
Hospitals are a weak spot in U.S. cybersecurity - swedtrue
https://www.axios.com/hospitals-cybersecurity-medical-information-hacking-076cb826-fc69-4ba6-b3fd-57ce19ab00c6.html
======
burnte
Healthcare CIO here. This is true. Healthcare is still using paper fax. It has
a 30 year old data interchange format that no one really supports because it's
more profitable to lock in customers to your EMR. Healthcare is HORRIBLE about
upgrading anything, at changing processes, and technological progress in
general. Healthcare is VERY backwards from a tech standpoint.

Another problem is that EVERYTHING is custom, we use very, very few off the
shelf solutions. Need an EMR? Let's build it in MUMPS, a 51 year old language
that originated on the PDP7 and call it a state of the art system like Epic or
GE Healthcare. Don't like the terminal interface? Let's slap a GUI on the
front that still interacts via TTY on the back end. SQL? Nah. C, C++, or any
more modern language with more robust features and way more programmers? Nope.

Now, there are some EMRs and other healthcare-centric apps that are better
written, but they're also terrible. Healthcare is a relatively small market,
you'll never sell a million units of your app, so you charge out the wazoo for
it, get a few health systems on it, and allow them to go crazy with
customization to help lock them in. And then you try to add modern security
features on to a system that's been growing for 50 years and it's a nightmare.
It's INCREDIBLY common for nurses and doctors to need to have administrator
access on their Windows desktops for various apps.

I was about to leave IT in general when a healthcare gig landed on me, and I'm
glad it did. I find it very refreshing to be in an industry where it's so far
behind that there are mountains of problems to tackle, even if half of them
are so stupid it makes me want to cry.

~~~
rubatuga
People need to stop hating on fax. Hospitals still use fax because it is a
much more punishable crime to tap phone lines which requires physical access,
as opposed to a server that could be infected from a hacker halfway across the
world.

~~~
keithnz
Fax is odd, it was a fantastic thing when it first came about, and it has some
desirable properties.

\- It's direct point to point communication (over a network)

\- The transport network is dedicated and not open to anyone and covered by
quite strong laws in many countries

\- It's easy to see the history of communications

\- It's easy to see if the other end successfully received something

\- It's relatively standardized and ubiquitous (in health)

Email would be the closest thing, but it doesn't have all the advantages, and
the extra add-ons that would make it better (like encryption, delivery
receipt, digital signatures) are not standardized and/or ubiquitous (and
often hotly argued about)

So fax is the lowest common denominator, that, if it was proposed today, would
not be accepted for many of its disadvantages, but it's now hard to find a way
to replace it.

~~~
analog31
\- It's easy to see if the other end successfully received something

I think this is a biggie. It means your workflow doesn't need to include going
back later and checking to see if your document was received, and then trying
to send it some different way. You don't have to guess which way the recipient
is capable of receiving a message.

It's the original e-mail. ;-)

~~~
XaspR8d
Except seeing it was digitally received is often quite insufficient to seeing
it was received by a human it was intended for. All too often in dealing with
healthcare and gov't orgs our faxes get lost with no way of identifying where
they went. Presumably it is a mismanaged shared fax inbox where individuals
are not actually being alerted to their messages...

------
Thriptic
It's really tough. You have a function which is viewed purely as a cost
center; you have a totally porous environment where you're required to admit
tons of minimally-verified people into confidential spaces; staff and
affiliates need different levels of access from all over the world; there are
critical availability demands where temporary denial of service for security
reasons is unacceptable; device development is optimized for safety and fault
tolerance as opposed to security which isn't ever really tested for; patients
need to be able to submit tons of data in myriad forms; there are few central
clearing houses for transmitting data so people are all calling each other
with minimal validation; etc.

~~~
ethbro
Oh, and you're ultimately sourcing truth from people who are minimally trained
on (and have minimal time for training on) the system.

Because they've spent the last couple decades focused on medical training.

~~~
Scoundreller
And patients that lie / dirty input.

