Showing posts with label computer security. Show all posts
Showing posts with label computer security. Show all posts

Wednesday, 30 March 2016

Bad health IT at Medstar Health: FBI probing virus behind outage (And: ka-ching! ka-ching!  EHR costs continue their upward spiral)

Bad health IT at Medstar Health: FBI probing virus behind outage (And: ka-ching! ka-ching! EHR costs continue their upward spiral)

Once again, a definition of bad health IT:

Bad Health IT ("BHIT") is defined as IT that is ill-suited to purpose, hard to use, unreliable, loses data or provides incorrect data, is difficult and/or prohibitively expensive to customize to the needs of different medical specialists and subspecialists, causes cognitive overload, slows rather than facilitates users, lacks appropriate alerts, creates the need for hypervigilance (i.e., towards avoiding IT-related mishaps) that increases stress, is lacking in security, compromises patient privacy or evidentiary fitness, or otherwise demonstrates suboptimal design and/or implementation. (http://cci.drexel.edu/faculty/ssilverstein/cases/)

I observed bad health IT leading to HIT compromise, hospital chaos and paying of a ransom demand at my Feb. 18, 2016 post "Hollywood Presbyterian Medical Center: Negligent hospital IT leaders allow hacker invasion that cripples EHRs, disrupts clinicians ... but patient safety and confidentiality not compromised" at http://hcrenewal.blogspot.com/2016/02/hollywood-presbyterian-medical-center.html.

It's happened again, at least with regard to publicly-disclosed stories (there is no requirement for hospital disclosure, more on that below).

FBI probing virus behind outage at MedStar Health facilities - AP
By JACK GILLUM, DAVID DISHNEAU and TAMI ABDOLLAH March 28, 2016 10:04 pm
http://wtop.com/consumer-tech/2016/03/fbi-probing-virus-behind-outage-at-medstar-health-facilities/


WASHINGTON (AP) — Hackers crippled computer systems Monday at a major hospital chain, MedStar Health Inc., forcing records systems offline for thousands of patients and doctors. The FBI said it was investigating whether the unknown hackers demanded a ransom to restore systems.

A computer virus paralyzed some operations at Washington-area hospitals and doctors’ offices, leaving patients unable to book appointments and staff locked out of their email accounts. Some employees were required to turn off all computers since Monday morning.

A law enforcement official said the FBI was assessing whether the virus was so-called ransomware, in which hackers extort money in exchange for returning a victim’s systems to normal. The official spoke on condition of anonymity because the person was not authorized to discuss publicly details about the ongoing criminal investigation.


Not discussed is corporate accountability for deficient IT security.

“We can’t do anything at all. There’s only one system we use, and now it’s just paper,” said one MedStar employee who, like others, spoke on condition of anonymity because this person was not authorized to speak to reporters.

I note that if the cybernetic pundits were listened to, patients would now be considered at deadly risk due to paper records being used - not due to critical IT infrastructure being hacked and disabled.  Yet it's impossible to disable paper charts en masse.

MedStar said in a statement that the virus prevented some employees from logging into systems. It said all of its clinics remain open and functioning and there was no immediate evidence that patient information had been stolen.

These must be honest thieves.

Of course, we hear the "patient care has not been compromised" line once more (http://hcrenewal.blogspot.com/search/label/Patient%20care%20has%20not%20been%20compromised).

Company spokeswoman Ann Nickels said she couldn’t say whether it was a ransomware attack. She said patient care was not affected and the hospitals were using a paper backup system.

The absurdity of this claim is that if patient care is not affected by returning to paper, then why did the hospital invest hundreds of millions on EHRs?

(Considering a increasing evidence base of clinician distraction and disaffection e.g., the Jan. 2015 Medical Societies letter to ONC as at http://hcrenewal.blogspot.com/2015/01/meaningful-use-not-so-meaningul.html, EHR-related errors, many of which would likely not occur under a well-staffed paper system e.g., as at http://hcrenewal.blogspot.com/2014/04/fda-on-health-it-risk-reckless-or.html, and plentiful security breaches e.g., the many posts at http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy, I would also ask if patient care is in fact improved by the return to paper [1].)

When asked whether hackers demanded payment, Nickels said: “I don’t have an answer to that,” and referred to the company’s statement.

