back to article Terrible infections, bad practices, unclean kit – welcome to hospital IT

When it comes to IT security, the medical world is by far the most inept at data security. So say top researchers at the first Usenix Enigma security conference, held this week in San Francisco. "As a tester who has worked in many industries, healthcare is the absolute worst in terms of security," Avi Rubin, technical director …

  1. JLV
    Paris Hilton

    This is does not compute

    In most countries IT healthcare seems to be some woefully backwards, in terms of patient record storage and connectivity/continuity of healthcare data across providers. The result is a level of duplicate data entry & paper records that would shame any other industry. It ranges from mere inconvenience to wasted millions to serious health risks on prescription abuse or adverse drug interaction.

    Despite spending billions on it, of course.

    Each and every time, the standard "don't-you-worry-your-pretty-head-about-it" answer is always that us dumb voters fail to understand how seriously the powers that be are about our confidential health data.

    p.s. Change password once an hour? Really???? password123003904 => password123003905 much?

    1. Tom Womack

      Re: This is does not compute

      The powers-that-be appear to worry much more about the confidentiality of the data than about its availability.

      Frankly I don't care if the consequence of any ambulance-operative in the country being able to discover instantly that I have blood type B is that every hacker in the world also knows my blood type.

      1. Tomato42
        Stop

        Re: This is does not compute

        if you had severe latex allergy you'd be singing to a different tune

      2. MotionCompensation

        Re: This is does not compute

        It's the integrity of the information you should be worried about then. Blood type B? Computer says you're A. So hook him up to that bag of type A! That bag with the computer printed label that says "type A"...

      3. JLV

        >blood type B hackers

        Don't misunderstand me.

        Health info is about as private as could possibly be, and rightfully so. Blood type access is not at issue and should be as easily accessible as possible. But what about things like STDs, mental disorders and long term illnesses? Disclosure of any of those could result in personal problems and work discrimination (especially in countries where the employer is on the hook for health care).

        I just find it odd that confidentiality is so often invoked to explain away health IT failures and then to see this article's findings.

  2. Fehu
    Devil

    Obvious

    Doctors always think that they're the smartest guy in the room, so if you tell them something like, "You need to use a password longer than 3 characters." They're just going to ignore you. When was the last time you removed someone's spleen on purpose? Second, they're so cheap they squeak when they walk.

    1. Lysenko

      Re: Obvious

      They have a point in some cases though. If you're in an ER you might need to pull someone's medications, allergies and blood type *NOW* and playing pin the tail on the password might kill someone (and no, you can't take off the gloves for a fingerprint scan).

      They need something more like an NFC wristband so the terminals unlock and login automatically when the user is within six inches of the keyboard. (Some) Doctors may be arrogant but they're not stupid. If IT security impedes patient care they'll find some way to subvert it.

      1. ZSn

        Re: Obvious

        I was in an A&E a week ago, and they *could* type on the keyboard because it was a solid slab of flexible plastic that obliviously could be sterilised in seconds with the spray that was bolted beside it.

        The doctor isn't usually the one pulling the information from what I've seen, it's usually somebody cheaper and further down the pecking order

        1. Lysenko

          Sure

          ...my point was IT need to implement common sense password rules (in the first instance). For example: no password should require two hands. That means no operation of the shift key. That means passwords need to be case insensitive and not involve numbers or punctuation.

      2. Anonymous Coward
        Anonymous Coward

        Re: Obvious

        IT security doesn't get in the way of patient care, this is an utter myth. lack of funding of secure systems does.

        We have implemented VDI, we use staff ID badges to authenticate (these also operate the doors - so they always have them), desktops and open apps follow them around, combine that with single sign on and bobs your uncle. Unfortunately it's very expensive and getting investment has taken literally 5 years of my life just to do a pilot.