Sure, use cousin x’s coverage. Nobody will freak out when your blood type
doesn’t match the records...

------
jtdev
It seems that hospitals are overly focused on bullshit security frameworks and
box-checking, i.e., HITRUST, which in my experience results in many dollars
going to consultants with essentially zero tangible improvement in information
security. Worse yet, the false sense of security within these hospitals due to
having a HITRUST audit report with a bunch of meaningless check marks
prevents them from actually doing the work of securing information properly.
Have worked in health-tech for a number of years.

~~~
watertom
Cyber security standards are in place to make the process easier to understand
for the non-technical executives, who approve the budgets.

Without the standards the executives don’t know who they should believe, and
invariably they believe the guy who sounds and acts like themselves, which
means he knows as much about cyber security as the executives.

If you know what you are doing regarding cyber security, AND you are doing all
the right things, HITRUST compliance is a cinch.

If you don’t know what you are doing regarding cyber security, HITRUST at
least gives you a fighting chance. But then that’s the rub: if you don’t know
what you are doing, why are you running cyber security?

~~~
lstroud
I think they are intended to be helpful, but they are adopted as CYA that have
the side benefit of improving security.

~~~
TeMPOraL
> _that have the side benefit of improving security_

Sometimes. Other times they have the side effect of worsening security, as
line employees have to deal with bullshit "security" rules and invent
undocumented, untracked workarounds just to be able to do their jobs at all.

------
gen220
I work in health tech (full stack insurance), and sit next to security and IT,
so this is a frequent topic of conversation for us. :)

For some context, this is one of our favorite websites/datasets:
[https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf](https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf).

It is a structured archive of all reported health data breaches, major or
minor, over the last 15 years or so, as reported by the breached entities.
They’re required to report breaches as part of HIPAA compliance, or something
related to it.

It’s a fascinating quilt of stories, with patches for phishing, accidental
email attachments forwarded, and rogue admins. Fun reading. You can also load
it into sqlite and find some interesting results (leakiest companies, states
with most breaches reported, etc).

Hospitals might be a weak spot, but at least their weaknesses are ruthlessly
well documented! As opposed to, say, financial infrastructure which IME is a
similar horror show of monkey patched sftp servers.

Solving this collective technical debt is a massive coordination problem.
It’ll be interesting to see if we ever get there. My suspicion is that the
changes will be driven by monopolistic insurers, if ever, since that’s where
all the money comes from (if you go to a doctor at hospital X, your coinsurance
will be Y instead of Z, because doing business with X is more/less risky due
to their documented data practices). But it’s just a suspicion, this kind of
thing might not be solved in our lifetimes.

------
tyingq
The central IT function in a US hospital also usually has little
organizational power and funding. Admissions, radiology, etc, buy whatever
hardware and software they want, and the underfunded IT department has to
figure it out.

~~~
oneepic
This may vary by hospital, but in general many hospital IT staff tend not to
be very good with computers, from my experience. Many are more focused on
business/bureaucracy, or maybe they're just unskilled. I don't mean to attack
their character, but instead to make the point that some very unqualified
people are in charge of very important systems.

(Edit: My first job was hospital IT for a few months, and my boss was actually
a pretty skilled programmer with a good grasp on security. So there are
definitely exceptions.)

I imagine not many hospitals hire security talent either, or that they do much
security beyond the "change your password" email every 6 months. Oh, and
doctors/nurses/etc tend to ignore those emails.

~~~
sidlls
Agreed with this. IT in hospitals is perpetually underfunded and basically a
playground for creatures of corporate politics. Between administrative staff
who think their medical credentials qualify them to micromanage IT decisions
and perpetually under-funded departments I'm actually shocked that their
systems aren't regularly crippled or destroyed by malicious entities.

Don't assume your medical data is secure. Systems that conform to HIPAA
regulations are just one part of their computing infrastructure, and it's
trivial to maliciously access a huge surface area outside of those specific
pieces of hardware and software--and once a malicious actor has that access,
it's not too hard to cross the gap.

------
Mountain_Skies
Recently saw an ad for an IT support position at a hospital. The list of
potential hazards in the work environment listed in the ad likely scares off
many who have plenty of other employment opportunities. And most hospitals
can't jack up the pay to compensate so attracting good talent is going to be a
problem.