Dr. Richard Alcorta, medical director for Maryland’s emergency medical services network, said he suspects it was a ransomware attack. He said his suspicion was based on multiple earlier ransomware attempts on individual hospitals in the state. Alcorta said he was unaware of any ransoms paid by Maryland hospitals or health care systems.

The rather calmly-stated "multiple earlier ransomware attempts on individual hospitals in the state" suggests that

  • Hospitals are being targeted in an organized fashion, and
  • Costs to implement proper security will draw even more capital and resources from direct patient care and from real brick and mortar facilities, such as entire new hospital wings that would cost less than an EHR, to cybernetics of increasingly dubious value.  (Past projected cost benefits are certainly being proven even more naive.)

Terrorism or just plain old crime, the medical driector asks...

“People view this, I think, as a form of terrorism and are attempting to extort money by attempting to infect them with this type of virus,” he said.

God help us if true terrorists get in the act of cybernetically paralyzing hospitals.

Alcorta said his agency first learned of MedStar’s problems about 10:30 a.m., when the company’s Good Samaritan Hospital in Baltimore called in a request to divert emergency medical services traffic from that facility. He said that was followed by a similar request from Union Memorial, another MedStar hospital in Baltimore. The diversions were lifted as the hospitals’ backup systems started operating, he said.

It used to be that patient diversions were due to doctors and nurses having too many sick patients they are caring for.  Here it seems due to doctors having to many sick computers to deliver proper patient care.

MedStar operates 10 hospitals in Maryland and Washington, including the MedStar Georgetown University Hospital, along with other facilities. It employs 30,000 staff and has 6,000 affiliated physicians.

That's a lot of paralysis.

Monday’s hacking at MedStar came one month after a Los Angeles hospital paid hackers $17,000 to regain control of its computer system, which hackers had seized with ransomware using an infected email attachment.

Hollywood Presbyterian Medical Center, which is owned by CHA Medical Center of South Korea, paid 40 bitcoins — or about $420 per coin of the digital currency — to restore normal operations and disclosed the attack publicly. That hack was first noticed Feb. 5 and operations didn’t fully recover until 10 days later.

Hospitals are considered critical infrastructure, but unless patient data is impacted there is no requirement to disclose such hackings even if operations are disrupted.

I won't even comment on why a US hospital is owned by a Korean medical center.  The statement "unless patient data is impacted there is no requirement to disclose such hackings even if operations are disrupted" implies yet another blind spot in the unregulated health IT industry.  Add that to the blindness towards close-calls and actual harms, and you have a field being pushed on the population under penalty by those somewhat deaf, dumb and blind to the downsides.


Computer security of the hospital industry is generally regarded as poor, and the federal Health and Human Services Department regularly publishes a list of health care providers that have been hacked with patient information stolen. The agency said Monday it was aware of the MedStar incident.

All I can hear is "ka-ching! ka-ching!" as the costs to fix the poor computer security in the hospital industry accrues. 

How much will patient care suffer as a result of the diversion of yet more resources to cybernetics?

As I've written before, stories like this support a serious rethinking of the entire healthcare IT hyper-enthusiast movement to whom the considerable downsides (even patient death) are just an unfortunate "bump in the road" (http://hcrenewal.blogspot.com/2012/03/doctors-and-ehrs-reframing-modernists-v.html), or perhaps more accurately, the healthcare IT hyper-enthusiast religion.

-- SS

[1] I've written that paper for many clinical settings, including highly specialized forms as I implemented highly successfully in invasive cardiology (http://cci.drexel.edu/faculty/ssilverstein/cases/?loc=cases&sloc=Cardiology%20story), needs reconsideration, relieving clinicians of clerical work and employing data entry clerks to enter the data.  This would be supplemented by far less expensive document imaging systems for 24/7 availability, and computerized lab results retrieval - the latter with appropriate humans on the receiving end to prevent the "silent silo" syndrome of lab results returned to a computer silo but missed by clinicians due to being very busy and due to unreliable/fatiguing cybernetic alerting.  A lot of workers can be paid for by saving $50 or $100 million on software.

3/30/2016 Addendum:

This is not the first time for EHR outages at MedStar.

As in my May 16, 2015 post "Another day, another EHR outage: MEDSTAR EHR goes dark for days" at http://hcrenewal.blogspot.com/2015/05/another-day-another-ehr-outage-medstar.html, I cited Politico. 