        The biggest problem all along wasn't security, it was the infrastructure being unable to quickly load applications and the validity and accountability of those using clinical systems. Can you imagine if you head to court because they lobbed off the wrong foot and when asked who noted which foot was to be removed in the clinical system the answer was "we don't know - we were all sharing the same credentials".. cha ching! That's the only way we hold many clinicians accountable for their actions, these people are GODS you know (in their minds).

        However working with them has given them a system they love, just hope I can get the money to roll it out in the rest of the unit now.. :(

      3. noominy.noom

        Re: Obvious

        @Lysenko

        You are absolutely on target. Not only is security always a compromise, but the various advantages and disadvantages are different in different situations. If a system can't be made both convenient and secure then it doesn't belong in an ER.

    2. Anonymous Coward
      Anonymous Coward

      Re: Obvious

      They might be the smartest people in the room most of the time but when they leave the oasis of their knowledge and enter a vast desert of ignorance, they quickly shuffle you off into another room.

  3. Anonymous Coward
    Holmes

    Sounds like the doctors I know.

    "all users to change their passwords once an hour. In response, the doctors ordered a junior nurse to go to each of their workstations every sixty minutes, change the password, and keep them logged in"

    They don't understand medical tech, and they don't like things getting between them and the patient.

  4. cd

    The password change idea was idiotic. It deserved an even more cynical response than it got. The blind arrogance was the IT peeps in that one, they should have had their spleens removed.

    Agree a solution needs to allow instant access for caregivers and lock others out. Some kind of encrypted RFID thingie?

    1. Long John Brass

      > The password change idea was idiotic. It deserved an even more cynical response than it got. The blind arrogance was the IT peeps in that one

      Very much doubt it was the IT people; Sound like something an auditor told em to do. I've had similar fights with brain dead auditors in the past; Some I won, most I lost :(

    2. NotBob

      Maybe the article has been edited, but it states that the docs would be logged out, not have to change their passwords.

      In one hospital, users would be logged out of their workstations if they left their machines idle, so the doctors told a junior nurse to go around

      Forced password changes every hour would be bad. Automatic logout for inactivity - the docs need held over the coals for subverting that one.

  5. allthecoolshortnamesweretaken

    Oh dear

    I was a bit absent minded and read it as unisex enema first (but then, after reading the article that didn't seem that far off either).

    Doctors - you gotta learn how to treat them.

  6. Anonymous Coward
    Anonymous Coward

    1. Doctors often see medical equipment like cars that should last 10 years with the occasional techie manipulating/repairing/fixing them and with someone manually writing names, ids etc with the results which can then be processed somewhere else. Devices innards should not be static, but should be "rolling" updates etc.. and patient info and records needs to be automated properly with authetication and authorization.

    2. I still remember a friend who worked in a hospital IT and who was called in after a junior doctor had inserted a USB-key in a PC and gotten infection messages. He had subsequently tried to get the USB-key to work in six or seven other machines with much noise about how inept the hospital IT was. When my friend as responsible for IT indicated to his boss (a doctor/manager) that the behaviour was against all training and policies, irresponsible, costly and the effect on morale of his staff was detrimental he was nearly sacked.

    The best way to improve the situation is to implement the secure cloud first and remove most of the manual carrying of info and the possibility of integrating devices. But it will be interesting how this will evolve. Selling hardware is just so much easier than selling integrated solutions. :-)

  7. Ashley_Pomeroy

    I'm digressing here, but with a name like Kevin Fu he was born for a life in IT.

    1. Anonymous Coward
      Anonymous Coward

      F.U. is in charge of security here.

      1. Anonymous Coward
        Trollface

        "Our information security is F.U." fits in more than a couple places I have seen :)

  8. G.Y.

    Henry Marsh's "do no harm" has a good section on hospital passwords

  9. PJF

    intRAnet ?

    Dumb question - but why don't have a(n) intra net- ie ALL "national"/ E. Union/ States have a closed off intranet for their "geographical" area?

    I get people move about, but don't most accidents/injuries happen less than 10 miles/Km.s from home or office?

