Hackers steal a hospital in Hollywood

OK good to know. I thought it was either that or Bitcoin just had a huge jump in price while the article was being written.

1 Like

Really? From my point of view, HIPAA/HITECH has been the best thing to ever hit hospital IT security.

20 years ago, I’d say “you need to use a cryptographically secured transport for this incredibly important data that you’ve promised your patient you will keep secure” and they’d say “naaaaah, we’ll use anonymous FTP to a server attached to the Internet that hasn’t been patched since 1979. It’ll be fine; we use this method for all our data!”. I’d say “no, really, you don’t want to do that” and they’d say “it’s how we’re going to do it, so you can put up or shut up” and I’d walk away. After about March 1st 2000 the line changed to “hasn’t been patched since Y2K” but otherwise was the same conversation, over and over again, hospital after hospital.

But nowadays, when they say “Oh, we’ll have a minimum wage clerk drag and drop the files and rename them manually every day over a Berkeley rsh connection through the Internet, it’ll be fine” I can just say “HIPAA/HITECH” and they’ll say “oh, dammit, now we have to do it right, he knows the magic words”.

4 Likes

It was end-to-end when I was running hospital IT shops as well. It ran on AIX and used dumb terminals and serial terminals to connect to lab and other medical devices. It was transitioned to MAGIC while I was there. MAGIC simply used a telnet-like program to interface like the old dumb terms did, much like HMS does on iSeries.
I’ve been out of the medical IT world for over a decade now, so I’m sure there is much I’ve missed. However, no matter what has changed, you need a CIO competent enough to see the obvious problems who is also strong enough to say no to a Microsoft-reliant HIS.

The entire NHS runs on Windows.
I’ve never seen a hospital run on anything else.

I keep thinking that sooner or later it’s going to be the year of something-other-than-windows on the desktop, if enough horrible things keep happening.

The trouble with backups is that they can be locked up, too, if they’re always plugged in.

1 Like

For business office and such I can see Windows being used. It’s fine for office work.
For a Hospital Information System, there are other options.
Myself, I’ve never seen an HIS run on Windows, but I’m told some are these days.
I wonder if the implementation of Windows in your NHS has something to do with a Public Accounts Committee report calling the attempt to upgrade NHS computer systems in England one of the “worst and most expensive contracting fiascos”.

2 Likes

Thank goodness they had none of this newfangled technology when I was born there.

1 Like

Your mileage with HITECH/HIPAA can and will vary.

I just grabbed a local hospital and checked their website, and they are still running SSL3 and don’t support PFS (but do implement TLS_FALLBACK_SCSV).

Using SSL Labs it got a C, when it should get an A.

One of the problems with “must use encryption” is that it doesn’t go far enough into how to properly implement it. If I just encrypt something with Diffie-Hellman via SSL3 (or TLS) I’ve ticked that box and can move on, even though that’s not secure - at all.

I just found a HIPAA doc using that as a secure example from nist.gov - and because it is based on legislation it can’t move fast enough to keep up with the threat landscape.

Edit1: typo
Edit2: usage clarity, socket or transport

2 Likes
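An added example (not from any poster in this thread) of the TLS_FALLBACK_SCSV mechanism the post above mentions: it builds a constructed ClientHello and applies the server-side rule from RFC 7507. It also shows the caveat that the SCSV only protects clients that send it; a client that simply speaks SSLv3 is still accepted for as long as SSLv3 stays enabled, so the fix is to disable the protocol, not to rely on the signal.

```python
import struct

# RFC 7507 signalling cipher suite value and the RFC 5246 alert it triggers
TLS_FALLBACK_SCSV = 0x5600
ALERT_INAPPROPRIATE_FALLBACK = 86
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(client_version, cipher_suites):
    """Build a minimal ClientHello handshake message.
    Constructed for illustration: zero random, empty session id,
    null compression only, no extensions."""
    body = struct.pack(">H", client_version) + b"\x00" * 32 + b"\x00"
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites + b"\x01\x00"
    # handshake header: msg_type=1 (client_hello) followed by a 24-bit length
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Return (client_version, [cipher_suite, ...]) from a ClientHello message."""
    if msg[0] != 1 or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("not a well-formed ClientHello")
    version = struct.unpack(">H", msg[4:6])[0]
    pos = 6 + 32                      # skip client_random
    pos += 1 + msg[pos]               # skip session_id (length-prefixed)
    n = struct.unpack(">H", msg[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", msg[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    return version, suites


def server_fallback_check(server_max_version, msg):
    """Server-side rule of RFC 7507: if the client signals TLS_FALLBACK_SCSV
    but offers a version below the server's highest, abort with a fatal
    inappropriate_fallback alert instead of negotiating the lower version."""
    version, suites = parse_client_hello(msg)
    if TLS_FALLBACK_SCSV in suites and version < server_max_version:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("negotiate", VERSIONS.get(version, hex(version)))
```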

Meditech is going cloud now


I believe “Magic” uses the Meditech Client, which is basically an antique terminal emulation (Esprit 105C, from the old Data General days, if memory serves) running over telnet. There’s also a compatible, but infinitesimally better client called “Cambridge” by end users, again if my memory isn’t rotted away from the horror of dealing with hospital computer systems in general.

Those, you can get. But


Whoops, reassigned/fired by the board on recommendation from the accounting department and all the physicians who aren’t card-carrying members of the Cult of Apple.

Mainframes are still going strong! And there’s still some VAX/VMS based systems, too, but they are increasingly rare.

I’d heard rumblings about the madness of programming M/MUMPS, but hadn’t really looked at it until now.

strings to booleans:

disturbing pattern matching syntax:

The whole document is terrifying. For the first time in my life, I am not sure if running Windows would be less horrible.

5 Likes

It takes a bit to get used to. The thing is, Meditech (which is MUMPS based) is incredibly stable and secure - at least running on minicomputers. The move to microcomputers astounds me.
In truth, medical systems like Meditech really require little programming work and do very little. They take basic info like demographics and store it, they record the output of lab and other medical equipment and store it, and they provide some basic calculations and reporting. Neat functions and capability aren’t very important. What is important is stability, data integrity and security. MUMPS never failed me on those points. Even OS upgrades didn’t require reboots or shutdowns. Being up 24/7/365 was never a problem, and though a Symantec enterprise exploit got our Windows systems attacked at one location, the medical data was never at risk. We shut down the entire Windows LAN and kept the hospital HIS running.

5 Likes

From a sysadmin side I can see the advantages of high availability. So long as the security wasn’t just the obscurity from attackers having no idea what on Earth is happening on those machines that would also be a bonus. I’d still pity the guy who had to write software with that.

1 Like

Yeah, I keep hearing him say this as if it’s Moore’s law or something. Seems to me, if this is happening (and I agree that it is) it’s the result of laziness and greed and obsolete power plays, more than a drive toward efficiency and health. Not so much that it’s a good idea, but that no one has come up with a better one yet.

It’s really not that bad, and quite a fun language to program in. Dr. O’Kane’s implementation is, ummm, “unusual” would be a good word, and is not highly used in production environments. The Intersystems Caché implementation (which they are allergic to calling MUMPS) is most common these days.

A really fun thing is that persistent variables (effectively database entries in a sparse hierarchical database) are created by preceding the variable name with a caret:

dog is a local variable (bonus points: its type is whatever you want it to be, and you can change it on the fly!)
^dog is a global variable and persistent until it’s deleted (“killed” in MUMPS parlance.)

The other fun thing is that you can abbreviate any keyword to uniqueness:

for use infile read recordx quit:$zeof=-1 do
can be abbreviated/obfuscated to:
f u infile r recordx q:$zeof=-1 d

Oh yeah, and see that $zeof thing? That’s a system variable, and they’re different in every implementation. That particular one checks for an end of input file in Caché. :slightly_smiling:

Dr. Richard (Dick) Walters of UC Davis wrote the book on MUMPS: M Programming - A Comprehensive Guide, which is still available from Amazon.

3 Likes

I remember doing keyword abbreviation in C=64 BASIC, this is not a feature I miss in modern languages.

You started with “It’s really not that bad” but then “f u infile r recordx q:$zeof=-1 d” came along, followed by “they’re different in every implementation” and, well, I’ll just let other people enjoy MUMPS.

3 Likes

No pity necessary. While I don’t write code on a day-to-day basis anymore, I have a couple of clients for whom I do MUMPS maintenance. I greatly enjoy it.

4 Likes

@jamesnsc, for SSL you can’t be compliant with HITECH unless you’re NIST-approved/FIPS-compliant. (And today, if you can figure out how to report the possible violation of 45 CFR 164.306 a(2) that you’ve just mentioned to the hospital IT, then if the system can be used to access patient data they’ll have 30 days to fix it or they will be liable to fairly serious fines and penalties. Before HIPAA/HITECH, they’d just stare at you blankly and say “that’s not a problem.”)

Keep in mind that iff the hospital website you sampled does not have any security requirements, because it provides no logins at all, nobody cares if it uses SSLv3.

One of the “features” of HIPAA is that the Secretary can modify it at will, with very few restrictions. It’s arguable whether this is a good thing, at least in theory - if Ms. Burwell has a rough day and decrees that “all hospitals must paint their CEO’s rear ends blue in order to meet minimum security guidelines” then that’s the law, until she changes her mind. But among the many things the Secretary has occasionally decreed are “industry best practices” so SSL3 is not valid for hospital transport level security at this time, regardless of what checkboxes anyone ticks off. The Secretary has also decreed FIPS compliance for PHI in motion, so again it doesn’t matter what yesterday’s checkboxes say, you’ll get 30 days to remediate from the time you become aware of any such problem.

@anotherone, I’ve got nothing against MUMPS or its derivatives, but I’ve had some pretty bad experiences with Meditech security and reliability - admittedly many years ago. I’m glad your experiences were better!

I caution everyone against hacking hospitals and similar medical establishments. Some of them are so poorly structured and sloppily administrated that you could easily end up responsible for the death of a patient. And the government would very likely track you down and punish you for that.

4 Likes

That’s one way


Yep, lotsa Security-aaS vendors out there ticking those boxes and maintaining the perimeter while doing f-all for the other 90% of the attack surface.

3 Likes

Yes and no, passing them through multiple tumblers in other countries can at least muddy the waters.