Saturday, February 11, 2006

The Elephant in the Clinical Computing Living Room

The presence of clinical computing (EMR, CPOE, etc.) in hospitals has the potential to significantly increase the quality of care. This assumes that the IT is designed and implemented properly, not just technically but from the perspective of the complex world that medicine has become.

When healthcare IT is implemented improperly, however, the technology gets an undeserved bad reputation, as opposed to the information technology management responsible for the defects, who seem to get a pass. "IT malpractice" is a term not yet in the lexicon of healthcare, but perhaps it should be. For when patients (and politicians) read stories like the Seattle Times story below, support for clinical IT is injured. This is a shame.

The good news in this healthcare computing near-disaster story: manual systems were in place so that when the computers died, patients lived.

The bad news in this story is the obvious but unmentioned "elephant in the living room": the IT errors that allowed a 20-year-old Walmart employee to hack a hospital, including its ICU systems, and the question of how and why such fundamental errors occurred.

Just how were hospital computers, including those in an ICU, exposed to the hacking of a 20-year-old outsider who worked at Walmart? What type of network architecture was in place? Who designed the hospital computing infrastructure? Who approved it? Why were ICU computers as well as administrative (e.g., pager) computers affected? What were the safeguards? Who was monitoring the IT at this hospital? Were 'cost-saving' measures in effect that facilitated this intrusion?

The young hacker and his juvenile accomplices should not be the only people held accountable. Perhaps the hospital Chief Information Officer and his or her senior management should also be held accountable. If a patient had suffered harm or died as a result of this situation, I would not have hesitated to be a plaintiff's witness regarding negligence. IT leaders in hospitals, who most often have no clinical background whatsoever, seem relatively immune from accountability, and this portends badly for events to come as the Electronic Medical Record becomes more widespread.

3 accused of inducing ill effects on computers at local hospital

By Maureen O'Hagan

Seattle Times staff reporter

One day last year, things started going haywire at Northwest Hospital and Medical Center.

Key cards would no longer open the operating-room doors; computers in the intensive-care unit shut down; doctors' pagers wouldn't work.

This might have been just another computer-virus attack, a common and malicious scheme that sometimes is done for little more than bragging rights. But federal officials say it was something far more insidious.

It turns out the Seattle hospital's computers — along with up to 50,000 others across the country — had been turned into an army of robots controlled by 20-year-old Christopher Maxwell of Vacaville, Calif., according to a federal indictment issued Thursday. And Maxwell, along with two juveniles, earned about $100,000 in the process, court documents state.

The trio had created a "botnet," a phenomenon that is on the cutting edge of computer crime, federal officials say.

"Their goal was as old as fraud itself," Assistant U.S. Attorney Kathryn Warma said Friday during a news conference. "To line their own pockets."

... Maxwell simply created a program instructing his infected computers, or "bots," to download the adware. The bots then "phoned home" to the adware company, which credits the hacker's account, unaware that he hasn't gotten the computer owner's permission.

Since 2004, Maxwell earned more on botnets than he did at his Wal-Mart job, according to court papers.

[Not mentioned is how hospital and ICU computers came to be infected in the first place -- SS.]

Difficult to solve

"We're seeing the migration of traditional fraud to the cyber area," said Frank M. Harrill, an FBI expert in computer crime.

It's just as difficult to solve. By the time the computer owner figures out what's going on, the bot-herder has covered his tracks. In fact, some companies are reluctant to even report the attack to authorities because it can prove embarrassing to their business, government officials said.

[In clinical IT, prevention is the best medicine - and perhaps the ONLY medicine -- SS.]

But the Northwest Hospital case played out differently in January 2005. Hospital officials called the FBI immediately, and an agent went to the scene while the attack was in progress. Meanwhile, the hospital used some old-fashioned backup systems. When electronic file transfers didn't work, nurses ran the files up and down hallways. When key cards wouldn't work, they stood guard and inspected ID badges themselves.

No patients were harmed, but First Assistant U.S. Attorney Mark Bartlett said this kind of attack could easily endanger lives.

In all, about 150 of the hospital's 1,100 computers were infected over the course of three days.

150 hospital computers violated by a 20-year-old and several juveniles? That is inexcusable. Blame Microsoft all you want, but the primary responsibility rests with the hospital MIS (management information systems) leadership.

I have observed less than ideal attitudes towards clinical IT firsthand. The hospital where I was Director of Clinical Informatics in the late 1990s, Christiana Care Health System in Delaware, hung Compaq desktop PCs from the ceilings of small ICU rooms against my advice, along with uncovered keyboards and mice, potentially exposing sick patients to dust from inside the machines contaminated with airborne pathogens, which was then circulated by the power supply fans or by clinicians' hands or gloves after data entry.

The IT leader and project team then made a "political issue" out of it, in effect bullying me into silence, when I questioned these decisions and warned of this potential problem. Alternate form factor computers and input devices designed for harsh environments were ignored because "they cost too much" and "were not supported by I.S." I left the organization due to this information technology solipsism and fanaticism, which also included cavalier attitudes towards the Chair of Medicine and towards Invasive Cardiology.

-- SS

1 comment:

Anonymous said...

Someone screwed up and didn't apply patch management or basic security measures on critical workstations. The staff analysts didn't do their job and I'd be embarrassed if this happened to my organization. But working in healthcare IT, I know there's a real reluctance to engage authorities because of a fear of a black eye, which is complete crap.