    If an "international" person does get injured, yes I can see having some sort of "global" db to point to their local community/state/region db for stats.

    Me - f. a chip, I have my dog-tag permanently engraved (ie - tattooed) to my chest. I didn't/don't trust the US Armed Services to screw up then, and a hell of a lot less now.... (that's about 28 years ago then)

  10. imanidiot Silver badge

    You would think doctors are pretty smart, but surprisingly when it comes to IT and computers a lot of them are the worst kind of raging idiot. The kind that refuses any sort of input from more expert persons because "they're a doctor and smart enough to understand this".

    I find it funny a lot of medical professionals have such problems accepting an expert opinion from others when they all expect us to trust our medical professionals blindly.

    1. Naselus

      "You would think doctors are pretty smart, but surprisingly when it comes to IT and computers a lot of them are the worst kind of raging idiot."

      Not so much tbh. I've worked in hospital IT, and generally speaking the doctors know full well that they're clueless about IT. The issues are generally more systemic problems brought about by management - doctors aren't the ones who decide to buy a 50-year life cycle scanner which only works with a 20-year old O/S, or the ones who implement idiotic password policies which are just begging for users to find workarounds for. 'Secure' doesn't have to mean 'disruptive', but poorly implemented security usually manages to fail at security AND prevents people doing their jobs properly, resulting in them finding ways to work around it (the same thing is entirely true of IT departments, where I've often found lower-level staff having to move out of bounds to try and get things done).

      1. Anonymous Coward
        Anonymous Coward

        Doctors aren't the ones who decide to buy a 50-year life cycle scanner which only works with a 20-year old O/S.

        50 year life cycle is an exaggeration but what is the alternative? A medical imaging system requires a sophisticated user interface, database and networking. The most practical way to deliver this is to build on top of a general purpose OS and the tools that come with it. There almost certainly need to be embedded real-time elements as well and you arrive at a necessarily complex system architecture with safety implications if it fails, that has a high sales price but relatively low volume. Necessarily such a device has a long development lifecycle and the design update and software upgrade lifecycle is also long. It is almost certainly the case that security patches for the underlying OS cannot be applied without extensive analysis and testing without creating functional and perhaps safety issues. This is the medical environment. The risk to such a device cannot and should not be controlled by expecting the device manufacturer perform the impossible and keep absolutely up to date with analysing checking and testing the latest security patches within a short timescale, modifying the system when this causes a problem, performing risk management, analsyis and test for every change. Upgrading the operating system to the latest version may simply not be possible on the hardware platform concerned and even if it is would be a very major project requiring significant resources and time and the execution of which will delay other activities such as improving performance or solving potential safety issues unrelated to malicous activity. Good design of the device initially, minimising the possible vulnerabilities, is important but ongoing risks have to be controlled through physical access control and good management and security of the network on which it sits. These devices have high capital costs and will have useful lifetimes in use of the order of 20 to 30 years pretending it is all the fault of whoever bought such a system towards the end of its life when the software is old ignores the reality of these systems.

        1. Tom Womack

          Yes; you need to devote a modern computer to being a filter between the scanner and the world. Scanners are staggeringly expensive and modern computers very cheap, so this isn't a terrible problem, but IT organisations seem very resistant to models which treat the symptom when they think that merely by wasting vast amounts of development effort they can treat the cause.

  11. Picky
    Windows

    Touch screens for patients

    Even doctors surgeries are using touch screens for patient login - a "Typhoid Mary" situation?

    1. Anonymous Coward
      Anonymous Coward

      Re: Touch screens for patients

      My dentists has them, next to the handcleanser.

  12. DocJames
    Coat

    A doctor writes...

    there are various issues with healthcare IT:

    1) cheapest provider wins. You don't make software cheaper (at least initially) by debugging and ensuring security

    2) interactions with the next hospital/trust/whatever your organisations are called should be easy, but they've bought a different system. No standards. Obligatory: http://www.xkcd.com/927/

    3) doctors, as mentioned, are a) bright but b) don't get that there are areas outwith our expertise. IT is usually one of them (I know enough to know I don't know).

