A day in the life of “medical IT security”

This article is an excellent description of some of the serious problems related to IT security in healthcare.

Even though medical staff actively circumvent “security” in a myriad inventive ways, it’s pretty clear that 99% of the blame lies with IT staff and vendors being completely out of touch with the actual institutional mission. To be able to create working and useable systems, you *must* understand and be part of the medical work. So far, I’ve met very few technologists even remotely interested in learning more about the profession they’re ostensibly meant to be serving. It boggles the mind, but not in a good way.

Some quotes:

“Unfortunately, all too often, with these tools, clinicians cannot do their job—and the medical mission trumps the security mission.”

“During a 14-hour day, the clinician estimated he spent almost 1.5 hours merely logging in.”

“…where clinicians view cyber security as an annoyance rather than as an essential part of patient safety and organizational mission.”

“A nurse reports that one hospital’s EMR prevented users from logging in if they were already logged in somewhere else, although it would not meaningfully identify where the offending session was.” 

This one, I’ve personally experienced when visiting another clinic. Time and time again. You then have to call back to the office and ask someone to reboot or even unplug the office computer, since it’s locked to my account and no one at the office is trusted with an admin password… Yes, I could have logged out before leaving, assuming I even knew I was going to be called elsewhere. Yes, I could log out every time I left the office, but logging in took 5-10 minutes. So screen lock was the only viable solution.
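What the EMR in that quote gets wrong is not the single-session rule itself but that the refusal tells you nothing and leaves you no way out short of an admin. Here is a small session store that keeps the one-session-per-user rule but names the other workstation and lets the same credentials end that session. This is an added example, not code from the article or from any real EMR; the user names, workstation names and the 30-minute idle timeout are constructed.

```python
"""Single-session login that names the conflicting session and lets the
user end it. Added example: not code from the article quoted above or from
any real EMR. User names, workstation names and timeouts are constructed."""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    workstation: str
    started: float    # seconds since epoch; passed in explicitly so runs are deterministic
    last_seen: float


class SessionStore:
    """One active session per user, as in the EMR described, with two changes:
    the refusal says where the other session is, and the user can end it
    with their own credentials instead of having someone reboot the PC."""

    def __init__(self, idle_timeout: float = 30 * 60):
        self.idle_timeout = idle_timeout
        self.sessions: dict[str, Session] = {}
        self.audit: list[tuple[str, str, str]] = []   # (event, user, workstation)

    def login(self, user: str, workstation: str, now: float, take_over: bool = False) -> dict:
        existing = self.sessions.get(user)
        # A session nobody has touched for idle_timeout expires on its own, so a
        # forgotten, screen-locked office PC cannot block the user indefinitely.
        if existing is not None and now - existing.last_seen > self.idle_timeout:
            self.audit.append(("expired", user, existing.workstation))
            del self.sessions[user]
            existing = None
        if existing is not None and not take_over:
            return {
                "ok": False,
                "reason": "already_logged_in",
                "where": existing.workstation,           # the part the EMR left out
                "idle_for": now - existing.last_seen,
                "hint": "log in again with take_over=True to end that session",
            }
        if existing is not None:
            # The credentials that opened the old session are enough to close it;
            # the takeover is recorded so a stolen-password case is still traceable.
            self.audit.append(("taken_over", user, existing.workstation))
            del self.sessions[user]
        self.sessions[user] = Session(user, workstation, now, now)
        self.audit.append(("login", user, workstation))
        return {"ok": True, "where": workstation}

    def touch(self, user: str, now: float) -> None:
        """Record activity so a session that is actually in use is not expired."""
        if user in self.sessions:
            self.sessions[user].last_seen = now

    def logout(self, user: str) -> None:
        s = self.sessions.pop(user, None)
        if s is not None:
            self.audit.append(("logout", user, s.workstation))
```

The audit list is the compensating control: if a session can be taken over without an admin, every takeover must be logged with where the old session was, otherwise a shared or stolen password becomes invisible.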

“Many workarounds occur because the health IT itself can undermine the central mission of the clinician: serving patients.”

“As in other domains, clinicians would also create shadow systems operating in parallel to the health IT.”

Over here, patients are given full access to medical records over the ‘net, which leads physicians to write down less in the records. Think this through to its logical conclusion…

Somewhat dumb credit card region lock

Visa has a neat feature where you can determine in which regions the card can be used. In my case, it’s “internet”, “Sweden”, “Nordic countries”, “Europe”, “North and central America”, “South America”, “Africa”, “Asia”, “Oceania”. You can set these through the credit card app (mine is from Volvo, of course).

So I disabled all regions except “Internet” and “Sweden”, planning on enabling other regions when I travel. 

Today I got a message from Netflix that they couldn’t charge my card. No explanation why. I called the card issuer and after some digging they explained to me that since I disabled “Europe”, Netflix got refused. Turns out that Netflix charges from region “Europe”, not “Internet”. More specifically from The Netherlands. Once I re-enabled “Europe”, the charge went through.

Now, there are several problems with this. First of all, an internet-based service like Netflix should be in the region “Internet”. Secondly, if it isn’t in “Internet”, they should at the very least tell us from which region they charge. I had no idea Netflix charges from The Netherlands. How could I? It’s not reasonable to expect us to check with the card issuer every time this happens, and have them go dig through logs (took them 10 minutes to find, so it wasn’t trivial).

Worst of all, this kind of thing implies that you’d better open up a lot of regions you’re not travelling to, since you don’t know from which regions different internet-based companies do their charging.

Having the card processor issue meaningful error messages, not just “sorry we failed”, would definitely help a lot, too.
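To make the two complaints concrete, here is a toy authorization check that shows both: a country-based rule that puts an online merchant settling through the Netherlands under “Europe”, and a decline that actually says which region blocked it and which regions the card allows. This is an added example, not the logic Visa or any issuer runs; the region table, the merchant records and the “card-not-present counts as Internet” rule are assumptions I made to illustrate the post.

```python
"""Toy model of a region-locked card authorization. Added example, not the
logic Visa or any issuer actually runs: the region table, the merchant
records and the "card-not-present counts as Internet" rule are assumptions
used to show the two problems in the post, a merchant charging from an
unexpected region and a decline that carries no usable reason."""

# Constructed: which of the app's regions contain a merchant country.
# Sweden sits inside Nordic countries, which sit inside Europe.
REGIONS = {
    "SE": ["Sweden", "Nordic countries", "Europe"],
    "NO": ["Nordic countries", "Europe"],
    "NL": ["Europe"],
    "DE": ["Europe"],
    "US": ["North and Central America"],
}

# Constructed card settings, as in the post: everything off except two.
CARD = {"enabled": {"Internet", "Sweden"}}


def authorize(card: dict, txn: dict, channel_first: bool = False) -> dict:
    """Decide one charge and always say why.

    channel_first=False: only the merchant's country decides, so an online
    merchant settling through the Netherlands falls under "Europe"; this is
    how the Netflix charge in the post was refused.
    channel_first=True: a card-not-present charge is judged against the
    "Internet" switch before any geography, which is what the post argues for.
    """
    enabled = card["enabled"]
    merchant_regions = REGIONS.get(txn["merchant_country"], [])

    if channel_first and not txn["card_present"]:
        if "Internet" in enabled:
            return {"approved": True, "matched": "Internet", "message": "ok"}
        return {
            "approved": False,
            "matched": None,
            "message": f"{txn['merchant']}: card-not-present charge, but the "
                       f"Internet region is disabled for this card",
        }

    matched = next((r for r in merchant_regions if r in enabled), None)
    if matched is not None:
        return {"approved": True, "matched": matched, "message": "ok"}
    # The decline the cardholder should have received instead of silence:
    # which region the merchant charged from, and which ones the card allows.
    return {
        "approved": False,
        "matched": None,
        "message": (
            f"{txn['merchant']} charges from {txn['merchant_country']} "
            f"(region: {', '.join(merchant_regions) or 'unknown'}); "
            f"card allows: {', '.join(sorted(enabled))}"
        ),
    }
```

The message string is the whole point: the rule that fired and the data it fired on are known at decline time, so “sorry we failed” is a choice, not a limitation. Whether a processor wants to show the merchant country to the cardholder is a separate question, but the issuer’s own app can certainly show it.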

Now I hate Microsoft even more, part II

Started my Win 10 instance under Parallels, and just one minute into working with it, I got this:

(screenshot of the Windows restart notice)

That gave me 8 minutes to get my stuff in order. The time when this showed up was 21:18. So I clicked “Close”, just got the close box of my accounting program, and then the system rebooted. So much for the eight minutes, which turned into more like 10 seconds.

Note, BTW, no way to postpone this at all. Nothing.

The evil and arrogant fuckers.

Oh, lest you think Microsoft really let me save correctly, I got this after restart from my accounting program:

(screenshot of the accounting program’s warning after restart)

It says, in Swedish: “The company wasn’t closed correctly. The company will now be optimized.” Meaning the index files will be rebuilt.

Microsoft really doesn’t give a shit about our data. Fortunately, I hadn’t started entering anything so the rebuild worked out fine.

Apple quality control needs work

Just wasted several hours trying to find out why home sharing stopped working on my Apple TV. I’ve got the one with optical audio output; I can’t remember whether that is called gen 2 or 3, but you know which one I mean.

Duck-ducked it thoroughly, finding a truckload of similar complaints over the last two years, which in itself wasn’t too encouraging. Most recommended logging out and in from home sharing, changing the computer name in system settings, and so on. Nothing helped.

Finally I changed the wireless from my very current tower Airport Extreme to a slightly older, flat, square Airport Extreme, and lo, all the misery resolved itself. Which reminded me that the Extreme did an update maybe two days ago.

I’m getting increasingly bad vibes about Apple quality, or lack thereof. 

Now I hate Microsoft even more

Went to start up my iMac to Bootcamp Windows 10. This is what happened:

(photo of the screen showing the forced Windows 10 upgrade in progress)

No question if I wanted to upgrade, no warning, no option to cancel, no effing nothing. What a total dick move. After 10 minutes, it has gotten to 10%, so if this goes on at the same rate, I’m looking at between one and two hours of this. Interrupting it probably bombs the whole thing. MS effectively hijacked the machine without my permission. I had something I wanted to do, but MS clearly doesn’t give a flying shit about that. If they’d done this at shutdown, I could have, maybe, somehow, a little bit, lived with it. But at startup? Are they completely out of their minds?

And, if you wonder, this is a paid full version of Windows 10, not the free upgrade kind.

I wonder what this huge update is for. No idea. Windows 95?

Update: it took a total of around 50 minutes, then another 10 minutes to update Apple’s Bootcamp video driver. The “copying of files” took about 30 minutes of that time, which probably corresponds to downloading time. Why doesn’t Windows download this stuff beforehand? 

All this on a 20 Mbit/s download ADSL and on a pretty darn fast machine (i7, 4GHz, 16 GB RAM, and a 1TB SSD). What this would be on an average machine, I can only have nightmares about.

Horrible little law

The Feinstein-Burr Senate bill, it’s getting crazier by the day:

No, this slippery little act says that when a company or person gets a court order asking for encrypted emails or files to be handed over and decrypted, compliance is the law.

How compliance actually happens isn’t specified. They don’t care how user security was broken (or if it were nonexistent), and the senators are making it clear that from now on, this isn’t their problem.