I have never, in all my years of working in healthcare, seen a hospital or physician's office directly install and manage PACS. They pay a third party - usually the vendor - to install, configure, and walk them through it. Maybe a behemoth system like Northwell has the IT bench to do it themselves, but that would be the exception.
So allow me to rephrase slightly: “technologically inept organization pays vendor to make machine go vroom. Vendor leaves keys in ignition. Damn that technologically inept organization.”
To take a 10,000-foot view of the situation, though:
Healthcare-related technology was largely pushed on the industry via legislation. Said legislation was almost entirely stick, no carrot. The result was healthcare organizations with a gun to their head to buy from a handful of vendors, with no real ROI to be seen from it - aka, the government outsourcing its costs to private industry, and throwing pork to some major health IT firms along the way. When a technology is forced on you at a loss, from a vendor with little incentive to optimize ease of use or utility, you get a terrible piece of shit that no one wants to invest more time and money into than absolutely needed. That's going to show itself in a myriad of ways.
Many doctors see themselves as too important to deal with security. They have an attitude of “I went to school for medicine, not computers! How dare you ask me to use a computer.” They are not only technologically inept, they are proud of it. And I’m not just talking about refusing to use complicated software. I’m talking about doctors that insist that they shouldn’t be forced to use passwords (not even complicated passwords; ANY passwords). And in most of the organizations I have dealt with, doctors are the most important people in the organization and have final say on anything, which often means that the security department’s efforts are all overridden by doctors that can’t be arsed to even type in a password before using their EMR, and don’t even dream of something more complicated like asking them to use multi-factor auth.
I once worked at a hospital where a doctor was looking at porn at work, clicked a phishing link, and gave up his network credentials. An attacker then used those credentials to breach the network and siphoned several hundred thousand dollars from the financial system (wiring money to himself). Security detected this and disabled his account. 20 minutes later the doctor had called the CEO, yelled at him (“how dare you lock me out of my account!”) who then called security to yell at us and insist we re-enable his account. The doctor was never reprimanded (for falling for phishing or for the porn) meanwhile the security team got a stern talking to and was instructed to never disable a doctor’s account again.
Healthcare is a different world for security. You have to acknowledge that yes, patient safety is more important than security, but oftentimes these doctors take it to an extreme and they are very difficult to work with. I have never met a group of people more elitist and “too important to be bothered” by security than doctors.
The answer isn't "make the doctors change and accept the inconvenience". The answer is "find a solution that actually helps them rather than hindering".
Yes, there will always be recalcitrant users who stubbornly refuse to use systems irrespective of usability and/or utility. But I'd wager most aren't in this category. Most will be only too ready to use something that actually helps them.
If passwords are a barrier to use, find a better solution.
Doctors didn't set up these systems. Doctors didn't expose them to the internet. As the other post said, vendors did. If those vendors couldn't properly communicate the needs, that's their problem.
What I think is a more rational explanation for doctor (nurse, lab technologist, etc) resistance is that the industry is rife with incompetence and vendor balkanization. So much so that every healthcare professional deals with literally dozens of logins to try to do their job. Every one of those logins has its own bizarre password policies, rotation schedules, etc. Pretty soon there is rightly hostility to whatever scheme some small niche vendor has imagined up in the illusion of security.
Some of the complexity is caused by the software itself being complex, yes, but that’s not what I’m talking about. In every organization I have worked with, doctors were always the biggest obstacle to even doing something as simple as requiring them to carry around a badge for physical access to the building. As a group, they are very resistant to anything that might add an extra step to their workflow. And yes, everyone hates and is resistant to stuff being added to their workflow, but I find most people are amenable to it as long as it’s a small interruption and it’s for a good reason (security). Doctors generally don’t have that attitude, though.
I worked in healthcare IT for years, before then going to medical school, and now in residency. My experience really does not match yours.
As mentioned earlier in the thread, I will agree that doctors in general are quite resistant to technology because they have been fucked over by implementations that are more concerned with billing and regulatory than either better patient care or improving physician quality of life/workload.
Most medical facilities use badges for access. I think what you’re calling resistance is increased scrutiny, something you might not be used to dealing with in other fields.
Based on your sweeping generalizations tinged with bitterness I can only imagine most doctors that have to work with you professionally are going to be a bit on edge. The reaction you’re getting from all these physicians you’re working with is probably related to what I can only imagine is a shitty attitude.
Regulatory paperwork and billing are the reason why you are putting information into the computer. Without these the medical centre closes. Getting the correct information to that department is part of the role.
The hours and hours of physician time that are thrown away into mindless box-ticking, copy-pasting, button-pushing, and general head-banging is astounding.
If doctors are resistant to new IT hurdles it is, at least in part, because they're already faced with a decathlon-esque ritual to achieve their basic day's work.
(Protip: The key to delivering successful software is not to learn programming, it is to learn your users.)
(Oh, and good luck with your medical studies; world needs good Renaissance [Wo]Men now more than ever.)
Why now more than ever?
OP’s firsthand observation on the awful state of programmer-produced medical software, the original linked article, and notoriously lethal software disasters such as Therac-25 provide frightening cases in point. These things are not accidents. Programmers who only know how to program are as much use as managers who only know how to manage. And this world has far too many of both.
Look, any idiot can hack teh codez. Learning the problem domain; that’s the hard part. It is also the critical core of the job. Because if you don’t/won’t/can’t understand the problem, how do you possibly expect to solve it?
Especially when that problem space is something as vast, complicated, and utterly unforgiving as millions of people’s healthcare.
Do you realize these systems are designed by respected doctors and product managers? They tell the programmers exactly what to do. When something vague comes up the product manager talks to his stakeholders and decides how to proceed. When the project is done the doctor/project manager group go over everything and make changes.
They decide things like how it looks is not as important as making sure you checkmark this section if you need to.
The priority is on reducing errors never on making the experience better for the computer operator (you).
In fact the few medical IT systems I've seen that were actually built by doctors - that meaning doctors who code actually coded these systems themselves - are among the nicest (and most easy to use in a non-insane, secure, reasonable way) systems I've seen.
I think the important difference here is that it's very hard to "design" software if you are a doctor who knows a lot about medicine, and your existing paper processes, but know very little about software. It is important to understand the medium (software) as well as the domain (medicine) to build the right product.
I cut my teeth as a self-taught scripter/automator before going professional and eventually becoming a writer/educator myself, so I've seen plenty of every combination (and produced all of them too;). And I would much rather teach professional doctors how to make their own solutions than teach professional programmers how to write software for doctors. Because one of these audiences has a massive self-interest in getting a product that also works for themselves, while the other is satisfied with taking a paycheck while ticking some boxes†.
That is to say; Incentivization is Everything.
† Which is not to say you don’t need—and want—formally-educated full-time developers in the mix as well; because good ones bring important transferable experience and insight into the more abstract aspects of system development like scalability and security. And yes, there are great devs out there who understand it is Muhammad’s job to go to the mountain, and not vice-versa. But damn, is it hard to find ’em.
And here, in a nutshell, is EVERYTHING wrong in modern software development.
Doctors are NOT programmers. If they were, they wouldn’t need to hire programmers: they’d write the solution themselves!
Doctors are the domain experts. They understand medicine, and procedures in its current practice, and the reasons why things are done the way they are.
Conversely, the programmers’ job is not to write code. Any monkey can do that. It is to learn the problem space; to extract from the domain experts sufficient knowledge and insight to understand those procedures and why they are as they are for themselves. And then, starting from there, synthesize a new solution that does it all better.
And the PMs' job is to mediate that learning process; to ensure both parties understand these objectives and keep them on track; and otherwise keep the hell out of their way.
Whereas current industry practice is for programmers to sit with their thumbs up their asses, expecting others to tell them exactly what to do so they don't have to learn, while PMs micromanage all the minutiae so they never have to take responsibility for the house itself burning down.
This is like civilian government telling military how to fight their war (e.g. Iraq War, 2003…2???), or the "Official European Joke" about Heaven and Hell. And not only are we in the Hell part, the Programmers and PMs—who are supposed to be the highly-paid professional problem solvers here—really seem to believe that this hell we're in is "How Things Should Be"; and thus only serve to multiply those problems instead.
FFS, I eventually got so sick of it all that I taught myself how to program (ugh), just so I wouldn’t have to go through all these useless spanners any more.
And, it pains me to say, software development is the first (and still only) career in my half-century of life where I’ve NOT felt crippled with Impostor Syndrome. Because the impostor, I realized, was everyone else.
Can you expand on this?
Likely at go-live/vendor selection, nobody wanted to revolutionize things in a way that could only be done on computer.
The successful vendor will be the one that can « make all of your paper stuff look/function/feel the same way on a computer ».
This minimizes training, development and changing the workflow you used for 20 years. Which checks every department’s checkboxes.
So you end up with the worst aspects of paper, with few of the benefits of technology.
Anyway, ‘Doctors’ are a pretty diverse bunch, and most of them aren’t arrogant porn-fiends.
Depending on how many systems they have it integrated with that could end up being a huge undertaking for them and they've probably been cut to the point where another huge undertaking may not be in the cards right now. If they're like a lot of large enterprises they may also still be trying to get rid of Windows 7 and Server 2008R2.
Edit: for example, are you full on Microsoft 365 Enterprise with Azure AD? I believe that has ties in with Microsoft's Authenticator app. If you're strictly onsite traditional AD I think you'd need to look at Duo for 2FA that integrates nicely with AD, then also see what else you need to integrate it with that uses its own separate non-SSO authentication.
And while it's not huge, the question of "who's paying for the $3/6/9 monthly per user charges (contact sales if you have > 500 users)?" will come up, particularly if there are hundreds or thousands of external medical office users able to sign in through a portal system as well. (this is based on pricing from the Duo website)
As it happens there is a single web property for accessing a remote desktop, not multiple systems, and the hospital down the road funded by the same entity has implemented TOTP authentication.
Might some doctors leave the smartcard in the reader for a PC they often use, then walk away? Yes, yes they might, and that is a behaviour you can start fighting with peer pressure, but doctors are right to think passwords are a waste of their time.
This is spot on and in most cases this is the way most hospitals are moving, particularly by using the already-assigned ID badges as RFID tokens. But as I mentioned in a couple of other comments farther down, I have experienced situations in which even this is something that doctors refuse (in one case, because they were upset that we were asking them to keep their ID badge with them, which they apparently had a problem with doing).
It's the most frictionless solution I've seen in widespread adoption and probably the least prone to pushback, but that doesn't mean there's no pushback, which is the unfortunate point of my original comment at the top of the thread.
> Might some doctors leave the smartcard in the reader for a PC they often use, then walk away? Yes, yes they might, and that is a behaviour you can start fighting with peer pressure, but doctors are right to think passwords are a waste of their time.
At least the hospitals I've been to this is implemented as an rfid tag on their id badge, so it doubles as access control both for physical and software systems (as well as functioning as a charge card of sorts against the employee's company account for things like the cafeteria).
As an IT or security personnel your job is to support them and assure security without creating extra friction or productivity loss. Yes it is hard but that is the challenge.
This is what is often neglected by security professionals, who just blame the user.
I know of exactly one case where you would have been completely wrong. Emergency surgery straight from the urologists office is what saved the patient. Some people simply go to the hospital much too late when they have issues.
So you have to come up with a different method.
For the security personnel, the Dr is the customer, and the customer is king.
It is indeed the shared responsibility of the security team to keep in mind that the customer requires quality medical care, and security should not interfere with that. Similarly, it is also the shared responsibility of the doctor to keep in mind that the customer also requires that their data remain secure, and their ludditism should not interfere with that, either.
That's where I criticize security professionals. They often disregard this end user pain.
You have to find a frictionless solution that doesn't impact their productivity.
Ask yourself how you would feel if your bank just let someone access your account and steal your money. Would you forgive them if the bank said "well it would have been really annoying to have to check the person's identity before letting them take the money, so we chose convenience over security"? Of course not.
Security professionals are there to guide you and make security tools easier and less intrusive for you to use (and believe me, they want to make it easier for you, if only for the entirely self-serving reason of reducing the amounts of complaints they get), but even if the security tools are hard to use, it is your responsibility to still use them. You are not doing your job if you disregard them, and "it's annoying" is absolutely, 1000% not an excuse for potentially exposing the sensitive information of every one of your customers.
Then the bank is not doing a good job. It's the bank's responsibility to secure my account. How they do it is up to them. I don't really care what method they use as long as from my perspective it's frictionless and not annoying.
If you make security tools that are hard to use, then you are not doing a good job; be prepared for pushback and consequently a less secure environment.
I'm not a (medical) doctor and I decline to use password authentication as well. Give me public key access or fuck off.
Managers who come to IT and demand we do something and show us how it affects their work/department and perhaps the rest of the business and offer to be part of the solution making process often get first class attention.
Could it be IT is blowing you off because of how you're delivering your complaint about SMS 2FA without regard for their existing workload?
They likely have more than enough on their plates as it is to simply do something because someone from a department said something about it, and IT doesn't exactly pivot on lithium battery, especially in hospitals. That doesn't mean they don't care about your issue or request, but like every other department they have objectives and goals that were likely set well before your 2FA conversation even began.
Well... yeah. Nobody is sim swapping hospital staff.
It’s not great, but this isn’t a real threat they’re facing.
Edit: I should add, I was very surprised when I got a phishing email sent by the obviously compromised email account of a colleague, and when I emailed them to say their email was hacked, the person who hacked them replied telling me everything was OK, and to open the attachment.
And how much of that flows through automated systems.
And how little of the total is actually audited on a detailed level.
I wouldn’t, I just know that the crowd targeting hospitals for wire fraud is very different from the sim swappers.
It’s possible that this may change at some point, but that hasn’t happened yet and probably isn’t going to. Phishing is so easy and successful that SIM swapping just doesn’t make sense for these targets.
Which one? You know we’re also talking about programmers, right?
1) I have never seen a health care organization ANYWHERE where the physicians determine the IT policy (including and especially the IT security policy).
2) Universally, healthcare organizations use the bloated garbage that gets passed off as EMRs and affiliated garbage software. None of this is up to physicians. It's up to the administrative and bureaucratic parasites that have infested healthcare at every level and based largely (I assume) on crony relationships, because it's certainly not based on competence.
3) Healthcare IT is the most abysmal software anyone anywhere has ever devised to perform any task. Systems like EPIC are bloated, barely functional trash that systems have wasted billions of dollars on. The various components of departmental IT do not co-ordinate with one another, crash on a daily basis, are not fit for purpose and would embarrass engineers in any other industry.
It comes as no surprise that security for these systems is piss-poor, just like everything else about these systems. Blaming doctors for this administrative mess, whilst not unexpected, is disingenuous at best (of course this is what healthcare administration excels at - making a mess and blaming physicians).
"HIPAA? I'm sure we're just fine, and no you can't take away my Windows 7 PCs."
Overkill and probably the opposite of what they envision an IT department doing.
The bigger issue is how did the vendor or IT department responsible for the network allow routine internet access to interface with critical healthcare or financial infrastructure? (You don't have to be looking at porn to be on the wrong side of a phishing scam).
Clearly you've had bad experiences with (some) doctors - generalizing that experience and extrapolating it to the issue of IT security is deeply flawed reasoning.
And I'm sure on some IT admin board they talk about all of those entitled developers and this one time this one developer did something really stupid, ergo all developers are god-complex dummies.
This hasn't happened to me with any other position in any other organization, including vice presidents of Fortune 500 companies.
Instead I was pointing out that there are many fields where people resist IT-style policies, and many special snowflakes that believe (often rightly) that they are a unique situation.
Often in tales like this the worst scenarios arise because some people aren't equipped at managing expectations and communicating reasons and benefits. If yet another vendor comes in with yet another system and yet another set of demands and obligations, to someone who sees it as a hindrance to their work product there will be resistance. Understanding and communicating in a way that, to use lame corporate speak, aligns goals makes things go much smoother.
But they do push back uniquely hard. My experience and almost everyone I've talked to in Medical IT have had the same experience. Have you had a different one?
Like many IT people, I google the heck out of a medical condition when I see doctors. Once I must have asked enough pertinent pointed questions that the doctor asked with a mix of sincerity AND condescension, "have you ever worked in a medical field?" No but like any curious individual I utilize the systems accumulating all human knowledge at our fingertips to inform myself... Doesn't mean I can't ultimately rely on your professional judgment, Sir
Well, it is a clear voice of the customer. And it has good reason behind it - time and effort that the customer would like to avoid wasting. Instead of disparaging the customers and their needs, how about listening to it and trying to really solve the issues. Maybe doctors, for example, would be happier with having an RFID microchip injected under the skin than typing a password in? The security industry should start solving the issues for the benefit of users instead of pushing the crap down everybody's throats under the disguise of the holy cow of "Security!".
>clicked a phishing link, and gave up his network credentials.
and you still continue to think that password based solutions are suitable there?
>I have never met a group of people more elitist and “too important to be bothered”
than security IT. Your post is a pretty good example of it.
Security IT is, in my experience, one of the most amenable in terms of trying to come up with new ways to serve customers because the customers require it (all customers require it, not just doctors), but doctors are on an entirely different level when it comes to resistance to change.
It didn't work, not because of technical issues, but because we didn't anticipate the high number of doctors that apparently had lost their badges and had never faced consequences for it (the culture at this hospital was "oh you forgot your badge? no worries, I'll just open the door for you"). When we then asked the medical staff to keep better track of their badges (not just for the login system but also because of general campus security) we received incredible pushback, and that's when we had to roll back the program.
IME, and as evidenced by the VA using a similar system as you mentioned, doctors are perfectly competent enough and able to use these systems and do just fine once they get used to the system. The issue is that they put up a fight more than anyone else when introducing something new, and oftentimes IME the new system never gets a chance before it's shot down.
Doctors are service providers and the service is lacking.
Or how they refused to wash their hands between morgue and delivery after Semmelweis' discoveries.
Doctors see themselves as demigods. Not without reason, since other employees treat them as demigods, society and culture at large sees them as demigods as well.
In the US system, is the patient the customer, or the insurance company?
I work in healthcare outside the US and I’d argue that the system I’m in is also quite skewed. In private healthcare where I am, the patient is the person who turns up and pays, but their doctor holds the power to send their patients elsewhere, and so must be kept happy too.
That statement applies to about 95% of the many issues we face these days. Blaming is apparently easier than solving.
You're telling me the CEO was unfazed when they learned this was the reason you were locking down the system due to the doctor's own ineptitude and breaking company policy looking at porn and exposing them to direct financial loss and liability (lawsuits from PII data being breached and exfiltrated, etc)?
The doctor put the whole hospital at risk and could have cost them millions and got that cryptolocker attack holding their data hostage indefinitely.
The CEO should be thanking you guys for catching these huge security ($$$) breaches.
At the organizations I worked with, doctors really have carte blanche privilege to get away with anything as long as they claim "it's for a patient". Even the C-suite will bend over backwards for MDs.
In my opinion, they're the only bunch that gets it right.
Security should work correctly and not bother me. Period.
The fact that it doesn't is laziness on the part of the security vendors.
The bigger problem is that if security ever allows a user to make an incorrect security decision, it's probably worse than no security at all.
Ultimately these are linked; imagine ransomware blocking a medical device necessary to save lives, or tampering with settings of an x-ray machine.
It's easy to complain doctors resist (this particular workflow change), which is SO important because it affects PATIENT LIVES (because it's in the healthcare setting, so EVERYTHING DOES) damn entitled doctors. Then recall that every single time a doctor asks a nurse to do something that nurse will say "oh, just enter a communication order." And because your security set up your RFID to only work on a computer where you've already logged in earlier, and you're running around the hospital constantly, those badges aren't worth shit >half the time.
It's easy to complain about doctors' resistance to various evolutions of their digital workflow, until you realize that nearly every evolution adds complexity and time-burden to their workload in a way that does not directly improve patient care, but slows down their work, increases complexity (which does adversely impact patient care), and lengthens their workday (because their patient workload isn't reduced in the slightest by this.) I don't know a single doc that doesn't do significant unpaid after-hours work catching up to their digital bullshit; you also would resist non-mission-critical additions to your unpaid workload.
It's easy to treat physicians as entitled and resisting "just to resist", rather than understanding that the physician workflow is constantly changing, from every possible angle, and most often for reasons wildly unrelated to the immediate task of "taking care of the patient in front of me". You'd resist under those circumstances, too.
There's a reason about half of physicians nationwide (https://www.medscape.com/slideshow/2019-lifestyle-burnout-de...) are burned out. HALF. That's what happens when your ability to do your job is constantly fucked with. Perhaps you should consider what that means, and how that relates to what you're saying, rather than asserting doctors are just too damn self-important to change.
I'm not talking about complex software. I'm not talking about instances where doctors are asked to learn an entirely new records management or scheduling system. I'm not talking about the type of systems where you have to interrupt your day with an extra training session on how to navigate the interface.
I'm talking about the most basic, bare minimum interactions with security systems that every other person in every other industry has absolutely no issue with, but for some reason doctors refuse to accept. I'm talking about stuff as simple as swiping your ID badge on a reader to gain access to restricted areas. I'm talking about not using work computers to look at porn. I'm talking about basic awareness when it comes to not disclosing sensitive information to a random person in the hallway.
Another commenter brought up the number of passwords as a complaint. Again, I'm sympathetic to this. This is why one of my major areas of focus is implementing SSO solutions to cut down on the number of passwords that users have to remember. Except in one instance we had delays rolling out SSO not because the system was complicated to use, but because doctors complained that they didn't like the color of the SSO UI. They insisted it be blue rather than yellow and wanted to scrap the entire project because of it. That's the type of resistance I'm talking about.
These aren't difficult or complex things. We are talking about highly educated, highly paid individuals handling highly sensitive information. They should be held to higher standards, not treated like children just because they work long hours.
Speaking of working long hours, the second half of your post is just a minor glimpse of the elitism I'm referring to. Are you under the impression that medicine is the only profession in which people experience burnout? Do you think that only doctors have to deal with constantly changing work environments and the never-ending cycle of evolving technology?
Every profession deals with these things. Lawyers, accountants, bankers, social workers, police officers, and educators are just examples of professions that have similar or higher burnout rates than doctors. Every single one of these also has to deal with immense amounts of bureaucratic processes, regulations, and inefficient software that is constantly changing and affecting their daily workflow. And yet in my years of consulting I have never met a group that was as egotistically opposed to the use of technology as doctors are. Even investment bankers, who tend to be the most egotistical assholes with an attitude of "I make millions of dollars a day for this company, I don't have to listen to you puny IT people", still don't hold a candle to the willful ludditism of doctors I've worked with.
Is it really the hill you want to die on?
Just change the damn widget color if it is so important to them! Client is king!!
This reminds me of the M&Ms color in rock concert artists' rooms: a canary in the mine for the venue having ignored more important requests.
Paywalled, but nonetheless, I wonder how that rate compares to other industries. And how much has to do with physicians usually being unable to switch industries without a massive pay cut.
Dunno if doctors are particularly too self-important to change than anyone else, but if someone was, I could see that inability itself leading to burnout when things even slightly change around you.
We trade convenience for security every single day. Ever get locked out of your house because you forgot your keys? Why is that level of inconvenience (requiring keys on doors) okay but it's up to a security team to only implement security solutions which are frictionless and require zero change to workflows?
Further, if we require keys on our doors, why wouldn't we require similar measures on software systems? If they are inconvenient, they are inconvenient compared to what? No security?
Which totally sucks.
>Ever get locked out of your house because you forgot your keys? Why is that level of inconvenience (requiring keys on doors) okay
I would not say that is okay, that sucks too.
Secondly, doctors are busy and have unpredictable workloads. They also have limited ability to delegate or ask for help if they are oversubscribed. This means if you add 10 minutes to their day, it will actually extend their working day by 10 minutes, and the things they have to do may take them until 10pm at night or worse (I semi-regularly finish documenting things after midnight, and I am not working night shift). They are understandably allergic to things which seem to increase the amount of stuff they have to do.
Unfortunately, if you are a small IT vendor trying to introduce a service or a product to a large hospital (the bigger it is, the bigger the problem), you are going to have a difficult time. This is just the reality, which we can complain about, but there it is.
There are strategies which can improve uptake and reduce resistance, but they only really work for large well-resourced vendors who are doing large projects:
1. Get the hospital to create a role for a doctor to be the clinical lead of whatever IT infrastructure you are trying to implement.
2. Bundle a large number of changes together, including obviously beneficial ones which save time (like an integrated EMR or paperless ordering) with important ones (like proper auth).
3. Make sure the institution has a lot of skin in the game, usually due to a large financial investment, or meeting some performance indicator, or keeping up with another competing institution.
4. Get the institution to reduce the workload when new systems are being implemented. This might sound obvious, but it makes a difference if you give doctors a bit of breathing room to adapt to a new service.
5. Publish some metric of how well each group of doctors is using a service in an email each week that gets sent to everyone.
6. Constantly remind everyone of why things are better after something has been implemented. I get hospital wide emails all the time about bake sales and other useless stuff, nobody sends emails celebrating or outlining why a recent change in IT infrastructure is making a positive difference. The only IT emails that get sent are when something is broken. Not surprisingly, this makes everyone sceptical of any new IT system.
7. Avoid direct face to face contact between doctors and the IT vendors. Doctors don't want to talk to the IT people, and IT people don't want to talk to the doctors. It just isn't useful, and everyone leaves feeling unsatisfied. Disconnect the technical expertise from people that don't understand why it matters. Find some other way to interact, through support staff, clinical leads etc.
This stuff is part of the moat which large EMR providers have, they can actually do this stuff. I have seen it at play with Epic, whatever you think about the software, they have worked out some of the sociological aspects, and they understand that once the EMR is delivered, the process doesn't end.
...then he’s one of the lucky ones! One study found that for every hour a physician spends with a patient, she spends two on processing health records.
Heck, I hear bricklayers need to spend some time mixing cement and getting bricks off the truck, not just scooping mud and sticking bricks.
Health records ARE a big part of the product of a doctor. Keeping a good chart and finding trends over time is a big part of the service you need.
I long for practices that would keep no record of my issues, except what I volunteer to them at the beginning of the consult. Many countries do that just fine, but for some reason in the US I am asked to fill pages on insignificant trivia to cover their ass or follow some weird law or tradition maybe?
I don't want perfect healthcare. Good enough is fine!
So now I just see doctors when traveling. Simpler, faster, and cheaper too.
A mostly functional program with amazing docs beats a more functional black box.
This feels informed from the technology side, and profoundly ignorant of how health care IT actually works (especially in the United States).
If an organization that runs three hospitals can't put together the IT to secure their PACS system with a decent password, that's the fault of the physician about as much as it's the fault of the nurse, the janitor, the cafeteria chef, etc.
WTF is with people blaming doctors for literally everything related to healthcare? Do they not understand we haven't been in charge of anything for a couple of decades now? Since the combined rise of HMOs and Medicare/Medicaid, and the massive hospital M&A splurge, we're just line workers. We try to do our best by patients, but we ain't in charge of anything.
You say "pushed a stagnant industry", I say "hostility to small practices." Large hospitals were already moving onto EMR to better handle the volume of their data, if not already having done so. It's small practices that couldn't afford things like EPIC, and were forced to move onto free, ad-revenue-driven crap like PracticeFusion that just made everything slower and worse, without improving shit for patients.
Are some patients better off for it? I think so. I appreciate web portals, which wouldn't have existed otherwise. I don't appreciate the death of small practices, the majority of whom are now selling out at cost to large hospital chains.
I realize that anecdote is not data, and I'm not sure what metric of 'better' you're using, but I wouldn't be too hasty to claim technology as an unalloyed good in health care.
Lab results for any patient at a click or two? Ignored.
Changing a med order to be stopped in 27 hours? Guaranteed to be flagged to the nurse at the exact right time.
As much as I complain about Google’s changes (stop ignoring my double quotes!), it’s probably improved overall despite its constant attacks.
I just did a brief Google, and the situation seems to be the same as always - there isn’t a clear win financially when a PACS is installed. They are expensive to buy, to run and to maintain and the gains are often hard to measure financially.
Having a minimum wage worker sort old films and carry them to where they are needed was cheap compared to the wages and hardware a large hospital needs to pay for when a large PACS goes in.
The number of people who miss hard copy film must be very small however, that world was archaic.
The big problem is that tech grifters, just like AltMed scamsters, are just way quicker and better at burying all their shit than surgeons and scientists are at digging it out again. And, to be fair, doctors do already have far more pressing things to be digging out: wood spales, fence railings, guinea worms, and so on. Hence the need to hire in [ostensible] specialists in the first place.
Still, be consoled that us countries with socialized healthcare are just as adept at Medical IT disasters as yours are. :/
“A lie can travel halfway around the world before the truth can get its boots on.” Of course, this was before we invented the networked computer.
From what I understand these DICOM-devices are insecure by default, you can just connect to them and download data, and they expect their users to make them secure with network separation etc. That's not a realistic expectation if your customers aren't IT security professionals. And there's no reason to create such a flawed design, a simple password would be a huge improvement.
In such a case the blame should fully go to the vendor.
So with no consequence to these massive lapses, why would these companies care?
The article states pretty clearly from the interview with Senator Mark Warner:
> “To my knowledge, Health and Human Services has done nothing about it,” Warner told TechCrunch. “As Health and Human Services aggressively pushes to permit a wider range of parties to have access to the sensitive health information of American patients without traditional privacy protections attached to that information, HHS’s inattention to this particular incident becomes even more troubling,” he added.
It's not that they're doing nothing, they're supposedly making it worse.
They're also underfunded. OCR budget dropped to 10% of its previous budget between 2017 and 2018:
So, when you ask "why would these companies care?", I think the current federal government is trying to say "these companies _should not_ care."
My honest opinion is that they know healthcare specifically is so far behind meeting their regulator requirements they have been trying to slowly phase in penalties.
% curl -L 'https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/'
curl: (7) Failed to connect to guce.advertising.com port 443: Connection refused
I have a lying DNS server, and it's getting ridiculous.
Here's the outline for people who care about privacy/tracking/GDPR, etc. https://outline.com/Ep5u4K
I've not been able to find a way to read content on that domain for months now.
PS: unlike many here I've little against ads as long as they aren't tracking me, but the "consent screen" on techcrunch is less "consent" and more "strongarm".
PPS: as others are mentioning, the whole thing seems to be compliance theater since they seem to set a tracking cookie before even displaying the consent screen :-/
Without it just doing -o to an .html opens fine in the browser for reading. I feel like I'm missing something here.
(HTTP) If the server reports that the requested page has moved to a different location (indicated with a Location: header and a 3XX response code), this option will make curl redo the request on the new place. If used together with -i, --include or -I, --head, headers from all requested pages will be shown. When authentication is used, curl only sends its credentials to the initial host. If a redirect takes curl to a different host, it won't be able to intercept the user+password. See also --location-trusted on how to change this. You can limit the amount of redirects to follow by using the
When curl follows a redirect and the request is not a plain GET (for example POST or PUT), it will do the following request with a GET if the HTTP response was 301, 302, or 303. If the response code was any other 3xx code, curl will re-send the following request using the same unmodified method.
You can tell curl to not change the non-GET request method to GET after a 30x response by using the dedicated options for that: --post301, --post302 and --post303.
Is the user only wanting to curl from the original page and any redirects are considered bad? etc.
And yes, this kind of half-assed redirect is breaking, and a total disregard for my trying to trust the original host. This kind of behavior I expect from sites victim of an XSS, not a "normal" website.
The examples in the TechCrunch article are redacted, but I guess that was done for publication and not on the stored images themselves.
In the USA, HIPAA and ARRA 2009 (followon legislation) made it a federal crime to knowingly or negligently disclose PHI. It's a crime that "pierces the corporate veil." That is, natural persons can be tried and convicted, even if they were acting on behalf of corporations.
The Centers for Medicare and Medicaid Services (CMS) has a Breach Notification Rule, requiring holders of data to notify patients and CMS themselves if PHI is breached. https://www.hhs.gov/hipaa/for-professionals/breach-notificat...
CMS announces breaches involving 500 or more patient records here https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
It wouldn't surprise me if the people involved in securing these sloppily configured DICOM servers are in a state of panic. I was involved in dealing with an unintentional breach of 44 patient records a few years back, and yeah, we had some panic. (Misrouted fax messages were the root cause, for what it's worth.) Also observe that I remember to this day how many records leaked out. Breaches are a big deal. It stinks to be them. I know that for sure.
I hope they get it sorted out. It will take a while. It will also take a while for the affected medical professionals and their IT providers to start responding to these breach reports rationally. Kübler-Ross's stages of grieving are still in play for them: anger, denial, negotiation, etc.
At least, lack of security of credit cards is understandable as banks are profiting from fraud by charging the victim a fee.
In health? This must stop. It's a failure of regulatory bodies, as they throw so many junk policies around that the things that really require attention are just overlooked. The overabundance of paperwork and policies is not improving security, it's keeping away actors that could do way better.
We always thought it was a joke that these guys questioned us, when we knew how bad their internal security practices were. At some point around 2011-2012 we seized on the idea that holding your images inside of the hospital's four walls was a liability for them, and not a point of pride.
So, not at all surprised about this, nor about the complete lack of security practices at many of these healthcare IT vendors.
This still rings very true in 2020.
I'd be more than happy to publish my medical images with results if it would be used for an open database.
I have been at doctors in third world countries, where doctors don't get the same level of education, but try to use the best tools available without paying too much money.
One of the challenges is that just deleting a name, say, doesn't necessarily fully anonymize a medical record/image. In general, I actually agree with you but anonymization/privacy is a challenging problem.
See https://www.cancerimagingarchive.net/ for some examples of carefully curated data.
How much is the data worth for machine learning if you do not have access to the interpretation (and annotations) for the data? That is the hard part.
But. Is it ethical or even legal to do so without patient consent? No (at least not in my country).
The de-id part was actually really easy since DICOM is a very standardized format and this hospital system had good practices in place to only input certain information about each patient.
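The point made in the two comments above, that removing a name alone does not de-identify a DICOM record, as an added example (not code from the thread or from any PACS product): a minimal explicit-VR little-endian element codec and two de-identification passes over a constructed record. The action table is an illustrative subset in the spirit of PS3.15 Annex E, not a complete profile, and the pseudonym key and sample data are made up.

```python
import hashlib
import hmac
import struct

# Added example (not from the thread): minimal explicit-VR little-endian DICOM
# element codec plus two de-identification passes. Tag numbers come from the
# DICOM data dictionary; the record, key and action table are constructed.

PATIENT_NAME, PATIENT_ID = (0x0010, 0x0010), (0x0010, 0x0020)
PATIENT_BIRTH_DATE, PATIENT_SEX = (0x0010, 0x0030), (0x0010, 0x0040)
STUDY_DATE, ACCESSION_NUMBER = (0x0008, 0x0020), (0x0008, 0x0050)
MODALITY, INSTITUTION_NAME = (0x0008, 0x0060), (0x0008, 0x0080)
REFERRING_PHYSICIAN = (0x0008, 0x0090)

# Illustrative subset of actions (not a full PS3.15 profile): X remove, D dummy, P pseudonym.
ACTIONS = {
    PATIENT_NAME: "D", PATIENT_ID: "P", PATIENT_BIRTH_DATE: "X", STUDY_DATE: "X",
    ACCESSION_NUMBER: "X", INSTITUTION_NAME: "X", REFERRING_PHYSICIAN: "X",
}

def encode(elements):
    """Serialize [(tag, vr, value)] as explicit VR LE; short-length VRs only."""
    out = bytearray()
    for (group, elem), vr, value in elements:
        data = value.encode("ascii")
        if len(data) % 2:  # DICOM pads string values to an even length
            data += b" "
        out += struct.pack("<HH2sH", group, elem, vr.encode("ascii"), len(data)) + data
    return bytes(out)

def decode(blob):
    """Inverse of encode(); returns [(tag, vr, value)] with padding stripped."""
    elements, pos = [], 0
    while pos < len(blob):
        group, elem, vr, length = struct.unpack_from("<HH2sH", blob, pos)
        value = blob[pos + 8:pos + 8 + length].decode("ascii").rstrip(" ")
        elements.append(((group, elem), vr.decode("ascii"), value))
        pos += 8 + length
    return elements

def strip_name_only(blob):
    """The naive pass: drop PatientName and nothing else."""
    return encode([e for e in decode(blob) if e[0] != PATIENT_NAME])

def deidentify(blob, pseudonym_key):
    """Apply ACTIONS; PatientID becomes a keyed hash so one patient's studies still link."""
    out = []
    for tag, vr, value in decode(blob):
        action = ACTIONS.get(tag)
        if action == "X":
            continue
        if action == "D":
            value = "ANONYMOUS"
        elif action == "P":
            value = hmac.new(pseudonym_key, value.encode(), hashlib.sha256).hexdigest()[:16]
        out.append((tag, vr, value))
    return encode(out)

def remaining_identifiers(blob):
    """Tags from the action table still carried by the record, sorted."""
    return sorted(tag for tag, _, _ in decode(blob) if tag in ACTIONS)

SAMPLE = encode([  # constructed patient record, not real data
    (STUDY_DATE, "DA", "20200110"), (ACCESSION_NUMBER, "SH", "ACC0042"), (MODALITY, "CS", "CT"),
    (INSTITUTION_NAME, "LO", "Example Hospital"), (REFERRING_PHYSICIAN, "PN", "DOE^JANE"),
    (PATIENT_NAME, "PN", "SMITH^JOHN"), (PATIENT_ID, "LO", "MRN123456"),
    (PATIENT_BIRTH_DATE, "DA", "19700101"), (PATIENT_SEX, "CS", "M"),
])
```

`remaining_identifiers(strip_name_only(SAMPLE))` still lists six identifying tags; after `deidentify` only the dummy name and the pseudonymous ID remain, while modality and sex survive for research use.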
Hospitals on the other hand have staff dedicated to technology and such infrastructure.
Dr X being unaware of the implications is understandable. Perhaps not forgivable but certainly no surprise. But hospitals? They have no excuse.
There are doctors who don't know their own addresses. Can't spell the name of their town. Don't know their ZIP Code. Don't know the difference between a mailing address and a physical address. Don't keep their information current. Or sometimes don't even know what town they're in, putting a neighborhood or region on federal paperwork because "everybody knows where that is."
We assume that because doctors are smart at medicine, they should also be smart at computers. They're not. Just like my commercial airline pilot neighbor is great at flying transcontinental jumbo jets, but every few days has to shout across the street at me to ask if today's the day to put out the trash bins.
I think it’s the academic and professional institutions that are most culpable for the current state of things. They should have been the ones who foisted tech requirements on doctors; instead it was done through federal regulation. Most of the blame for most of today’s problems comes back to universities. If using tech is part of the job of being a doctor, then make it so from inside the profession.
I am good with abstract stuff, but in no way could I remember that amount of information about people as doctors do. I still have no idea what most of my bones or other things within me are named and I have zero interest in it. I can imagine one could also be the other way around: have a huge amount of interest in people, but despise techy knowledge.
In the end both doctors and IT workers are so different from each other that they have so much trouble understanding one another. Remember doctors never asked for all this abstract shit. Also as you age you will get more set in the field you choose. That is just the way people work. Not an excuse or why one should not keep improving themselves.
To those making excuses for doctors, you should be ashamed of yourselves. There is enough blame for everyone in this case.
"We’re not naming the affected organizations to limit the risk of exposing patient data."
However, a google inurl:dicom search sure shows up the affected organizations on the first page (and plenty pages after that).
And the sites are still fully open. Absolutely zero hacking required.
A lot of organizations had better get to work fast on this.
(edit: no images were viewed in the making of this post)
It's also worth noting that the types of systems mentioned in the article (unsecured PACS) would not show up on Google anyway. They must be accessed using one of the DICOM network protocols.
The DICOM Standard does not address issues of security policies, though clearly adherence to appropriate security policies is necessary for any level of security. The Standard only provides mechanisms that could be used to implement security policies with regard to the interchange of DICOM objects between Application Entities. For example, a security policy may dictate some level of access control. This Standard does not consider access control policies, but does provide the technological means for the Application Entities involved to exchange sufficient information to implement access control policies.
The original DICOM TCP protocol requires that every device connected use an encrypted tunnel, and it's not easy to get all the device vendors to agree on which ones to use, and then update their software. DICOM Web Services are a thing, and at least they would get HTTPS basically for free from their choice of web client and server.
HIPAA has been out since the 90's so we need to get more fines against the providers to make them implement confidentiality and access controls. It's actually the GDPR which is now driving access controls rather than HIPAA.
To be fair though, the DICOM folks are busy constantly trying to standardize new image data coming from innovations in the modalities (scanners).
As to insurance company exposure, almost all of these imaging procedures were paid by health insurance companies, which already know all your ailments.
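The access-control hook the DICOM standard quote above refers to, as an added example (not code from the thread or from any vendor): a listener parses the fixed header of an A-ASSOCIATE-RQ PDU (PS3.8 section 9.3.2) and checks the calling and called AE titles plus the peer address against an allow-list before accepting the association, which is the minimum a PACS can enforce even without TLS. The allow-list entries, host addresses and sample PDU are constructed.

```python
import struct
from dataclasses import dataclass

# Added example (not from the thread or any PACS product): parse the fixed
# 74-byte header of a DICOM A-ASSOCIATE-RQ PDU and apply an AE-title /
# peer-address allow-list. Allow-list contents and sample PDUs are constructed.

ASSOCIATE_RQ = 0x01
HEADER_LEN = 74  # type, reserved, length, version, reserved, 2 AE titles, 32 reserved bytes

@dataclass(frozen=True)
class AssociateRequest:
    called_ae: str
    calling_ae: str
    protocol_version: int

def parse_associate_rq(pdu):
    """Return AssociateRequest, or raise ValueError for a malformed/unsupported PDU."""
    if len(pdu) < HEADER_LEN:
        raise ValueError("short PDU")
    pdu_type, _, length, version, _ = struct.unpack_from(">BBIHH", pdu, 0)
    if pdu_type != ASSOCIATE_RQ:
        raise ValueError("not an A-ASSOCIATE-RQ")
    if length != len(pdu) - 6:  # length field counts everything after its own 6-byte prefix
        raise ValueError("PDU length field does not match payload")
    if not version & 0x0001:
        raise ValueError("peer does not support protocol version 1")
    called = pdu[10:26].decode("ascii", "replace").strip()
    calling = pdu[26:42].decode("ascii", "replace").strip()
    return AssociateRequest(called, calling, version)

def build_associate_rq(called_ae, calling_ae, items=b""):
    """Build a header-only request for the tests; AE titles are space-padded to 16 bytes."""
    body = (struct.pack(">HH", 1, 0) + called_ae.ljust(16).encode("ascii")
            + calling_ae.ljust(16).encode("ascii") + bytes(32) + items)
    return struct.pack(">BBI", ASSOCIATE_RQ, 0, len(body)) + body

# Constructed allow-list: (local AE, remote AE) -> hosts the remote AE may connect from.
ALLOWED = {
    ("PACS1", "CT_SCANNER_A"): {"10.0.5.21"},
    ("PACS1", "RIS_WORKLIST"): {"10.0.5.40"},
}

def decide(pdu, peer_ip):
    """Return ('accept' | 'reject', reason) for an incoming association request."""
    try:
        rq = parse_associate_rq(pdu)
    except ValueError as exc:
        return "reject", f"malformed: {exc}"
    hosts = ALLOWED.get((rq.called_ae, rq.calling_ae))
    if hosts is None:
        return "reject", f"unknown pair called={rq.called_ae} calling={rq.calling_ae}"
    if peer_ip not in hosts:
        return "reject", f"{rq.calling_ae} from unexpected host {peer_ip}"
    return "accept", f"{rq.calling_ae}@{peer_ip} -> {rq.called_ae}"
```

The reject reasons are what the listener should log; a burst of unknown-pair rejects from outside the imaging VLAN is the signal the article's exposed servers never produced.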
"...one unprotected server at one of the largest military hospitals in the United States exposed the names of military personnel and medical images"
So, a nice convenient one stop shop for hackers.
I'd rather a thief had to break into a thousand homes than one great big home.
Breaches on that scale?
On top of that, they made recently a deal to share with Amazon and Google. They clearly don't care.
Also, it's a monopoly. You can't choose something else. And never mind the politics of both the administration (who chose them to be in power?) and political pressure from whatever party is in control of funding. Pass.