    4) the users (just restricted to the doctors) go from the just got out of school, through the IT illiterate and proud of it 40-something, to the late-60s-should-have-retired-a-while-ago.

    And don't expect to educate us; medical knowledge keeps on expanding and it's impossible to keep up with fields within medicine, let alone medicine + something else, where that something might be IT.

    It's the white one.

    1. HmmmYes

      Re: A doctor writes...

      Not really. The arrogance runs pretty strong the higher you get in healthcare.

      At the mo. an average GP could be beaten by google for a diagnosis.

      There's limited accountability in healthcare People pussy foot around doctors and the like whereas it should be treated like a normal job - contstantly fck up and you're fired.

      1. JamesPond
        WTF?

        Re: A doctor writes...

        "The arrogance runs pretty strong the higher you get in healthcare".

        From nearly 30 years in NHS IT I have to agree with that, there are consultants, then God, then the rest of us!

        Implementing a new system at a UK NHS hospital, I found out that a third-party supplier based in USA has a direct network connection to the hospital, in total contravention of the NHSnet security guidelines. When I challenged the supplier and asked why they didn't have their own connection to NHSnet which is allowed (and secure), I was told this is how they do it at 30+ other hospitals in England and not one of them had questioned the method of connection. When I informed the hospital's information governance office, they didn't know this connection existed because it had been there so long, no one had challenged it.

        1. Alan Brown Silver badge

          Re: A doctor writes...

          "When I informed the hospital's information governance office, they didn't know this connection existed"

          Par for the course

          "I was told this is how they do it at 30+ other hospitals in England "

          THIS should trigger a forensic investigation to find out how widespread the issue is and how to shut it down, permnanently.

      2. DocJames

        Re: A doctor writes...

        At the mo. an average GP could be beaten by google for a diagnosis.[citation needed]

        For a weird and wonderful rarity, yes. For the run of the mill routine stuff, no. And more importantly, a GP may diagnose a functional disorder but choose not to destroy the relationship by saying this upfront, and do vast amounts of work (unseen by patients) which mostly would be difficult to manage by google - the marginally abnormal results etc.

        I'd agree with your final point. But it's not often that a doctor messes up regularly, and I'd suggest they should be in a better system if that is the case - which leads to political accountability so is a no-no. And I'd also suggest the converse about pussyfooting around: doctors need to pussyfoot around their patients as otherwise they may well be in for a (career ending) complaint.

  13. Yugguy

    Pay peanuts, get monkeys

    Public sector IT generally pays much less than private.

  14. Little Mouse Silver badge
    Coat

    Vulnerable devices.

    You can compromise an X-ray machine by having your bones rearranged to spell out a SQL injection attack.

    Probably.

    1. NotBob

      Re: Vulnerable devices.

      Sounds like something they did in that horrid TV show (Bones). Not sure it was X-ray, though.

  15. Missing Semicolon Silver badge
    FAIL

    Computer infections

    It really gets me to see standard office desktops in hospitals, complete with fans circulating air and dust through the case. So any airborne nasties get dumped in a nice warm environment with a ready supply of nutrients. I wonder how many throat infections are caused by a PC being picked up, then put down heavily, letting a cloud of contaminated dust out?

    1. Alan Brown Silver badge

      Re: Computer infections

      "It really gets me to see standard office desktops in hospitals"

      The interesting thing is that there ARE medically-rated PCs, but they cost more, so accountants won't let you buy 'em.

  16. adam payne
    Joke

    "When he did a network scan, he also discovered a Windows 95 machine that was running the MRI scanner. When he asked about this, it turned out it was impossible to run the MRI software on a newer operating system without replacing the entire scanner."

    Do malware writers even support Windows 95 nowadays?

