
The assault on neurosurgeons’ privileges by software and bureaucrats - soundsop
http://blogs.law.harvard.edu/philg/2015/12/07/brain-surgeon-tortured-by-software-developers-and-hospital-bureaucrats/
======
vonklaus
> ‘Fuck Off 45. He hates computers.’

> ‘Why forty-five?’

> ‘It’s the forty-fifth month since we signed onto that hospital’s system and
> one has to change the password every month,’ Caroline replied.

Every month is a little aggressive as a timeline. Also, stop making users do
your bizarre regex passwords.

* include caps

* include numbers

* include symbol

* eight characters

* must be recursive backronym

Also, stop trying to keep password requirements secret. I am sick of this
guessing game. I can relate to Mr. Johnson's total indifference to the system.

~~~
serge2k
If you don't, you end up with bad passwords.

Maybe we should just get rid of the damn passwords and replace them with a
system that makes it easier to remember and use without compromising security.
At the very least one password + a smartcard system would be way easier. You
enter your password once then you just have to swipe your card when you login
to another system.

~~~
gozo
Not entirely sure why you're being downvoted. Sun terminals have had smartcard
access for, what, 15 years? (Yes, for hospitals). It's a good idea. Some sort
of complementary directional RFID might be even better.

E.g.
[https://www.youtube.com/watch?v=R497CzmKyVQ&t=38s](https://www.youtube.com/watch?v=R497CzmKyVQ&t=38s)

~~~
epistasis
Pretty sure he got downvoted because of this canard:

>If you don't you end up with bad passwords.

This is a terrible fallacy that has brought so much pain on the world. The
rate of bad passwords is probably not so different, but the rate of
frustration is so much higher.

~~~
unprepare
Were these regulations created at a time when brute force password cracking
was a legitimate concern?

Password policies do definitely raise the entropy of the passwords, so if the
attack vector you're concerned about is entropy sensitive, it's a decent
strategy.

As someone who has had to enforce such password policies many times, I can say
that it's almost always because of some regulatory or certification
organization that requires complex policies.

------
engi_nerd
Most working professionals who aren't software developers suffer through this
in some way or another. I mean, heck, let me count up all the passwords I need
to do my job:

* A password for the account request system

* A password for the internal services system

* My email password

* My password for the local network

* My password for the product management system

* Pass for the old product management system that we still use

* Pass to the online drawing and document retrieval system

* Password to control room computer systems

* Various maintenance laptop user names and passwords

* Various passwords to systems I'd rather not mention, call them about 10 in total

That's 25 to 30 passwords, total, that I need to remember and use on a regular
basis. I've given up NOT writing them down. And IT won't give me any kind of
secure password manager, so I resort to a password protected Excel
spreadsheet. And I'm not alone.

~~~
javajosh
Might I at least suggest using an easy-to-execute algorithm that you can apply
to your note to turn it into a real password? There are many options, from
adding a prefix, a suffix, adding a small integer to every number, or some
combination of these. This, I think, is about as secure as you can get since a
targeted attack would just install a keylogger and be done.

~~~
pdkl95
[https://www.schneier.com/blog/archives/2005/06/write_down_your.html](https://www.schneier.com/blog/archives/2005/06/write_down_your.html)

Even with an algorithm, you're still relying on human memory. As Schneier and
others have been recommending for a long time, _write down your passwords_.
People already understand some amount of _physical_ security, which is
knowledge that can be utilized for password storage.

As long as human memory is the weakest link, password strength will always be
_de facto_ limited to the amount of entropy that a human can reasonably
memorize. Unfortunately, brute-force password cracking capabilities flew past
that limit a long time ago.

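To put numbers on the policy vonklaus lists, on unprepare's claim that such policies raise entropy, and on pdkl95's point that human memory caps the entropy a password can carry, here is an added example written for this page; it is not code from the thread, from any hospital system, or from any vendor named here. It checks a password against a typical must-contain policy, counts the compliant 8-character space exactly by inclusion-exclusion, and compares it with Diceware-style passphrases. The 1e10 guesses/second figure is an assumption standing in for an offline GPU attack on a fast hash, not a measurement, and the policy entropy is an upper bound that assumes uniformly random selection, which people under such policies do not do.

```python
import itertools
import math
import secrets
import string

# Added example for this discussion; not code from any system or commenter
# in the thread. Character classes of a typical "must contain" policy over
# the 95 printable ASCII characters.
CLASSES = {
    "upper": string.ascii_uppercase,      # 26
    "lower": string.ascii_lowercase,      # 26
    "digit": string.digits,               # 10
    "symbol": string.punctuation + " ",   # 32 punctuation + space = 33
}
ALPHABET = "".join(CLASSES.values())      # 95 characters
MIN_LENGTH = 8


def check_policy(password: str) -> list:
    """Return the names of the rules `password` fails; an empty list means
    it satisfies the policy (one of each class, at least MIN_LENGTH)."""
    failed = [name for name, chars in CLASSES.items()
              if not any(c in chars for c in password)]
    if len(password) < MIN_LENGTH:
        failed.append("length")
    return failed


def compliant_count(length: int = MIN_LENGTH, class_sizes=None) -> int:
    """Exact number of strings of `length` over the alphabet that contain at
    least one character from every class, by inclusion-exclusion over the
    set of classes that are absent."""
    sizes = list(class_sizes) if class_sizes else [len(c) for c in CLASSES.values()]
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for absent in itertools.combinations(sizes, k):
            count += (-1) ** k * (total - sum(absent)) ** length
    return count


def policy_bits(length: int = MIN_LENGTH) -> float:
    """Entropy (bits) of a uniformly random policy-compliant password. This
    is an upper bound: human-chosen passwords cluster far below it."""
    return math.log2(compliant_count(length))


def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy of `words` words drawn uniformly from a word list; 7776 is
    the size of a Diceware-style list."""
    return words * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random secret of `bits` entropy:
    on average half the space is searched before the hit."""
    return 2.0 ** bits / guesses_per_second / 2


def generate_compliant(length: int = MIN_LENGTH) -> str:
    """Rejection-sample a uniformly random compliant password from the OS
    CSPRNG; about 46% of random 8-char strings pass, so the loop is short."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def summary(guesses_per_second: float = 1e10) -> dict:
    """Compare the 8-char policy space with short passphrases. The guess
    rate is an assumption (offline attack on a fast hash), not a measurement."""
    p8 = policy_bits(8)
    year = 3600 * 24 * 365
    return {
        "policy_8_bits": round(p8, 1),
        "policy_8_hours": round(expected_crack_seconds(p8, guesses_per_second) / 3600, 1),
        "four_words_bits": round(passphrase_bits(4), 1),
        "six_words_bits": round(passphrase_bits(6), 1),
        "six_words_years": round(expected_crack_seconds(passphrase_bits(6), guesses_per_second) / year, 1),
    }


if __name__ == "__main__":
    print(check_policy("password"))   # ['upper', 'digit', 'symbol']
    print(generate_compliant())
    print(summary())
```

The inclusion-exclusion count shows the must-contain rules actually remove about half of the 95^8 space (roughly 1.1 bits), so a uniformly random compliant 8-character password sits near 51 bits, about the same as four random Diceware words, and at the assumed rate falls to an offline attack in a couple of days; six random words are out of reach at any plausible rate. None of this applies to online guessing behind a lockout, which is where the monthly-rotation policy in the post is presumably aimed.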
------
baldfat
> " They sent the scan on a CD but because of that crap from the government
> about confidentiality they sent two taxis."

It's not that they sent the scan over the internet; they had to copy the scan
onto a CD and rush it over to the hospital.

SORRY, BELOW is a comment I did this week and it seems just as appropriate.

Here is the discussion on Open Source Software for Developing World Hospitals
[https://news.ycombinator.com/item?id=10675275](https://news.ycombinator.com/item?id=10675275)

My old comment is still relevant. Another story about my journey with my son
while he battled cancer. Closed, proprietary image formats and systems HURT
patients. We used the local hospital for chemo and everything else at the
Children's Hospital 1.5 hours away for his legs and lungs. I would always have
to wait 20-30 minutes to get a DVD of the studies (PET, CT scan or MRI, even
ultrasound, but those are worthless) and then bring them to the doctor. The
doctor would be forced to use whatever portable image viewing program came on
the DVD, and then they had to be sent to the IT department to be imported into
their system. We would be there to remove some horrible tumor, but before half
his surgeries (I can't count how many surgeries he had) we would have to go in
the day before (3 hour round trip) to get the expensive scan done again. One
time I had a scan at 11 PM - midnight, then drove home around 2 AM and was
back at the hospital at 7 AM to check in for a 10 hour surgery. ALL BECAUSE
THE FORMATS ARE CLOSED and SYSTEMS could not connect so that my son's records
were the same everywhere. I carried 20 DVDs with me all the time just in case.
In case you are wondering, my son unfortunately passed away after almost 5
years of fighting. If you are ever interested in giving to a cancer society
please consider stbaldricks.org. Most charities give 0% or 2% to pediatric
research and that is why we went over 20 years without a new chemo for
children till last year, when St Baldrick's funded the research for this
amazing new drug to fight a different type of cancer, one my son did not have.

------
officialchicken
Nothing surprising here. Far and beyond IT, surgeons possess a rare and special
type of ignorance... typical of your average over-powered decision maker with
not enough time to understand or other incentives to make good IT decisions.
This is really, really common in health IT, and not rare at all, but here
it's presented in the form of an over-entitled surgeon. Some people seem to
think that "brain surgeon" is supposed to add gravitas to any conversation, in
terms of understanding or something... but your average QA person is 1000x
more likely to make a better decision than a surgeon, when it comes to IT.

And the source of the problems in this article? The legal dept. So please
don't blame this one on anyone in IT.

~~~
parasubvert
My take away is close to the opposite, having worked around healthcare IT for
many years. Systems are antiquated, un-integrated, use archaic and proprietary
languages and databases, and the lack of cohesive design for usability
encourages most clinicians to keep using paper.

IT as currently and usually practised, especially in a healthcare environment,
is also mostly a disaster in terms of value for expenditure. $2 billion for an
Epic system in a regional hospital system... Which was obsolete before it was
installed. Heck, the Deutsche Bank SAP core banking replacement only cost $1
billion.

Much of the "oh but it's regulated" excuses are just that, excuses to be
ignorant and stay stuck in the 1970s.

It doesn't have to be this way, but it requires a lucky administration to find
a way out of the mess given the market for lemons in IT management and systems
integrators in healthcare.

Open source and Cloud solutions (from an operating model perspective way more
than technology) appear to be the only way out of this mess of "your mess for
less" IT because it lifts the veil of sales, consultant-speak, and opaque RFP
processes in favor of actually-working-and-reliable software that anyone can
see and touch.

~~~
AnthonyMouse
> Much of the "oh but it's regulated" excuses are just that, excuses to be
> ignorant and stay stuck in the 1970s.

It is actually a serious problem.

You have a bunch of apparently sensible rules with apparently reasonable
justifications, but without a holistic understanding of what those rules cost
in terms of engineering and design trade-offs. Then compliance prohibits the
use of commodity components not designed with those specific requirements in
mind, which requires everything to be custom for the industry at extreme cost,
which in turn impairs competition and allows the vendors who do pay all the
compliance lawyers to sell low quality software for big money.

And it's not clear how open source or cloud would solve any of that, other
than possibly through some kind of regulatory avoidance shell game, which
sounds more like a loophole than a solution.

~~~
gozo
While that's true, many commodity components also currently don't live up to
the real requirements of those environments. I have a number of friends who
work with enterprise Linux deployments. They are all doing very well
financially.

------
viraptor
> ‘I’m not starting a big meningioma at 4 p.m.,’ she declared, turning towards
> me. ‘I’ve got no childcare this evening.’

Without knowing what a "big meningioma" involves, I can only imagine it's
something like doing a tricky, manual deployment on Friday afternoon. In that
case no, this is a completely reasonable response. People have lives outside
of work. Yes, "In the pre-modern NHS consultants never counted their hours –
you just went on working until the work was done.", but that doesn't mean it's
a good thing. In pre-modern factory days people of any age worked the whole
day, 6-7 days a week. It doesn't mean it's a good idea to do it now.

~~~
OopsCriticality
> this is a completely reasonable response. People have lives outside of work.

For someone in IT, perhaps, but the professional expectations in medicine are
starkly different (although they are admittedly growing more lax, to the
chagrin of the old guard). In this particular case, the geriatric meningioma
patient had already been cancelled on once, rescheduled with the promise of
being the first procedure of the day, and then delayed to the end of the day
because she tested positive for MRSA and they needed to do a decon of the OR
after her procedure. You would seem to find it reasonable to reschedule her
yet again, but neurosurgeons don't have much room in their schedules to play
scheduling games with, and in general, patients aren't undergoing elective
brain surgery for the fun of it: they need it now.

Perhaps the IT analogy is that neurosurgery is largely a hard real-time
system: you must execute within a given time window or you fail.

~~~
viraptor
> You would seem to find it reasonable to reschedule her yet again

No, I find it unreasonable that not everyone knew the schedule beforehand, or
that someone who knew about it didn't raise it as a problem. This should never
happen right before the operation. At that point it's too late and it's on
everyone to deal with the situation at hand. What I'm pointing out is that if
the plan was a surprise then it's completely understandable that someone says no.

As for solutions, it depends on a hospital, location, patient's state,
available team, etc. Lots of possibilities. (BTW, anyone shouting at anyone
else is not even close to a solution)

~~~
doktrin
> BTW, anyone shouting at anyone else is not even close to a solution

It may not be a solution you approve of, but I've witnessed plenty of cases
where managers have effectively bullied their subordinates into doing work
they otherwise wouldn't want to do.

~~~
ryanmarsh
In matters of life and death a little bit of yelling can go a long way.

~~~
doktrin
Truth. When the stakes are that high, at least some tolerance of discomfort is
necessary.

------
kendallpark
As a programmer in my first year of med school, I can only confirm the
frustrations with medical software. As someone that gives a damn about
usability/UI/UX, most (all?) EHR systems make me want to bang my head against
a keyboard.

I honestly don't know how long I will be able to practice medicine before
deciding that I can build something better (as foolhardy a notion as that is).

~~~
smt88
> _before deciding that I can build something better_

It's very likely that something better already exists. The reason you use
something terrible is because "better" does not result in adoption. Personal
relationships, salespeople, and marketers drive adoption, not the quality of
the actual product.

~~~
kendallpark
Right, but if I have control over my practice, I also control what EHR I use.
No idea if I'll end up in private practice, but there's always that
possibility.

~~~
bbarn
Right up until insurance companies won't pay you unless you file using a
compliant system. This isn't a tech problem.

~~~
kendallpark
That's not how meaningful use works. You can use paper for all you care,
you're just going to take a hit financially from the government (and many do).
You can use whatever electronic system you want as long as it all adds up to
meaningful use. The insurance companies have nothing to do with this.

------
bobbles
I love how "mediocre software developers" are called out in the header, but
then it goes on to list about 10 different people in different roles that are
causing actual problems, all systematic, where a developer would make no
difference whatsoever.

------
bagacrap
I find it somewhat distasteful that a doctor would compare an obese patient to
a whale while implying it's less worthwhile to treat them than other patients.
It's not the job of medical professionals to pass moral judgment.

~~~
chrismartin
What if he were complaining about an influx of smokers with emphysema or
alcoholics with liver cirrhosis? Doctors are justified in their frustration
with the preventable burden that lifestyle diseases impose on their
profession.

------
such_a_casual
This is what happens when people create systems they don't have to use
(software or otherwise).

~~~
baldfat
No, this is what happens when people create systems over things they don't
have experience in nor understanding of how things work.

------
SeanDav
Very frustrating, I agree. I have another medical computer system horror story
- Did you know that the UK National Health Service spent 12 _Billion_ pounds
(18 Billion USD) on a computer system and ended up with....nothing to show for
it!!!

~~~
taberiand
On the other hand, sweet consulting gig if you can get it.

~~~
grrowl
This is the problem. The "if you can get it" translates to "if your company
has a huge request-for-tender team dedicated to shmoozing your way into these
kinds of contracts".

Add to it that the whole tech-health ecosystem is scorched earth after
countless clueless contractors have blown their way through it (earning tens
of millions of pounds and so on in the process), and it's not a great
environment for trust, innovation, or making your way through everything to a
real-world-usable result.

------
bootload
_"... I envy the way in which the generation who trained me could relieve the
intense stress of their work by losing their temper, at times quite
outrageously, without fear of being had up for bullying and harassment. ..."_

Toxic work environments in surgery are on notice in Australia: _" Doctors must
stand up to the ‘cowardice’ that is ignoring bullying"_ Victoria Atkinson, SMH
~ [http://www.smh.com.au/comment/doctors-must-stand-up-the-cowardice-of-ignoring-bullying-20151202-gldgyl.html](http://www.smh.com.au/comment/doctors-must-stand-up-the-cowardice-of-ignoring-bullying-20151202-gldgyl.html)

------
JabavuAdams
Was at a party with a group of friends who are physicians, surgeons, and
medical researchers. It struck me: we software types are so fucking arrogant.
I was definitely not the smartest person in the room, and yet I could see IT
and CS types mocking these people for their relative computer illiteracy. You
know, the people who are actually saving lives every day instead of figuring
out how to distract (er, engage) and bilk (er, monetize) people.

~~~
aianus
Speak for yourself. I don't know anyone in med school who would have cracked
the top quartile in my math/CS courses.

Doctors aren't smart, they're just friendly keeners with something to prove to
their helicopter parents.

Edit:

> You know, the people who are actually saving lives every day instead of
> figuring out how to distract (er, engage) and bilk (er, monetize) people.

Very few doctors do anything of the sort. Most of them just charge you $100+
to tell you what you already knew and write you a scrip or a referral.

~~~
JabavuAdams
> Doctors aren't smart, they're just friendly keeners with something to prove
> to their helicopter parents.

See, that's what I mean. I wasn't writing about the general population of
doctors, I was writing about the specific doctors who were in the room with
me, who you so arrogantly dismiss.

It's really an ugly and limiting mindset.

------
nickysielicki
I live in Madison, where Epic is stationed. I run into a lot of people that
work there.

They hold the records of over 50% of the US. It's pretty scary when you think
about it.

~~~
officialchicken
I just don't think that's true, but I'd love to be wrong.

At any given time 1/3rd of the user-base is dead... and it's growing because
the data has to remain in the system for 60 months (HIPAA). It's not scary
because it's B.S... No single health provider or group of providers in the
world is close to having access to 125 million active patient-users on an
annual basis.

Until Epic discloses any numbers in their 10Q/10K, realize that they're
probably talking about "rows" in a db table or nonesuch, not actual patients
or anything that will get them in trouble with the SEC/FDA.

I'd guess the reality is Nike is much closer in having shoes on half of the US
pedestrian population than Epic having HL7/PII data.

~~~
nickysielicki
> Health care groups using Epic electronic health records serve 54 percent of
> patients in the U.S. and 2.5 percent of patients worldwide, CEO Judy
> Faulkner said at Epic’s users group meeting in September.

Source: [http://host.madison.com/news/local/govt-and-politics/epic-systems-draws-on-literature-greats-for-its-next-expansion/article_4d1cf67c-2abf-5cfd-8ce1-2da60ed84194.html](http://host.madison.com/news/local/govt-and-politics/epic-systems-draws-on-literature-greats-for-its-next-expansion/article_4d1cf67c-2abf-5cfd-8ce1-2da60ed84194.html)

You're probably right though. It's still scary to think that it's possible for
them to be centralized to that degree at all.

------
sopooneo
All systems within a medical establishment should be forced to work with a
single-sign-on system. That might sound like a lot of effort for a small
improvement, but I believe it would be the single highest value change that
could be made.

------
dbwest
I see opportunity. Let's make this better.

~~~
LoSboccacc
Hire redundant staff and organize shifts? His frustrated tantrum is wildly
misdirected.

Anyway good luck with that. It's a job that comes with massive liabilities,
unprecedented complexity and loads of political infighting.

------
yeison
Everything that Epic touches turns to dust.

------
marshray
When I read the title I was thinking something different.

Torture is a real and a nightmarish thing, and in this ever shrinking world of
ours, we (i.e., Westerners) can no longer think of such horrors as existing
only for other people in faraway lands.

Am I the only one who's a bit uncomfortable tossing around the term to apply
to a well paid professional who's facing bureaucratic inefficiencies at work?

Or am I just being a sensitive ninny-nanny?

~~~
grrowl
If someone is literally dying in your duty of care because no one can access
any patient records, that sounds torturous to me. A bit like the Stanford
prison experiment, but replace the guards with IT contractors, and the
prisoners with surgeons, doctors, and nurses.

~~~
marshray
Doctors, particularly trauma and tumor surgeons, have dying patients all the
time.

Often there are additional treatments available but for resource constraints.
Ordinary folk die of heart disease every day, but somehow Dick Cheney lives on
with an artificial heart.

I know being a doctor can be quite a stressful job and requires a certain
class of personality. But still it has gone with the territory of being a
doctor since the beginning of civilization.

~~~
codyb
Well perhaps that is true, but having someone who is dying because the
surgery is failing is a bit different from someone who's dying because you
can't remember some login's passcode.

And of course then these delays compound over time and adversely affect the
entire system.

Designing good software which meets government legalese constraints (which are
guaranteed to be absurd in certain instances, in wording and nature, while
others will make perfect sense and still be just as hard to implement) in
extremely complex situations (health care systems with millions of users, an
outstanding number of providers of different sizes, with different conditions
and medications, and the stringency of the privacy requirements).

That's tough.

It'll be really neat to see the progression of software through time. It'll be
neat if what we see today is the Model T to the Tesla (X?) of tomorrow (+~110
Years).