The doctor's observation I highlighted below is of interest.

4/9/15
http://www.politico.com/morningehealth/0415/morningehealth17818.html

MEDSTAR EHR GOES DARK FOR DAYS: MedStar’s outpatient clinics in the D.C. and Baltimore area lost access to their EHRs Monday and Tuesday when the GE Centricity EHR system crashed. The system went offline for scheduled maintenance on Friday and had come back on Monday when it suffered a “severe” malfunction, according to an email from Medstar management that was shared with Morning eHealth.

“All of a sudden the screens lit up with a giant text warning telling us to log off immediately,” a doctor said. “They kept saying it would be back up in an hour, but when I left work Tuesday night it was still down.”

This doctor told us that the outage was “disruptive and liberating at the same time. I wrote prescriptions on a pad for two days instead of clicking 13 times to send an e-script. And I got to talk to my patients much more than I usually do.

But of course we didn’t have access to any notes or medication history, and that was problematic.” MedStar notified clinicians in the email that any information entered in the EHR after Friday was lost.

-- SS


Baca selengkapnya

Friday, 19 February 2016

Hollywood Presbyterian Medical Center:  Negligent hospital IT leaders allow hacker invasion that cripples EHRs, disrupts clinicians ... but patient safety and confidentiality not compromised

Hollywood Presbyterian Medical Center: Negligent hospital IT leaders allow hacker invasion that cripples EHRs, disrupts clinicians ... but patient safety and confidentiality not compromised

To the cybernetic idealists out there who think computers are the greatest thing next to sliced bread in the healthcare environment, I say, pray you are not on the operating table when something like this happens:

Hackers’ Ransom Attack On California Hospital More Proof Healthcare Cybersecurity Is Floundering
International Business Times
Jeff Stone
02/17/16
http://www.ibtimes.com/hackers-ransom-attack-california-hospital-more-proof-healthcare-cybersecurity-2309720

Who would have thought that, for healthcare professionals, performing surgery, working long hours and navigating the dense world of U.S. health law would be easier than protecting hospital computer networks? That, however, appears to be the case after yet another hospital was victimized in a cyberattack. It’s just the latest example of a U.S. medical provider on the wrong end of a digital assault made possible by a lack of security measures.

I, for one, would have thought that.  In fact, I've been writing about these issues for years (see my many posts at query links http://hcrenewal.blogspot.com/search/label/medical%20record%20confidentiality and http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy).

Doctors at Hollywood Presbyterian Medical Center, in southern California, have been suffering serious computer issues for at least a week, the CEO announced Sunday. Doctors have been unable to digitally access patients’ medical records, staff has been communicating via fax machines and patients have reported long delays in receiving care. It’s all the result of a cyberattack carried out by unknown hackers who are demanding 9,000 bitcoins (roughly $3.4 million) to restore the system to normal.

Ransom for access to EHRs.  The hospital's IT leadership should be held accountable for this invasion of the clinic by cybercriminals.  It's not like the issue is unknown:

... “Hospitals are a veritable bullseye for hackers,” said Grayson Milbourne, security intelligence director at the cybersecurity company Webroot, which works with a number of hospitals and healthcare companies. Milbourne added that the value of patient records is an irresistible target for cybercriminals. “For starters, [hospitals] run on a tight budget and their IT infrastructure is often a very low priority when compared to affording new medical devices and staff. 

More from techtimes.com at http://www.techtimes.com/articles/133874/20160216/hackers-hold-hollywood-hospital-s-computer-system-hostage-demand-3-6-million-as-patients-transferred.htm:

... According to NBC, the damage has caused the hospital to be unable to continue day-to-day operations. To keep up activity at the medical center, the staff has turned to manual documentation using pen and paper to take down patient information and jammed fax lines and telephones to communicate from one department to another. The administration has forbidden the use of other computers for fear that the harmful software could spread to more workstations.  Allen Stefanek, President and CEO of the hospital, says that "significant IT issues" began to emerge last week, leading to a declaration of "internal emergency." He also mentions that the attack was random, not malicious, noting that the emergency rooms have been "sporadically impacted since Friday."