  17. Anonymous Coward
    Anonymous Coward

    The horror stories you can hear

    My dad used to work in a hospital lab and is relatively computer savvy, he would frequently tell stories about hospital systems and how bad they were.

    Having no single unique identifier for a patient was my favourite, but having 4 or 5, any one of which could be used on a test sample or chart. It made me amazed that anyone ever got the right results.

    Another was when the hospitals were all being crippled by the spread of a USB stick borne virus, he mentioned a doctor coming to copy X-ray pictures onto a USB stick, who inserted it into a PC, a few minutes later it crashed, he move onto the next PC and do the same, and the next etc, then wandered out of the room without a care in the world, or even telling anyone the whole place was shut down.

  18. Lamont Cranston

    "it was impossible to run the MRI software on a newer operating system"

    Can you please link back to this article whenever you run one about how the NHS has swathes of computers running XP and IE6? Thanks.

  19. Uncle Ron

    Disinfection

    The -entire- healthcare "industry" in the US is the largest, most expensive, most out-of-control mess in the history of mankind. It is a multi-trillion dollar behemoth presided over by corrupt hypocritical elected and appointed officials, greedy and immoral business people, egocentric medical professionals, and significantly arrogant employees and managers. It is a total mess.

    From unbelievable and convoluted and indecipherable billing practices, to the very process of actually scheduling an appointment, to selecting and paying for "insurance," to the myriad of surprises and failures at every turn, the only "cure" for this chronic infection on our society is a total make-over. We just have to have the political will to do so. But how do you develop that political will in the face of a million tons of propaganda and outright lies and paid deception that come from the profit centers and ego centers and PAC centers of the "industry?"

    1. Ammendiable to persuasion..

      Re: Disinfection

      To the individual who downvoted this post. I counter your downvote and offer the following response-

      One of the biggest expenses among health care providers (I'm talking about the hospitals, clinics, and private practices that actually DO the *medical* care part of health care.. not the insurers..) is doing the paperwork.

      Managing the sprawling vast, mind numbing, incomprehensible, Kafkaesque, bureaucracy set up by our "Health Care" industry (the insurers) costs the average hospital 25% of their expenses.

      A quick google and here's a link from 1993:

      http://www.nytimes.com/1993/08/05/us/study-links-paperwork-to-25-of-hospital-costs.html

      There have been a rash of clinic and health care walk in locations which have opened up here in the us WHICH DO NOT TAKE INSURANCE AT ALL as it raises the cost of providing their health care significantly. I heard about this from NPR a few years back.

      They take cash, check, or credit card much as most dentists do here in the great states of 'Murica. If they take insurance, they have to add a whole division of paper pushers and phone monkeys to manage the mess, and reimbursement for their work may come 6 months to a year down the line. IF they get their payments at all.

      Also. Because the hospitals often get reimbursed for only part of what they ask for, they inflate their prices routinely so they will get enough to actually cover their costs. But if I go into a hospital and offer to pay cash if I'm uninsured, the hospital will charge me the same hyper-inflated price they bill the insurance providers due to legal reasons; but, unlike the insurance folks, I do not have the leverage to pay only part of the bill without it going into collection and affecting my permanent credit record.

      This is why, when I went into an emergency room to get a contact removed several years back (total 6 minutes spent on my care versus an hour and a half of waiting in a completely empty facility), I got a call from my insurance provider (mine is state run) asking me to verify details of my treatment that day. I was floored to find out that the hospital had submitted a bill of over $2,000 DOLLARS to my insurance for those 6 or so minutes. [The reason for that was the ER was empty that morning and the hospital MUST cover costs in some manner to keep the doors open.]

      This fact *alone*, [Let's ignore the profit based insurance companies which take their cut of monies flooding through their systems and redistributing it mostly upwards to obscenely paid executives, CEO's, and lobbying efforts in Washington DC to keep this whole lurching horror running,] is reason for a dramatic change.

