A billion medical images are exposed online (techcrunch.com)
350 points by OrgNet 11 days ago | 189 comments

An odd line from the article, wherein it states that security researchers don’t blame vendors, but the physicians and hospitals that fail to properly secure the software.

I have never, in all my years of working in healthcare, seen a hospital or physicians' office directly install and manage PACS. They pay a third party - usually the vendor - to install, configure, and walk them through it. Maybe a behemoth system like Northwell has the IT bench to do it themselves, but that would be the exception.

So allow me to rephrase slightly: “technologically inept organization pays vendor to make machine go vroom. Vendor leaves keys in ignition. Damn that technologically inept organization.”

To take a 10,000-foot view of the situation, though:

Healthcare-related technology was largely pushed on the industry via legislation. Said legislation was almost entirely stick, no carrot. The result was healthcare organizations with a gun to their head to buy from a handful of vendors, with no real ROI to be seen from it - aka, the government outsourcing its costs to private industry, and throwing pork to some major health IT firms along the way. When a technology is forced on you at a loss, from a vendor with little incentive to optimize ease of use or utility, you get a terrible piece of shit that no one wants to invest more time and money into than absolutely needed. That's going to show itself in a myriad of ways.

I’ve been the IT vendor in this scenario. While I’m sure there are plenty of inept vendors not doing their part to ensure the systems they implement are secure, a big part of it is doctors and their work culture.

Many doctors see themselves as too important to deal with security. They have an attitude of “I went to school for medicine, not computers! How dare you ask me to use a computer.” They are not only technologically inept, they are proud of it. And I’m not just talking about refusing to use complicated software. I’m talking about doctors that insist that they shouldn’t be forced to use passwords (not even complicated passwords; ANY passwords). And in most of the organizations I have dealt with, doctors are the most important people in the organization and have final say on anything, which often means that the security department’s efforts are all overridden by doctors that can’t be arsed to even type in a password before using their EMR, and don’t even dream of something more complicated like asking them to use multi-factor auth.

I once worked at a hospital where a doctor was looking at porn at work, clicked a phishing link, and gave up his network credentials. An attacker then used those credentials to breach the network and siphoned several hundred thousand dollars from the financial system (wiring money to himself). Security detected this and disabled his account. 20 minutes later the doctor had called the CEO, yelled at him (“how dare you lock me out of my account!”) who then called security to yell at us and insist we re-enable his account. The doctor was never reprimanded (for falling for phishing or for the porn) meanwhile the security team got a stern talking to and was instructed to never disable a doctor’s account again.

Healthcare is a different world for security. You have to acknowledge that yes, patient safety is more important than security, but oftentimes these doctors take it to an extreme and they are very difficult to work with. I have never met a group of people more elitist and “too important to be bothered” by security than doctors.

On the other hand (and I'm really not trying to excuse this behaviour) some doctors are almost daily in situations where "if I had a little bit more time or did this thing a day earlier maybe the patient would still be alive". If you run into those kinds of situations frequently, then obviously any slowdown (like having to remember or type in a password) is stupid. And only they understand it, no IT employee ever would.

That is why plenty of medical systems have an override in place for emergency situations allowing you to bypass all but the most basic authentication and segmentation. You will usually need to explain your override afterwards.
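The override the comment above describes (bypass the normal authorization check in an emergency, but the identity is still recorded and an explanation is owed afterwards) is usually called "break-glass" access. The following is an added illustration of that pattern, not code from any vendor or hospital system discussed in the thread; the role names, the record types, the 24-hour justification deadline and the sample events are all assumptions made for the example.

```python
"""Break-glass (emergency override) access control with mandatory follow-up.

Added example. Roles, actions, patient identifiers and the 24-hour
justification deadline are assumptions, not taken from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Normal (non-emergency) authorization: which roles may perform which action.
ALLOWED = {
    "chart:read": {"attending", "resident", "nurse"},
    "chart:write": {"attending", "resident"},
}
# Roles allowed to invoke the emergency override at all. Identity is still
# required: break-glass bypasses the role check, not authentication.
BREAK_GLASS_ROLES = {"attending", "resident", "nurse"}
# How long the user has to explain an override before it is flagged for review.
JUSTIFY_WITHIN = timedelta(hours=24)


@dataclass
class AuditEvent:
    when: datetime
    user: str
    action: str
    patient: str
    override: bool                     # True when granted via break-glass
    justification: Optional[str] = None


class AccessPolicy:
    def __init__(self) -> None:
        self.audit: list[AuditEvent] = []

    def authorize(self, user: str, role: str, action: str, patient: str,
                  now: datetime, break_glass: bool = False) -> bool:
        """Grant or deny; every grant is written to the audit trail."""
        if role in ALLOWED.get(action, set()):
            self.audit.append(AuditEvent(now, user, action, patient, override=False))
            return True
        # Emergency path: clinical role, known action, always logged as an override.
        if break_glass and role in BREAK_GLASS_ROLES and action in ALLOWED:
            self.audit.append(AuditEvent(now, user, action, patient, override=True))
            return True
        return False

    def justify(self, user: str, patient: str, text: str) -> bool:
        """Attach an explanation to the user's latest unjustified override for a patient."""
        for ev in reversed(self.audit):
            if ev.override and ev.user == user and ev.patient == patient and ev.justification is None:
                ev.justification = text
                return True
        return False

    def overdue_overrides(self, now: datetime) -> list[AuditEvent]:
        """Overrides still unexplained after the deadline: the review queue."""
        return [ev for ev in self.audit
                if ev.override and ev.justification is None and now - ev.when > JUSTIFY_WITHIN]


def demo() -> tuple[bool, bool, int, int]:
    """Constructed scenario: a nurse needs to write to a chart during an emergency."""
    policy = AccessPolicy()
    t0 = datetime(2020, 1, 10, 3, 0, tzinfo=timezone.utc)   # constructed timestamp
    normal = policy.authorize("nurse_a", "nurse", "chart:write", "pt-001", t0)
    emergency = policy.authorize("nurse_a", "nurse", "chart:write", "pt-001", t0, break_glass=True)
    overdue_before = len(policy.overdue_overrides(t0 + timedelta(hours=25)))
    policy.justify("nurse_a", "pt-001", "Patient coding; attending not yet on site.")
    overdue_after = len(policy.overdue_overrides(t0 + timedelta(hours=25)))
    return normal, emergency, overdue_before, overdue_after


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the emergency path never skips the audit record, so the cost of the override is paid afterwards (a justification and, if none arrives, a review) rather than up front when seconds matter.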

I'm not talking about emergencies - I'm talking about situations where someone comes in for a "routine" blood test, but it shows they have cancer, and you as a doctor end up blaming yourself for not spending 10 minutes more to look at the test the day before, and the most obvious thing to blame for not having those 10 extra minutes is anything in IT that slows you down and takes those 10 minutes away. Even if it's irrational (maybe that person would have died even if you did look at the test slightly earlier) the guilt can be very real.

This. I don't know enough about the econo-political situation gp mentions, but the idea that doctors are somehow irresponsible for not wanting to enter passwords is a perfect example of a usability fail. It's too easy to gloss over - "it's only a password". But think of your own situation: ever been a bit frustrated when your desktop/laptop times out and locks, just as you were about to start typing again? Objectively it takes seconds to enter your password again. Subjectively it's broken your flow. Convenience has a non-linear decay curve. Now take that out of your work environment, where your normal context is sitting/standing at a desk. And put it in a hospital where a doctor is mobile by default: on their rounds/attending to patients/whatever.

The answer isn't "make the doctors change and accept the inconvenience". The answer is "find a solution that actually helps them rather than hindering".

Yes, there will always be recalcitrant users who stubbornly refuse to use systems irrespective of usability and/or utility. But I'd wager most aren't in this category. Most will be only too ready to use something that actually helps them.

If passwords are a barrier to use, find a better solution.

The computing industry is quite unique in that we are so arrogant that we tend to tell everybody else how they should be doing their job, and then add insult to injury by blaming the users for the system's shortcomings.

This seems like a caricature or an exception. Doctors are very aware of HIPAA (and the equivalent in every other country), and the professional and monetary costs of non-compliance.

Doctors didn't set up these systems. Doctors didn't expose them to the internet. As the other post said, vendors did. If those vendors couldn't properly communicate the needs, that's their problem.

What I think is a more rational explanation for doctor (nurse, lab technologist, etc) resistance is that the industry is rife with incompetence and vendor balkanization. So much so that every healthcare professional deals with literally dozens of logins to try to do their job. Every one of those logins has its own bizarre password policies, rotation schedules, etc. Pretty soon there is rightly hostility to whatever scheme some small niche vendor has imagined up in the illusion of security.

It may seem so, but I’ve done security consulting work for 10+ of the largest hospital chains and insurance providers in the country and I can assure you it isn’t an exception. Doctors don’t care about HIPAA (“that’s legal’s job”). They don’t care about the company’s finances (unless it’s a small private practice, “that’s the accountant’s job”).

Some of the complexity is caused by the software itself being complex, yes, but that’s not what I’m talking about. In every organization I have worked with, doctors were always the biggest obstacle to even doing something as simple as requiring them to carry around a badge for physical access to the building. As a group, they are very resistant to anything that might add an extra step to their workflow. And yes, everyone hates and is resistant to stuff being added to their workflow, but I find most people are amenable to it as long as it’s a small interruption and it’s for a good reason (security). Doctors generally don’t have that attitude, though.

Sounds like someone has it in for doctors.

I worked in healthcare IT for years, before then going to medical school, and now in residency. My experience really does not match yours.

As mentioned earlier in the thread, I will agree that doctors in general are quite resistant to technology because they have been fucked over by implementations that are more concerned with billing and regulatory than either better patient care or improving physician quality of life/workload.

Most medical facilities use badges for access. I think what you’re calling resistance is increased scrutiny, something you might not be used to dealing with in other fields.

Based on your sweeping generalizations tinged with bitterness I can only imagine most doctors that have to work with you professionally are going to be a bit on edge. The reaction you’re getting from all these physicians you’re working with is probably related to what I can only imagine is a shitty attitude.

Also in security for a long time, spending a lot of that with hospitals and healthcare organizations. My experience matches the parent's. Your points are very valid but doctors can definitely be dicks as well.

Why you are resistant is important but you must follow the rules. Bad things beyond your imagination will happen if you click on that email link. The increased scrutiny allows for better patient tracking and care. That needs to be the priority.

Regulatory paperwork and billing are the reason why you are putting in information into the computer. Without these the medical centre closes. Getting the correct information to that department is part of the role.

The better approach would be to automatically filter email containing dangerous links, or automatically prevent whatever dangerous thing happens when that link is clicked. Is it hard? Sure, but the goal is to maintain security without creating an additional burden for the user.

I'm a student doctor with a CS undergrad. I'm constantly gobsmacked by how horrible the computer systems doctors are forced to use are. They're pretty much abusive to use.

The hours and hours of physician time that are thrown away into mindless box-ticking, copy-pasting, button-pushing, and general head-banging is astounding.

If doctors are resistant to new IT hurdles it is, at least in part, because they're already faced with a decathlon-esque ritual to achieve their basic day's work.

Yep. Never blame users for raging at the system until you understand the system as well as they do. Techies have it easy: they only have one job and that’s all they ever do. It looks very different from the other side.

(Protip: The key to delivering successful software is not to learn programming, it is to learn your users.)

(Oh, and good luck with your medical studies; world needs good Renaissance [Wo]Men now more than ever.)

> (Oh, and good luck with your medical studies; world needs good Renaissance [Wo]Men now more than ever.)

Why now more than ever?

Growing complexity. Struggling scalability. Overspecialization. Balkanization. Failures of accountability.

OP’s firsthand observation on the awful state of programmer-produced medical software, the original linked article, and notoriously lethal software disasters such as Therac-25 provide frightening cases in point. These things are not accidents. Programmers who only know how to program are as much use as managers who only know how to manage. And this world has far too many of both.

Look, any idiot can hack teh codez. Learning the problem domain; that’s the hard part. It is also the critical core of the job. Because if you don’t/won’t/can’t understand the problem, how do you possibly expect to solve it?

Especially when that problem space is something as vast, complicated, and utterly unforgiving as millions of people’s healthcare.

I've never seen a programmer produced medical system.

Do you realize these systems are designed by respected doctors and product managers? They tell the programmers exactly what to do. When something vague comes up the product manager talks to his stakeholders and decides how to proceed. When the project is done the doctor/project manager group go over everything and make changes.

They decide things like how it looks is not as important as making sure you checkmark this section if you need to.

The priority is on reducing errors never on making the experience better for the computer operator (you).

This is an interesting point.

In fact the few medical IT systems I've seen that were actually built by doctors - that meaning doctors who code actually coded these systems themselves - are among the nicest (and most easy to use in a non-insane, secure, reasonable way) systems I've seen.

I think the important difference here is that it's very hard to "design" software if you are a doctor who knows a lot about medicine, and your existing paper processes, but know very little about software. It is important to understand the medium (software) as well as the domain (medicine) to build the right product.

Yup. In an ideal world, all systems would be built by domain experts who are trained to program.

I cut my teeth as a self-taught scripter/automator before going professional and eventually becoming a writer/educator myself, so I’ve seen plenty of every combination (and produced all of them too;). And I would much rather teach professional doctors how to make their own solutions than teach professional programmers how to write software for doctors. Because one of these audiences has a massive self-interest in getting a product that also works for themselves, while the other is satisfied in taking a paycheck while ticking some boxes†.

That is to say; Incentivization is Everything.


† Which is not to say you don’t need—and want—formally-educated full-time developers in the mix as well; because good ones bring important transferable experience and insight into the more abstract aspects of system development like scalability and security. And yes, there are great devs out there who understand it is Muhammad’s job to go to the mountain, and not vice-versa. But damn, is it hard to find ’em.

“Do you realize these systems are designed by respected doctors and product managers? They tell the programmers exactly what to do.”

And here, in a nutshell, is EVERYTHING wrong in modern software development.

Doctors are NOT programmers. If they were, they wouldn’t need to hire programmers: they’d write the solution themselves!

Doctors are the domain experts. They understand medicine, and procedures in its current practice, and the reasons why things are done the way they are.

Conversely, the programmers’ job is not to write code. Any monkey can do that. It is to learn the problem space; to extract from the domain experts sufficient knowledge and insight to understand those procedures and why they are as they are for themselves. And then, starting from there, synthesize a new solution that does it all better.

And the PMs’ job is to mediate that learning process; to ensure both parties understand these objectives and keep them on track; and otherwise keep the hell out of their way.

Whereas current industry practice is for programmers to sit with their thumbs up their asses, expecting others to tell them exactly what to do so they don’t have to learn, while PMs micromanage all the minutiae so they never have to take responsibility for the house itself burning down.

This is like civilian government telling the military how to fight their war (e.g. Iraq War, 2003…2???), or the “Official European Joke” about Heaven and Hell. And not only are we in the Hell part, the Programmers and PMs—who are supposed to be the highly-paid professional problem solvers here—really seem to believe that this hell we’re in is “How Things Should Be”; and thus only serve to multiply those problems instead.


FFS, I eventually got so sick of it all that I taught myself how to program (ugh), just so I wouldn’t have to go through all these useless spanners any more.

And, it pains me to say, software development is the first (and still only) career in my half-century of life where I’ve NOT felt crippled with Impostor Syndrome. Because the impostor, I realized, was everyone else.

> And, it pains me to say, software development is the first (and still only) career in my half-century of life where I’ve NOT felt crippled with Impostor Syndrome. Because the impostor, I realized, was everyone else.

Can you expand on this?

I think that describes any enterprise software.

Likely at go-live/vendor selection, nobody wanted to revolutionize things in a way that could only be done on computer.

The successful vendor will be the one that can « make all of your paper stuff look/function/feel the same way on a computer ».

This minimizes training, development and changing the workflow you used for 20 years. Which checks every department’s checkboxes.

So you end up with the worst aspects of paper, with few of the benefits of technology.

Does this have anything to do with Epic Systems software, in your opinion?

It goes both ways. I keep telling the IT people at my hospital to stop using SMS 2-factor and they blow me off and treat me like an idiot.

Anyway, ‘Doctors’ are a pretty diverse bunch, and most of them aren’t arrogant porn-fiends.

SMS for 2FA isn't good, but it's still better than no 2FA at all.

Depending on how many systems they have it integrated with that could end up being a huge undertaking for them and they've probably been cut to the point where another huge undertaking may not be in the cards right now. If they're like a lot of large enterprises they may also still be trying to get rid of Windows 7 and Server 2008R2.

Edit: for example, are you full on Microsoft 365 Enterprise with Azure AD? I believe that ties in with Microsoft's Authenticator app. If you're strictly onsite traditional AD I think you'd need to look at Duo for 2FA that integrates nicely with AD, then also see what else you need to integrate it with that uses its own separate non-SSO authentication.

And while it's not huge, the question of "who's paying for the $3/6/9 monthly per user charges (contact sales if you have > 500 users)?" will come up, particularly if there are hundreds or thousands of external medical office users able to sign in through a portal system as well. (this is based on pricing from the Duo website)

Yes, I’m sure they have their reasons and their own priorities and constraints. Just like the doctors who decline to use basic authentication. See my point? Hospitals are notorious for passing the buck around.

As it happens there is a single web property for accessing a remote desktop, not multiple systems, and the hospital down the road funded by the same entity has implemented TOTP authentication.

Curious, why would a doctor decline to use basic password auth?

I have had a doctor tell me that his time was too important to waste it typing passwords. I had another one tell me, quite dramatically, "someone could die" while he was typing in a password. It's a profession where many have an "interesting" perspective on information protection. I have tons of tragicomic security stories from dealing with health care providers.

And they are right. Passwords are probably the wrong thing. Give the doctors a hardware token, a smartcard (and fit smartcard readers to everything doctors might expect to use) or use biometrics.

Might some doctors leave the smartcard in the reader for a PC they often use, then walk away? Yes, yes they might, and that is a behaviour you can start fighting with peer pressure, but doctors are right to think passwords are a waste of their time.

>And they are right. Passwords are probably the wrong thing. Give the doctors a hardware token, a smartcard (and fit smartcard readers to everything doctors might expect to use) or use biometrics.

This is spot on and in most cases this is the way most hospitals are moving, particularly by using the already-assigned ID badges as RFID tokens. But as I mentioned in a couple of other comments farther down, I have experienced situations in which even this is something that doctors refuse (in one case, because they were upset that we were asking them to keep their ID badge with them, which they apparently had a problem with doing).

It's the most frictionless solution I've seen in widespread adoption and probably the least prone to pushback, but that doesn't mean there's no pushback, which is the unfortunate point of my original comment at the top of the thread.

> And they are right. Passwords are probably the wrong thing. Give the doctors a hardware token, a smartcard (and fit smartcard readers to everything doctors might expect to use) or use biometrics.

> Might some doctors leave the smartcard in the reader for a PC they often use, then walk away? Yes, yes they might, and that is a behaviour you can start fighting with peer pressure, but doctors are right to think passwords are a waste of their time.

At least at the hospitals I've been to this is implemented as an RFID tag on their ID badge, so it doubles as access control for both physical and software systems (as well as functioning as a charge card of sorts against the employee's company account for things like the cafeteria).

Yes, passwords are an annoyance, friction and a waste of time. Not to mention 2FA, which is worse. For the Dr, his utmost concern is to treat the patient, not deal with an extra layer of annoyance.

As an IT or security personel your job is to support them and assure security without creating extra friction or productivity loss. Yes it is hard but that is the challenge.

This is what is often neglected by security professionals, who just blame the user.

Hey, thanks for the condescension. You know what else our job as "security personel" (sic) is? Other than literacy, it's matching controls to risk. The guy who talked about "people dying" was a urologist; I can assure you that no one was going to die in his office because of passwords. So, yes, we should reduce friction where it's appropriate, but unless you understand the actual risk model, maybe you should keep your comments to yourself.

> The guy who talked about "people dying" was a urologist; I can assure you the no one was going to die in his office because of passwords.

I know of exactly one case where you would have been completely wrong. Emergency surgery straight from the urologists office is what saved the patient. Some people simply go to the hospital much too late when they have issues.

"people dying" might be exaggerated but nonetheless because of the password he is inconvenienced.

So you have to come up with different method.

For the security personnel, the Dr is the customer, and the customer is king.

The doctor is not the customer. The doctor and security personnel are coworkers in a business where the customer is the patient who is being treated and whose sensitive data is being stored.

It is indeed the shared responsibility of the security team to keep in mind that the customer requires quality medical care, and security should not interfere with that. Similarly, it is also the shared responsibility of the doctor to keep in mind that the customer also requires that their data remain secure, and their ludditism should not interfere with that, either.

Said much better than I could.

So the doctor has to ensure security in addition to treating patients? Why do we need security professionals then?

Yes, everyone has to participate in ensuring security; how completely divorced from reality do you have to be to think otherwise. And we need security professionals to remind everyone that security is important and we all have to be part of ensuring it.

Sure, but if it becomes annoying then most people, including me, will choose convenience over security every time.

That's where I criticize security professionals. They often disregard this end-user pain.

You have to find a frictionless solution that doesn't impact their productivity.

It is your responsibility to participate in the security of your customer's information. It is your fault if you "choose convenience over security". It is not anyone else's fault.

Ask yourself how you would feel if your bank just let someone access your account and steal your money. Would you forgive them if the bank said "well it would have been really annoying to have to check the person's identity before letting them take the money, so we chose convenience over security"? Of course not.

Security professionals are there to guide you and make security tools easier and less intrusive for you to use (and believe me, they want to make it easier for you, if only for the entirely self-serving reason of reducing the amounts of complaints they get), but even if the security tools are hard to use, it is your responsibility to still use them. You are not doing your job if you disregard them, and "it's annoying" is absolutely, 1000% not an excuse for potentially exposing the sensitive information of every one of your customers.

Trying to shift security to end user wouldn't improve security. Most people value convenience over security.

Then the bank is not doing a good job. It's the bank's responsibility to secure my account. How they do it is up to them. I don't really care what method they use as long as from my perspective it's frictionless and not annoying.

If you make security tools that are hard to use, then you are not doing a good job; be prepared for pushback and consequently a less secure environment.

As recently as maybe 20 years ago we learned a lot of patient infection in hospitals was caused by patient-to-doctor-to-patient transfer. Things like disposable gloves and hand cleaning stations at every bed were resisted by doctors initially as being over the top. Now they are ubiquitous once the benefits were proven. Maybe the same approach for IT as for germ security can be demonstrated, and that everyone needs to participate.

Or maybe make it easier, less annoying to use.

If people are supposed to look after their own health, why do they need doctors?

> Curious, why would a doctor decline to use basic password auth?

I'm not a (medical) doctor and I decline to use password authentication as well. Give me public key access or fuck off.

What happens if they forget their password?

From experience, users who come to IT and simply demand we do something because 'reasons' usually aren't prioritized for follow up.

Managers who come to IT and demand we do something and show us how it affects their work/department and perhaps the rest of the business and offer to be part of the solution making process often get first class attention.

Could it be IT is blowing you off because of how you're delivering your complaint about SMS 2FA without regard for their existing workload?

They likely have more than enough on their plates as it is to simply do something because someone from a department said something about it, and IT doesn't exactly pivot on lithium battery, especially in hospitals. That doesn't mean they don't care about your issue or request, but like every other department they have objectives and goals that were likely set well before your 2FA conversation even began.

You realise what you just did there right, without a hint of irony?

I hear you and I’m sure it’s frustrating, but I’d be curious to know if the security team has any reasons for sticking with SMS 2FA. I’d be willing to bet money that the reason they blow you off is because it’s a sore spot for them. They probably have tried to implement other MFA methods but were reprimanded by the medical staff because anything other than SMS is too complicated (I’m harping on doctors a lot, but I legitimately do cringe at the thought of even asking a typical MD to download an MFA app or carry around a physical token).

No, this is not the case. Anyway, it would be good just to have the option to not use SMS, they don’t need to migrate everyone off SMS at once.

> I keep telling the IT people at my hospital to stop using SMS 2-factor and they blow me off and treat me like an idiot.

Well... yeah. Nobody is sim swapping hospital staff.

It’s not great, but this isn’t a real threat they’re facing.

There are clearly targeted phishing attempts, I wouldn’t rule it out.

Edit: I should add, I was very surprised when I got a phishing email sent by the obviously compromised email account of a colleague, and when I emailed them to say their email was hacked, the person who hacked them replied telling me everything was OK, and to open the attachment.

You'd be surprised how much money flows through the medical system.

And how much of that flows through automated systems.

And how little of the total is actually audited on a detailed level.

>You'd be surprised how much money flows through the medical system

I wouldn’t, I just know that the crowd targeting hospitals for wire fraud is very different from the sim swappers.

It’s possible that this may change at some point, but that hasn’t happened yet and probably isn’t going to. Phishing is so easy and successful that SIM swapping just doesn’t make sense for these targets.

Porn fiends? Doctors don't have the time. But you must admit that the profession brings out some very arrogant traits. They usually express the point of view that they learned everything they needed to at med school and any new outside information is suspect and not important, including IT security.

I'm not sure how to reply to your comment. I know a lot of doctors personally, and less than 1% are what I would describe as very arrogant. Some specialties probably enrich for arrogant people, particularly cardiothoracics, cardiology or neurosurgery at large prestigious institutions, and some countries have a system which tends to permit arrogance (eg the USA).

“But you must admit that the profession brings out some very arrogant traits.”

Which one? You know we’re also talking about programmers, right?

In my experience, you are way off base. Doctors can be very arrogant but I've never met someone from another profession who could point me to research articles regarding their proposed plan of action. Doctors at major hospitals are often either a) residents who are in their nth year of learning post med school, or b) expected to publish at least case study papers regularly or communicate with those that do.

Physician here (neuroradiologist) and after working at several hospitals in the US and abroad, let me be really clear about this:

1) I have never seen a health care organization ANYWHERE where the physicians determine the IT policy (including and especially the IT security policy).

2) Universally, healthcare organizations use the bloated garbage that gets passed off as EMRs and affiliated garbage software. None of this is up to physicians. It's up to the administrative and bureaucratic parasites that have infested healthcare at every level and based largely (I assume) on crony relationships, because it's certainly not based on competence.

3) Healthcare IT is the most abysmal software anyone anywhere has ever devised to perform any task. Systems like EPIC are bloated, barely functional trash that systems have wasted billions of dollars on. The various components of departmental IT do not co-ordinate with one another, crash on a daily basis, are not fit for purpose and would embarrass engineers in any other industry.

It comes as no surprise that security for these systems is piss-poor, just like everything else about these systems. Blaming doctors for this administrative mess, whilst not unexpected, is disingenuous at best (of course this is what healthcare administration excel at - making a mess and blaming physicians).

This is why in starting up my own little IT services company I'm planning on not serving medical clients.

"HIPAA? I'm sure we're just fine, and no you can't take away my Windows 7 PCs."

I get the feeling big law is just as bad.

I never worked for big law, but medium law is terrible. Partners can just order the IT department to do anything. We had a new head of IT that tried to implement some common sense changes for an organization that handles sensitive data. Basic stuff: Block websites that tend to be malware vectors, don't let users be admins on their own machines, restrict USB storage to certain users, etc. We were forced to override it on the partners machines almost immediately.

Restricting partners' USB access? Restricting websites and restricting install permissions.

Overkill and probably the opposite of what they envision an IT department doing.

In my experience with biglaw (a single top 10 firm), their IT and in particular information security was top notch. Having a lot of available capital to work with probably helps.

Which firm?

The example you cite is so egregious (and unlikely) that there isn't a hospital in the US today where a physician who did anything remotely close to what you describe wouldn't immediately be fired (appropriately I might add).

The bigger issue is how did the vendor or IT department responsible for the network allow routine internet access to interface with critical healthcare or financial infrastructure? (You don't have to be looking at porn to be on the wrong side of a phishing scam).

Clearly you've had bad experiences with (some) doctors - generalizing that experience and extrapolating it to the issue of IT security is deeply flawed reasoning.

This is a little off-topic, but I work in a school and sometimes get the same feeling from teachers. I imagine CEOs of companies that get breached because of stupid preventable reasons are also similar. My point is that I don't think this mindset is limited to doctors, though doctors may take it to another level.

It really applies to every industry -- people push back against things that they see as impediments to their work. Many/most HN visitors are software developers, and if you've worked in a Fortune 500 virtually all of us have gone to war with IT. "Don't they understand that we're special and we need special rights and privileges" etc. And often we have legitimate grievances because often arbitrary, counter-productive, productivity-sapping restrictions weigh us down. Often they're illusions of security.

And I'm sure on some IT admin board they talk about all of those entitled developers and this one time this one developer did something really stupid, ergo all developers are god-complex dummies.

Have you worked with doctors? When I did, I'd routinely sit in a room with 10-25 people and wait for hours for a doctor to show up to a meeting they'd scheduled, only to be told by a secretary he was busy. Everyone I know who has worked with doctors has similar stories.

This hasn't happened to me with any other position in any other organization, including vice presidents of Fortune 500 companies.

I'm not claiming that doctors are interchangeable with other careers. Doctors often have higher priorities that can absolutely intrude at any time: An emergent medical situation is far more important than a meeting about document retention, for instance. For that VP, or CEO for that matter, those meetings are a major priority of their job.

Instead I was pointing out that there are many fields where people resist IT-style policies, and many special snowflakes that believe (often rightly) that they are a unique situation.

Often in tales like this the worst scenarios arise because some people aren't equipped at managing expectations and communicating reasons and benefits. If yet another vendor comes in with yet another system and yet another set of demands and obligations, to someone who sees it as a hindrance to their work product there will be resistance. Understanding and communicating in a way that, to use lame corporate speak, aligns goals makes things go much smoother.

Sorry, I didn't mean to make the argument that doctors are unique in pushing against IT policies.

But they do push back uniquely hard. My experience and almost everyone I've talked to in Medical IT have had the same experience. Have you had a different one?

The difference is there's usually only 1 CEO, but in a medical organization there can be 1000's of doctors.

I am horrified... at how plausible this sounds.

Like many IT people, I google the heck out of a medical condition when I see doctors. Once I must have asked enough pertinent pointed questions that the doctor asked with a mix of sincerity AND condescension, “have you ever worked in a medical field?” No but like any curious individual I utilize the systems accumulating all human knowledge at our fingertips to inform myself... Doesn’t mean I can’t ultimately rely on your professional judgment, Sir

99% of the time doctors are annoyed by anyone who has researched and informed themselves on what their medical problems might be. The notable exception is when the doctor has repeatedly failed to accurately determine what's wrong. Then you're "allowed" to bring up your own ideas. I can't wait until the majority of work done by doctors is replaced with a small shell script. They will fight VERY hard to stop that from happening, and they're rich. So it will be a tough fight.

>doctors that insist that they shouldn’t be forced to use passwords (not even complicated passwords; ANY passwords).

Well, it is a clear voice of the customer. And it has a good reason behind it: time and effort that the customer would like to avoid wasting. Instead of disparaging the customers and their needs, how about listening to them and trying to really solve the issues? Maybe doctors, for example, would be happier having an RFID microchip injected under the skin than typing a password in? The security industry should start solving the issues for the benefit of users instead of pushing the crap down everybody's throats under the guise of the holy cow of "Security!".

>clicked a phishing link, and gave up his network credentials.

and you still continue to think that password based solutions are suitable there?

>I have never met a group of people more elitist and “too important to be bothered”

than security IT. Your post is a pretty good example of it.

In another company, we tried rolling out RFID badges that could be scanned at any workstation to log doctors in rather than passwords. This proved to be too inconvenient for doctors as well, and the system had to be rolled back within a month because doctors kept forgetting to keep their badge with them and would then throw a hissy fit because they wanted to go back to the old system where all workstations were permanently unlocked.

Security IT is, in my experience, one of the most amenable in terms of trying to come up with new ways to serve customers because the customers require it (all customers require it, not just doctors), but doctors are on an entirely different level when it comes to resistance to change.

In contrast to your experience, all VA physicians are obligated to use an ID card with a chip in order to login.

Indeed, other hospital chains do as well, which is why we viewed it as a good option and went down that path to begin with. In the case I'm referring to, everyone at the hospital already had badges and the thought was that removing password requirements and using the badges that everyone already had as a login would work well.

It didn't work, not because of technical issues, but because we didn't anticipate the high number of doctors that apparently had lost their badges and had never faced consequences for it (the culture at this hospital was "oh you forgot your badge? no worries, I'll just open the door for you"). When we then asked the medical staff to keep better track of their badges (not just for the login system but also because of general campus security) we received incredible pushback, and that's when we had to roll back the program.

IME, and as evidenced by the VA using a similar system as you mentioned, doctors are perfectly competent enough and able to use these systems and do just fine once they get used to the system. The issue is that they put up a fight more than anyone else when introducing something new, and oftentimes IME the new system never gets a chance before it's shot down.

Physicians sporadically not having badges sounds like an accreditation-threatening problem, for what it’s worth. (It depends on the institution’s self-stated standards, however.)

I'm not surprised to hear that. When I rolled off that project, the login system project was slowed down/put on hold while solving the badge situation was being prioritized. We definitely opened up a can of worms when we reported to leadership that the project was delayed because people weren't carrying their badges with them.

Doctors are not customers, patients with their expectation of privacy are. This is similar to doctors resisting keeping checklists [1] of what goes in and out of patients during operations.

Doctors are service providers and the service is lacking.

[1] https://hbr.org/2019/05/how-one-health-system-overcame-resis...

> This is similar to doctors resisting keeping checklists

Or how they refused to wash their hands between morgue and delivery after Semmelweis' discoveries.

Doctors see themselves as demigods. Not without reason, since other employees treat them as demigods, society and culture at large sees them as demigods as well.

> Doctors are not customers, patients with their expectation of privacy are.

In the US system, is the patient the customer, or the insurance company?

I work in healthcare outside the US and I’d argue that the system I’m in is also quite skewed. In private healthcare where I am, the patient is the person who turns up and pays, but their doctor holds the power to send their patients elsewhere, and so must be kept happy too.

>Instead of disparaging the customers and their needs how about listening to it and trying to really solve the issues.

That statement applies to about 95% of the many issues we face these days. Blaming is apparently easier than solving.

"An attacker then used those credentials to breach the network and siphoned several hundred thousand dollars from the financial system (wiring money to himself)."

You're telling me the CEO was unfazed when they learned this was the reason you were locking down the system due to the doctor's own ineptitude and breaking company policy looking at porn and exposing them to direct financial loss and liability (lawsuits from PII data being breached and exfiltrated, etc)?

The doctor put the whole hospital at risk and could have cost them millions and got that cryptolocker attack holding their data hostage indefinitely.

The CEO should be thanking you guys for catching these huge security ($$$) breaches.

I wouldn't say unfazed, but as I recall the reaction was more that the doctor wasn't to be blamed and that it was security's fault for not only "allowing" the breach to happen, but also for inconveniencing the doctor.

At the organizations I worked with, doctors really have carte blanche privilege to get away with anything as long as they claim "it's for a patient". Even the C-suite will bend over backwards for MDs.

> I have never met a group of people more elitist and “too important to be bothered” by security than doctors.

In my opinion, they're the only bunch that gets it right.

Security should work correctly and not bother me. Period.

The fact that it doesn't is laziness on the part of the security vendors.

The bigger problem is that if security ever allows a user to make an incorrect security decision, it's probably worse than no security at all.

> patient safety is more important than security

Ultimately these are linked; imagine ransomware blocking a medical device necessary to save lives, or tampering with settings of an x-ray machine.

People are constantly targeting every aspect of the physician workflow, from CMS and private payors constantly changing their documentation requirements (which differ between payors and CMS, and results in hospitals trying to teach their docs to document everything to meet everyone's requirements - which are made intentionally lengthy and obtuse so as to justify denials of payment), quality improvement people and vendors populating the EMR with shit-tons of Alerts! meant to prevent medical errors (but, due to specific medical contexts justifying deviations from the textbook standard, the false positives vastly outweigh true positives, to the point where the alerts as a whole are utterly ignored), etc.

It's easy to complain doctors resist (this particular workflow change), which is SO important because it affects PATIENT LIVES (because it's in the healthcare setting, so EVERYTHING DOES) damn entitled doctors. Then recall that every single time a doctor asks a nurse to do something that nurse will say "oh, just enter a communication order." And because your security set up your RFID to only work on a computer where you've already logged in earlier, and you're running around the hospital constantly, those badges aren't worth shit >half the time.

It's easy to complain about doctors' resistance to various evolutions of their digital workflow, until you realize that nearly every evolution adds complexity and time-burden to their workload in a way that does not directly improve patient care, but slows down their work, increases complexity (which does adversely impact patient care), and lengthens their workday (because their patient workload isn't reduced in the slightest by this.) I don't know a single doc that doesn't do significant unpaid after-hours work catching up to their digital bullshit; you also would resist non-mission-critical additions to your unpaid workload.

It's easy to treat physicians as entitled and resisting "just to resist", rather than understanding that the physician workflow is constantly changing, from every possible angle, and most often for reasons wildly unrelated to the immediate task of "taking care of the patient in front of me". You'd resist under those circumstances, too.

There's a reason about half of physicians nationwide (https://www.medscape.com/slideshow/2019-lifestyle-burnout-de...) are burned out. HALF. That's what happens when your ability to do your job is constantly fucked with. Perhaps you should consider what that means, and how that relates to what you're saying, rather than asserting doctors are just too damn self-important to change.

I'm sympathetic to this, and in other threads I would usually be the first person coming to the defense of doctors and harping on how complex and terrible EMR and other medical software is. But that's not what I'm talking about.

I'm not talking about complex software. I'm not talking about instances where doctors are asked to learn an entirely new records management or scheduling system. I'm not talking about the type of systems where you have to interrupt your day with an extra training session on how to navigate the interface.

I'm talking about the most basic, bare minimum interactions with security systems that every other person in every other industry has absolutely no issue with, but for some reason doctors refuse to accept. I'm talking about stuff as simple as swiping your ID badge on a reader to gain access to restricted areas. I'm talking about not using work computers to look at porn. I'm talking about basic awareness when it comes to not disclosing sensitive information to a random person in the hallway.

Another commenter brought up the number of passwords as a complaint. Again, I'm sympathetic to this. This is why one of my major areas of focus is implementing SSO solutions to cut down on the number of passwords that users have to remember. Except in one instance we had delays rolling out SSO not because the system was complicated to use, but because doctors complained that they didn't like the color of the SSO UI. They insisted it be blue rather than yellow and wanted to scrap the entire project because of it. That's the type of resistance I'm talking about.

These aren't difficult or complex things. We are talking about highly educated, highly paid individuals handling highly sensitive information. They should be held to higher standards, not treated like children just because they work long hours.

Speaking of working long hours, the second half of your post is just a minor glimpse of the elitism I'm referring to. Are you under the impression that medicine is the only profession in which people experience burnout? Do you think that only doctors have to deal with constantly changing work environments and the never-ending cycle of evolving technology?

Every profession deals with these things. Lawyers, accountants, bankers, social workers, police officers, and educators are just examples of professions that have similar or higher burnout rates than doctors. Every single one of these also has to deal with immense amounts of bureaucratic processes, regulations, and inefficient software that is constantly changing and affecting their daily workflow. And yet in my years of consulting I have never met a group that was as egotistically opposed to the use of technology as doctors are. Even investment bankers, who tend to be the most egotistical assholes with an attitude of "I make millions of dollars a day for this company, I don't have to listen to you puny IT people", still don't hold a candle to the willful ludditism of doctors I've worked with.

> Except in one instance we had delays rolling out SSO not because the system was complicated to use, but because doctors complained that they didn't like the color of the SSO UI. They insisted it be blue rather than yellow and wanted to scrap the entire project because of it. That's the type of resistance I'm talking about.

Is it really the hill you want to die on?

Just change the damn widget color if it is so important to them! Client is king!!

Ha, I agree! We were willing, able, (and did) change the color relatively easily. I'm just using it as an example of the type of pushback I've gotten. The doctors were the ones willing to die on that hill; they wanted to cancel the entire project and their reasoning was the color, and they didn't even care to hear that it could easily be changed. In that case it really did feel like resistance for resistance's sake.

Or they didn't really want the change. Or (devil's advocate) maybe they had a very good reason you did not know. Like, they'd asked repeatedly for that before. It takes a special straw to break a camel's back.

This reminds me of the M&Ms color in rock concert artists' rooms: a canary in the mine for the venue having ignored more important requests.

> There's a reason about half of physicians nationwide (https://www.medscape.com/slideshow/2019-lifestyle-burnout-de...) are burned out. HALF. That's what happens when your ability to do your job is constantly fucked with. Perhaps you should consider what that means, and how that relates to what you're saying, rather than asserting doctors are just too damn self-important to change.

Paywalled, but nonetheless, I wonder how that rate compares to other industries. And how much has to do with physicians usually being unable to switch industries without a massive pay cut.

Dunno if doctors are particularly too self-important to change than anyone else, but if someone was, I could see that inability itself leading to burnout when things even slightly change around you.

That exact attitude the doctors have is so common in other occupations, I’ve experienced it with lawyers.

It's IT's job to provide security without having to inconvenience the user. You can't just add an extra layer of inconvenience for the sake of security. Your ultimate goal should be to provide security without adding additional inconvenience to the user, or without the user noticing it at all.

> It's IT's job to provide security without having to inconvenience the user. You can't just add an extra layer of inconvenience for the sake of security. Your ultimate goal should be to provide security without adding additional inconvenience to the user, or without the user noticing it at all.

We trade convenience for security every single day. Ever get locked out of your house because you forgot your keys? Why is that level of inconvenience (requiring keys on doors) okay but it's up to a security team to only implement security solutions which are frictionless and require zero change to workflows?

Further, if we require keys on our doors, why wouldn't we require similar measures on software systems? If they are inconvenient, they are inconvenient compared to what? No security?

>We trade convenience for security every single day

Which totally sucks.

>Ever get locked out of your house because you forgot your keys? Why is that level of inconvenience (requiring keys on doors) okay

I would not say that is okay, that sucks too.

Just curious, are you joking, or are you serious?


Putting obviously unprofessional behaviour aside, there are good reasons why they have this attitude, although it is disappointing. First of all, as we all know, passwords are actually not a good solution to the problem of authentication. So we are asking people to participate in a system which we don't think is great and has serious usability issues for the non-technical. I know this isn't what doctors are actually thinking explicitly, but the point still needs to be made.

Secondly, doctors are busy and have unpredictable workloads. They also have limited ability to delegate or ask for help if they are oversubscribed. This means if you add 10 minutes to their day, it will actually extend their working day by 10 minutes, and the things they have to do may take them until 10pm at night or worse (I semi-regularly finish documenting things after midnight, and I am not working night shift). They are understandably allergic to things which seem to increase the amount of stuff they have to do.

Unfortunately, if you are a small IT vendor trying to introduce a service or a product to a large hospital (the bigger it is, the bigger the problem), you are going to have a difficult time. This is just the reality, which we can complain about, but there it is.

There are strategies which can improve uptake and reduce resistance, but they only really work for large well-resourced vendors who are doing large projects:

1. Get the hospital to create a role for a doctor to be the clinical lead of whatever IT infrastructure you are trying to implement.

2. Bundle a large number of changes together, including obviously beneficial ones which save time (like an integrated EMR or paperless ordering) with important ones (like proper auth).

3. Make sure the institution has a lot of skin in the game, usually due to a large financial investment, or meeting some performance indicator, or keeping up with another competing institution.

4. Get the institution to reduce the workload when new systems are being implemented. This might sound obvious, but it makes a difference if you give doctors a bit of breathing room to adapt to a new service.

5. Publish some metric of how well each group of doctors is using a service in an email each week that gets sent to everyone.

6. Constantly remind everyone of why things are better after something has been implemented. I get hospital wide emails all the time about bake sales and other useless stuff, nobody sends emails celebrating or outlining why a recent change in IT infrastructure is making a positive difference. The only IT emails that get sent are when something is broken. Not surprisingly, this makes everyone sceptical of any new IT system.

7. Avoid direct face to face contact between doctors and the IT vendors. Doctors don't want to talk to the IT people, and IT people don't want to talk to the doctors. It just isn't useful, and everyone leaves feeling unsatisfied. Disconnect the technical expertise from people that don't understand why it matters. Find some other way to interact, through support staff, clinical leads etc.

This stuff is part of the moat which large EMR providers have, they can actually do this stuff. I have seen it at play with Epic, whatever you think about the software, they have worked out some of the sociological aspects, and they understand that once the EMR is delivered, the process doesn't end.

I completely agree. I have friends in the medical field, and they hate their computer systems. One of them spends almost as much time on data entry as he does with his patients. He has to double and sometimes triple enter data. He’s probably going to end up hiring someone to do that full time, which is so obviously a totally broken system.

> One of them spends almost as much time on data entry as he does with patients

...then he’s one of the lucky ones! One study found that for every hour a physician spends with a patient, she spends two on processing health records.


I mean, for every hour I spend writing production code - I spend an hour in agile meetings, and 2 hours chasing down obscure bugs in javascript libraries. Not that many professions are "do visible part of work 100%".

Heck, I hear bricklayers need to spend some time mixing cement and getting bricks off the truck, not just scooping mud and sticking bricks.

Health records ARE a big part of the product of a doctor. Keeping a good chart and finding trends over time is a big part of the service you need.

> Health records ARE a big part of the product of a doctor

I long for practices that would keep no record of my issues, except what I volunteer to them at the beginning of the consult. Many countries do that just fine, but for some reason in the US I am asked to fill pages on insignificant trivia to cover their ass or follow some weird law or tradition maybe?

I don't want perfect healthcare. Good enough is fine!

So now I just see doctors when traveling. Simpler, faster, and cheaper too.

Hum. So much about healthcare is about trends. How your blood pressure is today vs a month ago matters a lot more than holding up your number to a chart. Having actual good medical history would be super helpful.

Then I will keep the records, or my smart watch or smart phone.

Your analogies would make more sense if you spent 2 hours on documentation for every hour you spent coding or bug finding.

If that documentation includes user manuals, sign me up!

A mostly functional program with amazing docs beats a more functional black box.

This was my immediate thought at the headline, doctors-who-what-now?

This feels informed from the technology side, and profoundly ignorant of how health care IT actually works (especially in the United States).

When it comes to healthcare, everything is always the doctor's fault. It's convenient to have a single target to blame for everything that goes wrong in the industry. Never mind that most physicians are just employees, with plenty of layers of management, in massive organizations, with extremely heavy regulatory oversight.

If an organization that runs three hospitals can't put together the IT to secure their PACS system with a decent password, that's the fault of the physician about as much as it's the fault of the nurse, the janitor, the cafeteria chef, etc.

WTF is with people blaming doctors for literally everything related to healthcare? Do they not understand we haven't been in charge of anything for a couple of decades now? Since the combined rise of HMOs and Medicare/Medicaid, and the massive hospital M&A splurge, we're just line workers. We try to do our best by patients, but we ain't in charge of anything.

A brand new account posting scathing anti-government anti-regulation content? HIPAA and HITECH and the other legislation that you're likely referring to pushed a stagnant industry in the right direction. Yes there is pain with growth but patients are far better off for it, which is what the end goal was.

Yes, because I am a lurker that was moved to post by the degree to which I disagreed with the article. Please restrict yourself to actually arguing with the content of my posts, and not going ad hominem. It's both against the rules of HN, and just shitty.

You say "pushed a stagnant industry", I say "hostility to small practices." Large hospitals were already moving onto EMR to better handle the volume of their data, if not already having done so. It's small practices that couldn't afford things like EPIC, and were forced to move onto free, ad-revenue-driven crap like PracticeFusion that just made everything slower and worse, without improving shit for patients.

Are some patients better off for it? I think so. I appreciate web portals, which wouldn't have existed otherwise. I don't appreciate the death of small practices, the majority of whom are now selling out at cost to large hospital chains.

At my annual physical, as my doctor was typing away at data entry on a laptop in the exam room, I asked him whether he felt the new electronic systems had freed up his time to spend more time on patients, or whether they had taken time away from patients. He felt the latter.

I realize that anecdote is not data, and I'm not sure what metric of 'better' you're using, but I wouldn't be too hasty to claim technology as an unalloyed good in health care.

Thing is, people will overlook the elements that are faster and focus on the slower.

Lab results for any patient at a click or two? Ignored.

Changing a med order to be stopped in 27 hours? Guaranteed to be flagged to the nurse at the exact right time.

As much as I complain about Google’s changes (stop ignoring my double quotes!), it’s probably improved overall despite its constant attacks.

... he says under an article about how a billion patient images are publicly available... smh.

> no real ROI to be seen from it.

I just did a brief Google, and the situation seems to be the same as always - there isn’t a clear win financially when a PACS is installed. They are expensive to buy, to run and to maintain and the gains are often hard to measure financially. Having a minimum wage worker sort old films and carry them to where they are needed was cheap compared to the wages and hardware a large hospital needs to pay for when a large PACS goes in.

The number of people who miss hard copy film must be very small however, that world was archaic.

Inasmuch as “Caveat Emptor” is the Latin to live by, physicians and hospitals are indeed responsible for making sure what they’ve just bought is safe and fit for purpose. Especially with HIPAA et al already breathing down their necks.

The big problem is that tech grifters, just like AltMed scamsters, are just way quicker and better at burying all their shit than surgeons and scientists are at digging it out again. And, to be fair, doctors do already have far more pressing things to be digging out: wood spales, fence railings, guinea worms, and so on. Hence the need to hire in [ostensible] specialists in the first place.

Still, be consoled that us countries with socialized healthcare are just as adept at Medical IT disasters as yours are. :/


“A lie can travel halfway around the world before the truth can get its boots on.” Of course, this was before we invented the networked computer.

You're right, this is a very irritating take.

From what I understand these DICOM devices are insecure by default: you can just connect to them and download data, and they expect their users to make them secure with network separation etc. That's not a realistic expectation if your customers aren't IT security professionals. And there's no reason to create such a flawed design; a simple password would be a huge improvement.

In such a case the blame should fully go to the vendor.

How about those health care professionals not logging out of their sessions, writing their passwords on sticky notes and just generally leaving their computers unlocked for anybody to browse through? It's always easy to blame the "maker" and say "I'm an idiot, make this idiot proof." Do you really want people treating you while they're in the mindset of an idiot? If there is one field in the entire universe where you can't blame the tools for your own idiocy, it is health care! I want you, the doctor, to bend over backwards to be at the top of your game ALWAYS, not just when you are doing brain surgery. I want you to be the ONE that I can trust 100% to have my interests in mind instead of playing blame games.

If a physician's office installed something like this on their own, I'd be horrified.

The key takeaway from that article, for me, is that the government body that is supposed to monitor, enforce, and penalize organizations who fail to follow the HIPAA rules is basically doing nothing.

So with no consequence to these massive lapses, why would these companies care?

This is the wrong takeaway.

The article states pretty clearly from the interview with Senator Mark Warner:

> “To my knowledge, Health and Human Services has done nothing about it,” Warner told TechCrunch. “As Health and Human Services aggressively pushes to permit a wider range of parties to have access to the sensitive health information of American patients without traditional privacy protections attached to that information, HHS’s inattention to this particular incident becomes even more troubling,” he added.

It's not that they're doing nothing, they're supposedly making it worse.

They're also underfunded. OCR budget dropped to 10% of its previous budget between 2017 and 2018:


So, when you ask "why would these companies care?", I think the current federal government is trying to say "these companies _should not_ care."


My honest opinion is that they know healthcare specifically is so far behind meeting their regulatory requirements that they have been trying to slowly phase in penalties.

Office for Civil Rights (OCR) https://www.hhs.gov/ocr/index.html

Underfunded...just like the IRS.

  % curl -L 'https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/'
  curl: (7) Failed to connect to guce.advertising.com port 443: Connection refused

I have a lying DNS server, and it's getting ridiculous.

Here's the outline for people who care about privacy/tracking/GDPR, etc. https://outline.com/Ep5u4K

For now I'd be happy if techcrunch was blocked so people had to submit other sources.

I've not been able to find a way to read content on that domain for months now.


PS: unlike many here I've little against ads as long as they aren't tracking me, but the "consent screen" on techcrunch is less "consent" and more "strongarm".

PPS: as others are mentioning, the whole thing seems to be compliance theater, since they seem to set a tracking cookie before even displaying the consent screen :-/

I'm on Firefox Preview for Android and am having no problems with the article. No ads, popups etc. Just pure content.

Just curious, but why are you using "-L"?

Without it, just doing -o to an .html file opens fine in the browser for reading. I feel like I'm missing something here.

From the man page:

  -L, --location
      (HTTP) If the server reports that the requested page has moved to a different location (indicated with a Location: header and a 3XX response code), this option will make curl redo the request on the new place. If used together with -i, --include or -I, --head, headers from all requested pages will be shown. When authentication is used, curl only sends its credentials to the initial host. If a redirect takes curl to a different host, it won't be able to intercept the user+password. See also --location-trusted on how to change this. You can limit the amount of redirects to follow by using the --max-redirs option.

      When curl follows a redirect and the request is not a plain GET (for example POST or PUT), it will do the following request with a GET if the HTTP response was 301, 302, or 303. If the response code was any other 3xx code, curl will re-send the following request using the same unmodified method.

      You can tell curl to not change the non-GET request method to GET after a 30x response by using the dedicated options for that: --post301, --post302 and --post303.

I read the man page and I understand what -L does, but I still don't understand why the -L is needed in this particular case when the request works ok without it.

Is the user only wanting to curl the original page, with any redirects considered bad, etc.?

When I tried to open the page on my machine (with chrome) it failed on a host I don't know (advertising.com). So I tried to see what happened: `curl -L` allows me to do that.

And yes, this kind of half-assed redirect is breaking, and a total disregard for my trying to trust the original host. This kind of behavior I expect from sites victim of an XSS, not a "normal" website.

Here is the entire curl trace: http://ix.io/277P

Yahoo/AOL/Oath want to set an advertising cookie before you visit any of their sites.

No, they redirect you to an advertising domain.

Exactly the same here. Wow.

From Techcrunch's article it looks like it's possible to see so-called "protected health information" (PHI) in these images. PHI includes patient names, diagnoses, hospital and doctor names, contact information, and so forth. It's sometimes possible to "de-identify" medical images by scrubbing off patient info. But I bet most of these are not de-identified.

The examples in the TechCrunch article are redacted, but I guess that was done for publication and not on the stored images themselves.

In the USA, HIPAA and ARRA 2009 (follow-on legislation) made it a federal crime to knowingly or negligently disclose PHI. It's a crime that "pierces the corporate veil." That is, natural persons can be tried and convicted, even if they were acting on behalf of corporations.

The Centers for Medicare and Medicaid Services (CMS) has a Breach Notification Rule, requiring holders of data to notify patients and CMS themselves if PHI is breached. https://www.hhs.gov/hipaa/for-professionals/breach-notificat...

CMS announces breaches involving 500 or more patient records here https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

It wouldn't surprise me if the people involved in securing these sloppily configured DICOM servers are in a state of panic. I was involved in dealing with an unintentional breach of 44 patient records a few years back, and yeah, we had some panic. (Misrouted fax messages was the root cause, for what it's worth.) Also observe that I remember to this day how many records leaked out. Breaches are a big deal. It stinks to be them. I know that for sure.

I hope they get it sorted out. It will take a while. It will also take a while for the affected medical professionals and their IT providers to start responding to these breach reports rationally. Kübler-Ross's stages of grieving are still in play for them: anger, denial, negotiation, etc.

On the user side, we have to jump through hoops and sign so many onerous paper HIPAA compliance forms at dr’s offices, to just get doctors to share records about us. On the backend it’s free for anyone to access. It’s all backwards!

The signature demands that really annoy me are the ones in which I must acknowledge that the provider has informed me of their HIPAA policies, which demands are seldom accompanied by actual information about HIPAA policies, which I probably wouldn't read anyway even if they were included.

Then refuse to sign: you can't be denied care for refusing communication of your records to 3rd parties. It's certainly better for your privacy too.

It feels like the places where security is of utmost importance like in banking, security cards or health are the worst at doing it.

At least, lack of security of credit cards is understandable as banks are profiting from fraud by charging the victim a fee.

In health? This must stop. It's a failure of regulatory bodies, as they throw so many junk policies around that the things that really require attention are just overlooked. The overabundance of paperwork and policies is not improving security, it's keeping away actors that could do way better.

There is the complicating factor that in health, safety can be more important than security: to keep a patient alive in an acute emergency, it is imperative that the doctor can see their data right now, while the fact that third parties can later see the data doesn't matter too much. The problem is that people tend to use the first aspect as a cheap excuse to do nothing about the second one.

They focus on visible security more than actually securing things. Example: making it very hard for a user to log into a system “because of security “ but not using security certificates to secure their email servers.

In 2009 I was building an enterprise medical imaging SaaS for hospitals, and we would constantly come across hospital IT admins who were adamantly against trusting a cloud vendor with their sensitive healthcare data - even one that's audited, security-checked and whose sole responsibility is to take care of these images.

We always thought it was a joke that these guys questioned us, when we knew how bad their internal security practices were. At some point around 2011-2012 we seized on the idea that holding your images inside of the hospital's four walls was a liability for them, and not a point of pride.

So, not at all surprised about this, nor about the complete lack of security practices at many of these healthcare IT vendors.

> In 2009 I was building an enterprise medical imaging SaaS for hospitals, and we would constantly come across hospital IT admins who were adamantly against trusting a cloud vendor with their sensitive healthcare data

This still rings very true in 2020.

Lots of open S3 buckets full of critical data not helping the counter argument. Security is hard, proving you’re secure to others more so. How do I know you’re not just storing my data in S3, abstracting away the mechanism, but your bucket policy or acls are garbage? I don’t. Cloud does not immediately mean more secure.

The point I was making isn't that the cloud is naturally more secure, it's that the company was 100% focused on medical imaging, not the 1000 projects a typical network/system admin at a hospital has to juggle.

Sensitive data should be thrown away and the medical images could improve on the current state of the art medical image database used for machine learning.

I'd be more than happy to publish my medical images with results if it would be used for an open database.

I have been at doctors in third world countries, where doctors don't get the same level of education, but try to use the best tools available without paying too much money.

Define sensitive data.

One of the challenges is that just deleting a name, say, doesn't necessarily fully anonymize a medical record/image. In general, I actually agree with you but anonymization/privacy is a challenging problem.

Adding enough medical data to the image to make it useful for scientific research would most likely also add enough data to deanonymize the image.

Could this data be anonymized and open-sourced for training diagnostic algorithms? It’s hard to put the genie back in the bottle so why not at least make some use of the images?

Possibly, though with only the images you'd be missing some useful info, like the actual outcome. Also they are likely not "high quality" images on average, so for example, if there is cancer present, it may not be identified in the image.

See https://www.cancerimagingarchive.net/ for some examples of carefully curated data.

Is it possible? The metadata is easy to anonymize. Uniquely identifying features shown in the images (scars, etc)? Not without destroying them.

How much is the data worth for machine learning if you do not have access to the interpretation (and annotations) for the data? That is the hard part.

But. Is it ethical or even legal to do so without patient consent? No (at least not in my country).

In theory, yes. I was working on doing this (for internal data) at a large healthcare system some time ago.

The de-id part was actually really easy since DICOM is a very standardized format and this hospital system had good practices in place to only input certain information about each patient.

Does it need to be anonymized since it is now public? Maybe just don't publish identifying information in your results.

DICOM is a standard that does too much. They should scrub everything related to networking and focus solely on encoding/decoding medical images.

As someone who deals with it every day, I completely agree. In fact, I mostly pretend the networking part doesn't exist anyway, and do all networking the normal way.

> DICOM

It's a great standard compared to HL7 though. That 'standard' is the bane of radiology's existence.

I work for one of the largest health care networks in the northeast US. Nearly all of our PACS use the default installer password - which in at least two cases is literally just the name of the company that makes it.

Clickbait-y headline; they forget to mention hospitals as well. Yes, doctors should be more responsive and responsible. But they're (only) doctors.

Hospitals, on the other hand, have staff dedicated to technology and such infrastructure.

Dr X being unaware of the implications is understandable. Perhaps not forgivable but certainly no surprise. But hospitals? They have no excuse.

I work in health, and I sometimes have to interact with the federal database of doctors. It's amazing the things you see in there.

There are doctors who don't know their own addresses. Can't spell the name of their town. Don't know their ZIP Code. Don't know the difference between a mailing address and a physical address. Don't keep their information current. Or sometimes don't even know what town they're in, putting a neighborhood or region on federal paperwork because "everybody knows where that is."

We assume that because doctors are smart at medicine, they should also be smart at computers. They're not. Just like my commercial airline pilot neighbor is great at flying transcontinental jumbo jets, but every few days has to shout across the street at me to ask if today's the day to put out the trash bins.

Not smart at computers, but maybe they are smart about computers. Everyone thinks old people can’t use tech but what if they don’t want to and that resistance is a manifestation of wisdom that’s incomprehensible to those without the same wisdom. To believe doctors as a class of people are less intelligent than average is silly and probably ego defensive. As a group doctors are of above average intelligence and certainly smarter than most of the people they work with in IT.

I think it’s the academic and professional institutions that are most culpable for the current state of things. They should have been the ones who foisted tech requirements on doctors; instead it was done through federal regulation. Most of the blame for most of today’s problems comes back to universities. If using tech is part of the job of being a doctor, then make it so from inside the profession.

There are different types of intelligence. Both fields require totally different talent, interests and skills. One is solving very abstract problems, the other is talking to people and learning a huge amount of information about how humans work.

I am good with abstract stuff, but in no way could I remember the amount of information about people that doctors do. I still have no idea what most of my bones or other things within me are named, and I have zero interest in it. I can imagine one could also be the other way around: have a huge amount of interest in people, but despise techy knowledge.

In the end, doctors and IT workers are so different from each other that they have a lot of trouble understanding one another. Remember, doctors never asked for all this abstract shit. Also, as you age you get more set in the field you chose. That is just the way people work. Not an excuse, or a reason one should not keep improving oneself.

You're really blaming the subjects of a database for errors in that database? There are many reasons for errors that have nothing to do with anything a physician might or might not have done.

Those subjects fill out the forms that end up in the database. It isn't some faceless government agency reading their minds. The data comes from what the doctors write down.

It sounds as if the physicians are not using the database themselves. Why would they expend extra effort to ensure its accuracy? Data that must be accurate must be carefully curated, and that isn't free. When we expect others to do work to make our lives easy, we may be disappointed.

I've contracted for some medical orgs and I can tell you there is plenty of blame to go around, and most of it belongs on the heads of administration (C-levels), who let doctors get away with things they shouldn't while at the same time underfunding and generally shitting on their IT departments. IT directors without the backbone or knowledge to speak boardroom and convince the C-levels to have their back are failing, doctors are failing, and administrations are failing when it comes to IT. Add all that to a complex regulatory scheme in which some vendors are basically immune to being dropped, plus overworked doctors and nurses because Congress keeps them artificially scarce, and it's a recipe for disaster.

To those making excuses for doctors, you should be ashamed of yourselves. There is enough blame for everyone in this case.

From the article :

"We’re not naming the affected organizations to limit the risk of exposing patient data."

However, a google inurl:dicom search sure shows up the affected organizations on the first page (and plenty pages after that).

And the sites are still fully open. Absolutely zero hacking required.

A lot of organizations had better get to work fast on this.

(edit: no images were viewed in the making of this post)

It's hard to know what Google returns for a different person these days, but inurl:dicom does not return anything suspect for me.

It's also worth noting that the types of systems mentioned in the article (unsecured PACS) would not show up on Google anyway. They must be accessed using one of the DICOM network protocols.
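Two comments above say what the exposure actually looks like on the wire: the devices are "insecure by default, you can just connect to them", and they are reached through "one of the DICOM network protocols" rather than HTTP, which is why a Google search turns up nothing. Below is an added example, not code from the thread or from any PACS vendor, of the first step a PACS-savvy tester takes: open a TCP connection to the DICOM port, send an A-ASSOCIATE-RQ proposing only the Verification SOP Class (the C-ECHO "ping"), and see whether the SCP accepts an association from an arbitrary calling AE title with no credentials at all. Everything is built from the PDU layouts in DICOM PS3.8 using only the standard library. Assumptions: the implementation class UID is a placeholder, the default called AE title "ANY-SCP" is a guess (many PACS reject unknown called titles with reason 7, which is not the same as being locked down), and the host/port are whatever you point it at; the offline part is `build_associate_rq` and `parse_associate_response`.

```python
import socket
import struct

# Well-known DICOM UIDs (PS3.7 / PS3.8); these are real values, not assumptions.
APP_CONTEXT_NAME = "1.2.840.10008.3.1.1.1"
VERIFICATION_SOP_CLASS = "1.2.840.10008.1.1"   # the C-ECHO "ping" service
IMPLICIT_VR_LE = "1.2.840.10008.1.2"
# Assumption: a placeholder implementation class UID for this probe only.
IMPL_CLASS_UID = "1.2.826.0.1.3680043.9.9999.1"

PDU_A_ASSOCIATE_RQ, PDU_A_ASSOCIATE_AC, PDU_A_ASSOCIATE_RJ, PDU_A_RELEASE_RQ = 0x01, 0x02, 0x03, 0x05


def _item(item_type: int, payload: bytes) -> bytes:
    # Variable item / sub-item header: type, reserved, 2-byte big-endian length.
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae_title(title: str) -> bytes:
    # AE titles are 16 bytes, space padded.
    return title.encode("ascii")[:16].ljust(16, b" ")


def build_associate_rq(called_ae: str, calling_ae: str, pc_id: int = 1) -> bytes:
    """A-ASSOCIATE-RQ proposing one presentation context: Verification SOP Class
    over implicit VR little endian (PS3.8 section 9.3.2)."""
    app_ctx = _item(0x10, APP_CONTEXT_NAME.encode("ascii"))
    pres_ctx = _item(0x20, struct.pack(">BBBB", pc_id, 0, 0, 0)
                     + _item(0x30, VERIFICATION_SOP_CLASS.encode("ascii"))
                     + _item(0x40, IMPLICIT_VR_LE.encode("ascii")))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384))   # max PDU length
                      + _item(0x52, IMPL_CLASS_UID.encode("ascii")))
    body = (struct.pack(">HH", 1, 0)                                  # protocol version 1, reserved
            + _ae_title(called_ae) + _ae_title(calling_ae) + bytes(32)
            + app_ctx + pres_ctx + user_info)
    return struct.pack(">BBI", PDU_A_ASSOCIATE_RQ, 0, len(body)) + body


def parse_associate_response(pdu: bytes) -> dict:
    """Decode A-ASSOCIATE-AC (with per-context results) or A-ASSOCIATE-RJ."""
    if len(pdu) < 6:
        raise ValueError("short PDU")
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    body = pdu[6:6 + length]
    if pdu_type == PDU_A_ASSOCIATE_RJ:
        # PS3.8 Table 9-21: reserved, result (1 permanent / 2 transient), source, reason.
        _, result, source, reason = struct.unpack(">BBBB", body[:4])
        return {"accepted": False, "result": result, "source": source,
                "reason": reason, "contexts": {}}
    if pdu_type != PDU_A_ASSOCIATE_AC:
        return {"accepted": False, "pdu_type": pdu_type, "contexts": {}}
    contexts = {}
    pos = 2 + 2 + 16 + 16 + 32          # fixed fields of the AC before the variable items
    while pos + 4 <= len(body):
        item_type, _, item_len = struct.unpack(">BBH", body[pos:pos + 4])
        payload = body[pos + 4:pos + 4 + item_len]
        if item_type == 0x21 and len(payload) >= 4:
            contexts[payload[0]] = payload[2]   # pc-id -> result (0 = accepted)
        pos += 4 + item_len
    return {"accepted": True, "contexts": contexts}


def accepts_anonymous_echo(result: dict) -> bool:
    """True when the peer accepted the association and our echo context."""
    return bool(result.get("accepted")) and 0 in result["contexts"].values()


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP",
          calling_ae: str = "PROBE", timeout: float = 5.0) -> dict:
    """Connect, send one A-ASSOCIATE-RQ, parse the reply, and release politely."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_associate_rq(called_ae, calling_ae))
        header = _recv_exact(s, 6)
        length = struct.unpack(">BBI", header)[2]
        result = parse_associate_response(header + _recv_exact(s, length))
        if result["accepted"]:
            s.sendall(struct.pack(">BBI", PDU_A_RELEASE_RQ, 0, 4) + bytes(4))
        return result


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 104))
```

An accepted echo from an unknown calling AE title means the same association can carry C-FIND and C-MOVE, i.e. full query and retrieval of studies, so it is the condition to alert on. Run it only against systems you are authorized to test; an A-ASSOCIATE-RQ is harmless to a healthy SCP, but some older modalities are fragile under unexpected peers.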

Fun experiment: use google maps API to search a major US metro area for medical practices. Pick out any websites that don't use TLS. Crawl them for HTML forms that include common PHI keywords. You'll find a lot. Those same practices are usually going to have a whole mess of more serious HIPAA issues.
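The "fun experiment" above stops at the description. As an added example (mine, not the commenter's), here is the form-inspection half of it, using only the standard library: parse a page, collect each form's field names, ids and placeholders, and report forms that both look like they collect PHI and submit to a plain http:// URL. Fetching the pages and the Maps API lookup are left out so this runs offline; the keyword list is an assumption to be tuned, and the sample page and its domain are constructed for the demo. It goes slightly beyond the comment in one respect: relative form actions inherit the page's scheme, so an http:// page with `action="/intake"` is flagged while an https:// page with the same markup is not.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that suggest a field collects protected health information.
# Assumption for the demo; tune it for the practices you look at.
PHI_KEYWORDS = ("ssn", "social", "dob", "birth", "diagnos", "insurance", "medicaid",
                "medicare", "patient", "prescription", "medication", "symptom")


class _FormCollector(HTMLParser):
    """Collect every <form> together with the names/ids/placeholders of its fields."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": urljoin(self.page_url, a.get("action", "")),
                             "method": a.get("method", "get").lower(), "fields": []}
        elif tag in ("input", "textarea", "select") and self._current is not None:
            self._current["fields"].append(" ".join(
                a[k] for k in ("name", "id", "placeholder", "aria-label") if a.get(k)))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def phi_forms_over_plaintext(page_url: str, html: str) -> list:
    """Forms that ask for PHI-looking fields and submit to an http:// URL."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        hits = sorted({kw for field in form["fields"] for kw in PHI_KEYWORDS if kw in field.lower()})
        if hits and urlsplit(form["action"]).scheme == "http":
            findings.append({"action": form["action"], "method": form["method"], "phi_hits": hits})
    return findings


def scan_pages(pages) -> dict:
    """pages: iterable of (url, html). Returns {url: findings} for pages with hits.
    Fetching is the caller's job; keep the crawl passive and never submit the forms."""
    results = {}
    for url, html in pages:
        findings = phi_forms_over_plaintext(url, html)
        if findings:
            results[url] = findings
    return results


# Constructed sample page for the demo (not a real practice).
SAMPLE_PAGE_URL = "http://example-clinic.invalid/new-patients"
SAMPLE_HTML = """
<form action="/intake" method="post">
  <input name="patient_name">
  <input name="dob" placeholder="Date of birth">
  <input name="ssn">
  <input name="insurance_id">
  <textarea name="symptoms"></textarea>
</form>
<form action="https://newsletter.example.invalid/subscribe" method="post">
  <input name="email">
</form>
"""

if __name__ == "__main__":
    print(scan_pages([(SAMPLE_PAGE_URL, SAMPLE_HTML)]))
```

A hit here is evidence of a transport problem, not proof of a HIPAA violation; the practice may never store what the form collects. It is, as the comment says, a cheap indicator that the rest of the practice's IT deserves a closer look.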

Not only is transport security mostly lacking in DICOM, but there is little to no notion of access control for records. And I'm not just talking DICOM, but the apps themselves. It's no surprise though, when the DICOM standard has sections like this:

> The DICOM Standard does not address issues of security policies, though clearly adherence to appropriate security policies is necessary for any level of security. The Standard only provides mechanisms that could be used to implement security policies with regard to the interchange of DICOM objects between Application Entities. For example, a security policy may dictate some level of access control. This Standard does not consider access control policies, but does provide the technological means for the Application Entities involved to exchange sufficient information to implement access control policies.


The original DICOM TCP protocol requires that every device connected use an encrypted tunnel, and it's not easy to get all the device vendors to agree on which ones to use, and then update their software. DICOM Web Services are a thing, and at least they would get HTTPS basically for free from their choice of web client and server.

HIPAA has been out since the 90's so we need to get more fines against the providers to make them implement confidentiality and access controls. It's actually the GDPR which is now driving access controls rather than HIPAA.

To be fair though, the DICOM folks are busy constantly trying to standardize new image data coming from innovations in the modalities (scanners).

https://picsafe.com is a HIPAA compliant tool that solves this. Until penalties are applied, health organizations won't act on this.

No, picsafe does not solve the issues described in the article. What makes you think it does?

If this article is correct, it's such a huge problem that health systems are likely to hesitate to take steps toward basic imaging security, because they won't know what to do first.

I think what to do first is really quite simple: Do not let back-end servers face the internet.

I wish one of my past providers was impacted by this a few years ago. I had to waste hours and thousands on MRIs when a practice closed and they made getting imagery impossible.

Knock. Knock. The average human body is rather boring, especially for the 3/4ths that are outside the young adult age range of 15-35.

As to insurance company exposure: almost all of these imaging procedures were paid for by health insurance companies, which already know all your ailments.


The NHS does seem to force doctors to follow security rules. But we have a different problem where the government thinks it owns my data and has the right to sell it.

What exactly makes you think government institutions would do a better job here? I quote:

"...one unprotected server at one of the largest military hospitals in the United States exposed the names of military personnel and medical images"

Theoretically, there would/should be a unified system and standards applied. Realistically, it'll probably still be first attempted through vendors with exclusive contracts, which is basically the current system but with extra steps.

> Theoretically, there would/should be a unified system and standards applied.

So, a nice convenient one stop shop for hackers.

I'd rather a thief had to break into a thousand homes than one great big home.

One stop shop? Even with an assumed "unified system" there is absolutely no way that even an incompetent group of IT engineers would be able to construct a single unified network with a single doorway into it to make a "one stop shop experience." It would still be "breaking into a thousand homes", but at least the difference is -- given a unified set of controls -- that reconciliation of a breach could be automated.

NHS has plenty of data breaches.

"anyone with an internet connection and free-to-download software to access over 1 billion medical images of patients across the world."

Breaches on that scale?

images != people. The NHS had a 150k-patient breach not long ago, and many others of smaller scale in the thousands. It's definitely not an organization renowned for handling patient data well.

On top of that, they recently made a deal to share with Amazon and Google. They clearly don't care.

Also, it's a monopoly. You can't choose something else. And never mind the politics of both the administration (who chose them to be in power?) and political pressure from whatever party is in control of funding. Pass.
