember. Except in one instance we had delays rolling out | SSO not because the system was complicated to use, but | because doctors complained that they didn't like _the | color_ of the SSO UI. They insisted it be blue rather than | yellow and wanted to scrap the _entire project_ because of | it. That 's the type of resistance I'm talking about. | | These aren't difficult or complex things. We are talking | about highly educated, highly paid individuals handling | highly sensitive information. They should be held to higher | standards, not treated like children just because they work | long hours. | | Speaking of working long hours, the second half of your | post is just a minor glimpse of the elitism I'm referring | to. Are you under the impression that medicine is the only | profession in which people experience burnout? Do you think | that only doctors have to deal with constantly changing | work environments and the never-ending cycle of evolving | technology? | | _Every_ profession deals with these things. Lawyers, | accountants, bankers, social workers, police officers, and | educators are just examples of professions that have | similar or higher burnout rates than doctors. Every single | one of these also has to deal with immense amounts of | bureaucratic processes, regulations, and inefficient | software that is constantly changing and affecting their | daily workflow. And yet in my years of consulting I have | never met a group that was as egotistically opposed to the | use of technology as doctors are. 
Even investment bankers, | which tend to be the most egotistical assholes with an | attitude of "I make millions of dollars a day for this | company, I don't have to listen to you puny IT people", | still don't hold a candle to the willful ludditism of | doctor's I've worked with. | 1996 wrote: | > Except in one instance we had delays rolling out SSO | not because the system was complicated to use, but | because doctors complained that they didn't like the | color of the SSO UI. They insisted it be blue rather than | yellow and wanted to scrap the entire project because of | it. That's the type of resistance I'm talking about. | | Is it really the hill you want to die on? | | Just change the damn widget color if it is so important | to them! Client is king!! | txcwpalpha wrote: | Ha, I agree! We were willing, able, (and did) change the | color relatively easily. I'm just using it as an example | of the type of pushback I've gotten. The doctors were the | ones willing to die on that hill; they wanted to cancel | the entire project and their reasoning was the color, and | they didn't even care to hear that it could easily be | changed. In that case it really did feel like resistance | for resistance's sake. | fencepost wrote: | This is why in starting up my own little IT services company | I'm planning on not serving medical clients. | | "HIPAA? I'm sure we're just fine, and no you can't take away | my Windows 7 PCs." | Scoundreller wrote: | I get the feeling big law is just as bad. | indyz wrote: | I never worked for big law, but medium law is terrible. | Partners can just order the IT department to do anything. | We had a new head of IT that tried to implement some | common sense changes for an organization that handles | sensitive data. Basic stuff: Block websites that tend to | be malware vectors, don't let users be admins on their | own machines, restrict USB storage to certain users, etc. 
| We were forced to override it on the partners machines | almost immediately. | wolco wrote: | Restricting partners usb access? Restricting websites and | restricting install permissions. | | Overkill and probably the opposite of what they envision | an IT department doing. | endorphone wrote: | This seems like a caricature or an exception. Doctors are | very aware of HIPAA (and the equivalent in every other | country), and the professional and monetary costs of non- | compliance. | | Doctors didn't set up these systems. Doctors didn't expose | them to the internet. As the other post said, vendors did. If | those vendors couldn't properly communicate the needs, that's | their problem. | | What I think is a more rational explanation for doctor | (nurse, lab technologist, etc) resistance is that the | industry is rife with incompetence and vendor balkanization. | So much so that every healthcare professional deals with | literally _dozens_ of logins to try to do their job. Every | one of those logins has its own bizarre password policies, | rotation schedules, etc. Pretty soon there is rightly | hostility to whatever scheme some small niche vendor has | imagined up in the illusion of security. | txcwpalpha wrote: | It may seem so, but I've done security consulting work for | 10+ of the largest hospital chains and insurance providers | in the country and I can assure you it isn't an exception. | Doctors don't care about HIPAA ("that's legal's job"). They | don't care about the company's finances (unless it's a | small private practice, "that's the accountant's job"). | | Some of the complexity is caused by the software itself | being complex, yes, but that's not what I'm talking about. | In every organization I have worked with, doctors were | always the biggest obstacle to even doing something as | simple as requiring them to carry around a badge for | physical access to the building. 
As a group, they are very | resistant to anything that might add an extra step to their | workflow. And yes, everyone hates and is resistant to stuff | being added to their workflow, but I find most people are | amenable to it as long as it's a small interruption and | it's for a good reason (security). Doctors generally don't | have that attitude, though. | dkdklk wrote: | Sounds like someone has it in for doctors. | | I worked in healthcare IT for years, before than going to | medical school, and now in residency. My experience | really does not match yours. | | As mentioned earlier in the thread, I will agree that | doctors in general are quite resistant to technology | because they have been fucked over by implementations | that are more concerned with billing and regulatory than | either better patient care or improving physician quality | of life/workload. | | Most medical facilities use badges for access. I think | what you're calling resistance is increased scrutiny, | something you might not be used to dealing with in other | fields. | | Based on your sweeping generalizations tinged with | bitterness I can only imagine most doctors that have to | work with you professionally are going to be a bit on | edge. The reaction you're getting from all these | physicians you're working with is probably related to | what I can only imagine is a shitty attitude. | jcims wrote: | Also in security for a long time, spending a lot of that | with hospitals and healthcare organizations. My | experience matches the parents. Your points are very | valid but doctors can definitely be dicks as well. | thomasfedb wrote: | I'm a student doctor with a CS undergrad. I'm constantly | gobsmacked by how horrible the computer systems doctors are | forced to use are. They're pretty much abusive to use. | | The hours and hours of physician time that are thrown away | into mindless box-ticking, copy-pasting, button-pushing, | and general head-banging is astounding. 
|
| If doctors are resistant to new IT hurdles it is, at least in part, because they're already faced with a decathlon-esque ritual to achieve their basic day's work.
| hhas01 wrote:
| Yep. Never blame users for raging at the system until you understand the system as well as they do. Techies have it easy: they only have one job and that's all they ever do. It looks _very_ different from the other side.
|
| (Protip: The key to delivering successful software is not to learn programming, it is to learn your users.)
|
| (Oh, and good luck with your medical studies; world needs good Renaissance [Wo]Men now more than ever.)
| OnlineGladiator wrote:
| > (Oh, and good luck with your medical studies; world needs good Renaissance [Wo]Men now more than ever.)
|
| Why now more than ever?
| hhas01 wrote:
| Growing complexity. Struggling scalability. Overspecialization. Balkanization. Failures of accountability.
|
| OP's firsthand observation on the awful state of programmer-produced medical software, the original linked article, and notoriously lethal software disasters such as Therac-25 provide frightening cases in point. These things are not accidents. Programmers who only know how to program are as much use as managers who only know how to manage. And this world has far too many of both.
|
| Look, any idiot can hack teh codez. Learning the problem domain; that's the hard part. It is also the _critical_ core of the job. Because if you don't/won't/can't understand the problem, how do you possibly expect to solve it?
|
| Especially when that problem space is something as vast, complicated, and utterly unforgiving as millions of people's healthcare.
| Scoundreller wrote:
| I think that describes any enterprise software.
|
| Likely at go-live/vendor selection, nobody wanted to revolutionize things in a way that could only be done on computer.
|
| The successful vendor will be the one that can << make all of your paper stuff look/function/feel the same way on a computer >>.
|
| This minimizes training, development and changing the workflow you used for 20 years. Which checks every department's checkboxes.
|
| So you end up with the worst aspects of paper, with few of the benefits of technology.
| Gatsky wrote:
| It goes both ways. I keep telling the IT people at my hospital to stop using SMS 2-factor and they blow me off and treat me like an idiot.
|
| Anyway, 'Doctors' are a pretty diverse bunch, and most of them aren't arrogant porn-fiends.
| dvtrn wrote:
| From experience, users who come to IT and simply demand we do something because 'reasons' usually aren't prioritized for follow-up.
|
| Managers who come to IT and demand we do something _and show us how it affects their work/department and perhaps the rest of the business and offer to be part of the solution-making process_ often get first-class attention.
|
| Could it be IT is blowing you off because of how you're delivering your complaint about SMS 2FA without regard for their existing workload?
|
| They likely have more than enough on their plates as it is to simply do something because someone from a department said something about it, and IT doesn't exactly pivot on lithium battery, especially in hospitals. That doesn't mean they don't _care_ about your issue or request, but like every other department they have objectives and goals that were likely set well before your 2FA conversation even began.
| Gatsky wrote:
| You realise what you just did there, right, without a hint of irony?
| ryanlol wrote:
| > I keep telling the IT people at my hospital to stop using SMS 2-factor and they blow me off and treat me like an idiot.
|
| Well... yeah. Nobody is sim swapping hospital staff.
|
| It's not great, but this isn't a real threat they're facing.
| txcwpalpha wrote:
| I hear you and I'm sure it's frustrating, but I'd be curious to know if the security team has any reasons for sticking with SMS 2FA. I'd be willing to bet money that the reason they blow you off is because it's a sore spot for them. They probably have tried to implement other MFA methods but were reprimanded by the medical staff because anything other than SMS is too complicated (I'm harping on doctors a lot, but I legitimately do cringe at the thought of even asking a typical MD to download an MFA app or carry around a physical token).
| Gatsky wrote:
| No, this is not the case. Anyway, it would be good just to have the option to not use SMS; they don't need to migrate everyone off SMS at once.
| fencepost wrote:
| SMS for 2FA isn't good, but it's still better than no 2FA at all.
|
| Depending on how many systems they have it integrated with, that could end up being a huge undertaking for them and they've probably been cut to the point where another huge undertaking may not be in the cards right now. If they're like a lot of large enterprises they may also _still_ be trying to get rid of Windows 7 and Server 2008R2.
|
| Edit: for example, are you full on Microsoft 365 Enterprise with Azure AD? I believe that has tie-ins with Microsoft's Authenticator app. If you're strictly onsite traditional AD I think you'd need to look at Duo for 2FA that integrates nicely with AD, then also see what else you need to integrate it with that uses its own separate non-SSO authentication.
|
| And while it's not huge, the question of "who's paying for the $3/6/9 monthly per user charges (contact sales if you have > 500 users)?" will come up, particularly if there are hundreds or thousands of external medical office users able to sign in through a portal system as well.
| (This is based on pricing from the Duo website.)
| Gatsky wrote:
| Yes, I'm sure they have their reasons and their own priorities and constraints. Just like the doctors who decline to use basic authentication. See my point? Hospitals are notorious for passing the buck around.
|
| As it happens there is a single web property for accessing a remote desktop, not multiple systems, and the hospital down the road funded by the same entity has implemented TOTP authentication.
| endothrowho333 wrote:
| Curious, why would a doctor decline to use basic password auth?
| kjs3 wrote:
| I have had a doctor tell me that his time was too important to waste it typing passwords. I had another one tell me, quite dramatically, "someone could die" while he was typing in a password. It's a profession where many have an "interesting" perspective on information protection. I have tons of tragicomic security stories from dealing with health care providers.
| wolco wrote:
| Porn fiends? Doctors don't have the time. But you must admit that the profession brings out some very arrogant traits. They usually express the point of view that they learned everything they needed to at med school and any new outside information is suspect and not important, including IT security.
| egocodedinsol wrote:
| In my experience, you are way off base. Doctors can be very arrogant but I've never met someone from another profession who could point me to research articles regarding their proposed plan of action. Doctors at major hospitals are often either a) residents who are in their nth year of learning post med school, or b) expected to publish at least case study papers regularly or communicate with those that do.
| hhas01 wrote:
| "But you must admit that the profession brings out some very arrogant traits."
|
| Which one? You know we're also talking about programmers, right?
| gambiting wrote:
| On the other hand (and I'm really not trying to excuse this behaviour) some doctors are almost daily in situations where "if I had a little bit more time or did this thing a day earlier maybe the patient would still be alive". If you run into those kinds of situations frequently, then obviously _any_ slowdown (like having to remember or type in a password) is _obviously_ stupid. And only they understand it, no IT employee ever would.
| hhas01 wrote:
| Inasmuch as "Caveat Emptor" is the Latin to live by, physicians and hospitals are indeed responsible for making sure what they've just bought is safe and fit for purpose. Especially with HIPAA et al. already breathing down their necks.
|
| The big problem is that tech grifters, just like AltMed scamsters, are just way quicker and better at burying all their shit than surgeons and scientists are at digging it out again. And, to be fair, doctors do already have far more pressing things to be digging out: wood spales, fence railings, guinea worms, and so on. Hence the need to hire in [ostensible] specialists in the first place.
|
| Still, be consoled that those of us in countries with socialized healthcare are just as adept at Medical IT disasters as yours are. :/
|
| --
|
| "A lie can travel halfway around the world before the truth can get its boots on." Of course, this was _before_ we invented the networked computer.
| trackofalljades wrote:
| This was my immediate thought at the headline: doctors-who-what-now?
|
| This feels informed from the technology side, and profoundly ignorant of how health care IT actually works (especially in the United States).
| prostheticvamp wrote:
| When it comes to healthcare, everything is always the doctor's fault. It's convenient to have a single target to blame for everything that goes wrong in the industry.
| Never mind that most physicians are just employees, with plenty of layers of management, in massive organizations, with extremely heavy regulatory oversight.
|
| If an organization that runs three hospitals can't put together the IT to secure their PACS system with a decent password, that's the fault of the physician about as much as it's the fault of the nurse, the janitor, the cafeteria chef, etc.
|
| WTF is with people blaming doctors for literally everything related to healthcare? Do they not understand we haven't been in charge of anything for a couple of decades now? Since the combined rise of HMOs and Medicare/Medicaid, and the massive hospital M&A splurge, we're just line workers. We try to do our best by patients, but we ain't in charge of anything.
| christophilus wrote:
| I completely agree. I have friends in the medical field, and they hate their computer systems. One of them spends almost as much time on data entry as he does with his patients. He has to double and sometimes triple enter data. He's probably going to end up hiring someone to do that full time, which is so obviously a totally broken system.
| blueboo wrote:
| > One of them spends almost as much time on data entry as he does with patients
|
| ...then he's one of the lucky ones! One study found that for every hour a physician spends with a patient, she spends two on processing health records.
|
| https://www.jwatch.org/fw111995/2016/09/06/half-physician-ti...
| brianwawok wrote:
| I mean, for every hour I spend writing production code, I spend an hour in agile meetings, and 2 hours chasing down obscure bugs in javascript libraries. Not that many professions are "do visible part of work 100%".
|
| Heck, I hear bricklayers need to spend some time mixing cement and getting bricks off the truck, not just scooping mud and sticking bricks.
|
| Health records ARE a big part of the product of a doctor.
| Keeping a good chart and finding trends over time is a big part of the service you need.
| 1996 wrote:
| > Health records ARE a big part of the product of a doctor
|
| I long for practices that would keep no record of my issues, except what I volunteer to them at the beginning of the consult. Many countries do that just fine, but for some reason in the US I am asked to fill pages on insignificant trivia to cover their ass or follow some weird law or tradition maybe?
|
| I don't want perfect healthcare. Good enough is fine!
|
| So now I just see doctors when traveling. Simpler, faster, and cheaper too.
| egocodedinsol wrote:
| Your analogies would make more sense if you spent 2 hours on documentation for every hour you spent coding or bug finding.
| chiefalchemist wrote:
| Clickbait-y headline that forgets to mention hospitals as well. Yes, doctors should be more responsive and responsible. But they're (only) doctors.
|
| Hospitals on the other hand have staff dedicated to technology and such infrastructure.
|
| Dr X being unaware of the implications is understandable. Perhaps not forgivable but certainly no surprise. But hospitals? They have no excuse.
| reaperducer wrote:
| I work in health, and I sometimes have to interact with the federal database of doctors. It's amazing the things you see in there.
|
| There are doctors who don't know their own addresses. Can't spell the name of their town. Don't know their ZIP Code. Don't know the difference between a mailing address and a physical address. Don't keep their information current. Or sometimes don't even know what town they're in, putting a neighborhood or region on federal paperwork because "everybody knows where that is."
|
| We assume that because doctors are smart at medicine, they should also be smart at computers. They're not.
| Just like my commercial airline pilot neighbor is great at flying transcontinental jumbo jets, but every few days has to shout across the street at me to ask if today's the day to put out the trash bins.
| DataWorker wrote:
| Not smart at computers, but maybe they are smart _about_ computers. Everyone thinks old people can't use tech, but what if they don't want to and that resistance is a manifestation of wisdom that's incomprehensible to those without the same wisdom. To believe doctors as a class of people are less intelligent than average is silly and probably ego defensive. As a group doctors are of above average intelligence and certainly smarter than most of the people they work with in IT.
|
| I think it's the academic and professional institutions that are most culpable for the current state of things. They should have been the ones who foisted tech requirements on doctors; instead it was done through federal regulation. Most of the blame for most of today's problems comes back to universities. If using tech is part of the job of being a doctor, then make it so from inside the profession.
| mewpmewp2 wrote:
| There are different types of intelligence. Both fields require totally different talent, interests and skills. One is solving very abstract problems, the other is talking to people and learning a huge amount of information about how humans work.
|
| I am good with abstract stuff, but in no way could I remember that amount of information about people as doctors do. I still have no idea what most of my bones or other things within me are named and I have zero interest in it. I can imagine one could also be the other way around. Have a huge amount of interest in people, but despise techy knowledge.
|
| In the end both doctors and IT workers are so different from each other that they have so much trouble understanding one another. Remember doctors never asked for all this abstract shit.
| Also as you age you will get more set in the field you choose. That is just the way people work. Not an excuse or why one should not keep improving themselves.
| jessaustin wrote:
| You're really blaming the subjects of a database for errors in that database? There are many reasons for errors that have nothing to do with anything a physician might or might not have done.
| reaperducer wrote:
| Those subjects fill out the forms that end up in the database. It isn't some faceless government agency reading their minds. The data comes from what the doctors write down.
| salad77 wrote:
| From the article:
|
| "We're not naming the affected organizations to limit the risk of exposing patient data."
|
| However, a google inurl:dicom search sure shows up the affected organizations on the first page (and plenty of pages after that).
|
| And the sites are still fully open. Absolutely zero hacking required.
|
| A lot of organizations had better get to work fast on this.
|
| (edit: no images were viewed in the making of this post)
| cornflake wrote:
| https://picsafe.com is a HIPAA compliant tool that solves this. Until penalties are applied, health organizations won't act on this.
| savrajsingh wrote:
| On the user side, we have to jump through hoops and sign so many onerous paper HIPAA compliance forms at dr's offices, just to get doctors to share records about us. On the backend it's free for anyone to access. It's all backwards!
| jessaustin wrote:
| The signature demands that really annoy me are the ones in which I must acknowledge that the provider has informed me of their HIPAA policies, which demands are seldom accompanied by actual information about HIPAA policies, which I probably wouldn't read anyway even if they were included.
| 1996 wrote:
| Then refuse to sign: you can't be denied care for refusing communication of your records to 3rd parties. It's certainly better for your privacy too.
| Spooky23 wrote:
| I wish one of my past providers was impacted by this a few years ago. I had to waste hours and thousands on MRIs when a practice closed and they made getting imagery impossible.
| selimnairb wrote:
| Yet another reason to create a nationalized NHS-like system.
| gridlockd wrote:
| What exactly makes you think government institutions would do a better job here? I quote:
|
| _"...one unprotected server at one of the largest military hospitals in the United States exposed the names of military personnel and medical images"_
| basilgohar wrote:
| Theoretically, there would/should be a unified system and standards applied. Realistically, it'll probably still be first attempted through vendors with exclusive contracts, which is basically the current system but with extra steps.
| reaperducer wrote:
| _Theoretically, there would/should be a unified system and standards applied._
|
| So, a nice convenient one-stop shop for hackers.
|
| I'd rather a thief had to break into a thousand homes than one great big home.
| zpallin wrote:
| One-stop shop? Even with an assumed "unified system" there is absolutely no way that even an incompetent group of IT engineers would be able to construct a single unified network with a single doorway into it to make a "one-stop shop experience." It would still be "breaking into a thousand homes", but at least the difference is, given a unified set of controls, that reconciliation of a breach could be automated.
| alecco wrote:
| NHS has plenty of data breaches.
| cookie_monsta wrote:
| "anyone with an internet connection and free-to-download software to access over 1 billion medical images of patients across the world."
|
| Breaches on that scale?
| alecco wrote:
| images != people. NHS had a 150k patients breach not long ago. And many others of smaller scale in the thousands. It's definitely not an organization renowned for being good at handling patient data.
|
| On top of that, they recently made a deal to share with Amazon and Google. They clearly don't care.
|
| Also, it's a monopoly. You can't choose something else. And never mind the politics of both the administration (who chose them to be in power?) and political pressure from whatever party is in control of funding. Pass.
| incone123 wrote:
| The NHS does seem to force doctors to follow security rules. But we have a different problem where the government thinks it owns my data and has the right to sell it.
| OliverJones wrote:
| From Techcrunch's article it looks like it's possible to see so-called "protected health information" (PHI) in these images. PHI includes patient names, diagnoses, hospital and doctor names, contact information, and so forth. It's sometimes possible to "de-identify" medical images by scrubbing off patient info. But I bet most of these are not de-identified.
|
| The examples in the TechCrunch article are redacted, but I guess that was done for publication and not on the stored images themselves.
|
| In the USA, HIPAA and ARRA 2009 (follow-on legislation) made it a federal crime to knowingly or negligently disclose PHI. It's a crime that "pierces the corporate veil." That is, natural persons can be tried and convicted, even if they were acting on behalf of corporations.
|
| The Centers for Medicare and Medicaid Services (CMS) has a Breach Notification Rule, requiring holders of data to notify patients and CMS themselves if PHI is breached. https://www.hhs.gov/hipaa/for-professionals/breach-notificat...
|
| CMS announces breaches involving 500 or more patient records here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
|
| It wouldn't surprise me if the people involved in securing these sloppily configured DICOM servers are in a state of panic. I was involved in dealing with an unintentional breach of 44 patient records a few years back, and yeah, we had some panic.
| (Misrouted fax messages were the root cause, for what it's worth.) Also observe that I remember to this day how many records leaked out. Breaches are a big deal. It stinks to be them. I know that for sure.
|
| I hope they get it sorted out. It will take a while. It will also take a while for the affected medical professionals and their IT providers to start responding to these breach reports rationally. Kubler-Ross's stages of grieving are still in play for them: anger, denial, negotiation, etc.
| sbarre wrote:
| The key takeaway from that article, for me, is that the government body that is supposed to monitor, enforce, and penalize organizations who fail to follow the HIPAA rules is basically doing nothing.
|
| So with no consequence to these massive lapses, why would these companies care?
| modmans2nd wrote:
| Underfunded... just like the IRS.
| WC3w6pXxgGd wrote:
| No, just inept like all government agencies.
| humaniania wrote:
| Office for Civil Rights (OCR) https://www.hhs.gov/ocr/index.html
| lunchables wrote:
| https://compliancy-group.com/hipaa-fines-directory-year/
|
| My honest opinion is that they know healthcare specifically is so far behind meeting their regulatory requirements that they have been trying to slowly phase in penalties.
| zpallin wrote:
| This is the wrong takeaway.
|
| The article states pretty clearly from the interview with Senator Mark Warner:
|
| > "To my knowledge, Health and Human Services has done nothing about it," Warner told TechCrunch. "As Health and Human Services aggressively pushes to permit a wider range of parties to have access to the sensitive health information of American patients without traditional privacy protections attached to that information, HHS's inattention to this particular incident becomes even more troubling," he added.
|
| It's not that they're doing nothing, they're supposedly making it worse.
|
| They're also underfunded.
| OCR budget dropped to 10% of its previous budget between 2017 and 2018:
|
| https://www.hhs.gov/about/budget/fy2018/budget-in-brief/ocr/...
|
| So, when you ask "why would these companies care?", I think the current federal government is trying to say "these companies _should not_ care."
| [deleted]
| pg_bot wrote:
| DICOM is a standard that does too much. They should scrub everything related to networking and focus solely on encoding/decoding medical images.
| lostlogin wrote:
| > DICOM
|
| It's a great standard compared to HL7 though. That 'standard' is the bane of radiology's existence.
| jasonlaramburu wrote:
| Could this data be anonymized and open-sourced for training diagnostic algorithms? It's hard to put the genie back in the bottle so why not at least make some use of the images?
| windyaskew wrote:
| In theory, yes. I was working on doing this (for internal data) at a large healthcare system some time ago.
|
| The de-id part was actually really easy since DICOM is a very standardized format and this hospital system had good practices in place to only input certain information about each patient.
| dave_aiello wrote:
| If this article is correct, it's such a huge problem that health systems are likely to hesitate to take steps toward basic imaging security, because they won't know what to do first.
| wswope wrote:
| Fun experiment: use google maps API to search a major US metro area for medical practices. Pick out any websites that don't use TLS. Crawl them for HTML forms that include common PHI keywords. You'll find a lot. Those same practices are usually going to have a whole mess of more serious HIPAA issues.
| xiphias2 wrote:
| Sensitive data should be thrown away and the medical images could improve on the current state of the art medical image database used for machine learning.
|
| I'd be more than happy to publish my medical images with results if it would be used for an open database.
|
| I have been to doctors in third world countries, where doctors don't get the same level of education, but try to use the best tools available without paying too much money.
| ghaff wrote:
| Define sensitive data.
|
| One of the challenges is that just deleting a name, say, doesn't necessarily fully anonymize a medical record/image. In general, I actually agree with you but anonymization/privacy is a challenging problem.
| fhars wrote:
| Adding enough medical data to the image to make it useful for scientific research would most likely also add enough data to deanonymize the image.
| moviuro wrote:
| % curl -L 'https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/'
| curl: (7) Failed to connect to guce.advertising.com port 443: Connection refused
|
| WTF?
|
| I have a lying DNS server, and it's getting ridiculous.
|
| Here's the outline for people who care about privacy/tracking/GDPR, etc. https://outline.com/Ep5u4K
| llacb47 wrote:
| Yahoo/AOL/Oath want to set an advertising cookie before you visit any of their sites.
| moviuro wrote:
| No, they _redirect_ you to an advertising domain.
| eitland wrote:
| For now I'd be happy if techcrunch was blocked so people had to submit other sources.
|
| I've not been able to find a way to read content on that domain for months now.
|
| Edit:
|
| PS: unlike many here I've little against ads as long as they aren't tracking me, but the "consent screen" on techcrunch is less "consent" and more "strongarm".
|
| PPS: as others are mentioning, the whole thing seems to be compliance theater since they seem to set a tracking cookie before even displaying the consent screen :-/
| [deleted]
| uponcoffee wrote:
| I'm on Firefox Preview for Android and am having no problems with the article. No ads, popups etc. Just pure content.
| moviuro wrote:
| Here is the entire curl trace: http://ix.io/277P
| Eikon wrote:
| It feels like the places where security is of utmost importance, like banking, security cards or health, are the worst at doing it.
|
| At least, lack of security of credit cards is understandable as banks are profiting from fraud by charging the victim a fee.
|
| In health? This must stop. It's a failure of regulatory bodies as they throw so many junk policies around that the things that really require attention are just overlooked. The overabundance of paperwork and policies is not improving security, it's keeping away actors that could do way better.
| modmans2nd wrote:
| They focus on visible security more than actually securing things. Example: making it very hard for a user to log into a system "because of security" but not using security certificates to secure their email servers.
| Eikon wrote:
| Related: https://en.wikipedia.org/wiki/Security_theater
| fhars wrote:
| There is the complicating factor that in health, safety can be more important than security: to keep a patient alive in an acute emergency, it is imperative that the doctor can see their data right now, while the fact that third parties can later see the data doesn't matter too much. The problem is that people tend to use the first aspect as a cheap excuse to do nothing about the second one.
___________________________________________________________________
(page generated 2020-01-11 23:00 UTC)
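Picking up the de-identification point made above (OliverJones: PHI can sometimes be scrubbed from the images; windyaskew: the de-id step is easy because DICOM is so standardized), here is an added example, not code from the article or from any commenter, that strips identifying header elements from a DICOM explicit-VR little-endian element stream in pure Python. It assumes a simplified stream (data elements only, no Part 10 preamble or file-meta group), a constructed sample study, and a constructed subset of identifying tags; pixel data is copied untouched, so ghaff's caveat that deleting a name is not full anonymization still applies to text burned into the image.

```python
"""Header de-identification over a DICOM explicit-VR little-endian element
stream.  Added example in pure Python (no pydicom); the stream layout is the
simplified one described in the lead-in: data elements only, no 128-byte
preamble, no "DICM" magic, no file-meta (group 0002) header."""
import hashlib
import struct

# VRs whose explicit-VR encoding is: tag, VR, 2 reserved bytes, 4-byte length.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

# Directly identifying tags handled here.  Constructed subset; the standard's
# confidentiality profiles (PS3.15 Annex E) list many more.
PHI_TAGS = {
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1040): "PatientAddress",
}


def encode_element(tag, vr, value):
    """Serialize one data element in explicit VR little endian."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:  # values are padded to even length (NUL for UI, space otherwise)
        value += b"\x00" if vr == b"UI" else b" "
    head = struct.pack("<HH", tag[0], tag[1]) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def parse_elements(buf):
    """Yield (tag, vr, raw value) from an explicit VR little endian stream."""
    pos = 0
    while pos < len(buf):
        group, elem = struct.unpack_from("<HH", buf, pos)
        vr = bytes(buf[pos + 4:pos + 6])
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", buf, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", buf, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:  # undefined length (sequences) is out of scope
            raise ValueError("undefined-length element at offset %d" % pos)
        yield (group, elem), vr, bytes(buf[pos:pos + length])
        pos += length


def deidentify(buf, salt=b"constructed-site-secret"):
    """Return a copy of the stream with identifying headers neutralised.

    - PatientID becomes a salted, truncated SHA-256 pseudonym so that studies
      of the same patient still link together without exposing the real MRN.
    - Other PHI_TAGS are kept (Type 2 attributes such as PatientName must
      still be present) but emptied.
    - Private (odd-group) elements are dropped: vendors stash PHI there.
    - Pixel data is copied untouched, so text burned into the image stays.
    """
    out = []
    for tag, vr, value in parse_elements(buf):
        if tag[0] % 2 == 1:
            continue
        if tag == (0x0010, 0x0020):
            pseudo = hashlib.sha256(salt + value).hexdigest()[:16].upper()
            out.append(encode_element(tag, vr, pseudo))
        elif tag in PHI_TAGS:
            out.append(encode_element(tag, vr, b""))
        else:
            out.append(encode_element(tag, vr, value))
    return b"".join(out)


def phi_report(buf):
    """Names of PHI_TAGS that still carry a non-empty value (audit check)."""
    return sorted(PHI_TAGS[tag] for tag, _vr, value in parse_elements(buf)
                  if tag in PHI_TAGS and value.strip(b" \x00"))


def values(buf):
    """Map tag -> raw value, for inspection."""
    return {tag: value for tag, _vr, value in parse_elements(buf)}


# Constructed sample study header: fictional patient and site.
SAMPLE = b"".join([
    encode_element((0x0008, 0x0016), b"UI", "1.2.840.10008.5.1.4.1.1.2"),  # CT Image Storage
    encode_element((0x0008, 0x0060), b"CS", "CT"),
    encode_element((0x0008, 0x0080), b"LO", "Example General Hospital"),
    encode_element((0x0010, 0x0010), b"PN", "DOE^JANE"),
    encode_element((0x0010, 0x0020), b"LO", "MRN-000123"),
    encode_element((0x0010, 0x0030), b"DA", "19700101"),
    encode_element((0x0009, 0x0010), b"LO", "VENDOR PRIVATE BLOCK"),
    encode_element((0x7FE0, 0x0010), b"OW", bytes(range(16))),
])

if __name__ == "__main__":
    print("before:", phi_report(SAMPLE))
    clean = deidentify(SAMPLE)
    print("after: ", phi_report(clean))
    print("patient name now:", repr(values(clean)[(0x0010, 0x0010)]))
```

Run against a real export, the same `phi_report` check is the audit step: anything it still lists after `deidentify` is a header that leaks, and it says nothing about text rendered into the pixels.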