      When the 2012 London Olympics was held I watched the opening ceremonies as I usually do.. However, I now search out a video stream days after the fact, from other places in the world (BBC and Australia are good places) as I'm fed up with the stupidity of overpaid announcers and cuts to the program for advertisements and sensibility reasons.

      You guys in Europe have no idea how bad TV has gotten here.. I mean, the Olympics are not broadcast live or anything where you have to cut things out if you are going to extol the virtues of McDonalds or Nike.

      In the US, they cut out your "Poppies" remembrance segment out of the closing ceremonies completely except for the last few bars of music in coming back from an important advertisement.

      http://gawker.com/5934199/here-are-the-closing-ceremony-performances-from-the-who-muse-and-ray-davies-that-nbc-didnt-broadcast/

      I was also not shocked to see the part of the performance where your NIH was praised by the stadium announcer saying something along the lines of "..our wonderful socialized medical system" (sorry, I'm paraphrasing here) and this part ended up being discussed briefly on FOX news over here.

      Yes. There were things in your program that were completely indigestible to the minds of some here in the US.

      It's shameful.

      Unfortunately completely unreported here in the US mainstream news, was the fact that anyone attending those Olympics, whether local, or foreign born, were treated by that same NIH while they were in London if they had a medical problem. Not only the athletes mind you, but the spectators! And they payed the same almost non-existent cost that you folks do.

      The opposite is NOT the case.

      Micheal Moore made the film "Sicko" a few years back where he pointed out that friends and family from Canada (another Communist nation according to Fox) simply must buy special medical insurance before visiting these great grain swept fields of the US because if (deity forbid) they have an injury or a health problem HERE, they can be put into bankruptcy.

      We do have one (actually two) socialist medical system(s) here in the US. It's the Veterans Administration system here in the great states..

      A quick google gives this:

      http://economistsview.typepad.com/economistsview/2006/08/va_hospitals_vs.html

      ..the second socialistic medical program here in the US is the one the Senate, Congress, and the President get after working here in our government!

      It beats the alternative as spelled out in Sicko, where they have camera footage of a hospital dumping a patient out of a cab in front of some building (still wearing their medical gown) because the insurance system would no longer pay for their upkeep at the hospital.

      Sicko. Go watch it. Still pertinent.

      I thank you for your time in viewing this rant.

      Ps. A discussion from one of your own (sorry about the source. Make sure you have AdBlock or alternatives up..), about the NIH controversy:

      http://www.dailymail.co.uk/news/article-2180227/London-2012-Olympics-Some-Americans-left-baffled-tribute-NHS-Mary-Poppins-Opening-Ceremony.html

      Pps. I sure wish we had Weekly Wipe over here..

  20. JCitizen
    FAIL

    Here's a couple..

    A friend of mine brought his MRI DVD to me to view it on the computer. Just as soon as I put it in the tray and ran it. Up popped my anti-virus saying it was infected! I wasn't a bit surprised. They wouldn't hire me at the hospital because I was over qualified. Jeese! Where else was I going to run off to in the desert?

    The second incident was receiving a few used PCs from the hospital which were being salvaged. I hooked it up to a monitor to see if it would boot, and guess what? There was hundreds of patient records still on the hard drive! Needless to say, I destroyed the hard drive, but I still said, "Why am I not surprised?"

    1. Anonymous Coward
      Anonymous Coward

      Re: Here's a couple..

      But did you report these instances to the relevant people?

      Not necessarily just the hospital admin, but any government bodies who are supposed to know about these things.

      1. JCitizen
        Meh

        Re: Here's a couple..

        Yes I reported it, but though back channels, because I didn't want the competent people that were there to get fired. Things have a way of going off half cocked like that in a HIPAA panic!

        Plus I didn't want them knowing who was reporting it, because they'd think it was just me being resentful for not being hired, which I am, but only because it is my community hospital and I want the best for our own. There really is no reason for much bitterness, as all involved have gone, and utter chaos has ensued since the last CEO left.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022