user-inactivated  ·  2940 days ago  ·  link  ·    ·  parent  ·  post: [48 HOURS] What is Microsoft becoming?

    Nah, the hardest thing is explaining why that's bad.

HIPAA Compliance.

Boom, done for me. The laws on the use of cloud services for storing patient data seem to depend on where you live, what courts have ruled in which ways, and how well you can explain to an investigator that you are working to encrypt everything. And the Internet sucks out here. It sucks so terribly bad that it goes down at least once a month. Each outage puts you dead in the water, unless you have local access to the data, which negates the cloud in the first place. One of the joys of working health care.

    But anyone you're having that discussion with has never met a good systems administrator, thinks of systems administrators as expensive janitors, and assumes the interesting problems a sysadmin should be solving belong to the application programmers instead.

Funny story time, so gather around all. The local hospital, about the time I started the current gig a decade or so ago, was taken over by stock guys. These guys did not know anything about running a hospital, but they knew how to use stocks and bonds to trade companies and write reports that banks and brokers loved. After the buyout was done, they canned the entire IT staff and outsourced EVERYTHING. Once the outsourcing was done, it cost $100 to replace a keyboard or mouse, $150 to do a monitor swap, all the first-line tech support went from people in the building to people overseas, the network team was replaced with a contractor that was also working for other hospitals and did not care to prioritize any of them, and the hospital completely botched the relationship with the local IT/tech community. The outsourcing saved, if the rumors are to be believed, $600,000 in each of the first two years. Then stuff started to break and fail. And the contracting company got it fixed on THEIR schedule. People started to complain about how bad the IT was. Meanwhile, we were still insourced, but a few docs thought they should look into outsourcing us. We sent them to go talk to the hospital, which killed that talk, thankfully.

ACA is passed and hospitals now have to go EMR. The local tech community is still pissed over the way the outsourcing happened, so they had to go with people from out of town who did not understand the city culture, did not fit in with the teams who wound up doing the actual work, and, from what I hear, they had to pay way extra to train people who no longer had a local internal IT group to learn from. The EMR rollout did not go well. The hospital is now a part of a larger group and some of the physician groups are demanding local IT people, but they cannot do it due to contracts with the overseas people and the local contractors who are now riding out till the end of the contracts they signed.

There are certain tasks that IMO should be outsourced. Building an initial web site, hosting the web site, training on computer skills, running cabling, the stuff that gets done once in a while. But hire a team that can do the tiny tasks in house and not have to spend money and time waiting on the outside sources.

A good IT team is never around until it's time for meetings justifying their pay and budgets. A great IT team helps build skills and makes the end user community more tech savvy and efficient at their jobs. And losing that institutional ability and skill set, if not done right, is like throwing sandpaper in the gears of a business.

kleinbl00  ·  2939 days ago  ·  link  ·  

The HIPAA thing, on smaller scales, ends up a total red herring because most anybody's EMR lives on their iron anyway. My wife's got two, evaluated seven, and each and every one of them waives all the HIPAA stuff onto the provider.

goobster  ·  2939 days ago  ·  link  ·  

Waving the bullshit flag here...

HIPAA compliance completely fucks with your network infrastructure.

Case in point, from personal experience: I used to work for F5 Networks, who make (among other things) the finest load balancer in the world.

For those who don't know, a load balancer takes traffic coming in from the internet, and directs that traffic to the appropriate servers within your network.

Since load balancers are facing the direct onslaught of all internet traffic coming to your domain, they are attacked almost constantly by hackers (not hyperbole... literally multiple times PER SECOND), who are trying to gain access to the internal network services.

So your load balancer (or ADC) needs to be SUPER robust to deal with all these different attack vectors.

The smartest and best way to defend against most attacks is to have a "full proxy" load balancer.

This means that traffic coming in from the internet is completely decoded and disassembled, then, on the other side of the load balancer (your network side) the packets are reassembled and passed along.

This decoding/rebuilding of network traffic removes about 95% of the potential attack vectors hackers can use.

HOWEVER...

Because a full-proxy load balancer decodes the incoming packet, HIPAA regulations say you cannot use this type of load balancer, due to patient privacy concerns.

They say that decoding internet traffic at any point between the server and the client is a breach of patient privacy, and is therefore forbidden.

This is what happens when government tries to regulate technology.

The reality is that, inside the load balancer, the ENTIRE PROCESS happens within code on a chip, and is never, at any point, in any way, accessible to anyone outside the box. Not the administrator, not the hackers... nobody can ever possibly see the unencrypted data.

But no... if you have a full-proxy load balancer, then you are breaking HIPAA regulations.

(Sorry. I get a little worked up about this shit. The government is technologically illiterate, and should be prevented from making ANY technology decisions. See: Apple vs FBI for more examples of government morons at work.)
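The full-proxy behaviour goobster describes above (decode the client's traffic completely, then rebuild it on the network side so only what the proxy understood reaches the server) is easy to see in miniature. The following is an added toy in Python, not F5 code and not a claim about the 95% figure or the HIPAA reading: it parses one HTTP/1.1 request into fields, refuses anything malformed or ambiguously framed, and re-serializes a canonical copy, next to a pass-through that forwards whatever arrived. The sample requests are constructed for the demo.

```python
import re

# RFC 7230 "token" characters: the only ones allowed in a header field name.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}


class RejectedRequest(ValueError):
    """The inbound bytes did not parse as an unambiguous HTTP/1.1 request."""


def parse_request(raw: bytes) -> dict:
    """Decode the client's bytes into structured fields. Anything the parser
    cannot account for is rejected rather than guessed at."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RejectedRequest("header block not terminated")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError as exc:
        raise RejectedRequest("non-ASCII byte in header block") from exc

    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in METHODS or parts[2] != "HTTP/1.1":
        raise RejectedRequest(f"bad request line: {lines[0]!r}")
    method, target, _version = parts
    if not target.startswith("/") or any(c.isspace() for c in target):
        raise RejectedRequest(f"bad request target: {target!r}")

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            raise RejectedRequest(f"bad header line: {line!r}")
        key = name.lower()
        if key in headers:
            # Two copies of a framing header would let the proxy and the backend
            # disagree about where the message ends; refuse instead of picking one.
            raise RejectedRequest(f"duplicate header: {key}")
        headers[key] = value.strip(" \t")

    if "host" not in headers:
        raise RejectedRequest("missing Host header")
    if "transfer-encoding" in headers:
        # This toy does not decode chunked bodies; an undecoded body must not be forwarded.
        raise RejectedRequest("Transfer-Encoding not supported by this toy proxy")
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise RejectedRequest("non-numeric Content-Length")
        if int(headers["content-length"]) != len(body):
            raise RejectedRequest("Content-Length does not match body size")
    elif body:
        raise RejectedRequest("body present without Content-Length")
    return {"method": method, "target": target, "headers": headers, "body": body}


def serialize(req: dict) -> bytes:
    """Rebuild a canonical request from the parsed fields. Odd spacing, header
    case and ordering from the client never reach the backend."""
    out = [f"{req['method']} {req['target']} HTTP/1.1"]
    out += [f"{k}: {v}" for k, v in sorted(req["headers"].items())]
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii") + req["body"]


def full_proxy(raw: bytes):
    """Full-proxy behaviour: decode, validate, re-encode.
    Returns ("forwarded", canonical_bytes) or ("rejected", reason)."""
    try:
        return "forwarded", serialize(parse_request(raw))
    except RejectedRequest as exc:
        return "rejected", str(exc)


def passthrough(raw: bytes):
    """Packet-forwarding behaviour for comparison: whatever came in goes out."""
    return "forwarded", raw


# Constructed sample requests for the demo (not captured traffic).
SAMPLES = {
    "clean": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent:  demo \r\n\r\n",
    "ambiguous_length": b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
                        b"Content-Length: 4\r\nContent-Length: 5\r\n\r\nabcd",
    "bad_header_name": b"GET / HTTP/1.1\r\nHost: example.test\r\nX Odd: 1\r\n\r\n",
    "length_mismatch": b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 10\r\n\r\nabcd",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} passthrough={passthrough(raw)[0]:9} full_proxy={full_proxy(raw)}")
```

Only the "clean" request is forwarded, and it comes out normalized; the other three go through untouched under `passthrough` but are dropped by `full_proxy`, which is the whole point of decoding and rebuilding. A real ADC does the same across TLS, HTTP/2 and every other protocol it terminates, which is also why the decoded data exists inside the box at all.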

user-inactivated  ·  2939 days ago  ·  link  ·  

    HIPAA compliance completely fucks with your network infrastructure.

The best thing about HIPAA is that those of us who touch bare metal need at least a framework to build best practices. The further you are from the server, the less you care about what the computer does and the more you care about the number of billable hours it will cost to defend the decisions.

I don't hate you so I won't quote it, but AWS has a series of white papers on cloud infrastructure and HIPAA guidelines. It can be done, there are groups doing it to comply with the 7-year mandates, but I do not have the budget to do so. We went with a vendor who runs the software, builds the apps, etc., and I maintain the server farm, desktops, installs, Windows updates, and the local security, accounts et al.

The final rules are here if anyone lurking wants help sleeping.

As KB says below: Wave it all you want, you're wrong. What matters is billable attorney hours and what checks get written. As long as you are encrypting stuff, not backing up to your iPad or Google Cloud Storage (shudder) or doing something otherwise outrageous, when the people come in to inspect they are, from the stories I've read and been told, looking for Medicare and Medicaid fraud more than encryption and email violations. The real dance is keeping all the players happy: the docs, the clinic staff, the billing people, the management, the lawyers, the government. (Note the lack of the patient in that list.) As long as you have vendors that tell you in writing HIPAA COMPLIANT, and I am getting the resources to stay on top of it, we have the ammo to give the guys in suits.

kleinbl00  ·  2939 days ago  ·  link  ·  

Wave it all you want, you're wrong.

All the technological stuff you're talking about gets totally swept under the rug. Having sat next to five sales presentations, whenever you mention HIPAA compliance they all say "we got this and can protect you" and the conversation moves on.

I'm not saying these vendors are HIPAA compliant - I'm saying they're defusing the question their customers are asking effectively, be that through misunderstanding, half-truth or outright deception. Either way, individual practitioners get to check off the HIPAA box without having to know or care what a load balancer is. They mash an icon on their iPad and they're in, and their clients click a button on their website and they're in.

So get worked up. Take a stand. Pontificate about encoding. Between the pointy-haired bosses and the sales weasels, you're not only irrelevant, you're a deaf-mute because you won't even be asked. I'll take it further - you could walk into any independent practitioner's office with a white paper and server logs demonstrating that a doctor's EMR isn't HIPAA-compliant and they'll shrug, say "I got my waiver" and tell you to leave.

user-inactivated  ·  2939 days ago  ·  link  ·  

The sales weasels don't care whether the product does the right thing, they care that the customer thinks the product does the right thing. The pointy-haired boss doesn't care that the product does the right thing, he cares that his ass is covered and he has something to brag about to his pointy-haired boss to prove he has Leadership. Your users care in the abstract, but aren't really interested; if they're told all is well, they'll take it on faith because they just want problems ancillary to what they're trying to do to go away. If you care about your craft or your users, you pick fights with your pointy-haired boss and the sales weasels so you can do whatever it is you're trying to do right. Dominant species or no, PHBs are easier to replace than you are; you can get away with saying "fuck that, here's what we're going to do" as long as you're right. Or you let it grind you down and just do whatever you need to do to keep the PHB smiling, but that'll make you miserable.

kleinbl00  ·  2939 days ago  ·  link  ·  

Or, if you don't care to write your own HIPAA-compliant EHR for your staff-of-five and client-base-of-hundreds, you accept that the whole thing is a big stupid pigfuck but that it's everyone's big stupid pigfuck and move on. It's like speeding on the freeway - if everyone's doing it, the likelihood of being pulled over is proportional to the redness of your car and personal ethnicity, not proportional to speed.

HIPAA, in many ways, is the exact same boondoggle as the Americans with Disabilities Act. 10-20 percent of my audio budget used to be for Assistive Listening Devices because the ADA says you have to assume that 5% of the audience for any given public event is deaf, and you need to provide them headsets, minimum 5. Which means if you have a classroom that seats 20 people, you have to have headsets for 25 percent of the seats. Which means if you have a stadium with 20,000 seats, you've got 200 headsets in a closet somewhere.

Which nobody adhered to. Even the building inspectors knew it was a joke. They wanted to see the regulation "six headsets and an emitter" on every spec sheet because they knew it would never get used.

Commtek, Genter, Listen Technologies... these are companies that exist to make devices no one will ever use because of legislation.

When HIPAA went through I got to start putting in masking systems for every lobby in every medical office.

HISSSSSSSSSSSSSSSSSSSSSSSS

goobster  ·  2939 days ago  ·  link  ·  

Eh.

Issues like this are always complaint-enforced. So everything is fine until a patient files a lawsuit. Then your piece of paper won't be worth the paper it was written on.

"And your infrastructure isn't HIPAA compliant, either. So add another quarter million onto the award for lack of proper network infrastructure."

I rail because the technologically correct answer is inadvertently the wrong legal answer. And that shit pisses me off, because it's gonna be the little practitioners who mashed a button on their iPad who get screwed.

kleinbl00  ·  2939 days ago  ·  link  ·  

Doesn't matter. The lawyers always go after the deep pockets and the deep pockets are never the individual practitioner. Besides which, a malpractice suit isn't going to be about medical records, a records leak suit is going to be about medical records and then the practitioner points at the waiver and says "talk to my EMR."

Rail all you want. Actual HIPAA compliance matters fuckall compared to perceived HIPAA compliance, and perceived compliance is "there's an app for that."

user-inactivated  ·  2940 days ago  ·  link  ·  

    HIPAA Compliance.

Lucky you. On every application I've ever worked on that was subject to HIPAA, I've had users emailing me spreadsheets of toxic data. Eventually I gave up trying to talk them out of it, and started teaching them how to use GPG at least.

user-inactivated  ·  2939 days ago  ·  link  ·  

To be technically correct, as long as they are not emailing and accessing those spreadsheets outside the contained network, you are legal. I still scream USE THE FUCKING FILE SHARES (maybe with a bit less obscenity), but they still do it.