OK good to know. I thought it was either that or Bitcoin just had a huge jump in price while the article was being written.
Really? From my point of view, HIPAA/HITECH has been the best thing to ever hit hospital IT security.
20 years ago, I'd say "you need to use a cryptographically secured transport for this incredibly important data that you've promised your patient you will keep secure" and they'd say "naaaaah, we'll use anonymous FTP to a server attached to the Internet that hasn't been patched since 1979. It'll be fine; we use this method for all our data!". I'd say "no, really, you don't want to do that" and they'd say "it's how we're going to do it, so you can put up or shut up" and I'd walk away. After about March 1st 2000 the line changed to "hasn't been patched since Y2K" but otherwise was the same conversation, over and over again, hospital after hospital.
But nowadays, when they say "Oh, we'll have a minimum wage clerk drag and drop the files and rename them manually every day over a Berkeley rsh connection through the Internet, it'll be fine" I can just say "HIPAA/HITECH" and they'll say "oh, dammit, now we have to do it right, he knows the magic words".
It was end-to-end when I was running hospital IT shops as well. It ran on AIX and used dumb terminals and serial terminals to connect to lab and other medical devices. It was transitioned to MAGIC while I was there. MAGIC simply used a telnet like program to interface like the old dumb terms did and much like HMS does on iSeries.
I've been out of the medical IT world for over a decade now so I'm sure there is much I've missed. However, no matter what has changed, you need a CIO competent enough to see the obvious problems who is also strong enough to say no to Microsoft-reliant HIS.
The entire NHS runs on Windows.
I've never seen a hospital run on anything else.
I keep thinking that sooner or later it's going to be the year of something-other-than-Windows on the desktop, if enough horrible things keep happening.
The trouble with backups is that they can be locked up, too, if they're always plugged in.
For business office and such I can see Windows being used. It's fine for office work.
For a Hospital Information System, there are other options.
Myself, I've never seen an HIS run on Windows, but I'm told some are these days.
I wonder if the implementation of Windows in your NHS has something to do with a Public Accounts Committee report calling the attempt to upgrade NHS computer systems in England one of the "worst and most expensive contracting fiascos".
Thank goodness they had none of this newfangled technology when I was born there.
Your mileage with HITECH/HIPAA can and will vary.
I just grabbed a local hospital and checked their website and they are still running SSL3, don't support PFS (but do implement TLS_FALLBACK_SCSV).
Using SSL Labs it got a C - when it should get an A.
One of the problems with "must use encryption" is that it doesn't go far enough into how to properly implement it; if I just encrypt something with Diffie-Hellman via SSL3 (or TLS) I've ticked that box and can move on. Even though that's not secure - at all.
I just found a HIPAA doc using that as a secure example from nist.gov - and because it is based on legislation it can't move fast enough to keep up with the threat landscape.
Edit1: typo
Edit2: usage clarity, socket or transport
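The kind of check the comment above describes, as an added example that is not from the thread: a small Python assessor over constructed scan data that flags SSLv3 and cipher suites without forward secrecy. The grade thresholds are an assumption for illustration, not SSL Labs' actual rules, and the scan dicts are constructed, not taken from any real site.

```python
import re

# Constructed scan results, shaped like a TLS scanner's summary (not real data).
HOSPITAL_SCAN = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "cipher_suites": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "tls_fallback_scsv": True,
}
HARDENED_SCAN = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "cipher_suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"],
    "tls_fallback_scsv": True,
}

def key_exchange(suite):
    """Key-exchange field of an IANA cipher-suite name, e.g. 'ECDHE_RSA'.
    TLS 1.3 names (TLS_AES_128_GCM_SHA256) have no '_WITH_' because every
    TLS 1.3 handshake uses ephemeral (EC)DHE; they are reported as 'TLS13'."""
    m = re.match(r"^TLS_(.+?)_WITH_", suite)
    return m.group(1) if m else "TLS13"

def forward_secret(suite):
    """True when the suite's key exchange is ephemeral, i.e. provides PFS."""
    kx = key_exchange(suite)
    return kx == "TLS13" or kx.startswith(("ECDHE_", "DHE_"))

def assess(scan):
    """Return (grade, findings). Grade rules are a simplified assumption for
    this example, not SSL Labs' algorithm: any non-PFS suite caps the grade
    at B, SSLv3 on offer caps it at C, otherwise A."""
    findings, grade = [], "A"
    static = [s for s in scan["cipher_suites"] if not forward_secret(s)]
    if static:
        findings.append("no forward secrecy: " + ", ".join(static))
        grade = "B"
    if "SSLv3" in scan["protocols"]:
        # TLS_FALLBACK_SCSV only blocks downgrades by clients that send it;
        # it does nothing for a peer that negotiates SSLv3 outright.
        findings.append("SSLv3 offered; disable it (TLS_FALLBACK_SCSV does not fix this)")
        grade = "C"
    if not scan["tls_fallback_scsv"]:
        findings.append("TLS_FALLBACK_SCSV not supported")
    return grade, findings

if __name__ == "__main__":
    for name, scan in ("hospital", HOSPITAL_SCAN), ("hardened", HARDENED_SCAN):
        print(name, *assess(scan))
```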
Meditech is going cloud now…
I believe "Magic" uses the Meditech Client, which is basically an antique terminal emulation (Esprit 105C, from the old Data General days, if memory serves) running over telnet. There's also a compatible, but infinitesimally better client called "Cambridge" by end users, again if my memory isn't rotted away from the horror of dealing with hospital computer systems in general.
Those, you can get. But…
Whoops, reassigned/fired by the board on recommendation from the accounting department and all the physicians who aren't card-carrying members of the Cult of Apple.
Mainframes are still going strong! And there's still some VAX/VMS based systems, too, but they are increasingly rare.
I'd heard rumblings about the madness of programming M/MUMPS, but hadn't really looked at it until now.
strings to booleans:
disturbing pattern matching syntax:
The whole document is terrifying. For the first time in my life, I am not sure if running Windows would be less horrible.
It takes a bit to get used to. The thing is, Meditech (which is MUMPS based) is incredibly stable and secure - at least running on mini computers. The move to micro computers astounds me.
In truth, medical systems like Meditech really require little programming work and do very little. They take basic info like demographics and store them, they record the output of lab and other medical equipment and store it, and they provide some basic calculations and reporting. Neat functions and capability aren't very important. What is important is stability, data integrity and security. MUMPS never failed me on those points. Even OS upgrades didn't require reboots or shutdowns. Being up 24/7/365 was never a problem and though a Symantec enterprise exploit got our Windows systems attacked at one location, the medical data was never at risk. We shut down the entire Windows LAN and kept the hospital HIS running.
From a sysadmin side I can see the advantages of high availability. So long as the security wasn't just the obscurity from attackers having no idea what on Earth is happening on those machines, that would also be a bonus. I'd still pity the guy who had to write software with that.
Yeah, I keep hearing him say this as if it's Moore's law or something. Seems to me, if this is happening (and I agree that it is) it's the result of laziness and greed and obsolete power plays, more than a drive toward efficiency and health. Not so much that it's a good idea, but that no one has come up with a better one yet.
It's really not that bad, and quite a fun language to program in. Dr. O'Kane's implementation is, ummm, "unusual" would be a good word, and is not highly used in production environments. The Intersystems Caché implementation (which they are allergic to calling MUMPS) is most common these days.
A really fun thing is that persistent variables (effectively database entries in a sparse hierarchical database) are created by preceding the variable name with a caret:
dog is a local variable (bonus points: its type is whatever you want it to be, and you can change it on the fly!)
^dog is a global variable and persistent until it's deleted ("killed" in MUMPS parlance.)
The other fun thing is that you can abbreviate any keyword to uniqueness:
for use infile read recordx quit:$zeof=-1 do
can be abbreviated/obfuscated to:
f u infile r recordx q:$zeof=-1 d
Oh yeah, and see that $zeof thing? That's a system variable, and they're different in every implementation. That particular one checks for an end of input file in Caché.
Dr. Richard (Dick) Walters of UC Davis, wrote the book on MUMPS: M Programming - A Comprehensive Guide which is still available from Amazon.
I remember doing keyword abbreviation in C=64 BASIC, this is not a feature I miss in modern languages.
You started with "It's really not that bad" but then "f u infile r recordx q:$zeof=-1 d" came along, followed by "they're different in every implementation" and, well, I'll just let other people enjoy MUMPS.
No pity necessary. While I don't write code on a day-to-day basis anymore, I have a couple of clients for whom I do MUMPS maintenance. I greatly enjoy it.
@jamesnsc, for SSL you can't be compliant with HITECH unless you're NIST-approved/FIPS-compliant. (And today, if you can figure out how to report the possible violation of 45 CFR 164.306 a(2) that you've just mentioned to the hospital IT, then if the system can be used to access patient data they'll have 30 days to fix it or they will be liable to fairly serious fines and penalties. Before HIPAA/HITECH, they'd just stare at you blankly and say "that's not a problem.")
Keep in mind that iff the hospital website you sampled does not have any security requirements, because it provides no logins at all, nobody cares if it uses SSLv3.
One of the "features" of HIPAA is that the Secretary can modify it at will, with very few restrictions. It's arguable whether this is a good thing, at least in theory - if Ms. Burwell has a rough day and decrees that "all hospitals must paint their CEO's rear ends blue in order to meet minimum security guidelines" then that's the law, until she changes her mind. But among the many things the Secretary has occasionally decreed are "industry best practices" so SSL3 is not valid for hospital transport level security at this time, regardless of what checkboxes anyone ticks off. The Secretary has also decreed FIPS compliance for PHI in motion, so again it doesn't matter what yesterday's checkboxes say, you'll get 30 days to remediate from the time you become aware of any such problem.
@anotherone, I've got nothing against MUMPS or its derivatives, but I've had some pretty bad experiences with Meditech security and reliability - admittedly many years ago. I'm glad your experiences were better!
I caution everyone against hacking hospitals and similar medical establishments. Some of them are so poorly structured and sloppily administrated that you could easily end up responsible for the death of a patient. And the government would very likely track you down and punish you for that.
That's one way…
Yep, lotsa Security-aaS vendors out there ticking those boxes and maintaining the perimeter while doing f-all for the other 90% of the attack surface.
Yes and no, passing them through multiple tumblers in other countries can at least muddy the waters.