This is pretty much my day job.
I’ll make a few observations based on my everyday interactions with dozens of hospital IT teams.
It is not literally true that “Security of America’s healthcare system is on the brink of catastrophic collapse” but it’s not a huge exaggeration, either. There are certainly specific institutions that have such incredibly bad security infrastructure and practices that they are going to catastrophically collapse at some point, most likely through ransomware infestation. But as the report says, the USA’s healthcare system is a mosaic of extremely disparate parts. Your hospital or physician practice may fail, but the damage will be restricted - so, for example, in the case of the big New York and California hospitals, only a few million people will be harmed each time.
Well, it’s really more of an ivory tower syndrome than callousness, but the effect is exactly the same. When confronted with reports like this one, those CEOs will command their underlings to “make it right” and fire anyone who says it has not been made right, and thus there is a built-in incentive to lie at every level, from hospital IT directors all the way down to the high school senior who is scripting file transfer jobs as a summer IT internship.
No, not really. The HIPAA and HITECH acts were what forced adoption of poorly designed medical records (which were in fact of better design than nearly all of the morass of ad-hoc non-standards that preceded them, but I digress) and they were implemented very slowly with many delays and postponements - not at all prematurely. The HIPAA security rule, despite constantly morphing and being open to interpretation at all times, has resulted in vast improvement of patient information security across the entire health care industry.
Which is to say that medical IT used to be unbelievably bad, and now thanks to the very slow and erratic implementation of standards and rules sponsored by the Federal government starting in 1999, it is now merely appallingly bad in the industry as a whole, and some few institutions actually have quite good security now.
But I don’t want to come down too hard on your “look out, the government is going to fix this” attitude because it’s not entirely unwarranted. This report seems to commit the classic Golden Hammer fallacy - we are federal interventionists, so therefore the cure to all ills is wholesale federal intervention - and many of the burdens placed on individual health care practitioners since HIPAA have been unnecessarily onerous, particularly for small players, which has in turn driven massive health system consolidation events across the country. But it is unfair to say that standardization of health record and insurance data formats was in any way a bad thing; it is a demonstrated good thing, and publication of the security and privacy rules, despite their flaws, has directly enabled me to address and resolve many hospital security issues (for example, by eliminating anonymous FTP of patient health records).
The worst problem I come across, and it’s almost on a daily basis, is unwillingness to take responsibility for change, and unwillingness to evaluate risk realistically. For example, a very very large New York Health Care system, with many many sites and employees, might tell me “we are going to continue to use clear-password FTP to transfer files across VPN links between our sites, even though those links are using known bad encryption algorithms because we are afraid to update them, because our FTPs are working and haven’t been hacked. We cannot risk that our brilliant new technology installation will fail to meet deadlines or cost projections because we used a new technology like SFTP”. If I object to this, I will be told where the door is… and sometimes that turns out to be the best course for me.
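The scenario in the last paragraph (cleartext FTP jobs riding VPN links with weak crypto) is the kind of thing a small audit script can surface before a risk conversation. The following is an added example, not code from the post or its author: it checks constructed transfer-job URLs for cleartext protocols and embedded passwords, and strongSwan-style `ike=`/`esp=` proposal lines for weak algorithms; the weak-algorithm list and the job format are assumptions, not taken from the post.

```python
import re
from urllib.parse import urlparse

# Algorithm tokens treated as unacceptable on a site-to-site link
# (assumed baseline; the post names no specific algorithms).
WEAK_ALGS = {"des", "3des", "md5", "sha1", "rc4", "null", "modp768", "modp1024"}
CLEARTEXT_SCHEMES = {"ftp", "http", "telnet"}


def audit_transfer_url(url):
    """Return findings for one transfer endpoint given as a URL."""
    p = urlparse(url)
    findings = []
    if p.scheme.lower() in CLEARTEXT_SCHEMES:
        findings.append(f"{p.scheme}: password and file contents travel in the clear")
    if p.password:
        findings.append("password embedded in job definition")
    return findings


def audit_vpn_proposals(config_lines):
    """Flag weak algorithms in strongSwan-style 'ike=' / 'esp=' proposal lines
    (assumed format: tokens joined by '-', alternatives by ',', optional '!')."""
    findings = []
    for line in config_lines:
        key, _, value = line.strip().partition("=")
        if key.strip() not in ("ike", "esp"):
            continue
        weak = sorted({t for t in re.split(r"[-,!]", value.strip()) if t.lower() in WEAK_ALGS})
        if weak:
            findings.append(f"{key.strip()}: weak algorithms {', '.join(weak)}")
    return findings


def audit_site(jobs, vpn_config):
    """Run both audits; return {name: [finding, ...]} containing only failing items."""
    report = {name: audit_transfer_url(url) for name, url in jobs}
    report["vpn"] = audit_vpn_proposals(vpn_config)
    return {k: v for k, v in report.items() if v}


# Constructed sample input resembling the situation described in the post.
SAMPLE_JOBS = [
    ("lab-results", "ftp://xfer:Summer2019@labs.hospital.example/outbound"),
    ("claims", "sftp://xfer@claims.hospital.example/inbound"),
]
SAMPLE_VPN = ["conn site-b", "    ike=3des-md5-modp1024!", "    esp=aes256-sha256"]

if __name__ == "__main__":
    for name, findings in audit_site(SAMPLE_JOBS, SAMPLE_VPN).items():
        print(name, "->", "; ".join(findings))
```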