
Ask HN: Why is my healthcare data not more protected? Epic Systems installs - rwoll
Many major healthcare providers use Epic Systems (https://www.epic.com/) software to manage patient records. At about half a dozen independent institutions, I've watched receptionists and Drs go from logging in to Epic (which contains all my and other patients' health records, clinician notes, test results, etc.) to Facebook or email or general internet browsing. This smells and seems to be one phishKit or rootkit away from putting people's health data at risk.

Why are these systems not airgapped or at least run on dedicated, restricted devices and networks that only allow Epic Systems activities?!
======
wallflower
One of my friends works in healthcare. She told me once about how a coworker
who worked at the hospital had gotten a certain test done there. This coworker
looked up their results through the healthcare information system, and they
were brought in to their supervisor to explain why they committed a violation
of the hospital system's HIPAA rules. In some hospitals, this might not be a
violation and, in fact, allowable.

My answer is that any rootkit or phishing scheme that attempted to exfiltrate
data from a client terminal would be detected by all the deeply-ingrained
automated and formal procedures and systems for monitoring/auditing/alerting
of access and usage of the healthcare information system. Also, depriving the
doctors and nurses of Facebook/website browsing would probably be a net
negative for morale, most especially in these trying times of COVID-19.
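Added example (not from the thread, and not Epic's own tooling): the kind of access-log review the comment above relies on, run over constructed records. It flags the two patterns mentioned in this thread, a staff account opening its own chart and one account pulling an unusual number of distinct patient records in a short window. Record format, thresholds and the staff-to-patient mapping are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access records: (timestamp, user_id, patient_id, action).
ACCESS_LOG = [
    ("2020-04-01T09:00:00", "u_smith", "p1001", "view"),
    ("2020-04-01T09:01:00", "u_smith", "p2201", "view"),   # u_smith opening own chart
    ("2020-04-01T09:02:00", "u_jones", "p1002", "view"),
    ("2020-04-01T09:02:30", "u_jones", "p1003", "view"),
    ("2020-04-01T09:03:00", "u_jones", "p1004", "view"),
    ("2020-04-01T09:03:30", "u_jones", "p1005", "view"),
    ("2020-04-01T09:04:00", "u_jones", "p1006", "view"),
    ("2020-04-01T09:04:30", "u_jones", "p1007", "view"),
    ("2020-04-01T10:30:00", "u_lee",   "p1008", "view"),
]
# Constructed (hypothetical) mapping of staff accounts to their own patient IDs;
# a real deployment would source this from HR/registration data.
STAFF_PATIENT_IDS = {"u_smith": "p2201"}

def find_self_access(log, staff_patient_ids):
    """Return (user, timestamp) pairs where a staff account opened its own chart."""
    return [(user, ts) for ts, user, patient, _ in log
            if staff_patient_ids.get(user) == patient]

def find_bulk_access(log, max_distinct=5, window_minutes=5):
    """Return {user: peak distinct patients} for accounts that touched more than
    max_distinct distinct patient records inside any window of window_minutes."""
    per_user = defaultdict(list)
    for ts, user, patient, _ in sorted(log):          # ISO timestamps sort chronologically
        per_user[user].append((datetime.fromisoformat(ts), patient))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, events in per_user.items():
        recent = deque()                              # sliding window of (time, patient)
        for t, patient in events:
            recent.append((t, patient))
            while recent[0][0] < t - window:          # drop events older than the window
                recent.popleft()
            distinct = len({p for _, p in recent})
            if distinct > max_distinct:
                flagged[user] = max(distinct, flagged.get(user, 0))
    return flagged

if __name__ == "__main__":
    print("self-access:", find_self_access(ACCESS_LOG, STAFF_PATIENT_IDS))
    print("bulk access:", find_bulk_access(ACCESS_LOG))
```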

~~~
giantg2
Have you ever heard of defense in depth? You need multiple layers of
protection. Plenty of healthcare facilities have been hit with ransomware in
recent years. This can happen from opening email or social media attachments,
among other things.

Not using Facebook is standard for any profession and will surely get you
fired at many companies (like the one I work at). They could use their
smartphone on their break for internet.

The sort of security indifference or ignorance the OP describes is actually
quite common in healthcare. I know someone who works in IT at a hospital and
he would tell me about what a nightmare it is to have medical staff follow
commonsense security protocols (ironic since the medical profession is all
about following established protocols).

