
Monday, October 10, 2016

Ransomware and incompetence in backups leads to medical data loss...but the thieves were honest thieves!

"An honest thief!" said Caledon Hockley of Jack Dawson, after planting the Heart of the Ocean diamond necklace in Jack's pocket.  https://www.youtube.com/watch?v=G5UEwCHUHjg



The headline of this posting may sound absolutely insane, but it is factual.

But don't worry, your precious medical data is far safer than it ever was on that 5,000-year-old invention, papyrus.

Marin patients’ medical data lost after cyber attack
By Richard Halstead, Marin Independent Journal   
September 30, 2016
http://www.mercurynews.com/2016/09/30/marin-patients-medical-data-lost-after-cyber-attack/

The Marin Healthcare District and Prima Medical Foundation are notifying more than 5,000 patients that some of their medical data was lost due to a glitch that followed a ransomware attack in August.

There's that all-purpose euphemism again, "glitch", which in this case is a euphemism for negligence.  See blog query link  http://hcrenewal.blogspot.com/search/label/glitch for more on "glitches."

Prima Medical Foundation supports the Prima Medical Group, many of whose doctors work closely with Marin General Hospital.

I covered the wondrous EHR at Marin General Hospital at my May 17, 2013 post "Marin General Hospital nurses warn that new computer system is causing errors, call for time out" at http://hcrenewal.blogspot.com/2013/05/marin-general-hospital-nurses-warn-that.html, and my May 20, 2013 post "Marin General Hospital's Nurses are Afraid a Defective EMR Implementation Will Harm or Kill Patients .. CEO Cites Defective HHS Paper and Red Herrings As Excuse Why He Knowingly Allows This To Continue" at http://hcrenewal.blogspot.com/2013/05/marin-general-hospitals-nurses-are.html.

The computer records of Marin Medical Practice Concepts, a Novato company that provides medical billing and electronic medical records services to many Marin physicians, were hacked on July 26. As a result, some Marin doctors were unable to access their patients’ medical records for more than a week.

More than a week with no records is, needless to say, putting patients at great risk.

Responding to questions from the Independent Journal on Aug. 4, Lynn Mitchell, CEO of Marin Medical Practice Concepts, confirmed the malware attack. In her email, Mitchell wrote, “Ransom was paid. For security reasons we will not be releasing the amount or denomination paid.”

That really inspires confidence.

Typically in such ransomware attacks, a sophisticated computer virus finds its way into a victim’s system when an unsuspecting employee opens an email attachment. The virus encrypts the system’s data and attackers essentially hold the data hostage until the owners of the information pay a ransom, typically in an untraceable digital currency such as Bitcoin.

A virus "finds its way" into a victim's system?

Let me rephrase into the politically incorrect, but factually correct, "due to incompetence in computer security, evil people are able to infiltrate the virus into a life-critical EHR system."

The Marin Healthcare District and Prima Medical Foundation issued nearly identical press releases on Wednesday, stating, “The third-party forensic firm hired to investigate this incident found no evidence that patient personal, financial, or health information was accessed, viewed, or transferred.

I guess they never considered that such evidence could have been removed by the hackers, who obviously had just a bit more IT expertise than the average high schooler.

But, of course, the thieves were honest thieves who would NEVER steal valuable medical charts for profit on the black market...

Here's what I consider the very worst part of this incident:

“However, during the restoration process, one of MMPC’s backup systems failed, causing information to be lost that was collected at the district’s nine medical care centers between July 11, 2016 and July 26, 2016.”

I note that a "backup system failing" causing data loss is a "never" event.  Incompetence...

The release went on to say: “This information includes vital signs, limited clinical history, documentation of physical examinations, and any record of the communication between patients and their physician during a visit in that 15 day period. Results of diagnostic tests were not lost and patients do not need to be re-tested.”

But patient safety was not compromised...

Jamie Maites, a spokeswoman for Marin General Hospital, said, “The ransom unlocked the data; however, at the time of the incident, we were in the middle of a system upgrade. The data loss occurred at the time of the system restore due to a faulty backup system — not due to the malware.”

Well, that's certainly reassuring.

Maites said Marin General’s systems were unaffected by either the ransomware or the failed backup systems. The patients being notified are patients of physician practices that are part of the Marin Healthcare District Medical Care Centers and Prima Medical Foundation.

The hackers were generous in sparing the hospital.

In a statement, Lee Domanico, chief executive of the Marin Healthcare District, said, “Our community can rest assured that the Marin Healthcare District will continue to work side by side with our vendors to ensure that all of our data is protected with today’s most advanced technology to reinforce their security systems against the most aggressive threats.”

