
Physician Operates On Server, Costs His Hospital $4.8 Million

timothy posted about 6 months ago | from the s'posed-to-bury-your-mistakes dept.

Privacy 143

Hugh Pickens DOT Com (2995471) writes "Jaikumar Vijayan reports at Computerworld that a physician at Columbia University Medical Center (CU) attempted to "deactivate" a personally owned computer from a hospital network segment that contained sensitive patient health information, creating an inadvertent data leak that is going to cost the hospital $4.8 million to settle with the U.S. Department of Health and Human Services (HHS). The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web. The breach was discovered after the hospital received a complaint from an individual who discovered personal health information about his deceased partner on the Web. An investigation by the HHS Office for Civil Rights (OCR) found that neither Columbia University nor New York Presbyterian Hospital, who operated the network jointly, had implemented adequate security protections, or undertook a risk analysis or audit to identify the location of sensitive patient health information on the joint network. "For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question," say the hospitals. "We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS." HHS has also extracted settlements from several other healthcare entities over the past two years as it beefs up the effort to crack down on HIPAA violations. In April, it reached a $2 million settlement with Concentra Health Services and QCA Health Plan. Both organizations reported losing laptops containing unencrypted patient data."


Typcial (4, Insightful)

nurb432 (527695) | about 6 months ago | (#46965907)

This is why you have IT staff, and you let them do their jobs. Typical "i'm a doctor, i went to school and know everything" mentality.

Too bad they didn't fine the actual doctor instead of the hospital as it was his personally irresponsible actions that caused the breech, not hospital policy.

Re:Typcial (1)

TchrBabe (3589445) | about 6 months ago | (#46965931)

Not just the "I'm a doctor..." mentality, it is characteristic of the whole healthcare system - if you aren't a _____ (fill in the blank with EMT, LPN, RN, PA, PhD, hospital admin) you don't know anything (in their minds). I wonder if they even had an IT department, or if they did, if it was competent (and not composed of the relative of one of the high end staff members - some kid who "built his own computer so he knows what he is doing"). The ability of the doctor to access and alter network settings indicates that the network wasn't properly configured, whether or not it was a privately owned computer.

Re: Typcial (2)

DigiShaman (671371) | about 6 months ago | (#46965973)

I've done IT work for many clinics here in Houston, and I've never run into that mentality before. I suppose it depends on the circles you do work with. In my case, it was next to impossible to get anything approved when they're too busy to handle anything business related. Again, these were small clinics.

What they should be using is Bitlocker. It can be overly sensitive in that any major Windows Update, driver, and BIOS will flag for the recovery key at boot. You can back the key up to AD or have it stored elsewhere however. But when using Bitlocker for an organization, you really want a competent IT admin around to deal with this solution.

BTW, you could use Linux or Mac. For the sake of practicality of the discussion, I'm assuming most clinics use Windows already with an AD forest.

Re: Typcial (2)

the_B0fh (208483) | about 6 months ago | (#46966411)

How would BitLocker help in this case? Just curious why you think it'd help when it is information that's being exposed on the Internet, on a server that is running, and attached to the Internet, and not stolen laptops.

Re: Typcial (2)

otherniceman (180671) | about 6 months ago | (#46967883)

At a company I worked for the CFO had used Bitlocker to encrypt his disk and didn't tell anyone. He was the only person in the company that had done this. We went through a major domain migration which failed and so a new domain was created and everyone moved to it. Suddenly the CFO could not access his machine anymore and they could not recover anything.

Re: Typcial (2)

cbreak (1575875) | about 6 months ago | (#46968073)

That sounds stupid. He should have used proper encryption like Apple's File Vault or TrueCrypt. Those work independently of that domain stuff. And they allow you to back up a recovery key too.

No. (1)

Anonymous Coward | about 6 months ago | (#46966299)

I have done IT work in clinic environments and every doctor I have worked with usually started the conversation with, "I'm really stupid about computers .... could you help me with ...." or something like that.

That was from a doc who was 30 something. The older they get, the more tech phobic they are.

My wife is a provider and we have a contest to see who has the most "arrogant ass" story. Or who is more arrogant: doctors or IT/Software developers/engineers.

I won hands down - technology people are the arrogant asses.

Re:No. (3, Insightful)

lagomorpha2 (1376475) | about 6 months ago | (#46966383)

I won hands down - technology people are the arrogant asses.

Though you would never guess that by reading slashdot comments.

Re:No. (4, Insightful)

greenbird (859670) | about 6 months ago | (#46966725)

I won hands down - technology people are the arrogant asses.

The difference is technology people are typically arrogant about technology, what should be their area of expertise, whereas most of the arrogant ass doctors I've encountered are arrogant about everything. The technology guy isn't going to walk into the doctor's office and start telling him about how to do doctoring stuff. A great many people will tell technology people all about how to do their job.

In any field I usually take arrogance as a sign of incompetence. Typically smart people think they know less then they really do and stupid people usually think they know more. The caveat being perception of arrogance is somewhat relative also. Arrogant people usually perceive anyone who knows more about something then they do as arrogant. That being said though, there are definitely a lot of incompetent technology people, almost certainly a lot more then there are incompetent doctors.

Re:No. (0)

Anonymous Coward | about 6 months ago | (#46966985)

then[ then ]
adverb
1. at that time: Prices were lower then.
2. immediately or soon afterward: The rain stopped and then started again.
3. next in order of time: We ate, then we started home.
than[ than, then; unstressed thuhn, uhn ]
conjunction
1. (used, as after comparative adjectives and adverbs, to introduce the second member of an unequal comparison): She's taller than I am.
2. (used after some adverbs and adjectives expressing choice or diversity, such as other, otherwise, else, anywhere, or different, to introduce an alternative or denote a difference in kind, place, style, identity, etc.): I had no choice other than that. You won't find such freedom anywhere else than in this country.
3. (used to introduce the rejected choice in expressions of preference): I'd rather walk than drive there.

I bet a doctor might know the difference......

Yes.... (0)

Anonymous Coward | about 6 months ago | (#46967509)

In medical, not knowing and asking questions is accepted and encouraged.

Humility in medical is a MUST.

In technology, not knowing is a sign of being stupid. It is a sign of incompetence.

I have worked on operating systems. I once asked about some esoteric fact about networking that would have required a week of reading and experimentation and I was told that I was "stupid" and I did not "belong here" (that was on a Coursera Networking class, BTW).

Humility in tech is a sign of "weakness" and "stupidity".

The employers follow that ideology. Like Google and everyone else in Silicon Valley.

Not knowing "everything" is a sign of stupidity.

As far as tech hiring people are concerned, all of us are stupid - and bring in the H1-bs.

I love tech but I really hate this arrogant attitude that is so pervasive in tech - and why I left - and still here because of my avocation.

Re:Yes.... (1)

greenbird (859670) | about 6 months ago | (#46968305)

Humility in medical is a MUST.

I'd say it's not. At least that's not true of a good many of the practitioners.

Not knowing "everything" is a sign of stupidity.

Only stupid people would think that. To know "everything" in the technology field is at least on par with knowing "everything" in the medical field. Only an idiot would think anyone could even remotely come anywhere near knowing "everything" in either field.

As far as tech hiring people are concerned, all of us are stupid - and bring in the H1-bs.

Hmmm...been working in this field for 25 years now and rarely have I encountered that. The few occasions I did it was quickly evident the persons involved were idiots. Being willing to admit I didn't know something has almost always earned respect rather than contempt.

Re:Typcial (1)

Anonymous Coward | about 6 months ago | (#46967065)

Reminds me of that old joke:

Q: What's the difference between God and a surgeon?
A: God doesn't think he's a surgeon.

Re:Typcial (1)

Calydor (739835) | about 6 months ago | (#46967833)

And yet he yanked a rib out of Adam. I smell a malpractice lawsuit in the making.

Re:Typcial (2)

rotorbudd (1242864) | about 6 months ago | (#46966009)

I bet this was the typical "I'm a physician. I'm the smartest person in the building. I can handle anything."
See: The most dangerous thing in the world
  "A Doctor in a Bonanza"

Re:Typcial (2)

nurb432 (527695) | about 6 months ago | (#46966053)

I used the term *doctor* for a reason, and did not want to limit it to "physician". I have seen this same attitude in other industries as well, far too often.

And sure, not all educated people are like that, but i do tend to see a lot of them get a big head at a particular point.

Re:Typcial (5, Insightful)

Kjella (173770) | about 6 months ago | (#46966147)

Except for IT of course. If you can master a computer then your impeccable logic and reasoning skills will make any other subject a piece of cake.

Re:Typcial (1)

nurb432 (527695) | about 6 months ago | (#46966257)

I have seen those people too, thus 'any industry' in my statement.

Re:Typcial (1)

StripedCow (776465) | about 6 months ago | (#46966441)

Not true. The IT people over at CERN didn't understand a bit about the subject they were working on. Thus, they decided to have some fun and invented the internet.

Re:Typcial (0)

Anonymous Coward | about 6 months ago | (#46966807)

Except they didn't.

Re:Typcial (1)

Bing Tsher E (943915) | about 6 months ago | (#46967275)

It most certainly was NOT an IT person at CERN who invented the HTT protocol. He was a practicing scientist. The 'IT' people were probably busy replacing ribbons and making sure the paper wasn't spilling off the tractor feed mechanisms.

Re:Typcial (1)

wonkey_monkey (2592601) | about 6 months ago | (#46967527)

He was a practicing scientist.

Yes; a practising computer scientist (albeit one with a degree in physics) working as an independent software contractor. I'd call him an IT person.

Re:Typcial (1)

Bing Tsher E (943915) | about 6 months ago | (#46967249)

Also, all you need to do to 'master a computer' is learn how to put together a clone using off-the-shelf parts and a phillips screwdriver. I remember how empowering it was to install Linux on a cheap clone box back in 1994, then build an 'internet' in my apartment by attaching surplus '386sx boxes on it with 3C503 cards and coax.

The biggest problem some IT people have is that they think the group of enamored people surrounding them who rely on them for help represent the whole world, and not the bubble they've created. You convinced your boss you know your stuff. Better be careful, because younger people who got their first PC when they were 4 are coming up in the ranks.

Re:Typcial (0)

Anonymous Coward | about 6 months ago | (#46968309)

Sure, building and running a PC is easy. Building a network is easy. Knowing the right way to do it to scale to your environment, making it useful, highly available and secure... that's why there are IT people, as opposed to arrogant know-it-alls who built a PC once.

You sound like the idiot who cost his hospital several million dollars in the OP-- probably by removing it from the domain, but leaving the web server (which shouldn't have been on his personal machine) still running and serving out PHI (which shouldn't have been on his web server) without authentication.

It reminds me of the joke about the plumber who came out one night to fix a customer's clogged drain. He looked at the pipes, tapped on a couple, pulls out a rubber mallet, and knocks the side of a pipe. The drain clears, he tells the homeowner "that'll be $105"-- the homeowner says "$105 just to hit a pipe with a hammer?", the plumber responds "$5 to hit the pipe-- $100 for knowing which pipe and how hard".

I'm directly responsible for about 150 servers right now-- I updated openSSL on all of them in under 5 minutes with two commands when heartbleed broke, after generating a report of which servers had vulnerable versions (so we could regenerate certificates). That's the difference between an IT professional, and someone who built a PC one time.

Besides... the up and coming kids have iPads, that they've never seen the inside of, and have no clue how it works anyway.

Re:Typcial (1)

Anonymous Coward | about 6 months ago | (#46966029)

Your "IT staff" were idiots for letting this guy have his own machine on the network. Fire those bozos too.

Re:Typcial (0)

Anonymous Coward | about 6 months ago | (#46966085)

Yeah, they screwed up, but you've clearly never tried saying "no" to an "I'm a DOCTOR, dammit!" type. We all know what SHOULD be done in a case like this, but when you're dealing with a bully who probably CAN get you fired, sometimes it's hard to stand on principle.

Re:Typcial (0)

Anonymous Coward | about 6 months ago | (#46966541)

It's the same for some lawyers. Some of the biggest assclowns I've ever met were lawyers.

Re:Typcial (1)

symbolset (646467) | about 6 months ago | (#46967725)

I'm a doctor Jim, not a network security analyst.

doctors are independent contractors or something l (1)

Joe_Dragon (2206452) | about 6 months ago | (#46966571)

doctors are independent contractors or something like that where they work for some outside company so they may need to have their machines to get work done.

Re:doctors are independent contractors or somethin (1)

ColdWetDog (752185) | about 6 months ago | (#46967031)

Maybe true (some docs are independent contractors). But in any sort of hospital, anything computer related, has to go through IT. I can't imagine them letting anyone have a friggin server with an outside connection. Especially a system as large as this.

The only way I can put this together is that Columbia is so large that they've lost control of their network to the point where any half bright person could just set up a server. I'm pretty sure that if the doc had said "I need a personal server to go through the firewall" (and whatever else they have) he would have been laughed out the room.

Of course, TFA has no detailed information on what exactly happened so we are just guessing.

Medical group submits to Hospital IT ... (1)

perpenso (1613749) | about 6 months ago | (#46967765)

Maybe true (some docs are independent contractors). But in any sort of hospital, anything computer related, has to go through IT.

A while ago some article around here mentioned a group of doctors who had privileges at a local hospital. The hospital required the medical group to agree to hospital IT policies, security audits and unannounced penetration tests in order to connect the group's computers to the hospital network.

Re:Typcial (0)

Anonymous Coward | about 6 months ago | (#46966047)

Too bad they didn't fine the actual doctor instead of the hospital as it was his personally irresponsible actions that caused the breech, not hospital policy.

What do pants have to do with this?

IT Fail (1)

flyingfsck (986395) | about 6 months ago | (#46966145)

"We also have continually strengthened our safeguards" - Ha ha ha...

There was no IT security, control or safeguards. The doctor should not have been able to use his personal computer on the hospital net.

Re:IT Fail (0)

Anonymous Coward | about 6 months ago | (#46966373)

The doctor should not have been able to use his personal computer on the hospital net.

I wouldn't be surprised if the "personal computer" mentioned in the article is actually a computer owned by the physician for professional use (i.e. not owned by but obviously mismanaged by the hospital IT).

Re:Typcial (0)

Anonymous Coward | about 6 months ago | (#46966333)

very common that when someone becomes an expert in something they believe themselves an expert in everything.

can't tell from fluffy article whether it was a doctor's hubris or dysfunctional IT dept. that should take the blame.

Re:Typcial (1)

Anonymous Coward | about 6 months ago | (#46966489)

This is why you have IT staff, and you let them do their jobs. Typical "i'm a doctor, i went to school and know everything" mentality.

Too bad they didn't fine the actual doctor instead of the hospital as it was his personally irresponsible actions that caused the breech, not hospital policy.

Let's not be throwing stones here... Plenty of people on Slashdot have the "I'm an IT guy, I taught my self computers and know everything" mentality.

Re:Typcial (1)

JoeMerchant (803320) | about 6 months ago | (#46966553)

Malpractice insurance mentality....

Re:Typcial (2)

Jeremy Erwin (2054) | about 6 months ago | (#46966707)

The HHS press release [hhs.gov] says

The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.

So, the physician wasn't completely clueless about computers, though perhaps HHS is being deliberately vague about his exact role.

Re:Typcial (1)

Jonner (189691) | about 6 months ago | (#46967221)

In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

The details are sparse, but it doesn't sound to me that the specific doctor was any more to blame than the IT people. It's hard to imagine how deactivating one machine would expose private information if that information were on properly secured systems in the first place. The scenario I can easily imagine is that the machines with private information were accessed with insecure protocols and all the doctor in question did was to plug them into a more public switch or router.

Re:Typcial (1)

WarJolt (990309) | about 6 months ago | (#46967507)

The answer is simple. Cloud based medical records and disallow local caching. A PC is disconnected, no problem. It scales and it allows you to consolidate security. I never understood why we trust IT staffs with medical record security. You really need a Dev Ops team for that.

wait a minute (5, Insightful)

Anonymous Coward | about 6 months ago | (#46965919)

If they're gonna blame the doctor for "attempting to deactivate" something, they have to explain wth that means...otherwise it's just a scapegoat

Re:wait a minute - personally owned computer ? (0)

Anonymous Coward | about 6 months ago | (#46966013)

In which case he was entitled to 'deactivate it'. Not necessarily to expose the information, but that may not have been his fault.

Re: wait a minute (1)

DigiShaman (671371) | about 6 months ago | (#46966015)

Most likely suspended or deactivated Bitlocker. That, and perhaps removed it from the domain and back into workgroup mode.

Re: wait a minute (1)

cbiltcliffe (186293) | about 6 months ago | (#46966413)

You can't remove computer from the domain without the domain admin password. If they're handing out that password to end users, they've got a whole other series of problems.

Re: wait a minute (3, Informative)

David_Hart (1184661) | about 6 months ago | (#46967149)

You can't remove computer from the domain without the domain admin password. If they're handing out that password to end users, they've got a whole other series of problems.

Wrong, you just have to have local Admin rights.

The proper way to remove a computer from the domain is to log in as a user with local admin rights and then enter a domain account with the rights to Add/Remove Computers. This removes the computer from the domain and deletes the computer account from the domain.

However, you can also log in as a user with local admin rights and when prompted, after selecting Workgroup mode, enter a crap ID and password when prompted for domain credentials. The domain part will fail, but the computer will be switched to workgroup mode on reboot. The difference is that there is now an orphaned computer account still listed in the domain. But the client is now no longer on the domain as far as it is concerned.

The reason why this is allowed is simply because a mechanism is needed to switch a computer from domain mode to workgroup mode if, for some reason, the domain is unavailable.

Re: wait a minute (1)

Rich0 (548339) | about 6 months ago | (#46967979)

As pointed out, you only need local admin access, and if you're going to let people use their own computers on the network, then it stands to reason that they'll have local admin access.

The solution to this problem is to not attach computers to the hospital systems which aren't owned and administered by the hospital.

Re: wait a minute (1)

bill_mcgonigle (4333) | about 6 months ago | (#46966643)

Most likely suspended or deactivated Bitlocker. That, and perhaps removed it from the domain and back into workgroup mode.

Nah, neither of those things would have made patient information available over the World Wide Web.

It sounds like nonsense, frankly.

Probably to protect the anaesthesiologist. Oh, did the article not say it was an anaesthesiologist? But it always is.

Re: wait a minute (2)

Jeremy Erwin (2054) | about 6 months ago | (#46967027)

My guess is that he or she was developing an app for fellow doctors, and was running a backend on a personally owned server for testing purposes. When app development was complete, the physician reconfigured this machine to work on other projects, but neglected to scrub it of HIPAA data, or access rights to this data.

The computer was then opened up to the outer world for another project that didn't involve patient data -- Google searched the machine, and found the data trove.

But perhaps I'm reading too much into
"The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. "

Re:wait a minute (1)

NemoinSpace (1118137) | about 6 months ago | (#46966077)

The advantage of being vague and obtuse probably glosses over several other specific HIPAA violations that would drag several other responsible higher ups into the mud and saved them another million dollars in fines. That is why companies spend more on administrators than on IT. /What we really need is to expand H1-b's. After all, they been telling us that for years and we just don't get it/ hmmm, why did i wait till the last sentence to add a sarcasm tag?

Yeah, can someone fill in ANY blanks on this story (2)

mekkab (133181) | about 6 months ago | (#46966805)

Let's ignore how the IT dept should have some kind of network traffic scans to see this stuff, how the heck does a non-admin do something like this? And I'm not attributing it to malice, I'm sure this guy "meant well" and in the process managed to screw everything up. Otherwise, I'm going with "scapegoats" for 1000, Alex.

Re:wait a minute (3, Informative)

Mendy (468439) | about 6 months ago | (#46967579)

This [bizjournals.com] describes it in a little more detail.

My guess is that he turned off a webapp which then caused the HTTP server to provide open directory access. This doesn't explain why he was doing it though or indeed why he was able to.

The old laptop security chink (5, Insightful)

rmdingler (1955220) | about 6 months ago | (#46966005)

It's not clear why a physician had a personally owned system connected to the network, or why he was attempting to deactivate it.

Of course it is. It was more convenient for him/her personally, despite putting sensitive patient data at risk in a venue beyond the doctor's ken.

It's a commons tragedy (the Bizzaro-World Spock-doctrine): better for one at the expense of the many.

Re:The old laptop security chink (2)

mwvdlee (775178) | about 6 months ago | (#46966017)

A personally owned system doesn't come with all those annoying login password and security confirmations.

Most physicians have personally owned systems (0)

Anonymous Coward | about 6 months ago | (#46966179)

They get money that is provided to *them* to buy computers for continuing education - it's a convoluted mess and little can be done to stop it because they are required to use the things to 'learn' so many hours a day.

Re:Most physicians have personally owned systems (1)

spire3661 (1038968) | about 6 months ago | (#46966269)

Irrelevant. I.T failed in preventing him from doing it, and HR failed in letting the Dr. know exactly why this would be a bad idea. Drs. can afford their own private internet connection, there is no excuse for piggybacking on a medical care network so they can learn shit.

Re:The old laptop security chink (5, Insightful)

Bill_the_Engineer (772575) | about 6 months ago | (#46966219)

Hospitals are slow about refreshing their IT hardware and the hospital in TFA involves physicians working for both New York Presbyterian and Columbia University Medical Center. I wouldn't be surprised that the only way the physician could get a newer laptop capable of running his software in a reasonable amount of time was to order one with his own money and have the IT staff configure it for him.

The article has the smell of bullshit coming from the IT department that was ultimately responsible. Instead of saying they mishandled off boarding the physician's computer, they gave the impression that the physician was directly responsible for the breach. If a medical physician can cause a website to appear on the hospital network and have that page accessible to the internet then I think it's about time to clean house and the hospital seriously needs to find new IT staff.

That's why the hospital has been fined (1)

Bruce66423 (1678196) | about 6 months ago | (#46967269)

The fact that the system allowed this to occur is the responsibility of the hospital. The advantage of this for us geeks is that we can point to it when discussing security with senior management; that sort of scale of fine does get their attention. OTOH if we don't make the effort to ensure our systems are secure, we deserve the kicking.

Re:The old laptop security chink (2)

TobinLathrop (551137) | about 6 months ago | (#46967737)

And this ladies and gentlemen is why BYOD in more than a few types of work place is a phenomenally fucking stupid idea. Oh I need to take this back now, let me undo the network things... oh the company data, I guess that's okay for now...

Re:The old laptop security chink (1)

Rich0 (548339) | about 6 months ago | (#46968027)

And this ladies and gentlemen is why BYOD in more than a few types of work place is a phenomenally fucking stupid idea. Oh I need to take this back now, let me undo the network things... oh the company data, I guess that's okay for now...

Yup. Companies want to treat "bring your own device" as if it meant "pay for the company's device" and it isn't surprising that this causes problems. They should simply provision employees with devices if they want them to work remotely/etc.

Really? (1)

scotts13 (1371443) | about 6 months ago | (#46966041)

There almost has to be more to this story than we're hearing, and I'd be interested in the details. Why does one have to "reconfigure" a server to disconnect a single, personally owned computer from a network? The doctors I know would pull the ethernet cable, pick up the computer and go home, without even thinking about the server.

Not the Doctors fault (1)

Charliemopps (1157495) | about 6 months ago | (#46966043)

No user should be able to do anything that would lead to this result. This is not the doctor's fault. He may have violated a few policies, but to blame the entire incident on him is a bit ridiculous. This was a failure of their Network/Security team.

Re:Not the Doctors fault (1)

rmdingler (1955220) | about 6 months ago | (#46966075)

Right on.

He actually deserves some bug bounty money.

Re: Network, heal thyself (2)

TheRealHocusLocus (2319802) | about 6 months ago | (#46966563)

No user should be able to do anything that would lead to this result. This is not the doctor's fault. He may have violated a few policies, but to blame the entire incident on him is a bit ridiculous. This was a failure of their Network/Security team.

I second that notion. You have two issues here: the doctor should not have been able to reconfigure access in this way, and the IT staff should have spotted an unusual flow when the breach was active.

Clearly the [recital 2a] Googlebot and others were spidering patient data [hhs.gov] for some time, those 6,800 records would account for a lot of traffic. EVEN IF the queries were https encrypted or the URLs contained session hashes instead of data, logs would show web spiders accessing presumably 'internal use only' functions.

It is the responsibility of the senior IT administrator to establish a 'normal' baseline and track data flows at the router level, also set up an automated system which profiles web logs to profile transactions into as narrow a 'normal' definition as possible... and flag unusual patterns. If unusual flow is spotted this responsibility includes direct content sniffing of unencrypted communications.

No real hacker would identify as Googlebot when vacuuming out an internal-use database, for fear of setting off trip wires. If only such trip wires had been in place...

Ask Slashdot: How Do You Tell a Compelling Story About IT Infrastructure? [slashdot.org]

I hereby submit this one.
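The log-profiling trip wire described in the comment above, as an added example that is not part of the original thread. It assumes Apache/nginx "combined" access logs, hypothetical internal-only path prefixes (`/records/`, `/internal/`) and a `10.0.0.0/8` internal range; the log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the thread): path prefixes meant for internal use only,
# the address range of the internal network, and a few crawler UA tokens.
INTERNAL_PREFIXES = ("/records/", "/internal/")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CRAWLER_TOKENS = ("googlebot", "bingbot", "slurp", "spider", "crawler")

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_internal_client(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def classify(rec):
    """Return the reasons a request falls outside the 'normal' definition."""
    if not rec["path"].startswith(INTERNAL_PREFIXES):
        return []
    reasons = []
    # Strong signal: the source address is not chosen by the client's headers.
    if not is_internal_client(rec["ip"]):
        reasons.append("external-client")
    # Weak signal: the User-Agent is client-supplied, so treat it as a hint.
    if any(tok in rec["ua"].lower() for tok in CRAWLER_TOKENS):
        reasons.append("crawler-user-agent")
    return reasons

def scan(lines, volume_threshold=3):
    """Flag internal-only paths reached from outside; report bulk readers."""
    alerts, served, unparsed = [], Counter(), 0
    for lineno, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            unparsed += 1          # count, never silently drop, odd lines
            continue
        reasons = classify(rec)
        if not reasons:
            continue
        # Only 2xx responses mean data actually left the server.
        if "external-client" in reasons and 200 <= rec["status"] < 300:
            served[rec["ip"]] += 1
        alerts.append({"line": lineno, "ip": rec["ip"], "path": rec["path"],
                       "status": rec["status"], "reasons": reasons})
    bulk = sorted(ip for ip, n in served.items() if n >= volume_threshold)
    return {"alerts": alerts, "bulk_sources": bulk, "unparsed": unparsed}

# Constructed sample log (documentation IP ranges, made-up record ids).
GBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    '10.1.2.3 - drsmith [07/May/2014:09:15:02 -0400] "GET /records/patient?id=1001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    f'203.0.113.7 - - [07/May/2014:09:16:10 -0400] "GET /robots.txt HTTP/1.1" 200 68 "-" "{GBOT}"',
    f'203.0.113.7 - - [07/May/2014:09:16:11 -0400] "GET /records/patient?id=1001 HTTP/1.1" 200 5120 "-" "{GBOT}"',
    f'203.0.113.7 - - [07/May/2014:09:16:12 -0400] "GET /records/patient?id=1002 HTTP/1.1" 200 4988 "-" "{GBOT}"',
    f'203.0.113.7 - - [07/May/2014:09:16:13 -0400] "GET /records/patient?id=1003 HTTP/1.1" 200 5301 "-" "{GBOT}"',
    '198.51.100.20 - - [07/May/2014:09:20:44 -0400] "GET /internal/status HTTP/1.1" 403 199 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'malformed line without the expected fields',
    '10.1.2.9 - nurse1 [07/May/2014:09:21:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1)"',
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for a in result["alerts"]:
        print(a["line"], a["ip"], a["status"], a["path"], ",".join(a["reasons"]))
    print("bulk external readers:", result["bulk_sources"])
    print("unparsed lines:", result["unparsed"])
```
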

Re: Network, heal thyself (1)

David_Hart (1184661) | about 6 months ago | (#46967291)

No user should be able to do anything that would lead to this result. This is not the doctor's fault. He may have violated a few policies, but to blame the entire incident on him is a bit ridiculous. This was a failure of their Network/Security team.

I second that notion. You have two issues here: the doctor should not have been able to reconfigure access in this way, and the IT staff should have spotted an unusual flow when the breach was active.

You missed the part where the doctor is actually a developer and was essentially working in IT....

Lock down your network dumbasses (3, Insightful)

wiredlogic (135348) | about 6 months ago | (#46966061)

What's the point in having a "secure" HIPAA compliant network that anyone can connect any old computer to? If the admins had just locked out unauthorized MAC addresses this wouldn't have happened. It would have cost them less than 4.8 million to implement even at healthcare contractor rates.

Re:Lock down your network dumbasses (0)

Anonymous Coward | about 6 months ago | (#46966347)

I bet the hospital in question has a policy of BYOD for physicians probably due to physicians being self-employed or contract employees from a different medical group. The article has the smell of an IT department taking advantage of not actually owning the computer in question in order to deflect blame away from themselves.

We have a similar arrangement where I work which involves contract employers owning the equipment but have an agreement to allow the designated IT provider to manage them for us. Technically they are owned by us but the maintenance and security is handled by a central authority. Our equipment's MAC address must be whitelisted just to sign in on the network, and the equipment isn't even assigned an IP address on the "private" network until the installed inventory program reports its status and a quick port scan takes place. As part of our contract, the IT provider is responsible for decommissioning our equipment which boils down to verifying the hard drive is wiped and the MAC address taken off the whitelist.

Re:Lock down your network dumbasses (0)

Anonymous Coward | about 6 months ago | (#46966731)

What would have happened if someone, after being connected to the network, decided they need to tunnel elsewhere and disable their firewall for everything to work? Now suddenly the owner of the laptop has run-around all the security protections of the entire network and others could potentially get access to anything that person is authorized to see.

That is likely what has happened here. The doctor worked at two hospitals. He deactivated something which caused server data to be accessible out of the controlled network. How is someone supposed to stop this from happening while still letting real work get done? Lock down everything? That is the prevailing attitude here on slashdot, the new home for CS knowitalls and tech news weenies. There is some risk that must be accepted for real work to get done.

If you have the security features in place that all admins really want, you will be replaced in short order by someone willing to play ball for the sake of productivity. Christ this is a hospital. What do you think would happen when a doctor is at odds with IT? The administration will always side with their cash cow and not their cost center.

It is almost as if everyone on slashdot does not have any actual experience in IT. All the people left here are the clueless or programmers that are wasting time instead of pounding out code like they are supposed to.

Re:Lock down your network dumbasses (0)

Anonymous Coward | about 6 months ago | (#46967219)

1) They are only allowed to have superuser privileges on the machines if they took an admittedly easy class that pretty much creates a paper trail and the only firewall they would control is their own workstation not the one separating them from the internet.

2) The inventory program which is required both contractually and technically for access manages the configuration of the machine and reports the lack of a firewall in the security deficit report. The same inventory program sends a list of network connections made and reports hardware configuration. At another facility with stricter requirements, that software alerted the IT security staff of a possible breach when a USB thumb drive was inserted into a workstation.

3) The firewalls on the other hosts will alert IT security. We had an incident involving an infected laptop being attached to the network. It was flagged as soon as the malware tried to propagate.

4) Access to the external internet is provided by a network of firewalls. Judging by the paperwork that crosses my desk, it is safe to assume that any long lasting tunnels that bridge the firewall have to be explained and routed through proper channels. We had a machine that required access to a machine outside of our private network. It accomplished this with an encrypted tunnel similar to SSH. The programmer working on the machine failed to specify a source port in his configuration and allowed the TCP stack to assign a random number to it. It wouldn't have mattered to the application since the return path was hardcoded, but the router flagged it and the connection was short lived and after a number of reconnects was outright banned by the router. For long lived tunnel connections we have to specify both source IP including source port and destination IP including target port.

I admit that a hospital doesn't have to be as secure as my workplace, but after 10 years this is no longer cutting edge technology outside of the reach of businesses with lesser security requirements. Also hospitals tend to have fixed IT requirements which don't require the workstations having direct unfettered access to the internet. They can proxy the web and email access. If anything hospitals should be easier.

Re:Lock down your network dumbasses (0)

Anonymous Coward | about 6 months ago | (#46968343)

Unfortunately, there's an element you're overlooking-- Doctors at hospitals, bring in money. IT staff costs money. Guess who wins any arguments? The neurosurgeon who has a patent hanging on his wall for a nifty treatment method that the hospital makes a crap-ton of money from, doesn't have to listen to anyone.

Typical Scenario:
Dr.: "I want to use my computer on the network!"
IT: "that's insecure, and a really bad idea"
Dr.: "I bring more money into this hospital than you'll ever see in your lifetime. Put it on the network!"
IT: "That's a violation of our security policy. We can't do that."

*one nasty email later to CEO/CIO of hospital*

IT Boss: "Put it on the network, or you're fired".

At which point, I insist on having it in writing that I said it was a bad idea, put it in my CYA folder, and hope the doctor has more cluefulness than reasonableness.

I'd like to say this has never happened-- but I've heard or said every one of those quotes, even if they weren't all in the same conversation.

"attempting to deactivate" (1)

Blaskowicz (634489) | about 6 months ago | (#46966119)

That's why you don't let Doctor Bashir play with the ship's phasers or the self-destruct sequence. There are other qualified high-rank officers to do that kind of work (when they're not mind-controlled by aliens or trapped in another plane of existence)

This is very common (0)

Anonymous Coward | about 6 months ago | (#46966121)

A friend of mine did a job as an IT intern for a big Dutch university hospital and he and all his colleagues could access all patient records without it even getting logged.

Re:This is very common (1)

flyingfsck (986395) | about 6 months ago | (#46966167)

I thought you were going to say: "Without him even logging in", since that would be even more likely.

Free money for the government (0)

Anonymous Coward | about 6 months ago | (#46966213)

But the aggrieved patients whose information has become public knowledge get none of it. Something is wrong with that picture.

Re:Free money for the government (5, Insightful)

Anonymous Coward | about 6 months ago | (#46966323)

If, in a democracy, the government money isn't being spent as if it is the people's money, the people are doing something wrong. And the whole point of public law is that it imposes sanctions "in the public interest", not for the sake of the specific victim. (Sometimes this justifies stupidity, e.g. anti-marijuana law, but mostly it's why we have a civilisation and not a libertarian dystopia.)

Any personal damages can still be claimed in civil court.

Re:Free money for the government (1)

the_B0fh (208483) | about 6 months ago | (#46966433)

Too bad I don't have mod points, this is one AC post that's really good.

Healthcare IT in the US (5, Interesting)

maple_shaft (1046302) | about 6 months ago | (#46966261)

Having worked in IT and software development for a number of different health systems some common themes run true.

1) Over emphasis on the needs of the physicians over the needs of the patients and the other areas of the healthsystems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not a doctor.

2) Easy money. Money comes easy to these organizations. This plus...

3) Non-profit tax status and requirements to spend or invest profits earned. This creates an environment of plentiful budgets where waste runs rampant, and concern over things such as nepotism and incompetence aren't as important as they would be in other companies.

Of course with nepotism you get politics so thick you couldn't cut it with a carbide blade. This causes a technical brain drain to the point where you have a bloated IT department with 20 incompetent people for every person who knows what they are doing and is always taking the role of the Hero. The Hero can get things done and keep things secure despite all of the problems but eventually like everybody else, the Hero is a human being and has flaws like a human being. The Hero occasionally makes a mistake.

Re:Healthcare IT in the US (0)

Anonymous Coward | about 6 months ago | (#46966407)

Your experience doesn't match what I observed and sounds more like a disgruntled employee than insightful.

Re: Healthcare IT in the US (0)

Anonymous Coward | about 6 months ago | (#46966475)

Probably because you are not the Hero. ;)

Re: Healthcare IT in the US (0)

Anonymous Coward | about 6 months ago | (#46966649)

Exactly what I was thinking. The grand parent reads more of stereotypes than experience.

Re:Healthcare IT in the US (1)

Bill_the_Engineer (772575) | about 6 months ago | (#46966901)

There are a number of things wrong with your post:

1) Over emphasis on the needs of the physicians over the needs of the patients and the other areas of the healthsystems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not a doctor.

The doctors are IT's customers not the patient. The patients are the doctor's customers not yours. It's the doctor's job to care for the patients. It's IT's job to make sure the computers don't get in the doctor's way while remaining secure and HIPAA compliant. I can see why the doctors would disrespect an IT department that doesn't cater to the customer's (as in doctors) needs.

2) Easy money. Money comes easy to these organizations. This plus...

Really? Their budgets have been shrinking for well over a decade. With medicare payouts being lowered, unfunded mandates to provide "life saving" care to indigents which includes triaging cold and flu cases in ERs, increasing budget reserves in order to offset the growing malpractice risks (self insured hospitals) or paying higher premiums (non-self insured hospitals), and increase labor costs for staff I'd like to know where this easy money is coming from.

3) Non-profit tax status and requirements to spend or invest profits earned. This creates an environment of plentiful budgets where waste runs rampant, and concern over things such as nepotism and incompetence aren't as important as they would be in other companies.

In my region the nonprofit medical centers tend to be the regional charity or university based hospitals and they are outnumbered by the growing number of for-profit medical centers that offer specialized care. In plain english this means that the high-markup services are being performed by for-profit outpatient centers leaving the hospitals with convalescence services and indigent care.

Of course with nepotism you get politics so thick you couldn't cut it with a carbide blade. This causes a technical brain drain to the point where you have a bloated IT department with 20 incompetent people for every person who knows what they are doing and is always taking the role of the Hero. The Hero can get things done and keep things secure despite all of the problems but eventually like everybody else, the Hero is a human being and has flaws like a human being. The Hero occasionally makes a mistake.

This doesn't sound like any of the hospitals that I know about. I have friends and colleagues that are in the medical software business or an employee of a hospital throughout the southeast. My graduating class of engineers took advantage of the changes that HIPAA brought and a large portion of them work in the industry. We stay in touch and some of them are known to vent their frustration but none of it involved nepotism, mostly it involves having to manage tech school graduates and heroes.

Re:Healthcare IT in the US (3, Interesting)

maple_shaft (1046302) | about 6 months ago | (#46967303)

Allow my rebuttal...

The doctors are IT's customers not the patient. The patients are the doctor's customers not yours. It's the doctor's job to care for the patients. It's IT's job to make sure the computers don't get in the doctor's way while remaining secure and HIPAA compliant. I can see why the doctors would disrespect an IT department that doesn't cater to the customer's (as in doctors) needs.

If you haven't noticed, the nature of healthcare is changing because of IT. With analytics, data warehouses and artificial intelligence like IBM's Watson diagnosing patients with stunning accuracy, the role of doctor centric patient care is going the way of the dodo. Granted we are not there yet but in the next 20 years we will see computers diagnosing patients, medical breakthroughs occurring through the use of analytics as opposed to traditional medical research, and doctors just basically being delegated to QA on patient care. The point is that all of this will be patient-centric where IT begins to see the patient as the client.

In 80 some years of cardiac medicine, about the single most effective treatment that all doctors agree on is Aspirin. Healthcare breakthroughs move slowly if you haven't noticed. Now with analytics, doctors, researchers and analysts will be able to interpret correlations in a way never allowed before.

Really? Their budgets have been shrinking for well over a decade. With medicare payouts being lowered, unfunded mandates to provide "life saving" care to indigents which includes triaging cold and flu cases in ERs, increasing budget reserves in order to offset the growing malpractice risks (self insured hospitals) or paying higher premiums (non-self insured hospitals), and increase labor costs for staff I'd like to know where this easy money is coming from.

You make it seem as if the non-profit centers see this charity care as a bad thing. To the contrary, they are allowed to write off this "free" care that they are required to give mind you, as charity towards the requirements for them to maintain non-profit tax status. I promise you the cost of free care is a pittance compared to the corporate taxes they otherwise must pay as well as state and local property taxes and the like.

Your arguments about malpractice risks and insurance for that are negligible.

In my region the nonprofit medical centers tend to be the regional charity or university based hospitals and they are outnumbered by the growing number of for-profit medical centers that offer specialized care. In plain english this means that the high-markup services are being performed by for-profit outpatient centers leaving the hospitals with convalescence services and indigent care.

This for profit, non-profit line is increasingly blurry though as I see the large non-profit health systems continue to act in ways that are increasingly similar to for profit companies. The chair-persons at such health systems often encourage for-profit ventures to be incubated in the healthsystem and with the support of it so that they have vehicles to move profits into investments towards these for profit institutions. Guess who the board of directors tend to be at these for profit institutions that operate under the non-profit umbrella? Profits find their way into the chair-persons hands in a very indirect way. You may not realize who is really calling the shots and who actually owns these for profit institutions but I do and you would be surprised.

This doesn't sound like any of the hospitals that I know about. I have friends and colleagues that are in the medical software business or an employee of a hospital throughout the southeast. My graduating class of engineers took advantage of the changes that HIPAA brought and a large portion of them work in the industry. We stay in touch and some of them are known to vent their frustration but none of it involved nepotism, mostly it involves having to manage tech school graduates and heroes.

I will grant you that medical software businesses have less of this good ol' boys club that I speak about but it certainly is a real thing in all three health systems in the north east that I have worked for directly or indirectly. Perhaps it is a regional thing?

Re:Healthcare IT in the US (1)

Bill_the_Engineer (772575) | about 6 months ago | (#46967911)

Allow my rebuttal...

Always...

If you haven't noticed, the nature of healthcare is changing because of IT. With analytics, data warehouses and artificial intelligence like IBM's Watson diagnosing patients with stunning accuracy, the role of doctor centric patient care is going the way of the dodo. Granted we are not there yet but in the next 20 years we will see computers diagnosing patients, medical breakthroughs occurring through the use of analytics as opposed to traditional medical research, and doctors just basically being delegated to QA on patient care. The point is that all of this will be patient-centric where IT begins to see the patient as the client.

In 80 some years of cardiac medicine, about the single most effective treatment that all doctors agree on is Aspirin. Healthcare breakthroughs move slowly if you haven't noticed. Now with analytics, doctors, researchers and analysts will be able to interpret correlations in a way never allowed before.

Well technology always outpaces ethics so I'm in favor of anything that reasonably slows down advancement in order to make sure all the pitfalls are accounted for.

In your example, IBM Watson would fall in the realm of medical research and doesn't necessarily have real-time patient data. My understanding was that they would get some sort of aggregate data in their research. One of the largest hospitals that I'm familiar with has a live telemetry department which gather realtime patient stats (including EKG) into a single "war room" environment to keep patient monitoring costs low. They carry the data on a network physically separated from the rest of the hospital infrastructure.

In addition, I place this upcoming equipment in the realm of medical diagnostic equipment that happens to be a computer. It may help the doctor with his practice but it wouldn't necessarily replace him/her outright.

I would also assume that medical diagnostic equipment would be handled differently from the basic tools of the trade that are data entry points found at nurses stations, patient bedside (e-quip is catching on down here), doctor's iPad, and admissions that are handled by IT today. Regardless, IT will still be working on behalf of the staff of the hospital not the patients directly.

You make it seem as if the non-profit centers see this charity care as a bad thing. To the contrary, they are allowed to write off this "free" care that they are required to give mind you, as charity towards the requirements for them to maintain non-profit tax status. I promise you the cost of free care is a pittance compared to the corporate taxes they otherwise must pay as well as state and local property taxes and the like.

You're talking about tax benefits now. Earlier you were talking about "easy money" which is revenue. You can't pay your expenses with "write offs", instead you lower your tax burden. You still need to make enough revenue to remain solvent.

This for profit, non-profit line is increasingly blurry though as I see the large non-profit health systems continue to act in ways that are increasingly similar to for profit companies. The chair-persons at such health systems often encourage for-profit ventures to be incubated in the healthsystem and with the support of it so that they have vehicles to move profits into investments towards these for profit institutions. Guess who the board of directors tend to be at these for profit institutions that operate under the non-profit umbrella? Profits find their way into the chair-persons hands in a very indirect way. You may not realize who is really calling the shots and who actually owns these for profit institutions but I do and you would be surprised.

I've seen this. However the money still isn't "easy". You insinuated an endless supply of easy money earlier, now you may be unintentionally changing the topic to what to do with the money after it is gotten. I hate to be a stickler on this but I'm trying (not always succeeding) to get in the habit of staying on topic which is admittedly hard to do on slashdot.

I will grant you that medical software businesses have less of this good ol' boys club that I speak about but it certainly is a real thing in all three health systems in the north east that I have worked for directly or indirectly. Perhaps it is a regional thing?

It may be a size thing. Fiefdoms aren't unique to medical centers and if they are like most industries the larger the institution the more departmentalized the fief. By that I mean that the smaller centers have institutional wide fiefs and as the institution gets larger the fiefs breakup and become more localized into departments. I noticed that nepotism is frowned upon in larger institutions where smaller ones due to being rural may have little choice.

Re:Healthcare IT in the US (1)

Rich0 (548339) | about 6 months ago | (#46968057)

The doctors are IT's customers not the patient. The patients are the doctor's customers not yours. It's the doctor's job to care for the patients. It's IT's job to make sure the computers don't get in the doctor's way while remaining secure and HIPAA compliant. I can see why the doctors would disrespect an IT department that doesn't cater to the customer's (as in doctors) needs.

Are you a doctor? IT isn't paid by the doctors - they're paid by the HOSPITAL. Doctors and IT workers are just two classes of people working at the hospital to take care of the HOSPITAL's customers - the patients. There is a legal fiction designed to shield hospitals from liability/etc which also makes the patients the doctor's customers as well, but if you subscribe to that fiction then the doctors aren't even legally associated with the IT department at all.

I work in an IT department for a for-profit corporation and while I certainly have internal clients, ultimately we all work for the corporation and are supposed to look after its interests. Usually making my clients happy is the best thing for the company, but when their personal interests do not coincide with what is best for the company, then it is time to escalate issues and let the executives earn their pay. When a client wants me to spend $1M to save $20k/yr of their organization's time, then it is time to tell them to just live with the processes they have today. (And yes, I realize that there are reasons to do IT work besides productivity.)

Re:Healthcare IT in the US (2)

Trax (93121) | about 6 months ago | (#46967815)

As an emergency physician and former IT engineer with Unix system administration background, I'll say that most of the important software and hardware choices are made by the IT department and C-level executives without any input by physicians what-so-ever. I'll reply to your points line by line:

> 1) Over emphasis on the needs of the physicians over the needs of the patients and the other areas of the healthsystems. Many important IT choices are made by doctors and not the professionals who were hired to be experts in these areas. That and the physicians are notorious for having almost no respect for other professionals who are not a doctor.

The healthsystem SHOULD EMPHASIZE the need of the PHYSICIAN over that of the patient when we are the ones using the EMR, PACS (picture archiving and communication system), network drive, intranet, and other features day in and day out. The needs of the patient come into play when interfacing with these systems to retrieve their laboratory and imaging results, physician communication, and others when at home or elsewhere. If the IT department doesn't like this, then too bad as the users' needs outweigh yours -- remember that this is coming from a practicing clinician.

Just keep trotting out the old-line about how physicians have no respect for any other professionals as there's no basis for it in the real world. If you look around at the landscape of healthcare in the US, you'll see that it's the physicians that are dis-respected every day at the hands of the administration, fellow professionals, and patients.

http://www.thedailybeast.com/a... [thedailybeast.com]

> 2) Easy money. Money comes easy to these organizations. This plus...

Money does not come easy to any of these organizations unless you are a huge health system such as Mount Sinai in NYC or Mayo Clinic or any of the other health systems around the country. If you're that big, you can tell the insurance companies how much they will need to pay up. However, the majority of hospitals are 1-2 hospitals and have a very limited budget for many things including EMRs, IT staff and departments, and ultimately hardware and software. It's not like they have money to burn...

> 3) Non-profit tax status and requirements to spend or invest profits earned. This creates an environment of plentiful budgets where waste runs rampant, and concern over things such as nepotism and incompetence aren't as important as they would be in other companies

IT departments in hospitals are rampant with nepotism, incompetence, and wastefulness. The heads of the security, network, and support divisions have no clue when it comes to supporting clinicians including physicians, nurses, LPNs, or any other staff that requires using the computer for any health related work.

Re:Healthcare IT in the US (1)

maple_shaft (1046302) | about 6 months ago | (#46968015)

Thank you for giving your input as a physician. It is nice to hear from your perspective. I admit that I was unfairly categorizing all physicians into this category of being disrespectful to other professions. It is a real thing though but admittedly small in the grander scheme of the problems at play here.

IT departments in hospitals are rampant with nepotism, incompetence, and wastefulness. The heads of the security, network, and support divisions have no clue when it comes to supporting clinicians including physicians, nurses, LPNs, or any other staff that requires using the computer for any health related work.

I see this in health systems big and small. You recognize the problem too, but you didn't really address my theory as to why this is, easy money and low accountability. Why in your opinion do you believe this is? I am very curious about your perspective.

Cause = Arrogance of doctors (1)

fygment (444210) | about 6 months ago | (#46966263)

There is no cure.

Re:Cause = Arrogance of doctors (1)

StripedCow (776465) | about 6 months ago | (#46966445)

The cure is to teach some math or CS classes in medical school.
Not really to teach them math or CS, but to teach them not to be arrogant.

Re:Cause = Arrogance of doctors (1)

HornWumpus (783565) | about 6 months ago | (#46967243)

That's supposed to be why they take physics and chemistry in pre-med. That and keeping the memorizers out of medical school.

My dad taught a chemistry class for medical students track. Those professors were very conscious of their duty to keep morons from becoming doctors. A C did that. Some of these dweebs couldn't plug and chug formulas or balance a redox equation. Yet they had all already gotten As in high school chemistry. Great memorizers, hard workers, some just couldn't think. All _needed_ an A. They all just wanted to get on to organic, where they could memorize naming rules.

Make them take P-chem.

Amateurs that do not know their limits (1)

gweihir (88907) | about 6 months ago | (#46966353)

Would a surgeon let an amateur operate on a patient? No. Do they think they are as good as competent CS experts? Yes. Pathetic.

Re:Amateurs that do not know their limits (2)

sconeu (64226) | about 6 months ago | (#46967183)

"Hey, doc! I've done some first aid before. Mind if I treat your patient?"
"Hell no!"
"Why not?"
"Because I spent years obtaining an advanced degree, and have spent years since practicing and keeping my skills up to date."
"Well, then, doc, for the exact same reason, KEEP YOUR HANDS OFF OF MY NETWORK".

He was just "practicing" (1)

AcerbusNoir (1257586) | about 6 months ago | (#46966375)

The perfect example of a practicing doctor.

Which is worse? (1)

jettoblack (683831) | about 6 months ago | (#46966429)

One branch of government profits from hospitals unintentionally misusing your private information, then another branch of government takes those profits to fund the intentional and illegal misuse of your private information.

Exploited Laptop (0)

Anonymous Coward | about 6 months ago | (#46966447)

In Ludlum's Bourne universe, I would conclude that the laptop has been viraled out. Fly those doctors to Malaysia!

An Assumption of Competence (2)

Rambo Tribble (1273454) | about 6 months ago | (#46966469)

In their education, professionals, whether physicians or IT admins, are often inculcated with a professional swagger to the effect that they assume superiority in any situation. It is wise not to trust the judgement of those who exhibit this characteristic. They are commonly blind to their own failings and dismissive to others' concerns. Sadly, many are most impressed by this phenomenon, which they misapprehend as, "confidence".

Re:An Assumption of Competence (0)

Anonymous Coward | about 6 months ago | (#46968317)

I agree with the above, especially 'many are most impressed by this phenomenon, which they misapprehend as, "confidence"'

B-E-T-A IS BACK (0)

Anonymous Coward | about 6 months ago | (#46966517)

I surf only "anonymously" on slashdot(no account/login). Every time I load /. I use the following url:

http://slashdot.org/?nobeta=1 [slashdot.org]

It 'generally remembers my preference' but more and more as I click the article/comment page I am redirected to beta version.

I can then manually change the url to remove the beta. in the url but that becomes a drag.

Did any of the boasters about alternative/new /. sites ever get off the ground?

This is the result of IT Janitor/Plumber talk (0)

Anonymous Coward | about 6 months ago | (#46967179)

When Joe Office Worker gets it in his head that IT are not professional white collar workers who are their coworkers and not their lackeys, this is the result. "I own a computer at home, I can do this better than some dumb IT Janitor/Plumber" And people wonder why IT thinks they're idiots.

And we wonder (0)

Anonymous Coward | about 6 months ago | (#46967339)

And we wonder why doctor costs keep going up. Stuff like this comes back and costs patients money. Insurance pays for it, hospitals pay to be insured, patients pay to visit doctor.
