Another problem is that EVERYTHING is custom, we use very, very few off the shelf solutions. Need an EMR? Let's build it in MUMPS, a 51-year-old language that originated on the PDP7, and call it a state-of-the-art system like Epic or GE Healthcare. Don't like the terminal interface? Let's slap a GUI on the front that still interacts via TTY on the back end. SQL? Nah. C, C++, or any more modern language with more robust features and way more programmers? Nope.
Now, there are some EMRs and other healthcare-centric apps that are better written, but they're also terrible. Healthcare is a relatively small market, you'll never sell a million units of your app, so you charge out the wazoo for it, get a few health systems on it, and allow them to go crazy with customization to help lock them in. And then you try to add modern security features onto a system that's been growing for 50 years and it's a nightmare. It's INCREDIBLY common for nurses and doctors to need to have administrator access on their Windows desktops for various apps.
I was about to leave IT in general when a healthcare gig landed on me, and I'm glad it did. I find it very refreshing to be in an industry where it's so far behind that there are mountains of problems to tackle, even if half of them are so stupid it makes me want to cry.
- It's direct point to point communication (over a network)
- The transport network is dedicated and not open to anyone and covered by quite strong laws in many countries
- It's easy to see the history of communications
- It's easy to see if the other end successfully received something
- It's relatively standardized and ubiquitous (in health)
Email would be the closest thing, but it doesn't have all the advantages, and the extra add-ons that would make it better (like encryption, delivery receipt, digital signatures) are not standardized and/or ubiquitous (and often hotly argued about)
So fax is the lowest common denominator, that, if it was proposed today, would not be accepted for many of its disadvantages, but it's now hard to find a way to replace it.
And you basically file a police report, hardly anyone cares, and you are left with a bunch of paperwork to go fix it yourself. You get the money back eventually with plenty of paperwork.
At which point do thieves committing all sorts of punishable crimes actually get punished? In my case, the person signed up for a line of credit at Lowes, purchased 20k of construction goods, presumably all in a videotaped store, and got off scot-free.
https://research.checkpoint.com/sending-fax-back-to-the-dark...
Also, fax machines are very often just as internet connected as anything else. Email to fax, fax to email, fax-over-IP, it's not just modems dialing each other on copper anymore.
Punishable, sure, but that's CYA thinking. It's less secure, because there's no way to encrypt fax like you can encrypt email. Punishment doesn't help anyone except the CEOs, unless, of course, it was the CEO's information that got leaked.
Also, yes, phone calls are sent over the Internet just like emails. The big difference is, yes, that phone audio isn't encrypted.
Patient privacy monitoring (ensure no one peeks into patient records inappropriately) and a medication analytics platform (monitors suspicious and anomalous activity related to drugs and opioid diversion).
This of course deals with a multitude of different systems, EMRs, data formats, legacy-everything etc, but the GREAT thing about this whole thing is opportunity.
No one has really tackled the challenge of visibility across different systems and data formats in Healthcare and it's lots of fun to be part of that.
("Fun" is a non-corporate word, but it's still fun!)
I prototyped an access logger based on tamper evident logs, which used rolling hash codes. Precursor to this blockchain mania.
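The two comments above, the privacy-monitoring use case and the hash-chained access logger, fit together in one small example. This is added illustration code, not the poster's prototype: each access record carries an HMAC over the previous record's digest plus its own content, so editing or dropping a record from the middle of the log breaks the chain, and a simple care-team check flags lookups by staff with no treating relationship. The key, the user names and the patient ids are constructed placeholders.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Set, Tuple

# Key for the HMAC chain. Constructed placeholder for this example; in a real
# deployment it is held outside the database that the log protects, so a DBA
# who can rewrite rows cannot also recompute valid digests.
LOG_KEY = b"example-access-log-key"
GENESIS = "0" * 64
ENTRY_FIELDS = ("ts", "user", "patient_id", "action")


def entry_digest(prev_digest: str, entry: Dict[str, str]) -> str:
    """Digest of one record: HMAC over the previous digest and the entry's
    canonical JSON. Tying each digest to its predecessor is what makes later
    edits and deletions detectable."""
    canonical = json.dumps({k: entry[k] for k in ENTRY_FIELDS},
                           sort_keys=True, separators=(",", ":"))
    return hmac.new(LOG_KEY, prev_digest.encode() + canonical.encode(),
                    hashlib.sha256).hexdigest()


def append_access(log: List[Dict[str, str]], ts: str, user: str,
                  patient_id: str, action: str) -> Dict[str, str]:
    """Append one chart access, linking it to the current head of the chain."""
    prev = log[-1]["digest"] if log else GENESIS
    entry = {"ts": ts, "user": user, "patient_id": patient_id, "action": action}
    record = dict(entry, prev=prev, digest=entry_digest(prev, entry))
    log.append(record)
    return record


def verify_chain(log: List[Dict[str, str]]) -> Optional[int]:
    """Return the index of the first record that fails verification,
    or None when the whole log is intact."""
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != expected_prev or rec["digest"] != entry_digest(rec["prev"], rec):
            return i
        expected_prev = rec["digest"]
    return None


def unexpected_accesses(log: List[Dict[str, str]],
                        care_teams: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Privacy-monitoring check: accesses by users not on the patient's care team."""
    return [(r["ts"], r["user"], r["patient_id"]) for r in log
            if r["user"] not in care_teams.get(r["patient_id"], set())]


def build_sample_log() -> List[Dict[str, str]]:
    """Constructed sample: three accesses to one patient's chart."""
    log: List[Dict[str, str]] = []
    append_access(log, "2019-06-01T08:00:00", "nurse.ana", "P-1001", "view")
    append_access(log, "2019-06-01T08:05:00", "dr.lee", "P-1001", "update")
    append_access(log, "2019-06-01T09:30:00", "clerk.bob", "P-1001", "view")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_chain(sample) is None)
    print("outside care team:",
          unexpected_accesses(sample, {"P-1001": {"nurse.ana", "dr.lee"}}))
```

A chain like this catches modification and removal of interior records, but truncating the tail is invisible to the verifier unless the latest digest is regularly anchored somewhere the log writer does not control (a write-once store, a printed daily digest, or a second system that only receives heads).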
re: visibility
I'm still bullish on the Translucent Database thesis. TLDR: Use the password salt + hash technique to encrypt data at rest at the record level.
--
Source: Designed, implemented, supported 5 regional healthcare exchanges. eg Brooklyn Health Information Exchange (BHIX): https://www.itnonline.com/content/medplus-implement-clinical...
VB6/MUMPS stack is... not ergonomic to code in.
Epic is easy to hate (it's everywhere), and for good reason. However, the alternatives are not obviously better unless there's been some radical innovation. There are definitely systems designed for a particular piece of a hospital (ex, ER, or labs, etc) that are probably better than Epic is, but when it comes to having one system for the entire hospital, they're all pretty bad.
The main problem is that the customer is not the nurses, it's the legal/financial/administrative side.
But there are many systems in a hospital. And as EuphoricEmu pointed out, within the hospital, admits, discharges and movements throughout the hospital are still done via HL7v2 (a delimited and structured format).
Additionally, I would absolutely NOT build a new system on HL7v2 at this point in time. I would only use it to integrate with existing systems.
Also, I do know of EHR systems that use FHIR for their internal data storage format.
RHIOs building gateways for 3rd party apps is very much the future of FHIR. But they’ll still be interacting with that crufty legacy system.
Just my own two cents.
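For readers who have not seen the format the comment above refers to, here is an added example (not from any project or poster on this page) of parsing an HL7 v2 ADT message, the kind that carries admits, discharges and transfers. The delimiters are read from the MSH header rather than hard-coded, MSH field numbering is corrected for the separator-as-field quirk, and anything that does not start with an MSH segment is rejected, since interface feeds are unauthenticated and a parser should not trust their framing. The message is constructed; escape-sequence decoding is left out as a stated simplification.

```python
from typing import Dict, List, Optional, Tuple

# Constructed ADT^A01 (admit) message for this example; not a real feed.
# Segments are separated by carriage returns, as HL7 v2 requires.
SAMPLE_ADT = "\r".join([
    "MSH|^~\\&|ADT_APP|WARD_SYS|EMR|HOSP|20190101120000||ADT^A01|MSG00001|P|2.3",
    "EVN|A01|20190101120000",
    "PID|1||123456^^^HOSP^MR||DOE^JANE||19800101|F",
    "PV1|1|I|WARD3^101^A|||||||MED||||||||V0001",
])

Segment = List[str]


def parse_hl7(message: str) -> Tuple[List[Segment], str]:
    """Split an HL7 v2 message into ordered segments and their fields.

    The field and component separators are taken from MSH-1/MSH-2 instead of
    being assumed, because a sender may legally use non-default delimiters.
    Returns the segments plus the component separator. HL7 escape sequences
    (\\F\\, \\S\\ and so on) are left undecoded; that is a simplification."""
    lines = [ln for ln in message.replace("\n", "\r").split("\r") if ln.strip()]
    if not lines or not lines[0].startswith("MSH") or len(lines[0]) < 8:
        raise ValueError("message must start with a well-formed MSH segment")
    field_sep = lines[0][3]
    comp_sep = lines[0][4]
    segments: List[Segment] = []
    for ln in lines:
        fields = ln.split(field_sep)
        if fields[0] == "MSH":
            # MSH-1 is the separator character itself; re-insert it so that
            # field numbering matches the specification (MSH-9 = message type).
            fields = [fields[0], field_sep] + fields[1:]
        segments.append(fields)
    return segments, comp_sep


def get_field(segments: List[Segment], name: str, index: int,
              component: Optional[int] = None, comp_sep: str = "^") -> str:
    """Field <index> of the first <name> segment, optionally one 1-based
    component of it. Missing fields or components yield '' rather than raising,
    because real feeds routinely omit trailing fields."""
    for fields in segments:
        if fields[0] != name:
            continue
        value = fields[index] if index < len(fields) else ""
        if component is None:
            return value
        parts = value.split(comp_sep)
        return parts[component - 1] if component - 1 < len(parts) else ""
    return ""


def summarize_adt(message: str) -> Dict[str, str]:
    """Pull the fields an integration engine typically keys on."""
    segments, comp_sep = parse_hl7(message)
    return {
        "control_id": get_field(segments, "MSH", 10),
        "event": get_field(segments, "MSH", 9, 2, comp_sep),       # A01 = admit
        "mrn": get_field(segments, "PID", 3, 1, comp_sep),         # medical record number
        "family": get_field(segments, "PID", 5, 1, comp_sep),
        "given": get_field(segments, "PID", 5, 2, comp_sep),
        "patient_class": get_field(segments, "PV1", 2),            # I = inpatient
        "location": get_field(segments, "PV1", 3),                 # ward^room^bed
    }


if __name__ == "__main__":
    print(summarize_adt(SAMPLE_ADT))
```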
The only problem is that the healthcare providers are implementing it in such a diverse way. So you end up having provider specific code :)
My ETL work in healthcare finally pushed me to treat the problem as screen scraping. Bypassing all the attempts at formality, eg XSD.
The next step, which I prototyped but was put into purgatory by being acquired, was to simply capture all the data and use text retrieval tools, eg Lucene. Versus ingesting the data, normalizing it (to some schema) and populating database(s). Basically, postponing the translation/transformation of client data until viewing. Because, as you hinted, everyone does stuff differently, and clients generally have no idea what their data looks like until we showed them.
The proper solution would be to have direct access to source data, versus data feeds, but that ain't gonna happen until we have single payer, because the current incentive structure strongly discourages such simplicity.
I think the EMR industry is driven more by safety, liability, and revenue for hospitals (in that order) than by patient/physician desired features or security.
It's also difficult to build tooling that interconnects across all of the medical specialties - and with the amount of customization that some providers want.
- https://www.gnuhealth.org/#/download/projects
- https://savannah.gnu.org/projects/health
- https://en.wikibooks.org/wiki/GNU_Health
Can't tell if it's any good, though I hear it's been used in some medical facilities around the world.
This strikes me as the SAP problem.
Everybody hated their big company's <foo> system. Until SAP came along and somehow made it orders of magnitude worse.
It's what happens when purchasing decisions are driven from the top. Sadly, in healthcare, given all the regulations, I'm not sure there is another option.
And it's not only an IT systems problem. It's a comprehensive systems problem.
Which includes training, and counterparty expectations, and manual data entry, etc.
I have a long history in proper IT, and I'm very legally/regulationally knowledgeable, and in my two healthcare gigs I've made friends of the medical staff for improving responsiveness in IT and making things easier to use, while also reducing security problems by having both of those worlds of knowledge. Usually top IT management isn't technically knowledgeable, and frequently they're not even that good with regulatory knowledge. That makes it hard on the rank and file to be efficient. Not to pat my own back too much, but being well versed in both regs and tech helps a LOT in user satisfaction.
Even off the shelf is no solution really. Everything is proprietary, you get locked in and years later the vendor isn't maintaining shit and moving away becomes a black hole of a cost sink.
>It's INCREDIBLY common for nurses and doctors to need to have administrator access on their Windows desktops for various apps.
Honestly, needing admin on a "user network" device isn't the worst. You can still run malware that attacks the network via non-admin context :/ The best move is to use AppLocker if it's critical.
This made me smile, because this is exactly what I did when working for a major health insurer...
It’s funny. You got Ruby guys out here who think every problem can be solved with a new DSL, and you guys actually have a DSL and want to get rid of it! Maybe the grass is always greener on the other side?
Nah. C
Also traces its roots to the PDP7 https://en.wikipedia.org/wiki/C_(programming_language)#Early...
Government promises, and thus government kills. A monopoly enforced by guns and prisons.
During the mid aughts, hospitals simply didn't have the experience to defend against predatory consultancies.
Hopefully that situation has improved with the addition of people like you.
Because they've spent the last couple decades focused on medical training.
Sure, use cousin x’s coverage. Nobody will freak out when your blood type doesn’t match the records...
Without the standards the executives don’t know who they should believe, and invariably they believe the guy who sounds and acts like themselves, which means he knows as much about cyber security as the executives.
If you know what you are doing regarding cyber security, AND you are doing all the right things, HITRUST compliance is a cinch.
If you don’t know what you are doing regarding cyber security, HITRUST at least gives you a fighting chance. But then that’s the rub, if you don’t know what you are doing why are you running cyber security.
https://www.linkedin.com/pulse/open-letter-hitrust-alliance-...
For some context, this is one of our favorite websites/datasets: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
It is a structured archive of all reported health data breaches, major or minor, over the last 15 years or so, as reported by the breached entities. They’re required to report breaches as part of HIPAA compliance, or something related to it.
It’s a fascinating quilt of stories, with patches for phishing, accidental email attachments forwarded, and rogue admins. Fun reading. You can also load it into sqlite and find some interesting results (leakiest companies, states with most breaches reported, etc).
Hospitals might be a weak spot, but at least their weaknesses are ruthlessly well documented! As opposed to, say, financial infrastructure which IME is a similar horror show of monkey patched sftp servers.
Solving this collective technical debt is a massive coordination problem. It’ll be interesting to see if we ever get there. My suspicion is that the changes will be driven by monopolistic insurers, if ever, since that’s where all the money comes from (if you go to doctor at hospital X, your coinsurance will be Y instead of Z, because doing business with X is more/less risky due to their documented data practices). But it’s just a suspicion, this kind of thing might not be solved in our lifetimes.
(Edit: My first job was hospital IT for a few months, and my boss was actually a pretty skilled programmer with a good grasp on security. So there are definitely exceptions.)
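The "load it into sqlite" idea from the comment above, as an added example rather than anything the poster published. The table columns are modelled on the breach portal's export (entity, state, entity type, individuals affected, submission date, breach type, location of the data), but that column set is assumed and the five rows are constructed, not real reports. The queries are the ones the comment hints at: who leaked the most records, which states report most often, and which breach types account for the most individuals.

```python
import sqlite3
from typing import List, Tuple

# Constructed rows modelled on the HHS OCR breach portal export. The column
# set is assumed from the portal; entities, figures and dates are invented.
SAMPLE_ROWS = [
    ("Example Health System A", "CA", "Healthcare Provider", 120000, "2019-03-02",
     "Hacking/IT Incident", "Email"),
    ("Example Health System A", "CA", "Healthcare Provider", 5000, "2019-07-15",
     "Unauthorized Access/Disclosure", "Paper/Films"),
    ("Example Clinic B", "TX", "Healthcare Provider", 800, "2019-05-10",
     "Hacking/IT Incident", "Network Server"),
    ("Example Plan C", "TX", "Health Plan", 45000, "2018-11-20",
     "Theft", "Laptop"),
    ("Example Associate D", "NY", "Business Associate", 2500, "2019-01-08",
     "Hacking/IT Incident", "Email"),
]


def load_breaches(rows=SAMPLE_ROWS) -> sqlite3.Connection:
    """Load breach report rows into an in-memory SQLite table.
    With a real export you would replace `rows` with the parsed CSV."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE breaches (
            entity TEXT, state TEXT, entity_type TEXT, individuals INTEGER,
            submitted TEXT, breach_type TEXT, location TEXT)""")
    conn.executemany("INSERT INTO breaches VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def leakiest_entities(conn: sqlite3.Connection, limit: int = 3) -> List[Tuple[str, int, int]]:
    """(entity, number of reports, total individuals affected), largest first."""
    return conn.execute("""
        SELECT entity, COUNT(*), SUM(individuals) FROM breaches
        GROUP BY entity ORDER BY SUM(individuals) DESC, entity LIMIT ?""",
        (limit,)).fetchall()


def breaches_by_state(conn: sqlite3.Connection) -> List[Tuple[str, int]]:
    """(state, number of reports), most reports first; ties broken by state code."""
    return conn.execute("""
        SELECT state, COUNT(*) FROM breaches
        GROUP BY state ORDER BY COUNT(*) DESC, state""").fetchall()


def breach_type_summary(conn: sqlite3.Connection) -> List[Tuple[str, int, int]]:
    """(breach type, number of reports, total individuals), by individuals affected."""
    return conn.execute("""
        SELECT breach_type, COUNT(*), SUM(individuals) FROM breaches
        GROUP BY breach_type ORDER BY SUM(individuals) DESC, breach_type""").fetchall()


if __name__ == "__main__":
    db = load_breaches()
    for row in leakiest_entities(db):
        print("entity:", row)
    for row in breaches_by_state(db):
        print("state:", row)
    for row in breach_type_summary(db):
        print("type:", row)
```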
I imagine not many hospitals hire security talent either, or that they do much security beyond the "change your password" email every 6 months. Oh, and doctors/nurses/etc tend to ignore those emails.
Don't assume your medical data is secure. Systems that conform to HIPAA regulations are just one part of their computing infrastructure, and it's trivial to maliciously access a huge surface area outside of those specific pieces of hardware and software, and once a malicious actor has that access, it's not too hard to cross the gap.
Upper level IT management doesn't communicate with the team when large changes are made, and pretty much treat them disrespectfully, even though they have their fingers on the pulse of what's going wrong from the medical staff. There's also a lot of waste from poorly implemented/delayed projects (there are more PMs than IT staff to implement the projects). Definitely a frustrating and bureaucratic area to be in.
I find that hard to believe in an age of $100 saline bags, $20,000 childbirths, and 15-minute-long $500 specialist visits.
That said, I agree (based on 1st hand experience) that the larger healthcare multibillion dollar systems in the US can afford to pay more for better IT/engineering. There is simply little incentive to do so. And further it’s more than just hiring a few engineers with FAANG pay... these institutions are organizationally not suited to engineering. Changing this would not be easy for them... and no, we don’t need a hospital run like Facebook or Uber.
Then there are the tons of smaller systems in the US... they cannot afford high priced engineers regardless of the pre-insurance line charge for a bag of saline.
In medicine, doctors are king. Everyone else is a peon.
Of course hospitals are a security weak spot: They're full of sensitive patient health data shared over computer systems whose users and procurers are not very security-literate, and often absent-minded about such issues due to the grinding, stressful work.
Unprotected desktops are another issue. There is a tide of duties, and an attacker can pattern the staff and get a good idea when they will have time to do an inside job of some sort.
At least they have their own on-site security that’s experienced in taking people down.
I continue to believe the real threats are actual insiders and remote attacks.
Dunno how far someone will get with a USB key versus sending everyone a plausible email.
We had one user who called after filling in every email address she had into a very plausible looking O365 login page. She admitted she initially distrusted the email/link that led her to this page and had replied saying so. The hackers on the other end told her to go ahead and do so. I mean, who is she to question when it's coming directly from the hospital's lawyer?
Insiders still can be threats. There was a machine that was deployed in a hospital for clinical imaging that some rad tech who guessed the administrator password put folding@home on without telling anyone which crippled that machine's ability to perform its function.
The physical security layer at a lot of hospitals is almost entirely absent, sadly.
They make you verify your phone number and address. Every. Single. Time. In public.
It's a shame how silly it all is.
[1]: https://www.eesti.ee/eng/services/citizen/tervis_ja_tervisek...
Hospital IT depts are pulled between many competing interests which lead up to this.
https://www.reddit.com/r/msp/comments/dnd7aq/ransomware_atta...
From that thread: Avimark is an old-style load-the-EXE-from-a-share program with a flat file structure for the data. Most clinics are not in a domain, just a workgroup, and the share is read/write access for Everyone. So, yeah.
Note: Avimark itself is not at fault here. The Avimark issue that the practices are having is related to NVA not having a solid DR plan with working backups. Part of the problem there is that because of Avimark's architecture, most practices have an on-prem server that each workstation RDPs into for using Avimark. Because this equates to 500 or so Avimark SQL Server instances spread around the United States, it's perhaps not surprising that NVA's unsophisticated IT department did not have working backups for each instance.
Dr. Paul DVM and AVImark Consultant and Trainer since 1998.
I could pile on; all I want for now is encrypted and signed email with my doctors. I have an S/MIME certificate; can’t see why the IT staff at the hospitals I deal with can’t make sure my doctors have the same.
- Duple? https://www.duple.io/en/
- Nextcloud? https://nextcloud.com/