heh, a topic near and dear to my (current) industry.
In my experience (with several hospitals nationwide) despite the existence of a thorough change-control process management, "security" teams, many levels of red tape and apparently abundant technical talent (you should see some of the titles) security doesn't even seem to factor into the decision-making process. Watching the amount and types of data that are transmitted via insecure methods (think CIFS...), the wide open networks, flat topologies, lack of proper firewall configuration, outdated unpatched equipment I for one am totally stunned that the theft of medical data isn't a common everyday occurrence. When talk of integration between man and machine comes around I cringe. When people talk about the benefits of using electronic medical records I cringe.
Don't even get me started on physical security, I've wandered the bowels of facilities without a badge on and security guards would walk right by me and not even bat an eye. It would not be a difficult task to walk right into the center of a hospital with all your gear, or even worse...
Interesting. This is an important issue to me since my company produces several products used by hospitals and we're looking into solutions for solving problems caused by HIPAA. Just a few weeks ago, I heard the "other side of the story" from a doctor turned patient. He is dying of cancer and he explained how people like him no longer care about their privacy, they care about living. He explained how the lack of electronic records and the bureaucracy involved in transferring his own medical records from one specialist to another might have literally killed him, he just isn't done dying yet. For the average patient, it takes months, frequently critical months, just to have a single electron body scan viewed by a specialist because of the lack of electronic records.
If you have more information on this topic, I would be very interested in reading more.
Alberta (Canada) is making a massive push to electronic records and I happen to be involved in some of the post-implementation stuff. While a very small role, it's given me some insight as to EMR systems.
I can say for certain that EMRs are the way to go *if* deployed correctly.
In many cases a hospital or clinic will have an EMR but it's either some in-house solution or a commercial product bashed into shape to use in their situation. Alberta is dumping a bunch of money to have a standardized record system where transfer is easy(ier) and things like imaging can be passed along quickly and easily.
It's purely my opinion but having seen it from the inside and the outside, it's definitely the way to go.
However, as with any IT project of this scale, there's a lot that can go wrong and Alberta decided to be the guinea pig. There will be issues, but I think overall, the benefits outweigh the potential pains *if* done right.
If anyone wants to discuss EMRs, talk to me offline.
Now, when it comes to medical devices and security, there's a terrifying topic. I've heard a lot of anecdotal stories from people who find some very scary vulnerabilities but either can't or won't report them and even if they do, they are ignored. Unfortunately it's not like your average basement researcher who might have one of these devices is going to hack it too much considering it is keeping them alive, or spend hundreds or thousands on another one just to take a whack at it.
Medical device security is something I think is untapped territory for the future of security vulnerability research.
You can expect to hear from me! Maybe in 3 weeks?
In America the technological problems are compounded by laws that were passed to protect the privacy of the patient, which currently prevent the use of EMR. Unfortunately, these privacy laws are also killing the patients who have time sensitive life threatening medical issues. With great frustration, this doctor explained how a single file, the only file he needed to get the medical help he needed, an electron body scan that he could have personally carried on a thumb drive from one doctor to the specialist he needed was impossible because of the bureaucracy set in place to protect his own privacy. We would like to solve this problem so that people like him don't need to die stupid deaths.
Which is the greater evil? Thousands (10k, 100k, 100m) of people denied their privacy, or some (presumably lesser) number of deaths due to privacy laws being obstructive?
Thorn "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird
Interesting. This is an important issue to me since my company produces several products used by hospitals and we're looking into solutions for solving problems caused by HIPAA. Just a few weeks ago, I heard the "other side of the story" from a doctor turned patient. He is dying of cancer and he explained how people like him no longer care about their privacy, they care about living. He explained how the lack of electronic records and the bureaucracy involved in transferring his own medical records from one specialist to another might have literally killed him, he just isn't done dying yet. For the average patient, it takes months, frequently critical months, just to have a single electron body scan viewed by a specialist because of the lack of electronic records.
If you have more information on this topic, I would be very interested in reading more.
Oh, I can fully understand and appreciate the fact that the system as it is, is nothing short of utter crap. I'm just fearful of the "HOW" EMR will be implemented, not the "WHY".
BTW, my experience is purely anecdotal, only based off the sampling of hospitals I've interacted with.
Find me at con and you're buying the first round. It's a topic I'd like to explore more at/for Defcon in the future because it's definitely the way of the future and could make for a good talk(s).
As far as policy, I'm no expert in it. I tried at one point to get into some of it and found I have no head for it. I now try to stay as far away as possible from policy.
I will however ask around about the data sharing privacy policies just to clarify for those interested.
EDIT: Emailed our privacy guru about such a scenario and how it plays up here
I would like to join the both of you. I have some questions and some potential solutions. One of my clients is involved in healthcare.
Got an email back about the issue of imaging and it showed me how little I know about the 'grand scheme'. Like I said, I'm involved in a very small piece of it.
Currently the EMR system in Alberta is split into two things. There is the Electronic Medical Record (EMR). This is what is created and maintained by your family doc. This has all the records about all your sniffles and scrapes that you go into the doctor's office for.
The Electronic Health Record (EHR) is a central repository run by the health authority (Note: it's a government agency but is not 'the government', they are very much arm's length. Kinda hard to explain in a simple post). This record is where imaging reports (currently) and images (being implemented) as well as anything major (physicians can add anything that they deem necessary but it's not a record in the same detail as the EMR) get uploaded to and are accessed from a central portal. Physicians apply for access to this portal (initial overall access) and are vetted for security, privacy requirements, etc. From there they can access records with a crap ton of auditing and access controls. If someone is rooting around where they aren't supposed to be there's massive fines and other punishments.
