
Physician Operates On Server, Costs His Hospital $4.8 Million

Posted by timothy
from the s'posed-to-bury-your-mistakes dept.
Hugh Pickens DOT Com (2995471) writes "Jaikumar Vijayan reports at Computerworld that a physician at Columbia University Medical Center (CU) attempted to "deactivate" a personally owned computer from a hospital network segment that contained sensitive patient health information, creating an inadvertent data leak that is going to cost the hospital $4.8 million to settle with the U.S. Department of Health and Human Services (HHS). The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web. The breach was discovered after the hospital received a complaint from an individual who discovered personal health information about his deceased partner on the Web. An investigation by the HHS Office for Civil Rights (OCR) found that neither Columbia University nor New York Presbyterian Hospital, who operated the network jointly, had implemented adequate security protections, or undertook a risk analysis or audit to identify the location of sensitive patient health information on the joint network. "For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question," say the hospitals. "We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS." HHS has also extracted settlements from several other healthcare entities over the past two years as it beefs up the effort to crack down on HIPAA violations. In April, it reached a $2 million settlement with Concentra Health Services and QCA Health Plan. Both organizations reported losing laptops containing unencrypted patient data."

  • Typical (Score:4, Insightful)

    by nurb432 (527695) on Saturday May 10, 2014 @07:34AM (#46965907) Homepage Journal

    This is why you have IT staff, and you let them do their jobs. Typical "I'm a doctor, I went to school and know everything" mentality.

    Too bad they didn't fine the actual doctor instead of the hospital as it was his personally irresponsible actions that caused the breach, not hospital policy.

    • by TchrBabe (3589445)
      Not just the "I'm a doctor..." mentality, it is characteristic of the whole healthcare system - if you aren't a _____ (fill in the blank with EMT, LPN, RN, PA, PhD, hospital admin) you don't know anything (in their minds). I wonder if they even had an IT department, or if they did, if it was competent (and not composed of the relative of one of the high end staff members - some kid who "built his own computer so he knows what he is doing"). The ability of the doctor to access and alter network settings in
      • I've done IT work for many clinics here in Houston, and I've never run into that mentality before. I suppose it depends on the circles you do work with. In my case, it was next to impossible to get anything approved when they're too busy to handle anything business related. Again, these were small clinics.

        What they should be using is Bitlocker. It can be overly sensitive in that any major Windows Update, driver, and BIOS will flag for the recovery key at boot. You can back the key up to AD or have it stored

        • by the_B0fh (208483)

          How would BitLocker help in this case? Just curious why you think it'd help when it is information that's being exposed on the Internet, on a server that is running, and attached to the Internet, and not stolen laptops.

        • At a company I worked for the CFO had used Bitlocker to encrypt his disk and didn't tell anyone. He was the only person in the company that had done this. We went through a major domain migration which failed and so a new domain was created and everyone moved to it. Suddenly the CFO could not access his machine anymore and they could not recover anything.

          • by cbreak (1575875)
            That sounds stupid. He should have used proper encryption like Apple's FileVault or TrueCrypt. Those work independently of that domain stuff. And they allow you to back up a recovery key too.
          • by kbg (241421)

            Yes the mistake was using Microsoft software, which has these major bugs. You don't have the encryption connected to the domain...period.

            • by Anonymous Coward

              No, the mistake was using an incompetent admin who wasn't able to perform a simple domain migration. Bitlocker did its job, protecting the data; the fault lies with the admin.

      • by Anonymous Coward

        I have done IT work in clinic environments and every doctor I have worked with usually started the conversation with, "I'm really stupid about computers .... could you help me with ...." or something like that.

        That was from a doc who was 30 something. The older they get, the more tech phobic they are.

        My wife is a provider and we have a contest to see who has the most "arrogant ass" story. Or who is more arrogant: doctors or IT/Software developers/engineers.

        I won hands down - technology people are the arrog

        • Re:No. (Score:4, Insightful)

          by lagomorpha2 (1376475) on Saturday May 10, 2014 @09:25AM (#46966383)

          I won hands down - technology people are the arrogant asses.

          Though you would never guess that by reading slashdot comments.

        • Re:No. (Score:5, Insightful)

          by greenbird (859670) on Saturday May 10, 2014 @10:22AM (#46966725)

          I won hands down - technology people are the arrogant asses.

          The difference is technology people are typically arrogant about technology, what should be their area of expertise, whereas most of the arrogant ass doctors I've encountered are arrogant about everything. The technology guy isn't going to walk into the doctor's office and start telling him about how to do doctoring stuff. A great many people will tell technology people all about how to do their job.

          In any field I usually take arrogance as a sign of incompetence. Typically smart people think they know less than they really do and stupid people usually think they know more. The caveat being perception of arrogance is somewhat relative also. Arrogant people usually perceive anyone who knows more about something than they do as arrogant. That being said though, there are definitely a lot of incompetent technology people, almost certainly a lot more than there are incompetent doctors.

          • I have probably forgotten more about IT than most even know. However, while I think I am competent in what I do, I do not know everything, nor is it really reasonable to do so. That is why specializations exist. Don't talk to the Network guy regarding your DB problems, or your DB guy about your Coding issues... Sure they may have some related experience and overlap, but likely won't be as knowledgeable as someone that does that as their core. Same with Doctors, they will all have a common background, but as

      • by Anonymous Coward

        Reminds me of that old joke:

        Q: What's the difference between God and a surgeon?
        A: God doesn't think he's a surgeon.

    • I bet this was the typical "I'm a physician. I'm the smartest person in the building. I can handle anything."
      See: The most dangerous thing in the world
        "A Doctor in a Bonanza"

      • by nurb432 (527695)

        I used the term *doctor* for a reason, and did not want to limit it to "physician". I have seen this same attitude in other industries as well, far too often.

        And sure, not all educated people are like that, but i do tend to see a lot of them get a big head at a particular point.

        • Re:Typical (Score:5, Insightful)

          by Kjella (173770) on Saturday May 10, 2014 @08:41AM (#46966147) Homepage

          Except for IT of course. If you can master a computer then your impeccable logic and reasoning skills will make any other subject a piece of cake.

          • by nurb432 (527695)

            I have seen those people too, thus 'any industry' in my statement.

          • Not true. The IT people over at CERN didn't understand a bit about the subject they were working on. Thus, they decided to have some fun and invented the internet.

            • It most certainly was NOT an IT person at CERN who invented the HTTP protocol. He was a practicing scientist. The 'IT' people were probably busy replacing ribbons and making sure the paper wasn't spilling off the tractor feed mechanisms.

              • He was a practicing scientist.

                Yes; a practising computer scientist (albeit one with a degree in physics) working as an independent software contractor. I'd call him an IT person.

          • Also, all you need to do to 'master a computer' is learn how to put together a clone using off-the-shelf parts and a phillips screwdriver. I remember how empowering it was to install Linux on a cheap clone box back in 1994, then build an 'internet' in my apartment by attaching surplus '386sx boxes on it with 3C503 cards and coax.

            The biggest problem some IT people have is that they think the group of enamored people surrounding them who rely on them for help represent the whole world, and not the bubble the

            • 3C503 cards

              As I type I'm resting my feet on a machine with one of those in it. Still worked last time I fired it up (which was probably last year...).

              They don't make 'em like that anymore.

        • This kind of arrogance comes from literally being the smartest person in the room most of the time and from talking to idiots all day - something doctors do all the time. Don't blame the doctors, look at the patients...

    • by Anonymous Coward

      Your "IT staff" were idiots for letting this guy have his own machine on the network. Fire those bozos too.

      • Doctors are independent contractors or something like that where they work for some outside company so they may need to have their machines to get work done.

        • Maybe true (some docs are independent contractors). But in any sort of hospital, anything computer related, has to go through IT. I can't imagine them letting anyone have a friggin server with an outside connection. Especially a system as large as this.

          The only way I can put this together is that Columbia is so large that they've lost control of their network to the point where any half bright person could just set up a server. I'm pretty sure that if the doc had said "I need a personal server to go thr

          • Maybe true (some docs are independent contractors). But in any sort of hospital, anything computer related, has to go through IT.

            A while ago some article around here mentioned a group of doctors who had privileges at a local hospital. The hospital required the medical group to agree to hospital IT policies, security audits and unannounced penetration tests in order to connect the group's computers to the hospital network.

      • by nurb432 (527695)

        No matter how competent you are, or wrong it is to do it, when the guy that writes your paycheck says 'do this', you have 3 basic choices:

        1 - Do it ( and if you are smart, document it )
        2 - Leave
        3 - Refuse ( and get fired )

        Also not everyone has option 2 available to them on a whim, so often times 1 and 2 are tied together, in a delayed fashion. 3 is never the best option.

    • "We also have continually strengthened our safeguards" - Ha ha ha...

      There was no IT security, control or safeguards. The doctor should not have been able to use his personal computer on the hospital net.

    • by Anonymous Coward

      This is why you have IT staff, and you let them do their jobs. Typical "I'm a doctor, I went to school and know everything" mentality.

      Too bad they didn't fine the actual doctor instead of the hospital as it was his personally irresponsible actions that caused the breach, not hospital policy.

      Let's not be throwing stones here... Plenty of people on Slashdot have the "I'm an IT guy, I taught my self computers and know everything" mentality.

    • Malpractice insurance mentality....

    • The HHS press release [hhs.gov] says

      The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.

      So, the physician wasn't completely clueless about computers, though perhaps HHS is being deliberately vague about his exact role.

      • by nurb432 (527695)

        Even if you aren't 'completely clueless' you should let the experts that you pay do their jobs and stay out of the way. ( regardless of what that job is )

    • by Jonner (189691)

      In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

      The details are sparse, but it doesn't sound to me that the specific doctor was any more to blame than the IT people. It's hard to imagine how deactivating one machine would expose private information if that information were on properly secured systems in the first place. The scenario I can easily imagine is that the machines with private information were accessed with insecure protocols and all the doctor in question did was to plug them into a more public switch or router.

    • by WarJolt (990309)

      The answer is simple. Cloud based medical records and disallow local caching. A PC is disconnected, no problem. It scales and it allows you to consolidate security. I never understood why we trust IT staffs with medical record security. You really need a Dev Ops team for that.

    • by nhat11 (1608159)

      Who +1 nurb432 for insightful? If you met any average doctor, most don't care to tell you they don't know anything about computers because they only want to focus on medicine. The ignorance in this post lol

  • wait a minute (Score:5, Insightful)

    by Anonymous Coward on Saturday May 10, 2014 @07:38AM (#46965919)

    If they're gonna blame the doctor for "attempting to deactivate" something, they have to explain wth that means...otherwise it's just a scapegoat

    • Most likely suspended or deactivated Bitlocker. That, and perhaps removed it from the domain and back into workgroup mode.

      • You can't remove computer from the demand without the domain admin password. If they're handing out that password to end users, they've got a whole other series of problems.

        • Re: wait a minute (Score:4, Informative)

          by David_Hart (1184661) on Saturday May 10, 2014 @11:19AM (#46967149)

          You can't remove computer from the demand without the domain admin password. If they're handing out that password to end users, they've got a whole other series of problems.

          Wrong, you just have to have local Admin rights.

          The proper way to remove a computer from the domain is to log in as a user with local admin rights and then enter a domain account with the rights to Add/Remove Computers. This removes the computer from the domain and deletes the computer account from the domain.

          However, you can also log in as a user with local admin rights and when prompted, after selecting Workgroup mode, enter a crap ID and password when prompted for domain credentials. The domain part will fail, but the computer will be switched to workgroup mode on reboot. The difference is that there is now an orphaned computer account still listed in the domain. But the client is now no longer on the domain as far as it is concerned.

          The reason why this is allowed is simply because a mechanism is needed to switch a computer from domain mode to workgroup mode if, for some reason, the domain is unavailable.

          • by mpe (36238)
            However, you can also log in as a user with local admin rights and when prompted, after selecting Workgroup mode, enter a crap ID and password when prompted for domain credentials.

            In practice all you need to do is enter anything, including a single space, into the username box.
        • by Rich0 (548339)

          As pointed out, you only need local admin access, and if you're going to let people use their own computers on the network, then it stands to reason that they'll have local admin access.

          The solution to this problem is to not attach computers to the hospital systems which aren't owned and administered by the hospital.

        • You can't remove computer from the demand without the domain admin password. If they're handing out that password to end users, they've got a whole other series of problems.

          Bloody autocorrect. That's what I get for typing posts using my phone.

          Can't say that I've ever tried it on a system with local admin rights. Usually I don't set up my domains in such a manner, because users can't resist the fuzzy kitten videos that come with free....ahem...."screensavers".

      • Most likely suspended or deactivated Bitlocker. That, and perhaps removed it from the domain and back into workgroup mode.

        Nah, neither of those things would have made patient information available over the World Wide Web.

        It sounds like nonsense, frankly.

        Probably to protect the anaesthesiologist. Oh, did the article not say it was an anaesthesiologist? But it always is.

        • My guess is that he or she was developing an app for fellow doctors, and was running a backend on a personally owned server for testing purposes. When app development was complete, the physician reconfigured this machine to work on other projects, but neglected to scrub it of HIPAA data, or access rights to this data.

          The computer was then opened up to the outer world for another project that didn't involve patient data. Google searched the machine, and found the data trove.

          But perhaps I'm reading too much

    • The advantage of being vague and obtuse probably glosses over several other specific HIPAA violations that would drag several other responsible higher ups into the mud and saved them another million dollars in fines. That is why companies spend more on administrators than on IT. /What we really need is to expand H1-b's. After all, they've been telling us that for years and we just don't get it/ hmmm, why did I wait till the last sentence to add a sarcasm tag?
    • Let's ignore how the IT dept should have some kind of network traffic scans to see this stuff, how the heck does a non-admin do something like this? And I'm not attributing it to malice, I'm sure this guy "meant well" and in the process managed to screw everything up. Otherwise, I'm going with "scapegoats" for 1000, Alex.
    • Re:wait a minute (Score:4, Informative)

      by Mendy (468439) on Saturday May 10, 2014 @12:11PM (#46967579)

      This [bizjournals.com] describes it in a little more detail.

      My guess is that he turned off a webapp which then caused the HTTP server to provide open directory access. This doesn't explain why he was doing it though or indeed why he was able to.
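The failure mode guessed at above (an application goes away and the HTTP server behind it falls back to listing the directory) is easy to reproduce locally. The following is an added example, not code from this thread or from either hospital: it serves a temporary directory containing one constructed file with Python's stock `SimpleHTTPRequestHandler`, which generates a directory index when no `index.html` is present, and then with a hardened handler (`NoListingHandler`, a name chosen here) that refuses to list directories. All file names and paths are made up for the demonstration.

```python
"""Directory-listing fallback: stock handler vs. one that denies listings."""
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

# Python's default file server; it lists a directory that has no index file.
DEFAULT_HANDLER = http.server.SimpleHTTPRequestHandler


class NoListingHandler(http.server.SimpleHTTPRequestHandler):
    """Serve files, but never generate a directory index (hypothetical hardening)."""

    def list_directory(self, path):
        self.send_error(403, "Directory listing denied")
        return None  # send_head() treats None as "nothing further to send"


def _serve(handler_cls, docroot):
    """Start a server for docroot on an ephemeral loopback port; return it."""
    handler = partial(handler_cls, directory=docroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, path="/"):
    """GET a path from the local server; return (status, body) even on HTTP errors."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars
    try:
        with opener.open(f"http://127.0.0.1:{port}{path}", timeout=5) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def probe(handler_cls):
    """Serve a docroot holding one constructed sensitive-looking file and no index,
    request '/', and report (status, whether the file name appeared in the response)."""
    with tempfile.TemporaryDirectory() as docroot:
        with open(os.path.join(docroot, "patient-export.csv"), "w") as f:
            f.write("mrn,name\n000001,CONSTRUCTED SAMPLE\n")  # constructed content
        srv = _serve(handler_cls, docroot)
        try:
            status, body = fetch(srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
        return status, b"patient-export.csv" in body


if __name__ == "__main__":
    print("default handler:", probe(DEFAULT_HANDLER))   # (200, True): file name leaked
    print("hardened handler:", probe(NoListingHandler))  # (403, False)
```

The same fallback exists in production servers as a configuration option (Apache's `Indexes`, nginx's `autoindex`); the point of the demonstration is that the listing is produced by the server itself, so removing or stopping the application in front of a directory is exactly the step that exposes it.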

  • by rmdingler (1955220) on Saturday May 10, 2014 @08:02AM (#46966005)

    It's not clear why a physician had a personally owned system connected to the network, or why he was attempting to deactivate it.

    Of course it is. It was more convenient for him/her personally, despite putting sensitive patient data at risk in a venue beyond the doctor's ken.

    It's a commons tragedy (the Bizarro-World Spock-doctrine): better for one at the expense of the many.

    • by mwvdlee (775178)

      A personally owned system doesn't come with all those annoying login passwords and security confirmations.

    • by Bill_the_Engineer (772575) on Saturday May 10, 2014 @08:55AM (#46966219)

      Hospitals are slow about refreshing their IT hardware and the hospital in TFA involves physicians working for both New York Presbyterian and Columbia University Medical Center. I wouldn't be surprised that the only way the physician could get a newer laptop capable of running his software in a reasonable amount of time was to order one with his own money and have the IT staff configure it for him.

      The article has the smell of bullshit coming from the IT department that was ultimately responsible. Instead of saying they mishandled off boarding the physician's computer, they gave the impression that the physician was directly responsible for the breach. If a medical physician can cause a website to appear on the hospital network and have that page accessible to the internet then I think it's about time to clean house and the hospital seriously needs to find new IT staff.

      • The fact that the system allowed this to occur is the responsibility of the hospital. The advantage of this for us geeks is that we can point to it when discussing security with senior management; that sort of scale of fine does get their attention. OTOH if we don't make the effort to ensure our systems are secure, we deserve the kicking.
    • And this ladies and gentlemen is why BYOD in more than a few types of work place is a phenomenally fucking stupid idea. Oh I need to take this back now, let me undo the network things... oh the company data, I guess that's okay for now...

      • by Rich0 (548339)

        And this ladies and gentlemen is why BYOD in more than a few types of work place is a phenomenally fucking stupid idea. Oh I need to take this back now, let me undo the network things... oh the company data, I guess that's okay for now...

        Yup. Companies want to treat "bring your own device" as if it meant "pay for the company's device" and it isn't surprising that this causes problems. They should simply provision employees with devices if they want them to work remotely/etc.

  • There almost has to be more to this story than we're hearing, and I'd be interested in the details. Why does one have to "reconfigure" a server to disconnect a single, personally owned computer from a network? The doctors I know would pull the ethernet cable, pick up the computer and go home, without even thinking about the server.

  • No user should be able to do anything that would lead to this result. This is not the doctor's fault. He may have violated a few policies, but to blame the entire incident on him is a bit ridiculous. This was a failure of their Network/Security team.

    • Right on.

      He actually deserves some bug bounty money.

    • No user should be able to do anything that would lead to this result. This is not the doctor's fault. He may have violated a few policies, but to blame the entire incident on him is a bit ridiculous. This was a failure of their Network/Security team.

      I second that notion. You have two issues here: the doctor should not have been able to reconfigure access in this way, and the IT staff should have spotted an unusual flow when the breach was active.

      Clearly the [recital 2a] Googlebot and others were spidering patient data [hhs.gov] for some time, those 6,800 records would account for a lot of traffic. EVEN IF the queries were https encrypted or the URLs contained session hashes instead of data, logs would show web spiders accessing presumably 'internal use only' fu
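The detection point made above, that spiders hitting internal-only URLs leave a trail in ordinary access logs regardless of whether the content was encrypted in transit, is worth showing concretely. This is an added example, not code from the thread or from either hospital: it parses combined-format access log lines, flags successful fetches of paths under internal prefixes by well-known crawler user agents, and summarises them per source address. The log lines, the `/ehr/`, `/labs/` and `/export/` prefixes and the crawler marker list are all constructed for the example.

```python
"""Flag search-engine crawlers fetching internal-only paths in web access logs."""
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substrings identifying common crawlers (constructed list, not exhaustive).
CRAWLER_UA_MARKERS = ("googlebot", "bingbot", "yandexbot", "baiduspider", "duckduckbot")

# Path prefixes that must never be reachable without authentication (hypothetical).
INTERNAL_PREFIXES = ("/ehr/", "/labs/", "/export/")

# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2014:07:31:02 +0000] "GET /ehr/patient/000123 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [10/May/2014:07:31:03 +0000] "GET /ehr/patient/000124 HTTP/1.1" 200 4987 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [10/May/2014:07:32:11 +0000] "GET /export/ HTTP/1.1" 200 18022 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
192.0.2.44 - - [10/May/2014:07:33:40 +0000] "GET /ehr/patient/000125 HTTP/1.1" 200 5011 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
203.0.113.5 - - [10/May/2014:07:34:00 +0000] "GET /robots.txt HTTP/1.1" 404 211 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_crawler(ua):
    ua = ua.lower()
    return any(marker in ua for marker in CRAWLER_UA_MARKERS)


def is_internal(path):
    return path.startswith(INTERNAL_PREFIXES)


def find_crawler_hits(log_text):
    """Entries where a crawler fetched an internal path and got a 2xx response.
    The response code matters: a 404 or 403 from a crawler is noise, a 200 is a leak."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if is_crawler(e["ua"]) and is_internal(e["path"]) and e["status"].startswith("2"):
            hits.append(e)
    return hits


def summarize(hits):
    """Hits per source IP and number of distinct internal paths; one crawler IP
    walking many distinct paths is the pattern that should page someone."""
    by_ip = Counter(h["ip"] for h in hits)
    return {
        "total": len(hits),
        "by_ip": dict(by_ip),
        "distinct_paths": len({h["path"] for h in hits}),
    }


if __name__ == "__main__":
    hits = find_crawler_hits(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["status"], h["path"], h["ua"][:45])
    print(summarize(hits))
```

Point it at a real log by reading the file into `find_crawler_hits`; the two knobs to adapt are `INTERNAL_PREFIXES` (what should never be public) and `CRAWLER_UA_MARKERS` (which user agents to treat as evidence that the path is reachable from the public Internet).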

      • No user should be able to do anything that would lead to this result. This is not the doctor's fault. He may have violated a few policies, but to blame the entire incident on him is a bit ridiculous. This was a failure of their Network/Security team.

        I second that notion. You have two issues here: the doctor should not have been able to reconfigure access in this way, and the IT staff should have spotted an unusual flow when the breach was active.

        You missed the part where the doctor is actually a developer and was essentially working in IT....

  • by wiredlogic (135348) on Saturday May 10, 2014 @08:20AM (#46966061)

    What's the point in having a "secure" HIPAA compliant network that anyone can connect any old computer to? If the admins had just locked out unauthorized MAC addresses this wouldn't have happened. It would have cost them less than 4.8 million to implement even at healthcare contractor rates.
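As an added example for the allowlisting idea above (not code from the thread or from any hospital), the script below checks DHCP lease records against an inventory of hospital-owned MAC addresses and reports anything not on the list. It also goes one step beyond a plain allowlist: an inventoried MAC that appears on two IP addresses in the same lease file is reported as well, since a bare MAC filter would pass both leases as legitimate. The lease records (written one per line, a simplified form of ISC dhcpd's multi-line `lease { ... }` blocks), the MAC addresses, asset tags and hostnames are all constructed.

```python
"""Audit DHCP leases against a managed-device MAC inventory."""
import re
from collections import defaultdict

# Inventory of managed devices: canonical MAC -> asset tag (constructed).
MANAGED = {
    "00:1a:2b:3c:4d:5e": "WS-0412",
    "00:1a:2b:3c:4d:5f": "WS-0413",
    "d4:be:d9:11:22:33": "LAB-ANALYZER-02",
}

# Constructed lease records, one per line, in a dhcpd-like syntax.
# MACs deliberately use several notations to exercise normalisation.
LEASES = """\
lease 10.20.1.15 { starts 6 2014/05/10 07:20:11; hardware ethernet 00:1a:2b:3c:4d:5e; client-hostname "ws-0412"; }
lease 10.20.1.16 { starts 6 2014/05/10 07:21:40; hardware ethernet 00-1A-2B-3C-4D-5F; client-hostname "ws-0413"; }
lease 10.20.1.77 { starts 6 2014/05/10 07:25:02; hardware ethernet 3c:22:fb:aa:bb:cc; client-hostname "visitor-laptop"; }
lease 10.20.1.78 { starts 6 2014/05/10 07:26:30; hardware ethernet d4:be:d9:11:22:33; client-hostname "lab-analyzer-02"; }
lease 10.20.1.91 { starts 6 2014/05/10 07:27:05; hardware ethernet D4BED9112233; }
"""

LEASE_RE = re.compile(
    r'lease (?P<ip>\d+\.\d+\.\d+\.\d+) \{.*?hardware ethernet (?P<mac>[0-9A-Fa-f:\-\.]+);'
    r'(?:.*?client-hostname "(?P<host>[^"]*)";)?'
)


def normalize_mac(raw):
    """Canonical lower-case colon form; accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff and AABBCCDDEEFF. Raises ValueError on anything else."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text):
    """Return a list of {ip, mac, host} dicts for every recognisable lease line."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append({"ip": m["ip"], "mac": normalize_mac(m["mac"]), "host": m["host"] or ""})
    return leases


def audit(leases, managed):
    """Report leases whose MAC is not inventoried, and inventoried MACs holding
    more than one address (two devices claiming the same MAC, or a stale lease)."""
    unknown = [l for l in leases if l["mac"] not in managed]
    ips_by_mac = defaultdict(set)
    for l in leases:
        ips_by_mac[l["mac"]].add(l["ip"])
    duplicated = {mac: sorted(ips) for mac, ips in ips_by_mac.items()
                  if mac in managed and len(ips) > 1}
    return {"unknown": unknown, "duplicated": duplicated}


if __name__ == "__main__":
    report = audit(parse_leases(LEASES), MANAGED)
    for l in report["unknown"]:
        print("UNKNOWN DEVICE", l["ip"], l["mac"], l["host"] or "(no hostname)")
    for mac, ips in report["duplicated"].items():
        print("DUPLICATE MAC ", mac, MANAGED[mac], ips)
```

The duplicate check is the part worth keeping in mind when relying on MAC-based controls: the allowlist itself cannot tell two devices presenting the same address apart, so the lease and switch-port history has to do that job.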

  • That's why you don't let Doctor Bashir play with the ship's phasers or the self-destruct sequence. There are other qualified high-rank officers to do that kind of work (when they're not mind-controlled by aliens or trapped in another plane of existence)

  • by maple_shaft (1046302) on Saturday May 10, 2014 @09:03AM (#46966261)

    Having worked in IT and software development for a number of different health systems some common themes run true.

    1) Over emphasis on the needs of the physicians over the needs of the patients and the other areas of the health systems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not a doctor.

    2) Easy money. Money comes easy to these organizations. This plus...

    3) Non-profit tax status and requirements to spend or invest profits earned. This creates an environment of plentiful budgets where waste runs rampant, and concern over things such as nepotism and incompetence aren't as important as they would be in other companies.

    Of course with nepotism you get politics so thick you couldn't cut it with a carbide blade. This causes a technical brain drain to the point where you have a bloated IT department with 20 incompetent people for every person who knows what they are doing and is always taking the role of the Hero. The Hero can get things done and keep things secure despite all of the problems but eventually like everybody else, the Hero is a human being and has flaws like a human being. The Hero occasionally makes a mistake.

    • There are a number of things wrong with your post:

      1) Over emphasis on the needs of the physicians over the needs of the patients and the other areas of the health systems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not a doctor.

      The doctors are IT's customers not the patient. The patients are the doctor's customers not yours. It's the doc

      • by maple_shaft (1046302) on Saturday May 10, 2014 @11:40AM (#46967303)

        Allow my rebuttal...

        The doctors are IT's customers not the patient. The patients are the doctor's customers not yours. It's the doctor's job to care for the patients. It's IT's job to make sure the computers don't get in the doctor's way while remaining secure and HIPAA compliant. I can see why the doctors would disrespect an IT department that doesn't cater to the customer's (as in doctors) needs.

        If you haven't noticed, the nature of healthcare is changing because of IT. With analytics, data warehouses and artificial intelligence like IBM's Watson diagnosing patients with stunning accuracy, the role of doctor centric patient care is going the way of the dodo. Granted we are not there yet but in the next 20 years we will see computers diagnosing patients, medical breakthroughs occurring through the use of analytics as opposed to traditional medical research, and doctors just basically being delegated to QA on patient care. The point is that all of this will be patient-centric where IT begins to see the patient as the client.

        In 80 some years of cardiac medicine, about the single most effective treatment that all doctors agree on is Aspirin. Healthcare breakthroughs move slowly if you haven't noticed. Now with analytics, doctors, researchers and analysts will be able to interpret correlations in a way never allowed before.

        Really? Their budgets have been shrinking for well over a decade. With medicare payouts being lowered, unfunded mandates to provide "life saving" care to indigents which includes triaging cold and flu cases in ERs, increasing budget reserves in order to offset the growing malpractice risks (self insured hospitals) or paying higher premiums (non-self insured hospitals), and increased labor costs for staff I'd like to know where this easy money is coming from.

        You make it seem as if the non-profit centers see this charity care as a bad thing. To the contrary, they are allowed to write off this "free" care that they are required to give mind you, as charity towards the requirements for them to maintain non-profit tax status. I promise you the cost of free care is a pittance compared to the corporate taxes they otherwise must pay as well as state and local property taxes and the like

        Your arguments about malpractice risks and insurance for that are negligible.

        In my region the nonprofit medical centers tend to be the regional charity or university based hospitals and they are outnumbered by the growing number of for-profit medical centers that offer specialized care. In plain English this means that the high-markup services are being performed by for-profit outpatient centers leaving the hospitals with convalescence services and indigent care.

        This for profit, non-profit line is increasingly blurry though as I see the large non-profit health systems continue to act in ways that are increasingly similar to for profit companies. The chair-persons at such health systems often encourage for-profit ventures to be incubated in the healthsystem and with the support of it so that they have vehicles to move profits into investments towards these for profit institutions. Guess who the board of directors tend to be at these for profit institutions that operate under the non-profit umbrella? Profits find their way into the chair-persons hands in a very indirect way. You may not realize who is really calling the shots and who actually owns these for profit institutions but I do and you would be surprised.

        This doesn't sound like any of the hospitals that I know about. I have friends and colleagues that are in the medical software business or an employee of a hospital throughout the southeast. My graduating class of engineers took advantage of the changes that HIPAA brought and a large portion of them work in the industry. We stay in touch and some of them are known to vent their frustration but none of it involved nepotism, mostly it involves hav

        • Allow my rebuttal...

          Always...

          If you haven't noticed, the nature of healthcare is changing because of IT. With analytics, data warehouses and artificial intelligence like IBM's Watson diagnosing patients with stunning accuracy, the role of doctor-centric patient care is going the way of the dodo. Granted, we are not there yet, but in the next 20 years we will see computers diagnosing patients, medical breakthroughs occurring through the use of analytics as opposed to traditional medical research, and doctors

      • by Rich0 (548339)

        The doctors are IT's customers, not the patient. The patients are the doctor's customers, not yours. It's the doctor's job to care for the patients. It's IT's job to make sure the computers don't get in the doctor's way while remaining secure and HIPAA compliant. I can see why the doctors would disrespect an IT department that doesn't cater to the customers' (as in doctors') needs.

        Are you a doctor? IT isn't paid by the doctors - they're paid by the HOSPITAL. Doctors and IT workers are just two classes of people working at the hospital to take care of the HOSPITAL's customers - the patients. There is a legal fiction designed to shield hospitals from liability/etc which also makes the patients the doctor's customers as well, but if you subscribe to that fiction then the doctors aren't even legally associated with the IT department at all.

        I work in an IT department for a for-profit

        • by Cederic (9623)

          I work in an IT department for a for-profit corporation and while I certainly have internal clients, ultimately we all work for the corporation and are supposed to look after its interests. Usually making my clients happy is the best thing for the company, but when their personal interests do not coincide with what is best for the company, then it is time to escalate issues and let the executives earn their pay.

          Nicely put. The doctors' customers are IT's customers because without them the doctors don't need IT.

          Looking out for the interests of the doctors is impossible without understanding their own obligations and requirements around patients. Preventing a doctor from alienating his entire patient base through poor IT implementation sounds like a pretty reasonable IT contribution.

        • Are you a doctor? IT isn't paid by the doctors - they're paid by the HOSPITAL. Doctors and IT workers are just two classes of people working at the hospital to take care of the HOSPITAL's customers - the patients. There is a legal fiction designed to shield hospitals from liability/etc which also makes the patients the doctor's customers as well, but if you subscribe to that fiction then the doctors aren't even legally associated with the IT department at all.

          No I'm not a doctor. You are completely correct

          • by Rich0 (548339)

            So, I get what you're saying about IT needing to look out for more than just its own needs.

            However, hospital management isn't really a "customer" in most cases. If you're talking about the CEO's email account, then the CEO is a customer like anybody else. However, if you're talking about the CEO telling IT that nobody can start a project without approval, then the CEO isn't a customer - he's the manager.

            Ultimately, internal divisions like "doctors," "IT," "HR," etc are all conveniences. Legally, there is a

            • However, hospital management isn't really a "customer" in most cases. If you're talking about the CEO's email account, then the CEO is a customer like anybody else. However, if you're talking about the CEO telling IT that nobody can start a project without approval, then the CEO isn't a customer - he's the manager.

              Hospital management is always IT's customer. They pay your department to perform services and protect the infrastructure. Every time you perform work for any staff member, you are performing a s

              • by Rich0 (548339)

                Hospital management is always IT's customer. They pay your department to perform services and protect the infrastructure. Every time you perform work for any staff member, you are performing a service for (and on the behalf of) management.

                Well, they're your customer in the same sense that your boss is your "customer." If you look at it from the standpoint that you personally are a business that sells your labor, then your boss is a customer, and so is some guy who bribes you to share your company's secrets with them. However, that really isn't a great way of defining the term in practice.

                The customer-centric attitude is generally advisable when dealing with just about anybody. However, I prefer to use the term customer to refer to somebod

    • by Trax (93121)

      As an emergency physician and former IT engineer with a Unix system administration background, I'll say that most of the important software and hardware choices are made by the IT department and C-level executives without any input by physicians whatsoever. I'll reply to your points line by line:

      > 1) Over emphasis on the needs of the physicians over the needs of the patients and the other areas of the healthsystems. Many important IT choices are made by doctors and not the professionals who were hi

      • Thank you for giving your input as a physician. It is nice to hear from your perspective. I admit that I was unfairly categorizing all physicians into this category of being disrespectful to other professions. It is a real thing though but admittedly small in the grander scheme of the problems at play here.

        IT departments in hospitals are rampant with nepotism, incompetence, and wastefulness. The heads of the security, network, and support divisions have no clue when it comes to supporting clinicians, including physicians, nurses, LPNs, or any other staff that requires using the computer for any health-related work.

        I see this in health systems big and small. You recognize the problem too, but you didn't really address my theory as to why this is: easy money and low accountability. Why, in your opinion, do you bel

        • I see it as an issue of low accountability for the most part, having different IT areas budgeted and the need to spend that budget before the year is out, or otherwise we won't get the same amount of money next year. That's the mentality that most organizations take with siloing of budgets, but to me it seems to be a waste.

          In my organization, they have outsourced the servers and support for the EMR to the EMR manufacturer for them to host in the "cloud" while adding more Citrix redirections and latency for the

      • by Cederic (9623)

        If the IT department doesn't like this, then too bad as the users needs outweigh yours -- remember that this is coming from a practicing clinician.

        Yeah, we can tell.

        The users are fucking lucky to get an IT system. IT departments run under-funded, with stupid regulation, no authority and no appreciation. You've exemplified most of that in one Slashdot post.

        I don't give a flying fuck how hard it is for you to access PACS, the network drive, the intranet or any other IT system if the alternative is sharing patient records over the Internet.

        So I'm going to inconvenience you to assure secure access. Note how I've already immediately compromised you, as a u

  • There is no cure.

    • The cure is to teach some math or CS classes in medical school.
      Not really to teach them math or CS, but to teach them not to be arrogant.

      • That's supposed to be why they take physics and chemistry in pre-med. That and keeping the memorizers out of medical school.

        My dad taught a chemistry class for the medical student track. Those professors were very conscious of their duty to keep morons from becoming doctors. A C did that. Some of these dweebs couldn't plug and chug formulas or balance a redox equation. Yet they had all already gotten As in high school chemistry. Great memorizers, hard workers, some just couldn't think. All _needed_ an A. T

  • Would a surgeon let an amateur operate on a patient? No. Do they think they are as good as competent CS experts? Yes. Pathetic.

    • by sconeu (64226)

      "Hey, doc! I've done some first aid before. Mind if I treat your patient?"
      "Hell no!"
      "Why not?"
      "Because I spent years obtaining an advanced degree, and have spent years since practicing and keeping my skills up to date."
      "Well, then, doc, for the exact same reason, KEEP YOUR HANDS OFF OF MY NETWORK".

  • The perfect example of a practicing doctor.
  • One branch of government profits from hospitals unintentionally misusing your private information, then another branch of government takes those profits to fund the intentional and illegal misuse of your private information.

  • by Rambo Tribble (1273454) on Saturday May 10, 2014 @09:41AM (#46966469)
    In their education, professionals, whether physicians or IT admins, are often inculcated with a professional swagger to the effect that they assume superiority in any situation. It is wise not to trust the judgement of those who exhibit this characteristic. They are commonly blind to their own failings and dismissive of others' concerns. Sadly, many are most impressed by this phenomenon, which they misapprehend as "confidence".
