Security of America's healthcare system is on the brink of catastrophic collapse


#1

Originally published at: http://boingboing.net/2017/06/08/minutes-to-midnight.html


#2

As long as the CEOs of these “healthcare” companies can get their bonuses and such, they don’t give a rat’s ass about the security of the systems.

Well fuck, might as well put in “go faster than the speed of lights” and “rainbows and unicorns for everyone”.


#3


#4

The problem: Congressional pressure, exerted through Medicare and Medicaid, to push hospitals and doctors into premature adoption of poorly designed and insecure electronic medical records.

The solution: “direct, meaningful, extensive government intervention”.

A-yup. That’ll work. Just fine.


#5

Not for long!


#6

Critically, the report says that without direct, meaningful, extensive government intervention, the problems cannot be fixed. Given the current regulatory climate, it’s unlikely that this will happen.

But…but…

“Soshalism”
“Government can’t do anything right”
“The road to serfdom”
“Standards are tyranny”
“Corporations will self-regulate”

[there, I think that’s covered the current regulatory climate in the U.S. People may die but shareholder value will be preserved.]


#7

Without a description of the columns that chart is useless.


#8

How good has our federal government been at protecting the integrity of its own confidential data?


#9

Better than a lot of individual corporations that do infosec on their own, that’s for sure (sorry if that makes you and John Galt cry).


#10

This is pretty much my day job.

I’ll make a few observations based on my everyday interactions with dozens of hospital IT teams.

It is not literally true that “Security of America’s healthcare system is on the brink of catastrophic collapse” but it’s not a huge exaggeration, either. There are certainly specific institutions that have such incredibly bad security infrastructure and practices that they are going to catastrophically collapse at some point, most likely through ransomware infestation. But as the report says, the USA’s healthcare system is a mosaic of extremely disparate parts. Your hospital or physician practice may fail, but the damage will be restricted - so, for example, in the case of the big New York and California hospitals, only a few million people will be harmed each time.

Well, it’s really more of an ivory tower syndrome than callousness, but the effect is exactly the same. When confronted with reports like this one those CEOs will command their underlings to “make it right” and fire anyone who says it has not been made right, and thus there is a built-in incentive to lie at every level, from hospital IT directors all the way down to the high school senior who is scripting file transfer jobs as a summer IT internship.

No, not really. The HIPAA and HITECH legislations were what forced adoption of poorly designed medical records (which were in fact of better design than nearly all of the morass of ad-hoc non-standards that preceded them, but I digress) and they were implemented very slowly with many delays and postponements - not at all prematurely. The HIPAA security rule, despite constantly morphing and being open to interpretation at all times, has resulted in vast improvement of patient information security across the entire health care industry.

Which is to say that medical IT used to be unbelievably bad, and now thanks to the very slow and erratic implementation of standards and rules sponsored by the Federal government starting in 1999, it is now merely appallingly bad in the industry as a whole, and some few institutions actually have quite good security now.

But I don’t want to come down too hard on your “look out, the government is going to fix this” attitude because it’s not entirely unwarranted. This report seems to commit the classic Golden Hammer fallacy - we are federal interventionists, so therefore the cure to all ills is wholesale federal intervention - and many of the burdens placed on individual health care practitioners since HIPAA have been unnecessarily onerous, particularly for small players, which has in turn driven massive health system consolidation events across the country. But it is unfair to say that standardization of health record and insurance data formats was in any way a bad thing; it is a demonstrated good thing, and publication of the security and privacy rules, despite their flaws, has directly enabled me to address and resolve many hospital security issues (for example, by eliminating anonymous FTP of patient health records).

The worst problem I come across, and it’s almost on a daily basis, is unwillingness to take responsibility for change, and unwillingness to evaluate risk realistically. For example, a very very large New York Health Care system, with many many sites and employees, might tell me “we are going to continue to use clear-password FTP to transfer files across VPN links between our sites, even though those links are using known bad encryption algorithms because we are afraid to update them, because our FTPs are working and haven’t been hacked. We cannot risk that our brilliant new technology installation will fail to meet deadlines or cost projections because we used a new technology like SFTP”. If I object to this, I will be told where the door is… and sometimes that turns out to be the best course for me.