The realities of IT in 2016, when hospitals are increasingly dependent on IT command-and-control systems through which every transaction of care must pass, lead to the conclusion that "IT infrastructure is often a very low priority" reflects negligence.

Back to the IBT article.  The CEO at this hospital proffers the usual BS:

Hollywood Presbyterian’s CEO [Allen Stefanek] told NBC, “Patient privacy has not been compromised."  ...The intrusion  has been described as a ransomware attack, which is typically defined as an attack that involves a hacker infiltrating a victim’s computer, and encrypting their data until the victim agrees to pay a bitcoin ransom. The hospital denies any patient data has been compromised.

Right.  Hackers take control of information systems, but patient data has neither been altered, nor its privacy impaired.

From the second article:

... the patients are not safe from harm. Stefanek insists that the incident has no impact on the overall care for the patients, but some have spoken out to say otherwise. Jackie Mendez and her 87-year-old mother say that they have to drive to Palmdale to pick up medical tests, which takes them over one hour to do so. "It's bad. She's an older person. It's not right she has to do this," she says. Another patient named Belmont West is also affected by the incident. Belmont says he went to the hospital to get his grandmother's medical test results to no avail.

and there's this:

... some patients had to be transferred to other hospitals, as some of the medical equipment that need computers at the Hollywood Presbyterian Medical Center were rendered inoperable, including apparatuses for X-ray and CT scans, documentation and pharmacy and lab work.

These ridiculous executive canned lines, including "the incident has no impact on the overall care for the patients" a.k.a. "patient safety had not been compromised" (see query link http://hcrenewal.blogspot.com/search/label/Patient%20care%20has%20not%20been%20compromised), are increasingly absurd, non-credible, and tiring.

The urgency [for hospitals to meet standards of care for IT security -ed.] is growing. One in three Americans had their health records breached in 2015, according to multiple reports released last month. Many of those records were breached as part of the nation-state hacks on health insurers Anthem and Primera, though experts predict hospitals will become more attractive targets as they begin to rely on insulin pumps, intravenous flows and other machines that are connected to the Internet.

I note that if hospitals cannot afford the required diligence, they need to get out of the IT business.  Paper cannot be hacked or held for ransom en masse.

In the end, the hospital appeased the hackers:

Hospital paid 17K ransom to hackers of its computer network
By ANDREW DALTON
Associated Press
http://bigstory.ap.org/article/d89e63ffea8b46d98583bfe06cf2c5af/hospital-paid-17k-ransom-hackers-its-computer-network
Feb. 17, 2016 11:44 PM EST

LOS ANGELES (AP) — A Los Angeles hospital paid a ransom of about $17,000 to hackers who infiltrated and disabled its computer network because paying was in the best interest of the hospital and the most efficient way to solve the problem, the medical center's chief executive said Wednesday.  Hollywood Presbyterian Medical Center paid the demanded ransom of 40 bitcoins — currently worth $16,664 dollars — after the network infiltration that began Feb. 5, CEO Allen Stefanek said in a statement. ... "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," Stefanek said. "In the best interest of restoring normal operations, we did this."

They got off cheap for their negligence, relative to the initial demands.

Questions remain, however:

  • Was any patient data altered or corrupted, either deliberately or as a result of the hack?
  • Was any patient data copied or stolen?
  • Was any malicious code left behind by the hackers on any computer on the network, e.g., "back doors" or other malware that could cause future problems?  Put another way, after paying the ransom, does the hospital believe it is dealing with 'honorable criminals'?
  • One might presume the hospital, in an abundance of caution, is now paying after-the-fact for the expertise required to fully assure the integrity of its networks, computers and EHR and other business systems, but is this truly the case?
  • Were any patients harmed as a result of the disruptions to information flows, and of so, are the IT leaders in part liable? 
  • Will any patients suffer harm moving forward as a result of lost computer information during the episode, incomplete backloads of data on the paper that was resorted to during the crisis, or other factors?  Medical errors due to lost data can propagate forward in time, as I can attest to both personally and professionally.

It is my belief that, until and unless hospital leadership is held fully accountable for incidents such as this, such incidents will be one of many more moving forward.

Incidents like this are made more tragic by the increasing evidence that the benefits from healthcare cybernetics are not exactly what the zealots, pundits and industry opportunists advertised.

-- SS

Baca selengkapnya