~~~
vkou
> And most hospitals can't jack up the pay to compensate

I find that hard to believe in an age of $100 saline bags, $20,000
childbirths, and 15-minute-long $500 specialist visits.

~~~
Spooky23
Earlier in my career I interviewed for a health IT job that was basically a
director level position. The pay ended up being less than I was making as a
government employee for a smaller scoped job. The government gig was probably
less than an intern makes at a FAANG.

In medicine, doctors are king. Everyone else is a peon.

~~~
pasttense01
Doctors don't feel like they are kings--while they make very good money there
are massive amounts of red tape, filling out Epic...

It's the bureaucrats who are kings.

~~~
JBlue42
My doctor friends confirm. They would rather spend their time on patient care
but have to make a lot more time for the paperwork.

------
einpoklum
"Sky is blue, news at 11:00"...

Of course hospitals are a security weak spot: They're full of sensitive
patient health data shared over computer systems whose users and procurers are
not very security-literate, and often absent-minded about such issues due to
the grinding, stressful work.

------
rolph
Waiting rooms are a gaping hole. Nobody seems to see a problem with blabbing
out your final 4 and first, last name when they're at a desk in a room full of
whoever walked in and sat down.

Unprotected desktops are another issue; there is a tide of duties and an
attacker can pattern the staff and get a good idea when they will have time to
do an inside job of some sort.

~~~
Scoundreller
As with most environments, there’s a lot of trust based in a hospital running
successfully.

At least they have their own on-site security that’s experienced in taking
people down.

I continue to believe the real threats are actual insiders and remote attacks.

Dunno how far someone will get with a USB key versus sending everyone a
plausible email.

~~~
pharrington
You plug in the USB key, then you pull out the USB key.

The physical security layer at a lot of hospitals is almost entirely absent,
sadly.

~~~
chapium
USB keys are blocked mostly these days. There are other huge vulnerabilities
if you have physical access and are motivated.

~~~
Bnshsysjab
From experience in plenty of industries, your statement is incorrect. Most
places suck at security and blocking removable storage, but likewise suck at
far more important controls (eg application whitelisting) for it to really
mitigate much in the first place.

------
bagacrap
It seems the biggest reason they're a weak spot is that the data they store
make them a target. Retailers are also weak on security -- really, I wouldn't
trust any company that wasn't a specialist in the space, i.e. finance and tech
-- but most entities don't know so much about their clientele. Retailers don't
need to keep as much info as they do (aside from profit motives), but
hospitals probably do, so I can see this being a vulnerability that's never
closed.

~~~
sidlls
The data they have are sensitive, but that's just the reason they're a target.
They're a weak spot because of poor security practices, which is due to poorly
managed IT organizations, which is due largely to the egos of administrative
management and poor funding.

------
swader999
So are vet hospitals. At this very moment there's a chance you'll walk into
one that has fallen back to paper records and billing due to a continent-wide
ransomware attack.

[https://www.reddit.com/r/msp/comments/dnd7aq/ransomware_atta...](https://www.reddit.com/r/msp/comments/dnd7aq/ransomware_attack_against_national_veterinary)

From that thread: Avimark is an old style load the EXE from a share program
with a flat file structure for the data. Most clinics are not in a domain,
just workgroup, and the share is read/write access for Everyone. So, yeah.

~~~
heartbreak
It's worse than that thread reveals. NVA was hit by a ransomware attack in
May. They're now in a _second_ attack that began in late October (ongoing).
The latest one was described by CIO Joe Leggio as a "coordinated and
sophisticated" attack in an internal email. He said it was designed to breach
the NVA system specifically and that the attackers had three separate entry
points. Only _this week_ did NVA deploy endpoint security software to every
computer in their 500+ veterinary practices.

Note: Avimark itself is not at fault here. The Avimark issue that the
practices are having is related to NVA not having a solid DR plan with working
backups. Part of the problem there is that because of Avimark's architecture,
most practices have an on-prem server that each workstation RDPs into for
using Avimark. Because this equates to 500 or so Avimark SQL Server instances
spread around the United States, it's perhaps not surprising that NVA's
unsophisticated IT department did not have working backups for each instance.

