
Hospitals are a weak spot in U.S. cybersecurity

242 points, posted by swedtrue, over 5 years ago

18 comments

burnte, over 5 years ago
Healthcare CIO here. This is true. Healthcare is still using paper fax. It has a 30-year-old data interchange format that no one really supports because it's more profitable to lock in customers to your EMR. Healthcare is HORRIBLE about upgrading anything, at changing processes, and technological progress in general. Healthcare is VERY backwards from a tech standpoint.

Another problem is that EVERYTHING is custom; we use very, very few off-the-shelf solutions. Need an EMR? Let's build it in MUMPS, a 51-year-old language that originated on the PDP-7, and call it a state-of-the-art system like Epic or GE Healthcare. Don't like the terminal interface? Let's slap a GUI on the front that still interacts via TTY on the back end. SQL? Nah. C, C++, or any more modern language with more robust features and way more programmers? Nope.

Now, there are some EMRs and other healthcare-centric apps that are better written, but they're also terrible. Healthcare is a relatively small market; you'll never sell a million units of your app, so you charge out the wazoo for it, get a few health systems on it, and allow them to go crazy with customization to help lock them in. And then you try to add modern security features onto a system that's been growing for 50 years and it's a nightmare. It's INCREDIBLY common for nurses and doctors to need administrator access on their Windows desktops for various apps.

I was about to leave IT in general when a healthcare gig landed on me, and I'm glad it did. I find it very refreshing to be in an industry that's so far behind that there are mountains of problems to tackle, even if half of them are so stupid it makes me want to cry.
Thriptic, over 5 years ago
It's really tough. You have a function which is viewed purely as a cost center; you have a totally porous environment where you're required to admit tons of minimally-verified people into confidential spaces; staff and affiliates need different levels of access from all over the world; there are critical availability demands where temporary denial of service for security reasons is unacceptable; device development is optimized for safety and fault tolerance as opposed to security, which isn't ever really tested for; patients need to be able to submit tons of data in myriad forms; there are few central clearing houses for transmitting data, so people are all calling each other with minimal validation; etc.
jtdev, over 5 years ago
It seems that hospitals are overly focused on bullshit security frameworks and box-checking, i.e., HITRUST, which in my experience results in many dollars going to consultants with essentially zero tangible improvement in information security. Worse yet, the false sense of security within these hospitals due to having a HITRUST audit report with a bunch of meaningless check marks prevents them from actually doing the work of securing information properly. I have worked in health-tech for a number of years.
gen220, over 5 years ago
I work in health tech (full stack insurance), and sit next to security and IT, so this is a frequent topic of conversation for us. :)

For some context, this is one of our favorite websites/datasets: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

It is a structured archive of all reported health data breaches, major or minor, over the last 15 years or so, as reported by the breached entities. They're required to report breaches as part of HIPAA compliance, or something related to it.

It's a fascinating quilt of stories, with patches for phishing, accidental email attachments forwarded, and rogue admins. Fun reading. You can also load it into sqlite and find some interesting results (leakiest companies, states with most breaches reported, etc).

Hospitals might be a weak spot, but at least their weaknesses are ruthlessly well documented! As opposed to, say, financial infrastructure, which IME is a similar horror show of monkey-patched sftp servers.

Solving this collective technical debt is a massive coordination problem. It'll be interesting to see if we ever get there. My suspicion is that the changes will be driven by monopolistic insurers, if ever, since that's where all the money comes from (if you go to a doctor at hospital X, your coinsurance will be Y instead of Z, because doing business with X is more/less risky due to their documented data practices). But it's just a suspicion; this kind of thing might not be solved in our lifetimes.
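gen220 mentions loading the OCR breach portal export into sqlite to rank the leakiest entities and the states with the most reported breaches. The script below is an added example written for this page, not code from the thread or from HHS. It assumes the portal's CSV export uses the column names shown in the header row (an assumption about the export format) and embeds a constructed handful of rows with made-up entities and counts so it runs offline; point `load_breaches` at the real export text to reproduce the analysis gen220 describes.

```python
import csv
import io
import sqlite3

# Constructed sample shaped like the OCR portal export. Column names are an
# assumption about the real export; every entity, date and count below is made up.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Regional Hospital,TX,Healthcare Provider,12000,2019-03-04,Hacking/IT Incident,Email
Example Regional Hospital,TX,Healthcare Provider,800,2018-11-20,Unauthorized Access/Disclosure,Paper/Films
Sample Health Plan,CA,Health Plan,45000,2019-06-15,Hacking/IT Incident,Network Server
Sample Clinic Group,CA,Healthcare Provider,1500,2017-01-09,Theft,Laptop
Placeholder Medical Center,NY,Healthcare Provider,3000,2019-08-30,Hacking/IT Incident,Email
Placeholder Medical Center,NY,Healthcare Provider,,2016-05-02,Loss,Other Portable Electronic Device
Demo Billing Associates,TX,Business Associate,9000,2019-02-11,Hacking/IT Incident,Network Server
"""


def load_breaches(csv_text):
    """Parse the export text into an in-memory sqlite table and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE breaches (
               entity TEXT, state TEXT, entity_type TEXT, individuals INTEGER,
               submitted TEXT, breach_type TEXT, location TEXT)"""
    )
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = []
    for r in reader:
        # The real export leaves "Individuals Affected" blank on some rows; treat that as 0.
        affected = int(r["Individuals Affected"]) if r["Individuals Affected"].strip() else 0
        rows.append((
            r["Name of Covered Entity"], r["State"], r["Covered Entity Type"], affected,
            r["Breach Submission Date"], r["Type of Breach"],
            r["Location of Breached Information"],
        ))
    conn.executemany("INSERT INTO breaches VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def leakiest_entities(conn, limit=3):
    """Entities ranked by total individuals affected across all their reports."""
    return conn.execute(
        """SELECT entity, COUNT(*) AS incidents, SUM(individuals) AS affected
           FROM breaches GROUP BY entity
           ORDER BY affected DESC, entity LIMIT ?""",
        (limit,),
    ).fetchall()


def breaches_by_state(conn):
    """States ranked by number of reports (ties broken alphabetically)."""
    return conn.execute(
        """SELECT state, COUNT(*) AS n FROM breaches
           GROUP BY state ORDER BY n DESC, state"""
    ).fetchall()


def breach_type_counts(conn):
    """Report count per breach type, as a dict."""
    return dict(conn.execute(
        "SELECT breach_type, COUNT(*) FROM breaches GROUP BY breach_type"
    ).fetchall())


def hacking_share_by_year(conn):
    """Per submission year: (year, total reports, reports typed 'Hacking/IT Incident')."""
    return conn.execute(
        """SELECT substr(submitted, 1, 4) AS yr, COUNT(*),
                  SUM(CASE WHEN breach_type = 'Hacking/IT Incident' THEN 1 ELSE 0 END)
           FROM breaches GROUP BY yr ORDER BY yr"""
    ).fetchall()


if __name__ == "__main__":
    db = load_breaches(SAMPLE_CSV)
    print("Leakiest entities:", leakiest_entities(db))
    print("Reports by state:", breaches_by_state(db))
    print("By breach type:", breach_type_counts(db))
    print("Hacking share by year:", hacking_share_by_year(db))
```

The queries are deliberately plain SQL so the same questions can be asked of the full export; the year breakdown is the one a defender usually wants first, since it shows whether phishing and network intrusions are displacing lost laptops and misdirected paper over time.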
tyingq, over 5 years ago
The central IT function in a US hospital also usually has little organizational power and funding. Admissions, radiology, etc., buy whatever hardware and software they want, and the underfunded IT department has to figure it out.
Mountain_Skies, over 5 years ago
Recently saw an ad for an IT support position at a hospital. The list of potential hazards in the work environment listed in the ad likely scares off many who have plenty of other employment opportunities. And most hospitals can't jack up the pay to compensate, so attracting good talent is going to be a problem.
einpoklum, over 5 years ago
"Sky is blue, news at 11:00"...

Of course hospitals are a security weak spot: they're full of sensitive patient health data shared over computer systems whose users and procurers are not very security-literate, and often absent-minded about such issues due to the grinding, stressful work.
rolph, over 5 years ago
Waiting rooms are a gaping hole. Nobody seems to see a problem with blabbing out your final 4 and first and last name when they're at a desk in a room full of whoever walked in and sat down.

Unprotected desktops are another issue; there is a tide of duties, and an attacker can pattern the staff and get a good idea when they will have time to do an inside job of some sort.
bagacrap, over 5 years ago
It seems the biggest reason they're a weak spot is that the data they store make them a target. Retailers are also weak on security -- really, I wouldn't trust any company that wasn't a specialist in the space, i.e. finance and tech -- but most entities don't know so much about their clientele. Retailers don't need to keep as much info as they do (aside from profit motives), but hospitals probably do, so I can see this being a vulnerability that's never closed.
swader999, over 5 years ago
So are vet hospitals. At this very moment there's a chance you'll walk into one that has fallen back to paper records and billing due to a continent-wide ransomware attack.

https://www.reddit.com/r/msp/comments/dnd7aq/ransomware_attack_against_national_veterinary

From that thread: Avimark is an old-style load-the-EXE-from-a-share program with a flat file structure for the data. Most clinics are not in a domain, just a workgroup, and the share is read/write access for Everyone. So, yeah.
keiferski, over 5 years ago
I feel like Mr. Robot may have highlighted this fact (along with others) to the general population rather effectively.

https://www.youtube.com/watch?v=g6gG-6Co_v4
crispyambulance, over 5 years ago
Given the state of cybersecurity right now, is there any organization or domain AT ALL which is strong and model-worthy when it comes to cybersecurity?
adamnemecek, over 5 years ago
Everything in the US is targetable. The main problem is that, say, power/health/<fundamental infrastructure> are all managed by 1000 different companies who are all on different wavelengths as far as OPSEC.
z3ugma, over 5 years ago
For those interested, I wrote a primer on M aka MUMPS at https://learnxinyminutes.com/docs/m/
aasasd, over 5 years ago
Possibly in one part because I see people on freelancer marketplaces making software for hospitals, with job budgets of a couple hundred bucks. I'm ok with freelancers in general, but I feel that integrating code from disparate small jobs while keeping security in mind isn't gonna be so simple.
alwillis, over 5 years ago
I'm an IT guy; I cringe almost every time I interact with the healthcare system.

I could pile on; all I want for now is encrypted and signed email with my doctors. I have an S/MIME certificate; can't see why the IT staff at the hospitals I deal with can't make sure my doctors have the same.
dang, over 5 years ago
A different hospital/security thread from a couple days ago: https://news.ycombinator.com/item?id=21483337
Classicaldj34, over 5 years ago
How do they store their data? Why don't they use private clouds?

- Duple? https://www.duple.io/en/
- Nextcloud? https://nextcloud.com/