Don't quote me on all of this as the paperwork is several feet thick and I have neither the interest nor the narcotics to deal with understanding it.
I think a lot of the reason it's working as well as it is stems from the universal healthcare up here but that's as close to political as I'm gonna get in this thread.
Which is the greater evil? Thousands (10k, 100k, 100m) of people denied their privacy, or some (presumably lesser) number of deaths due to privacy laws being obstructive?
This isn't an either/or situation. We need both privacy and timely medical care. We can achieve both.
It's not reasonable to sacrifice everyone who needs the help of a medical specialist in the next 60 days in order to live, to protect the privacy of everyone not currently dying. If you can't get life saving medical care when you're dying, what's the use of medical records or hospitals at all?
The idea behind HIPAA is an important one, but badly executed, a perfect example of unfortunate unintended consequences. I believe that we can solve both the problem of protecting patient privacy and getting dying patients life-saving medical care.
You're vastly underestimating the number of people affected. The example provided by the doctor with cancer illustrates the problems patients have any time they need to see a specialist outside of their own hospital. Considering the fact that the top three leading causes of death in the US are heart disease, cancer, and stroke, won't a colossal number of people end up in the sacrificial group eventually?
Oh, I can fully understand and appreciate the fact that the system as it is, is nothing short of utter crap. I'm just fearful of the "HOW" EMR will be implemented, not the "WHY".
Oh, I completely agree! It's a complicated problem.
Find me at con and you're buying the first round. It's a topic I'd like to explore more at/for Defcon in the future because it's definitely the way of the future and could make for a good talk(s).
I would like to join the both of you. I have some questions and some potential solutions. One of my clients is involved in healthcare.
I haven't even decided whether it's feasible for me to attend this year yet! Before Friday I had no intentions of going at all and there are quite a few obligations over the next few weeks that are problematic, but I really really want to attend. There is a looming project deadline with a big customer and other important stuff, including a few people who are traveling quite a long distance to see the device I mentioned in the "Impromptu Contest" thread. Give me two days to decide if I can attend, and if I can, then the first round is definitely on me. If I'm not attending this year, please continue without me, this is important to everyone. I'm very happy to see that there is interest in it.
I think a lot of the reason it's working as well as it is stems from the universal healthcare up here but that's as close to political as I'm gonna get in this thread.
We've had similar discussions when talking about solutions. Don't worry, I don't want to discuss policy, the only tech concerns regarding policy are whether solutions can feasibly abide by current regulations so that we can avoid attempting to change policy.
I think the contributions made by people at Defcon would be better kept in the realm of identifying security issues.
I will however ask around about the data sharing privacy policies just to clarify for those interested.
This is nothing new, however with more advancements taking place I do see this as becoming a more common topic.
Seeing as how I've made it through the last two Defcons without any issues, I'm looking forward to this year seeing as how I have even more wireless gadgets attached than before.
Render, I'll try to catch up with you this year.
"It is difficult not to wonder whether that combination of elements which produces a machine for labor does not create also a soul of sorts, a dull resentful metallic will, which can rebel at times". Pearl S. Buck
This isn't an either/or situation. We need both privacy and timely medical care. We can achieve both.
As an ideal, sure, but I seriously doubt both can be achieved practically. Disclosure: I worked in the emergency medical field 30+ years ago, and my wife works in health care now. Based on my past knowledge of how medical records are managed and the current information I hear from her, I doubt it can be fully achieved as a practical matter.
It's not reasonable to sacrifice everyone who needs the help of a medical specialist in the next 60 days in order to live, to protect the privacy of everyone not currently dying. If you can't get life saving medical care when you're dying, what's the use of medical records or hospitals at all?
No, it may not be reasonable, but we have yet to discuss what is "reasonable." Some limits will always be applied. For example, if I'm traveling outside my home area, especially in a foreign country, I don't expect -nor think it would be reasonable- for an ED to have my records available, even with EMR. If nothing else, record format incompatibilities and human languages may be reasonable barriers to the ideal.
The idea behind HIPAA is an important one, but badly executed, a perfect example of unfortunate unintended consequences. I believe that we can solve both the problem of protecting patient privacy and getting dying patients life-saving medical care.
Again, I'm not sure that both can be applied practically while completely balancing the interests of both sides.
You're vastly underestimating the number of people affected.
Well, that's an assumption on your part. Based on my experience and current information, I may have a much better idea of the numbers than you think I do.
The example provided by the doctor with cancer illustrates the problems patients have any time they need to see a specialist outside of their own hospital. Considering the fact that the top three leading causes of death in the US are heart disease, cancer, and stroke, won't a colossal number of people end up in the sacrificial group eventually?
Perhaps, and don't get me wrong, I recognize that it IS a problem. However, like a lot of problems where well meaning but competing interests hang in balance, the devil is in the details. I don't claim to have the answers, but I am not convinced that both interests can be fully met in a practical system.
Thorn "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird
Thorn: I see dying people who don't need to die. I believe in privacy. You seem to think I'm somehow on the wrong side of things. Rather than bicker debate over petty semantic points, I'd rather know, what exactly is your point? Are you against EMR and changing how HIPAA is implemented?