> ‘It’s the forty-fifth month since we signed onto that hospital’s system and one has to change the password every month,’ Caroline replied.
Every month is a little aggressive as a timeline. Also, stop making users do your bizarre regex passwords.
* include caps
* include numbers
* include symbol
* eight characters
* must be recursive backronym
Also, stop trying to keep password requirements secret. I am sick of this guessing game. I can relate to Mr. Johnson's total indifference to the system.
Yes, that happens at my work - most workers have post-it notes on the side of their monitors with various passwords written down - real secure.
Anything requiring permissions, passwords, group policy etc is a complete nightmare. I had this gem when I emailed Information Services this morning.
My email:
"XXX has left the company and I've taken over their role. Can you please remove them as Owner of the following sharepoint site: YYY and make me the Owner instead."
IS's reply:
"Please fill out a trouble ticket *"
I proceeded to fill in a digital form; 2 hours later I got a terse reply.
"Hi ZZZZ, please contact the owner of site YYY and get them to adjust your permission. We are now closing your ticket."
Assuming at least some users are going to write down their passwords, I wonder if it would be appropriate to show them more secure ways to do that. Unfortunately, my "better" way is to stuff the sticky note in my wallet.
If I could find a device (w/ touch or keyboard for input) that fit into my pocket and has no wireless capabilities, then I would probably use that as a password manager.
In this case the people who need to be educated are the sysadmin. You need to make your password policy more inspired by this XKCD https://xkcd.com/936/ than by forcing incredibly hard to remember passwords.
... when the policy is to change your password every quarter, and include a mix of case and punctuation, the policy is to use the season, the year, and an exclamation point.
I worked at a place where you could log in to just about anyone's account because our managers literally told us to take this approach so that we'd be less likely to forget what our password was.
One of the hospitals I rotate in has solved this by having you physically scan your nametag (just like unlocking any of the doors) to log in, log out, and whenever else your credentials are needed. It works pretty well, and no passwords to remember once it's set up.
Maybe we should just get rid of the damn passwords and replace them with a system that makes it easier to remember and use without compromising security. At the very least one password + a smartcard system would be way easier. You enter your password once then you just have to swipe your card when you login to another system.
You end up with bad passwords anyway (like Fuck Off 45). Or you end up with everyone using the same account, or post-it notes with passwords, or notebooks with passwords, or an email draft with passwords.
I've seen smartcards have the best impact. Yeah sure they can be swiped or forged, but compared to the real, effective security of passwords, they're much better. You also can't lock yourself out of a smartcard system. You can forget your card at home, but it's easy to just reissue a new card and invalidate the old one (throw it away when you get home, it's just a hunk of plastic now).
Not entirely sure why you're being downvoted. Sun terminals have had smartcard access for, what, 15 years? (Yes, for hospitals). It's a good idea. Some sort of complementary directional RFID might be even better.
Pretty sure he got downvoted because of this canard:
>If you don't you end up with bad passwords.
This is a terrible fallacy that has brought so much pain on the world. The rate of bad passwords is probably not so different, but the rate of frustration is so much higher.
Were these regulations created at a time when brute force password cracking was a legitimate concern?
Password policies do definitely raise the entropy of the passwords, so if the attack vector you're concerned about is entropy sensitive, it's a decent strategy.
As someone who has had to enforce such password policies many times, I can say that it's almost always because of some regulatory or certification organization that requires complex policies.
Adding radio as a primary component in a security system is always going to be a bad idea. Security is hard enough without adding in the possibility of 3rd parties hearing the protocol - or worse.
> directional
A common misunderstanding of radio is the belief that it can be contained in an area. Unless you're building a proper Faraday cage (which is hard), the ability to hear a transmission often depends on the receiving antenna.
For convenience without involving radio, one simply has to get creative. Something like the (defunct) Java Ring[1] would allow most of the ease-of-use of RFID (possibly with a simple proximity sensor for auto-logout, if needed).
> Security is hard enough without adding in the possibility of 3rd parties hearing the protocol
Asymmetric encryption is not that hard. In fact, you were using it while complaining about the problem it solves.
> Garaday
Faraday.
> the ability to hear a transmission often depends on the receiving antenna
So even if you somehow get past the asymmetric crypto you need RF expertise and a special antenna to mount the attack from more than a foot away? And not even a special antenna beyond a few miles? I'd call that "defense in depth," not a flaw.
...doesn't protect against everything. Not letting people hear the asymmetric encryption is even better.
> special antenna
Cantennas are easy, and you should never underestimate the amount of technology people will throw at an attack. Consider, for example, the people that made ATM shims that captured the card data while recording the PIN being entered on the keypad.
> "defense in depth"
Defense in depth would be using crypto while requiring a physical connection.
> smartcard
A smartcard is fine - my argument is against RFID. A card that requires an electrical or inductive connection isn't going to leak everything over the radio.
My suggestion of "digital jewelry" is merely an example of how the form of the smartcard is flexible. Creativity in this area could allow for some easier to use devices, which could be important in places like hospitals.
But it does protect against the exact threat model you proposed.
> Defense in depth would be using crypto while requiring a physical connection.
> Consider, for example, the people that made ATM shims that captured the card data while recording the PIN being entered on the keypad.
How about you consider it?
Building a facade to intercept physical communications is very much on par with building increasingly large, awkward, and expensive antennas in terms of difficulty barriers (especially if you need enough polish to blend in). I'm a ham, I would know. I'm not sure why you are so insistent on drawing the line between these two particular techniques.
> A card that requires an electrical or inductive connection isn't going to leak everything over the radio.
Are you familiar with the distinction between near-field and far-field? Because both RFID and smartcards span that distinction while you just tried to draw a line down the middle.
> A smartcard is fine - my argument is against RFID.
Many (most?) smartcards communicate over RF. Your argument (and my rebuttal) was about
> Adding radio as a primary component in a security system
not the RFID technology in particular. So do you or don't you think RF communication in a security device is an inherent problem in and of itself?
> But it does protect against the exact threat model you proposed.
Encryption doesn't protect against traffic analysis. Knowing someone is present or that some device is in use is significant information.
Does the device you are proposing authenticate the reader before transmitting anything? If not, it's not particularly difficult (probably by modifying a reader) to test if people have a security device on them. That only requires a ping, no crypto needed.
> I'm a ham
I used to be, for many years. (I wish I had more time for such things these days)
> large, awkward, and expensive antenna
That depends entirely on what you want to do. If you want to read the entire crypto transaction from the next building, then yes, an expensive antenna[1] will be required. If I just want to detect who is carrying a security device, you won't need a particularly accurate antenna - it just needs to have a decent gain.
My point with that example is that it's never a good idea to underestimate how much time and effort people will put into an attack. If criminals can add a man-in-the-middle chip piggybacked onto a chip-and-pin smartcard[2], they can make a decent cantenna.
> So do you or don't you think RF communication in a security device is an inherent problem in and of itself?
RF is an extra risk that should be avoided whenever possible for security devices, especially when effective alternatives are available.
In your linked video about the hospital, the smart card was slotted into a reader. This would work well and has no need for RF. It's certainly a far better solution than memorizing bad passwords.
I had this thought years ago. A smartcard coupled with a biometric seems easier to use and more secure.
Even just a card. You can only have one per person (as opposed to passwords, which can have infinite copies and are likely to be unknowingly compromised), and if a card is lost, it can be expected to be replaced shortly, so long as the replacement process is painless, which seals the leak.
Most working professionals who aren't software developers suffer through this in some way or another. I mean, heck, let me count up all the passwords I need to do my job:
* A password for the account request system
* A password for the internal services system
* My email password
* My password for the local network
* My password for the product management system
* Pass for the old product management system that we still use
* Pass to the online drawing and document retrieval system
* Password to control room computer systems
* Various maintenance laptop user names and passwords
* Various passwords to systems I'd rather not mention, call them about 10 in total
That's 25 to 30 passwords, total, that I need to remember and use on a regular basis. I've given up NOT writing them down. And IT won't give me any kind of secure password manager, so I resort to a password protected Excel spreadsheet. And I'm not alone.
Single sign on solutions don't work when some of the systems you sign on to are air-gapped and will never, ever, EVER be connected to any network. Other networks I access are completely separated from the greater internet. It would be useful, but single sign on would take my 25-30 passwords and shrink it to about 15.
Which would be useful but would still require me to keep track of them manually.
Try convincing the US government of that. I wish you luck (I really do). Trying to educate program security people on computers is one of the banes of my existence.
I have one password for the Corporation (email, VPN, various online databases, dashboards and wikis). I have another one just for requesting vacation time, because that system is run by the Corporation that owns the Corporation I work for.
Then there's the password for timecards (outsourced to another company), goal setting and training (outsourced to another company), 401k, medical insurance and, just because, another company (that isn't our medical insurance) for handling prescriptions.
Our Corporation has one password expiration timeframe (90 days but not really because they start nagging two weeks prior and won't shut up until you change the password) and the Corporation that owns The Corporation has another timeframe (60 days, but again, they start bitching about two weeks prior) and of course, all these sites have their own ideas about "secure passwords."
Weren't certificates supposed to deal with all this?
Wait ... don't answer that. I don't think I want to know the answer.
You know what's better than single-signon? Two SSO systems! It's fantastic. Not only do you have to remember which backend each system uses, but it actually makes it harder to remember passwords for systems that don't use SSO.
Especially the ones that are used irregularly (annually, quarterly), so SSO isn't a priority.
Might I at least suggest using an easy-to-execute algorithm that you can apply to your note to turn it into a real password? There are many options, from adding a prefix, a suffix, adding a small integer to every number, or some combination of these. This, I think, is about as secure as you can get since a targeted attack would just install a keylogger and be done.
Even with an algorithm, you're still relying on human memory. As Schneier and others have been recommending for a long time, write down your passwords. People already understand some amount of physical security, which is knowledge that can be utilized for password storage.
As long as human memory is the weakest link, password strength will always be de facto limited to the amount of entropy that a human can reasonably memorize. Unfortunately, brute-force password cracking capabilities flew past that limit a long time ago.
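As an added example (not from any commenter in this thread), here is a short Python script that puts numbers on the points made above about entropy, the XKCD 936 passphrase approach, and the "season + year + !" recipe: it checks a constructed complexity regex of the kind complained about and computes the entropy of each password style under the stated assumptions. The regex, the 2048-word dictionary size (the 2^11-word list XKCD 936 assumes), the 10^10 guesses/second cracking rate and the sample passwords are all assumptions for illustration.

```python
import math
import re

# Hypothetical "bizarre regex" policy of the kind described in the thread:
# at least 8 characters, one capital, one digit, one symbol.
POLICY = re.compile(r"^(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{8,}$")

PRINTABLE_ASCII = 95        # alphabet a truly random password could draw from
DICEWARE_WORDS = 2048       # assumed word-list size (2^11 words, as in XKCD 936)
GUESSES_PER_SECOND = 1e10   # assumed offline cracking rate against a fast hash


def meets_policy(password: str) -> bool:
    """True if the password satisfies the complexity regex (and nothing more)."""
    return POLICY.match(password) is not None


def random_chars_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a password chosen uniformly at random from the alphabet.
    This is the upper bound the policy hopes for; memorised passwords rarely reach it."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a passphrase made of `words` words drawn at random from a dictionary."""
    return words * math.log2(dictionary_size)


def pattern_entropy_bits(choices: int) -> float:
    """Entropy when the attacker knows the shape (e.g. Season+Year+'!')
    and only has to try `choices` candidates."""
    return math.log2(choices)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return 2 ** bits / rate


def compare() -> dict:
    """Score three constructed sample passwords in the styles the thread describes."""
    cases = {
        # the season+year+'!' recipe: 4 seasons x 10 plausible years = 40 candidates
        "season+year+!": ("Spring2016!", pattern_entropy_bits(4 * 10)),
        # four random dictionary words, XKCD 936 style
        "4-word passphrase": ("correct horse battery staple", passphrase_entropy_bits(4)),
        # an 8-character password, assumed to have been chosen uniformly at random
        "random 8 printable": ("q7#Kx2!m", random_chars_entropy_bits(8)),
    }
    return {
        name: {
            "meets_policy": meets_policy(pw),
            "entropy_bits": round(bits, 1),
            "exhaust_seconds": seconds_to_exhaust(bits),
        }
        for name, (pw, bits) in cases.items()
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:20s} policy={str(row['meets_policy']):5s} "
              f"bits={row['entropy_bits']:5.1f} exhaust={row['exhaust_seconds']:.3g}s")
```

The regex accepts the ~5-bit "Spring2016!" and rejects the 44-bit passphrase, which is the mismatch the thread is complaining about: the policy measures character-class coverage, not the size of the space an attacker actually has to search.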
My last work sent around a cardboard triangle "stand" thing which was supposed to remind us all about how much we loved working there and how important such and such policies were. So my password was set as the first 3 letters of the first 3 lines (inc capitalisation) followed by a fairly standard & [incrementing number]. It was written down right next to my computer for the first two weeks whilst I learnt it and then every other password was just a derivation of it.
Then I'm carrying around sensitive work information on a device that I control. Sure, my password protected Excel spreadsheet isn't really protected, either, but if it gets compromised on my work machine, IT at work takes the heat, not me.
My old comment is still relevant.
Another story about my journey with my son while he battled cancer.
Closed, proprietary image formats and systems HURT patients. We used the local hospital for chemo and everything else at the Children's Hospital 1.5 hours away for his legs and lungs. I would always have to wait 20-30 minutes to get a DVD of the studies (PET, CT scan or MRI, even ultrasound, but those are worthless) and then bring them to the doctor. The doctor would be forced to use whatever portable image viewing program came on the DVD, and then they had to be sent to the IT department to be imported into their system.
We would be there to remove some horrible tumor, but before half his surgeries (I can't count how many surgeries he had) we would have to go in the day before (3 hour round trip) to get the expensive scan done again. One time I had a scan at 11 PM - midnight, then drove home around 2 AM and was back at the hospital at 7 AM to check in for a 10 hour surgery. ALL BECAUSE THE FORMATS ARE CLOSED and SYSTEMS could not connect so that my son's records were the same everywhere. I carried 20 DVDs with me all the time just in case.
In case you are wondering my son unfortunately passed away after almost 5 years of fighting. If you are ever interested in giving to a cancer society please consider stbaldricks.org. Most charities give 0% or 2% to pediatric research and that is why we went over 20 years without a new chemo for children till last year, which St Baldrick's funded the research for this amazing new drug to fight a different type of cancer my son did not have.
Nothing surprising here. Far and beyond IT, surgeons possess a rare and special type of ignorance... typical of your average over-powered decision maker with not enough time to understand or other incentives to make good IT decisions. This is really, really common in health IT, and not rare at all, but here it's presented in the form of an over-entitled surgeon. Some people seem to think that "brain surgeon" is supposed to add gravitas to any conversation, in terms of understanding or something... but your average QA person is 1000x more likely to make a better decision than a surgeon, when it comes to IT.
And the source of the problems in this article? The legal dept. So please don't blame this one on anyone in IT.
My take away is close to the opposite, having worked around healthcare IT for many years. Systems are antiquated, un-integrated, use archaic and proprietary languages and databases, and the lack of cohesive design for usability encourages most clinicians to keep using paper.
IT as currently and usually practised, especially in a healthcare environment, is also mostly a disaster in terms of value for expenditure. $2 billion for an Epic system in a regional hospital system... which was obsolete before it was installed. Heck, the Deutsche Bank SAP core banking replacement only cost $1 billion.
Much of the "oh but it's regulated" excuses are just that, excuses to be ignorant and stay stuck in the 1970s.
It doesn't have to be this way, but it requires a lucky administration to find a way out of the mess given the market for lemons in IT management and systems integrators in healthcare.
Open source and Cloud solutions (from an operating model perspective way more than technology) appear to be the only way out of this mess of "your mess for less" IT because it lifts the veil of sales, consultant-speak, and opaque RFP processes in favor of actually-working-and-reliable software that anyone can see and touch.
In my experience of trying to sell software to healthcare organizations, they are practically immunized against better software.
They are institutionally allergic to agile, iterative improvement. It sounds too scary. They want big-design-up-front, even though that's guaranteed to deliver unusable software that's far more dangerous to patients than any transient bug.
This x100. Though I think it is changing as a younger generation grows into leadership positions, this will likely happen far later than other industries :(
> Much of the "oh but it's regulated" excuses are just that, excuses to be ignorant and stay stuck in the 1970s.
It is actually a serious problem.
You have a bunch of apparently sensible rules with apparently reasonable justifications, but without a holistic understanding of what those rules cost in terms of engineering and design trade-offs. Then compliance prohibits the use of commodity components not designed with those specific requirements in mind, which requires everything to be custom for the industry at extreme cost, which in turn impairs competition and allows the vendors who do pay all the compliance lawyers to sell low quality software for big money.
And it's not clear how open source or cloud would solve any of that, other than possibly through some kind of regulatory avoidance shell game, which sounds more like a loophole than a solution.
While that's true, many commodity components also currently don't live up to the real requirements of those environments. I have a number of friends who work with enterprise Linux deployments. They are all doing very well financially.
How much of the problem is Epic, and how much is the desire of each client to develop their own unique byzantine workflows, that Epic has to implement? I wonder if this is like blaming C because so many programs written in C are bad.
I would say a mix of both, but more the problem is with the way the software fights your desire for custom workflow rather than encourage it or make it cheap.
I had a similar reaction to the piece, which painted doctors as not being part of the problem - when they have a profound amount of political power.
I had a friend who worked as a QA engineer (hospital processes) for a prestigious children's hospital. The QA department came up with any number of potential, well-conceived plans, but the falling-down point was always the doctors. One of the primary pain points was the lack of interoperability between different departments' record-keeping. Each department head had their favourite vendor, who would give them all sorts of goodies on the side, and as such, none of them wanted to change.
So, you'd have a heads of department meeting where the new QA plan would be discussed, which necessitated regularising the software across departments. The standard refutation was "If I can't use software X, children will die". Everyone knew this was utter bullshit, but there's nothing you can do when the head of department is considered the final domain expert. "Children will die", uttered by doctors and surgeons, killed more efficient processes in that hospital.
Another story of his was at another meeting where one specialist ventured an opinion. It was derided by one of the old-school, a veteran of nearly 30 years: "We don't do things that way; you'd know that if you'd been here any length of time". Said the opinion-venturer: "I've been here 17 years". That is one insular society...
The difference between doctors and engineers is that doctors indeed know which parts of the workflow are critical, and which will indeed cause children to die.
To this date, I'm not aware of any record-keeping software that's at least half as useful and efficient as the old and tried handwritten paper records.
There were only three useful IT innovations in medicine: (a) PACS [1], which allows one to easily compare and transmit X-rays; (b) lab work records; (c) appointments software.
My wife had some complications after childbirth that kept her hospitalized for a few days. Watching the staff fuck around with 3-4 EMRs to figure out what happened when was a ridiculous comedy of errors. It actually undermined my confidence in the medical staff -- they really struggled between shifts.
In the old days, the information was available at a glance, on a clipboard.
I worked on a healthcare IT system at one point as a consultant. I tried to the best of my ability to improve upon the UI or the software, at least for the small tasks commissioned to me. I think that most of the other programmers tried to do the same.
It was extremely difficult because the software was written over a long period of time by multiple generations of programming teams and programming styles. It was hodge-podge to say the least. Take that system and integrate it with another equally hodge-podge system. Then add a couple more hodge-podge systems to that. There were just lots of redundancies and disconnects. I did feel sorry for the people who were going to have to use that system.
I'd say that medical administrative software is ripe for "disruption" just because it sucks so badly. Except for the fact that the systems are a) huge b) require extensive domain knowledge c) are regulated d) sales of such systems are extremely political and e) there's no way to do an end-run around the administrators who are purchasing these systems. It doesn't seem very suited for a "move quickly and break things" scrappy startup.
> ‘I’m not starting a big meningioma at 4 p.m.,’ she declared, turning towards me. ‘I’ve got no childcare this evening.’
Without knowing what a "big meningioma" involves, I can only imagine it's something like doing a tricky, manual deployment on Friday afternoon. In that case no, this is a completely reasonable response. People have lives outside of work. Yes, "In the pre-modern NHS consultants never counted their hours – you just went on working until the work was done.", but that doesn't mean it's a good thing. In pre-modern factory days people of any age worked the whole day, 6-7 days a week. It doesn't mean that it's a good idea to do it now.
> this is a completely reasonable response. People have lives outside of work.
For someone in IT, perhaps, but the professional expectations in medicine are starkly different (although they are admittedly growing more lax, to the chagrin of the old guard). In this particular case, the geriatric meningioma patient had already been cancelled on once, rescheduled with the promise of being the first procedure of the day, and then delayed to the end of the day because she tested positive for MRSA and they needed to do a decon of the OR after her procedure. You would seem to find it reasonable to reschedule her yet again, but neurosurgeons don't have much room in their schedules to play scheduling games with, and in general, patients aren't undergoing elective brain surgery for the fun of it: they need it now.
Perhaps the IT analogy is that neurosurgery is largely a hard real-time system: you must execute within a given time window or you fail.
> You would seem to find it reasonable to reschedule her yet again
No, I find it unreasonable that not everyone knew the schedule beforehand, or that someone who knew about it didn't raise it as a problem. This should never happen right before the operation. At that point it's too late and it's on everyone to deal with the situation at hand. What I'm pointing out is that if the plan was a surprise then it's completely understandable that someone says no.
As for solutions, it depends on a hospital, location, patient's state, available team, etc. Lots of possibilities. (BTW, anyone shouting at anyone else is not even close to a solution)
> No, I find it unreasonable that not everyone knew the schedule beforehand, or that someone who knew about it didn't raise it as a problem.
The problem in this case was that the meningioma's MRSA positive culture results (from the first, cancelled procedure day) came back on the day of the rescheduled procedure, and that necessitated a schedule rearrangement (placing the meningioma at the end of the day) that the substitute anesthesiologist objected to. The author points out the absurdity of the situation re the MRSA culture when, if they had performed the procedure on the day originally planned, they would not have the culture results and so would not have done a post-op decontamination, but the rescheduling had forced the additional step. I think one does the best they can to budget for unexpected problems as had happened in this case, but in an overworked system, that cushion is among the first things to go.
> This should never happen right before the operation. At that point it's too late and it's on everyone to deal with the situation at hand.
Ideally, yes, one catches complications before they are a problem. Experience suggests complications still occur, and the only solution is to "be like water" and adapt.
> What I'm pointing out that if the plan was a surprise then it's completely understandable that someone says no.
Not for a physician. It is understandable for a physician to be ticked off, it's understandable for a physician to call in a favor and find someone to cover for them, but it is not understandable for them to say "no". The substitute anesthesiologist not only said no, but was apathetic to finding someone to cover for her. To that, I respond as I did before, the expectation from what I term the old guard of medicine is that your duty is to attend to your patients. Younger physicians, such as the anesthesiologist in question, would seem to share your perspectives on work scheduling, and the old guard say that the result is decreased quality of care.
> As for solutions, it depends on a hospital, location, patient's state, available team, etc. Lots of possibilities. (BTW, anyone shouting at anyone else is not even close to a solution)
That's a lot of handwaving. Keep in mind that in medicine, you can only kick the can down the road for so long, and that in this case, the patient's family had rattled legal sabers over the first cancellation. I suspect the possibility space is not as large as you think.
Irrelevant, the nature of your reason to refuse to work outside of scheduled hours is between you and your conscience. Be it a child, a dog, opera tickets, or Friday Night Magic - the rules have to be the same. Being a parent doesn't absolve you of responsibilities to patients nor does not being a parent increase your obligations to work additional hours.
Her disinterest in finding someone to cover is disappointing in a healthcare professional - but otherwise "I can't stay late tonight" is fine unless contractually you are on call.
> "I can't stay late tonight" is fine unless contractually you are on call.
This is potentially a reasonable point. If the surgeon can't make a compelling case to the on-call anesthetist that the case needs to be done, then the anesthetist present has a reasonable argument. That said, I've found that day shift staff may well stay late to handle a case they had already prepped for if that would prevent an un-prepped on-call from having to come in an hour later.
Bluntly, I don't care what they do so long as they do their job, and frankly, their personal lives are none of my business; they're a highly-educated mature adult capable of figuring it out just like their peers in the profession are somehow able to do. Some do a childcare service, some have nannies or babysitters, some have a stay-at-home partner… Surgeries run long all the time due to unforeseen complications, and I find it difficult to believe that this anesthesiologist didn't have a backup plan for those occasions. They may not have wanted to use it, and that is what I object to.
One of my parents is a physician and I didn't get to see them much when I was growing up (or even now); I intimately understand the point of view of those advocating for greater work-life balance in medicine. What I find lacking in the push for greater work-life balance is an acknowledgment that quality of care may be changing for the worse as a result.
> BTW, anyone shouting at anyone else is not even close to a solution
It may not be a solution you approve of, but I've witnessed plenty of cases where managers have effectively bullied their subordinates into doing work they otherwise wouldn't want to do.
Depends what you want to call a solution. Sure, if a manager bullies me into something I'll either do it or not. But I'm definitely raising this with his manager and/or looking for another position at that point. I'd call it a bad workaround for a current problem, not a solution.
Well, in that case the hospital should pay for extra childcare that evening (including possibly relocating the child to another child care location, which is no fun for the child either), and give them extra time off to have time together with their child at another time. Times have changed, people often live alone with their children (or their partner may be working), and you just don't leave a child alone.
When you got the meningioma, you better hope that your surgeon will work until the work is done, instead of delaying it because somebody's unable to find a babysitter.
Medicine was always about putting the patients' needs above your own, and I sure hope it stays that way for the foreseeable future.
I agree. It's a little frustrating to see so many argue so fervently in favor of work life balance literally at all costs.
Professionals in western society don't just magically find themselves in the position of regularly making life and death decisions. Those who do are there by choice. At least some tolerance of discomfort is both expected and required.
Well, when you pit "brain surgery" against "babysitter", it seems pretty clear cut. But imagine if you're that anesthesiologist, or one of a half dozen nurses required for the surgery, or whatever, and you've had to ask your parents to pick your kid up from school for the 12th time this semester because you won't be home before bedtime. Kids tend to not understand these kinds of things, parents know that, and they're rightly frustrated when their job unreasonably demands that their kids get short shrift.
That said, this sounds like a hospital procedure/scheduling fuck up. I don't think the anesthesiologist should be blamed at all, she stood up to unreasonable demands just as she should have. The hospital failed the staff and the patient here.
Would you be happy to be handled by an anesthesiologist who's in a hurry to get out as soon as possible, because they don't know what's happening with their children? Yeah, it's a bad choice, or a bad choice.
I'm not sure why you think "Medicine was always about putting the patients' needs above your own". Many hospital employees do. But I've never heard of medicine as a whole having that rule.
If you expect doctors to act like everyone's needs are above theirs, you'll end up with the current situation in the UK. Junior doctors who are overworked, hate the situation, a government that wants to pay them even less for more hours (they've got patients to see, right?), and are more and more likely to move abroad - rather than just being treated with respect like any other normal employee. And that's not even mentioning the dangerous situations created by tired doctors.
"the dangerous situations created by tired doctors."
These concerns are seriously overblown. Most errors from fatigue occur on routine, non-critical tasks, whereas I have never seen any evidence of a significant increase in critical errors.
A well-fed, rested doctor who abides by regulation is way more dangerous than a tired, hungry one who puts patients first.
"you'll end up with a current situation in the UK"
Poor remuneration is in no way related to great bedside skills, but is due to poor negotiation skills and State control.
> I have never seen any evidence of a significant increase in critical errors.
Google: study fatigue doctors. It's literally there on the first page.
> Poor remuneration is in no way related to great bedside skills
I'm not sure you're familiar with the issue in the UK. It's both about extra work and what counts as "unsocial hours". Considering the first to emigrate will be (were, actually) the doctors with better skills... yes, all skills are very related to how they're treated.
> all skills are very related to how they're treated.
Of course not, and that's my point.
Doctors are all paid the same in the UK, without any consideration for skills. Those who emigrate and get better pay are paid better because they emigrate, and not because they do or do not put patients first.
> Besides, surgeons can no longer get away with such behaviour. I envy the way in which the generation who trained me could relieve the intense stress of their work by losing their temper, at times quite outrageously, without fear of being had up for bullying and harassment.
This is a good thing. Good lord, the ego of some professionals never fails to astound. Treating people like people in the workplace and not harassing them shouldn't be a difficult concept to come to terms with.
Many of the hospitals in Boston have surgeons so specialized that they're literally the only surgeon in the US that does their particular type of surgery.
For appendix removal, and trauma surgery, sure, your statement is correct. For brain surgery your statement is a bit ridiculous.
But the problem wasn't finding a surgeon. It was finding an anesthesiologist, who from the story's own description, isn't extra specialised.
Unless that person is on call, it sounds like someone screwed up the schedules by putting an anesthesiologist on a surgery that would take longer than they were still scheduled for.
They are a large growth in your brain or spinal cord. With this one, think softball sized. Though the link states that they may not be harmful if left to themselves for a few days, I'd want it out asap. They can cause brain damage or paralysis in the spine. I know this as my PI had one and could only speak Spanish for a few days as his meningioma was pushing hard on his Broca's area, the part responsible for a lot of speech.
That the lady was complaining of childcare is unacceptable and she should be reprimanded for it. Health care as a profession comes with costs that you know about when you sign up for the job. One of those is irregular hours. I can't imagine how she thought it was ok to put a person and their family through more costly time in a hospital over having her kid stay at daycare a little longer.
>> ‘I’m not starting a big meningioma at 4 p.m.,’ she declared, turning towards me. ‘I’ve got no childcare this evening.’
So with the scale of the money involved, the system can't deal with several hours of childcare that wasn't scheduled in advance? No intern around to send to take care of it?
Ehhhhh, I don't really think anyone should be asked to work into the evening unannounced. Sure the stakes at hospitals are high, but that's all the more reason staff shouldn't be stressed, overworked, or distracted. The 40th time you ask your anesthesiologist to work late and put their child in night care from 5-9pm, they're gonna be pretty resentful, and rightly so. Do you want a resentful anesthesiologist? I sure don't.
As a programmer in my first year of med school, I can only confirm the frustrations with medical software. As someone that gives a damn about usability/UI/UX, most (all?) EHR systems make me want to bang my head against a keyboard.
I honestly don't know how long I will be able to practice medicine before deciding that I can build something better (as foolhardy a notion as that is).
> before deciding that I can build something better
It's very likely that something better already exists. The reason you use something terrible is because "better" does not result in adoption. Personal relationships, salespeople, and marketers drive adoption, not the quality of the actual product.
Right, but if I have control over my practice, I also control what EHR I use. No idea if I'll end up in private practice, but there's always that possibility.
That's not how meaningful use works. You can use paper for all you care, you're just going to take a hit financially from the government (and many do). You can use whatever electronic system you want as long as it all adds up to meaningful use. The insurance companies have nothing to do with this.
I would still implore you not to write your own EHR unless you are a tried-and-true data-security expert.
If you aren't positive that you are one or you haven't had this tested in the real world, then you aren't one.
It's not fair to patients to play fast and loose with their data, nor is it at all easy to develop and design usable software. It's not something you could do in your spare time while also working as a doctor. You'd most likely need to start a company and put together a team.
If my doctors are anything to go by, you shouldn't worry too much. You'll be able to make your supporting nurses deal with the computer systems for you ...
Not that I'm advocating this as a good thing. I only report a pattern that I've seen across a number of offices. I can also report that the nurses hate the computer system as much as the doctors, probably more.
It's not that bad. You can get API access to a lot of things and automate your work to a large degree, particularly in radiology. Just not a lot of doctors know what to ask for and what is possible.
I love how "mediocre software developers" are called out in the header, but then it goes on to list about 10 different people in different roles that are causing actual problems, all systematic, where a developer would make no difference whatsoever.
I find it somewhat distasteful that a doctor would compare an obese patient to a whale while implying it's less worthwhile to treat them than other patients. It's not the job of medical professionals to pass moral judgment.
What if he were complaining about an influx of smokers with emphysema or alcoholics with liver cirrhosis? Doctors are justified in their frustration with the preventable burden that lifestyle diseases impose on their profession.
I find it distasteful that your tangential comment is upvoted in a presumably Chomsky-esque no-one-is-accountable-for-the-consequence summary from which further discussion ensues.
As someone here whose primary job is not programming, the tendency for posts critical of programmers to have a discussion led by minimizers is quite obvious.
You are not the issue. The hordes of upvoters are the issue.
The whole blog entry read like a tantrum. A comment on the site from "SuperMike" says this:
"Anyone with even a passing familiarity with the world of medicine will be amused by the surgeon being forced by circumstances to treat staff like actual human beings. (And he complains about it!)"
Sounds about right to me. IT issues can definitely be frustrating, but this blog reads like a libertarian rant.
It's also just a lot of legacy stuff that no one wants to touch because it currently works and brings in money. Good design and practices compared to today just weren't around 10-15-20 years ago. Building a large and robust EHR and/or practice management solution from scratch using good techniques and design (and good security practices like, stupidly enough, parameterized queries instead of string concat) would be great if it wasn't astronomically expensive and risky from a business standpoint. Then by the time you were ready to hit the market you'd be five years behind or something.
Plus everyone will ask "Can you convert some other EHR's notes/data into your system's notes and vice versa?" and now you get to inherit all of that system's bad decisions in that area.
Very frustrating, I agree. I have another medical computer system horror story - did you know that the UK National Health Service spent 12 billion pounds (18 billion USD) on a computer system and ended up with... nothing to show for it!!!
This is the problem. The "if you can get it" translates to "if your company has a huge request-for-tender team dedicated to shmoozing your way into these kinds of contracts".
Add to it that the whole tech-health ecosystem is scorched earth after countless clueless contractors have blown their way through it (earning tens of millions of pounds and so on in the process), and it's not a great environment for trust, innovation, or making your way through everything to a real-world-usable result.
"... I envy the way in which the generation who trained me could relieve the intense stress of their work by losing their temper, at times quite outrageously, without fear of being had up for bullying and harassment. ..."
Was at a party with a group of friends who are physicians, surgeons, and medical researchers. It struck me: we software types are so fucking arrogant. I was definitely not the smartest person in the room, and yet I could see IT and CS types mocking these people for their relative computer illiteracy. You know, the people who are actually saving lives every day instead of figuring out how to distract (er, engage) and bilk (er, monetize) people.
There are a lot of people who mock others simply because they don't know a domain of knowledge. You can bet that doctors also mock those who don't successfully take care of their health, especially fat diabetics. Anecdotally, I think fat diabetics are the favorite humiliation punching bag for doctors.
Anyways, the issue that stuck out most saliently to me was the cultural expectation placed upon medical staff to work through any issue regardless of personal life, and what must be a tacit management understanding of the situation. Somebody in management screwed up, and now the doctor is left holding the bag, and this doctor unfortunately feels some responsibility to manage the situation. This doctor is frustrated that the anesthesiologist did not make the same sacrifice, and wanted to tend to family.
I don't blame either of them. Kudos to the doctor for holding the bag that management dropped, and congrats for the anesthesiologist who won't submit to exploitive cultural expectations.
> Doctors aren't smart, they're just friendly keeners with something to prove to their helicopter parents.
See, that's what I mean. I wasn't writing about the general population of doctors, I was writing about the specific doctors who were in the room with me, who you so arrogantly dismiss.
I just don't think that's true, but I'd love to be wrong.
At any given time a third of the user base is dead... and it's growing because the data has to remain in the system for 60 months (HIPAA). It's not scary because it's B.S... No single health provider or group of providers in the world is close to having access to 125 million active patient-users on an annual basis.
Until Epic discloses any numbers in their 10Q/10K, realize that they're probably talking about "rows" in a db table or nonesuch, not actual patients or anything that will get them in trouble with the SEC/FDA.
I'd guess the reality is Nike is much closer in having shoes on half of the US pedestrian population than Epic having HL7/PII data.
> Health care groups using Epic electronic health records serve 54 percent of patients in the U.S. and 2.5 percent of patients worldwide, CEO Judy Faulkner said at Epic’s users group meeting in September.
I have no idea what the actual number is, but I remember reading that Epic is in about 20% of hospitals, and in many/most academic centers. Given the number of people who've been seen in an academic center at least once (whether for their own birth, a consultation at some point in life, ER visit, etc.), Epic systems likely have entries on a substantial portion of the population, though the number of people they have complete medical records for is likely much smaller.
A friend of mine used to work there but he left last year. When I asked him why he said "because I want to make software that people actually enjoy using."
All systems within a medical establishment should be forced to work with a single-sign-on system. That might sound like a lot of effort for a small improvement, but I believe it would be the single highest value change that could be made.
When I read the title I was thinking something different.
Torture is a real and a nightmarish thing, and in this ever shrinking world of ours, we (i.e., Westerners) can no longer think of such horrors as existing only for other people in faraway lands.
Am I the only one who's a bit uncomfortable tossing around the term to apply to a well paid professional who's facing bureaucratic inefficiencies at work?
If someone is literally dying in your duty of care because no one can access any patient records, that sounds torturous to me. A bit like the Stanford prison experiment, but replace the guards with IT contractors, and the prisoners with surgeons, doctors, and nurses.
And the person responsible is not the guy without a password, but a coward who didn't push for a 5x9 SLA.
Yes, this includes hard real life access time analysis. If failing to remember a silly password takes longer than k minutes, it should be a breach of contract. Likewise if total disruption due to password changes is too high.
It's silly to implement a horde of govt rules while neglecting the basics.
Doctors, particularly trauma and tumor surgeons, have dying patients all the time.
Often there are additional treatments available but for resource constraints. Ordinary folk die of heart disease every day, but somehow Dick Cheney lives on with an artificial heart.
I know being a doctor can be quite a stressful job and requires a certain class of personality. But still it has gone with the territory of being a doctor since the beginning of civilization.
Well perhaps that is true, but having someone who is dying because the surgery is failing is a bit different than someone who's dying because you can't remember some login's passcode.
And of course then these delays compound over time and adversely affect the entire system.
Designing good software which meets government legalese constraints (which are guaranteedly absurd in certain instances, in wording and nature (while others will make perfect sense and still be just as hard to implement)) in extremely complex situations (health care systems with millions of users with an outstanding number of providers of different sizes, with different conditions, and medications, and the stringency of the privacy requirements).
That's tough.
It'll be really neat to see the progression of software through time. It'll be neat if what we see today is the Model T to the Tesla (X?) of tomorrow (+~110 Years).
"I sat through a 3 hour meeting today and it was pure torture."
"I skipped breakfast today. I'm starving."
If you are truly uncomfortable with these sentences then it's possible that you are either a bit overly sensitive, or else you have trouble differentiating between literal statements and common English expressions.
When we describe mundane things as extreme "I'm _starving_ the slow service at this restaurant is torture" or extreme things as mundane "enhanced interrogation techniques" we lose a little bit of our ability to correctly communicate and even experience the world.
Being in awe should be a rare and wonderful state, but instead it's apt to describe a free sandwich as awesome.
The problem: lazy people with poor vocabulary (and education) and bad journalism and editorial work.
After reading the title, I too expected to find a peculiar story about a covert team made up of software developers and hospital bureaucrats kidnapping and torturing a brain surgeon (which would have been a fascinating article). Instead the "torture" here appears to be a complaint about password policies and paperwork... the word "torture" does seem to be overkill in this context.
It's not a minor inconvenience when a patient can't get a needed surgery because someone can't sort his personal life out. Medicine is (or should be) a profession, which is to say, a lifestyle and an ethic as much as it is a career.