Lee Domanico is the same CEO whom I cited in my aforementioned posts who in 2013, after dire nurse warnings, brilliantly assured the board that the hospital was safe, despite "glitches" in the new system and that "I'm confident that in spite of the implementation issues, we have a system today that is safer for patients than our old paper system, and it will get even safer as we gain experience with it and work to fix some of the glitches we've experienced."

In a similar statement, Dr. Robert Newbury, chief executive of the Prima Medical Foundation, said, “It is unfortunate that these types of cyber-attacks have become so common.”

I would more precisely state that it is unfortunate that health IT leaders are so incompetent that they cannot secure their own life-critical systems.

... According to a report issued by the Attorney General’s Office in February, in the past four years the attorney general has received reports on 657 data breaches affecting a total of more than 49 million records of Californians.  The report said that malware and hacking present the greatest threat, accounting for 54 percent of the breaches. The report added that health care, which accounted for 16 percent of breaches, is starting to see an increase in hacking breaches as the sector transitions to electronic medical records. And it said that the “most vulnerable information in health care was medical information, such as patient records, and Social Security numbers.”

I really have to ask if the (increasingly elusive) benefits of EHRs warrant this level of security risk - let alone the known risks of bad health IT aside from security issues.

-- SS

Thursday, May 30, 2013

Marin General Hospital's Nurses are Afraid a Defective EMR Implementation Will Harm or Kill Patients .. CEO Cites Defective HHS Paper and Red Herrings As Excuse Why He Knowingly Allows This To Continue

- Posted at the Healthcare Renewal Blog on May 30, 2013 -

The following appeared in the Marin County Independent Journal about an EHR system so bad the nurses at Marin General Hospital were publicly complaining, putting their careers at risk (see my May 17, 2013 post "Marin General Hospital nurses warn that new computer system is causing errors, call for time out"):

National critic of health care information technology says Marin General should heed nurses' advice

The critic is me.   I spoke to the reporter but did not know he would publish:

A nationally known critic of electronic health records has harshly criticized managers at Marin General Hospital for their response to a plea by nurses to hold off on a new computer system to prevent potentially dangerous errors.

"The executives at the hospital should be taking out extra insurance policies because they're setting themselves up for a massive corporate negligence lawsuit," said Dr. Scot Silverstein, an adjunct professor of health care informatics at Drexel University in Philadelphia.

Silverstein, who contacted the Independent Journal after reading about the Marin General situation, doesn't dispute the potential of digital records; but he believes implementation has been rushed. He thinks electronic health records should be regulated by the federal Food and Drug Administration, much like medical hardware or pharmaceuticals.

Or regulated by someone with experience in similar mission critical software, and with regulatory teeth.  Paper tigers and bad health IT are a very poor mix where patients' rights are concerned IMO.


At issue is a new computerized physician order entry system, known as CPOE; doctors place medication orders for patients directly into the system.

At a meeting of the Marin Healthcare District board on May 14, a group of Marin General nurses told the board problems with the new computer system were diverting them from their patients and causing errors, such as sending orders to the wrong patients. One nurse reported that a patient had received a medication to which he was allergic.

That is a very direct calling out of the potential for harm and death by front line clinical personnel.  To ignore it is grossly if not criminally negligent.


Lee Domanico, who serves as the CEO of both Marin General and the Marin Healthcare District, assured the board that the hospital was safe, despite "glitches" in the new system. Domanico said he was working to fix the problem.

Glitches = safe?  The Board must be highly gullible if they believe this.  See http://hcrenewal.blogspot.com/search/label/glitch for more on "safe" glitches.

Silverstein said, "Glitches are a euphemism for life-threatening electronic health record malfunctions and defects."


"What they need to do is exactly what the nurses are asking for," Silverstein said. "They need to turn the system off and put it through rigorous testing and confirm the thing is going to work properly with no glitches before they use it on patients."

That's not rocket science - it's common sense - unless they think their own nurses are lying.

Of course, as computers have more rights than patients, and bonuses might be affected, the system will likely continue in full operation, with patients as guinea pigs, and the nurses punished for informing the public that perhaps they should consider other hospitals while the "glitches" in this enterprise clinician command-and-control system are worked out.


Two days after the Marin Healthcare District meeting, Domanico issued a press release stating, "We have not received any medication error incident reports resulting from the implementation of computerized physician order entry."

On Friday, however, Barbara Ryan, a Marin General registered nurse who serves as the California Nurses Association/National Nurses United representative, said, "I can't understand why that statement was made."