#11

Yowza. You may have added more value with this comment than the original article. Rare that, and why I love BB and its community.

Thanks for spending the time to write this up.


#12

I agree with you that the HIPAA security rule has been on balance a very good thing.

It’s the HITECH Act and “meaningful use” which has created conversion chaos at lots of hospitals and clinics who had perfectly good security beforehand, turned the physical exam from a face-to-face conversation into a box-checking, stare-at-the-screen exercise, and thrown billions of dollars into the pockets of IT CEOs and shareholders which could instead have been used for providing actual health care.

I mean, you look up “regulatory capture” and “rent seeking” and “crony capitalism” and you’ll see the logos of Epic, Athena, Cerner and the rest.

And when it’s all said and done, do you think that your hospital’s Epic system will be interoperable with the clinic’s Cerner system and your doctor’s Centricity system? Pathetic, pathetic.


#13

Don’t forget Soarian! Which somehow always is spelled Saurian in my head. Or Meditech.

This is why I didn’t want to be too dismissive of your original point. Most of the paperwork requirements that have resulted from HITECH, SOX, GLB, and other federal regulations that impact health care have acted to dramatically reduce the quality of care afforded to individual patients. Having each patient initial a false statement (“I have read and understood the HIPAA statement provided to me”) on every doctor’s visit is the height of this hypocrisy.

Well, I can make the first two interoperate, and have done so. And it’s much easier now that billing and insurance formats are standardized. It’s not as bad as it was when things like SAINT on VAXen still existed <shudder>.


#14

Most healthcare administrators will read

as “Spend another ten percent of your budget on non-health care stuff, throw your clinical and financial processes into chaos for another eighteen months, and piss off your doctors and patients again.”


#15

Most health care administrators who put privacy and security and mission above profits will see the long-term value of adhering to standards. If the health care industries aren’t going to demand that those standards for sensitive data be put in place by companies then the job falls to the government (as medievalist describes, bad and good).

Those health care administrators who can’t see past the next quarter or who are (correctly) worried that such standards put us on the slippery slope toward (you’ll forgive the profanity) single-payer universal health insurance will see it exactly as you describe it and resist, since they tend to be the types who are incapable of doing forward planning and smooth rollouts.

[also, while I agree with the quote please edit your post to attribute it to @doctorow ]


#16

The VAX may be dead but OpenVMS still keeps kicking in healthcare, at least for a few more years.

MU/MU2 were nightmares to implement even in shops that had their act together. BUT - a number of the requirements pushed those hospitals that DIDN’T have good security to slowly move towards securing their network, which ultimately benefits everyone.

HL7 and Vendor neutral archives?


#17

As long as it’s not running SAINT. Mixing whackadoodle religion into operating system design was detrimental to the latter if not the former.

I liked VMS a lot. Hooray for automatic versioning filesystems and the extensible editor! Linus Torvalds and I argued about it once, but he won.


#18

I was shocked when I signed up for my doctor’s website (to access secure communications and medical records) and my password was limited to like 12 characters. I have more security on my Gap store account!


#19

Medical software applications frequently include their own authorization and authentication subsystems, rather than relying on highly secure, frequently updated AAAA infrastructure built into the underlying operating systems they run on. Typically these subsystems are of extremely poor quality, so that you can usually break out of the app into the OS and wreak havoc on the files and data that comprise the application.

Applications should basically never do their own authentication, authorization and access controls, although per-application auditing (the fourth “A”) can be very useful and important. Use the underlying system’s toolset, always. There’s pretty much zero possibility that an application developer can both provide a useful application and also build an AAAA subsystem that will be anywhere near as good as one provided by a well maintained, competently administrated OS.


#20

A few years ago I was lying in the CCU listening to my physician’s conversation with the nurse. He wanted to look at the reports of my blood tests. The nurse informed him that he would have to call the lab because the computer system was down for an OS update. I later told the nurse that Burroughs had developed an operating system which didn’t need to be shut down for an update–in the 1960s. I don’t think the message got through to the right people.