~~~
imglorp
This sounds ideal for a SaaS. Why is each practice messing around with an IT
dept and SQL and DR when it could be hosted and managed at low cost for all of
them at once?

~~~
heartbreak
The industry has been really slow to move to SaaS. Avimark's primary
competitor has a strong SaaS offering with Idexx Neo [0], but NVA requires the
practices they buy to switch to Avimark.

[0] [https://www.idexx.com/en/veterinary/software-services/neo/](https://www.idexx.com/en/veterinary/software-services/neo/)

------
keiferski
I feel like _Mr. Robot_ may have highlighted this fact (along with others) to
the general population rather effectively.

[https://www.youtube.com/watch?v=g6gG-6Co_v4](https://www.youtube.com/watch?v=g6gG-6Co_v4)

------
crispyambulance
Given the state of cybersecurity right now, is there any organization or
domain AT ALL which is strong and model-worthy when it comes to cybersecurity?

~~~
cm2012
Big tech. Google, especially.

~~~
xyst
To be honest, Google is the last company I want handling my health data. If
you don't check the right boxes, it could end up being "anonymized", and sold
off.

~~~
baroffoos
Google is very good at precisely controlling what happens to the data. You
never hear about some huge leak where 1B google accounts had their whole data
taken.

~~~
dredmorbius
There _have_ been two reported Google breaches, both small.

[https://www.oag.ca.gov/privacy/databreach/list?field_sb24_or...](https://www.oag.ca.gov/privacy/databreach/list?field_sb24_org_name_value=google&field_sb24_breach_date_value%5Bmin%5D%5Bdate%5D=&field_sb24_breach_date_value%5Bmax%5D%5Bdate%5D=)

Curiously, the "data breach" for which Google+ was supposedly shut down ... is
not listed.

------
adamnemecek
Everything in the US is targetable. The main problem is that, say, the
power/health/<fundamental infrastructure> are all managed by 1000 different
companies who are all at different wavelengths as far as OPSEC.

------
z3ugma
For those interested, I wrote a primer on M aka MUMPS at
[https://learnxinyminutes.com/docs/m/](https://learnxinyminutes.com/docs/m/)

------
aasasd
Possibly in one part because I see people on freelancer marketplaces making
software for hospitals, with job budgets of a couple hundred bucks. I'm ok
with freelancers in general, but I feel that integrating code from disparate
small jobs while keeping security in mind isn't gonna be so simple.

------
alwillis
I’m an IT guy; I cringe almost every time I interact with the healthcare
system.

I could pile on; all I want for now is encrypted and signed email with my
doctors. I have an S/MIME certificate; can’t see why the IT staff at the
hospitals I deal with can’t make sure my doctors have the same.

~~~
burnte
Because doctors are spoiled children. We're rolling out keyfobs for 2FA for our
e-prescribe solution, but I'm keeping the fobs because I KNOW the docs will
forget them/lose them. Docs only get soft-tokens on their phones because they
never forget their phones.

------
dang
A different hospital/security thread from a couple days ago:
[https://news.ycombinator.com/item?id=21483337](https://news.ycombinator.com/item?id=21483337)

------
Classicaldj34
How do they store their data? Why don't they use private clouds?

-Duple? [https://www.duple.io/en/](https://www.duple.io/en/)

-Nextcloud? [https://nextcloud.com/](https://nextcloud.com/)

~~~
chapium
IBM, Cerner, Dell