Ryan said nurses have told her of errors, and information about errors appears in "Assignment Despite Objection" forms that nurses have filed since implementation of the computerized order system began on May 7. Nurses file the forms to document formal objections to an unsafe, or potentially unsafe, patient care assignment.

The statement's reason and purpose seem fairly obvious.

Ryan said Marin General nurses have filed close to 50 such forms so far this month; she said typically 10 to 20 such forms are filed per month at the hospital.

"There are still problems with the system," she said. "There are still mistakes being made." Ryan said the hospital needs to boost nurse staffing ratios during the implementation.

That would increase costs (and probably decrease the pool of money for bonuses).

Jon Friedenberg, Marin General's chief fund and business development officer, said the hospital is in the process of upgrading computer servers and adding memory to work stations to increase the speed of the new computerized order system.

"We completed an upgrade of memory to 200 of the work stations, and 120 of the work stations have been replaced," Friedenberg said.

This reminds me of a similar IT fiasco I faced some years ago, when the brilliance of IT personnel really shone through regarding an ICU monitoring system that crashed regularly.  Their solution?  Add more RAM.  (See "Serious clinical computing problems in the worst of places: an ICU" at http://www.ischool.drexel.edu/faculty/ssilverstein/cases/?loc=cases&sloc=clinical%20computing%20problems%20in%20ICU).

... Silverstein earned a medical degree from Boston University and subsequently completed a two-year fellowship in medical informatics at Yale University School of Medicine. He served as Merck Research Laboratories' director of scientific information in the early 2000s before serving for a time as a full-time professor at Drexel University. Today, in addition to teaching part-time, Silverstein works on [EHR-related - ed.] medical liability cases for plaintiff attorneys. [And the defense too, when asked; I'd rather advise on how to prevent mistakes, in fact, than get involved after the fact when someone's been injured or killed - ed.]


What was not mentioned was that I was a CMIO in a major hospital in the mid to late 1990s.

But of course, I - and similarly trained Medical Informatics experts - "don't have enough experience" to lead (as opposed to being an 'internal consultant') health IT projects, a refrain I've often heard from hospital executives.


Silverstein said he started assisting on the liability cases after his mother died as the result of an electronic health care record error that resulted in her not being given the proper heart medicine. Silverstein said his mother's case was not an anomaly.

For example, he pointed to the results of a recent Emergency Care Research Institute study of 36 hospitals conducted over a nine-week period. Asked to report electronic record problems on a volunteer basis, Silverstein said the hospitals reported 170 malfunctions, including eight incidents that resulted in patient harm, three of which may have contributed to patients' deaths.  Although the federal Food and Drug Administration does not regulate health care information technology, some manufacturers have voluntarily supplied data to the FDA. In February 2010, the FDA reported it had been notified of 260 problem events involving health care information technology in the previous two years that were linked with 44 injuries and six deaths.

See my Feb. 28, 2013 post "Peering Underneath the Iceberg's Water Level: AMNews on the New ECRI Deep Dive Study of Health IT Events" at http://hcrenewal.blogspot.com/2013/02/peering-underneath-icebergs-water-level.html.  Also see my Aug. 5, 2010 post "Internal FDA memorandum of Feb. 23, 2010 to Jeffrey Shuren on HIT risks. Smoking gun? I report, you decide" at http://hcrenewal.blogspot.com/2010/08/smoking-gun-internal-fda-memorandum-of.html. I merely report what ECRI, AMA and FDA have reported.

Finally:

In his press release, however, [CEO] Domanico stated that "more than 150 studies conducted since 2007 have confirmed that organizations using health information technology, like CPOE, have seen positive outcomes."

I believe he's referring to a highly biased and scientifically defective ONC paper of 154 selected studies: "The Benefits Of Health Information Technology: A Review Of The Recent Literature Shows Predominantly Positive Results."

What an unbelievably cavalier attitude.

My colleagues and I refuted (dare I say trashed) that paper pretty thoroughly here:
http://hcrenewal.blogspot.com/2011/03/benefits-of-health-information.html.

Even worse, the mention of that paper, or EHR benefits in general, is a diversion, an in-your-face red herring (at best; an inability to reason logically at worst), steering away from the real issue:  an EHR implementation about which nurses are complaining ... in the now.

http://www.nizkor.org/features/fallacies/red-herring.html:  A Red Herring is a fallacy in which an irrelevant topic is presented in order to divert attention from the original issue.

That a CEO of a major hospital relies on one defective paper - one that he most likely lacks the experience and expertise to understand, let alone critically evaluate - and red herrings is a poster example of why medical and medical informatics amateurs should not be running hospitals or clinical IT projects.

-- SS