Showing posts with label Healthcare IT. Show all posts

Sunday, December 26, 2010

Inpatient or outpatient and the battle to control costs: The truth about the push for electronic medical records?

Electronic health records have been pushed like opiates on a run-down inner city street corner for some years now; yet the evidence does not support the aggressive national push currently underway.

I'd thought wishful thinking, hope, government naivete, industry aggression and lobbying, and other similar factors were a major explanation.

A candid article today, however, in my local newspaper, about the ER of a hospital where I did my residency years ago (pre-EHR), seems to offer the most potent driver behind the current push - real-time money games:

Inpatient or outpatient? The battle to control costs

By Michael Vitez
Inquirer Staff Writer
Sun, Dec. 26, 2010

Randy Klein had a lovely vacation, three weeks in Europe with her husband, Stephen, for their 36th anniversary.

They went to Paris, Rome, Venice, even took a cruise to Monte Carlo. On the last day, they ate oysters in Normandy.

Her stomach started cramping on the airplane. The diarrhea didn't hit, thank God, until she got home, in Rydal, on Oct. 17, but it landed with a fury.

"Doesn't even give you a shot to get to the bathroom," she said.

She went to the emergency room at Abington Memorial Hospital, where they took cultures and she spent the night. She began to feel better and went home the next day.

A few days later, a violent diarrhea slammed her even worse than before. She went back to the ER and soon was on a gurney and hooked to a morphine drip.

Klein, 56, was too sick to know or care, but she was the subject of a conversation taking place down the hall between her ER doctor and an admission review nurse:

Should Klein be admitted to the hospital or treated there but as an outpatient, in what is known as observation?
[That is, "short-stay", or "one-day" fast-tracked admissions - ed.]

This may sound bureaucratic, even benign. But this question - and where it leads - tells a lot about the state of health care today, the tension between hospitals and insurers, the impact on patients.

The tension is strong indeed:

Abington wants to avoid treating Klein as an inpatient, then getting paid only an outpatient rate from the insurer - half as much.

Insurers see themselves as good citizens, responsible parents [I think their principal motivation is, rather, to be good parents to their profits - ed.], doing the difficult job of holding down health-care costs, in part by refusing to pay for what they view [from a distance, post hoc - ed.] as unnecessary care.

Doctors see this as second-guessing by insurers and an erosion of the doctor's role.

[I don't "see it" as second guessing. It *IS* second guessing, on first principles - ed.]

And hospital finance people say these cuts in reimbursement will affect the care of Randy Klein, thousands like her, and eventually all of us.


And some will be injured and die as a result...but it's all for money:

... These skirmishes over reimbursement take place gurney by gurney, patient by patient, like a thousand paper cuts, but the dollars add up.

Abington says it will lose $12 million a year because of this. Hospitals around the state and nation are feeling the same financial pressure.

Observation status, created by Medicare, has existed for years, but was infrequently used by area hospitals until last year, after a crackdown by Medicare auditors.

The idea is basic: If a patient arrives in the emergency room, and it isn't immediately clear whether the patient should be admitted, the patient can be placed in observation - treated in the hospital but as an outpatient.


The statement "treated in the hospital but as an outpatient" shows George Orwell's concepts of language manipulation are alive and well.

... Steve Fisher is one of 40 emergency-room doctors at Abington. He likes to say, "I'm paid to be paranoid."

On Monday, Oct. 25, before he went to see Randy Klein, he saw that she had been in a few days earlier for the same problem, and that immediately raised concern.

The results of cultures taken the previous week showed she had two parasites, campylobacter and giardia, infections one gets from contaminated food and fecally contaminated water. Fisher knew giardia, which he felt was causing her trouble, is rarely life-threatening, but he is paid, as he says, to be paranoid.

On examination, Fisher felt Klein's belly was incredibly tender, and he contemplated a CT scan of her colon, but decided against subjecting her to the radiation.

He didn't think she had a blockage or anything that would need surgery. But considering the extreme inflammation, a rupture was possible, and he was confident she would need subsequent abdominal exams in the hospital, in the days to come.


ER doctors need to be "paranoid" because they ultimately are responsible for outcomes. They also develop a keen sense of judgment towards potential trouble. This patient was admitted for several days, but soon the claim for inpatient care was denied.

Based on a cookbook known as "InterQual", Blue Cross would pay at an observation rate, an outpatient rate, even though Abington provided inpatient care. Read the article or the link above for more on that cookbook.

Now about the denial and the second guessing of doctors:

"Respectfully," [senior medical director at Independence Blue Cross Donald Liss] added, "I'd say, jeez, this is the perfect case for observation. Is she going to respond, get better in six, eight, 12 hours from now and perk up? That's the one where you would want to keep an eye on her, responding to therapy or not."

[How does he know? He was not present. He did not perform an exam. He did not get a "sense" of the patient. - ed.]

Liss wanted to emphasize that "I have a personal interest in the continued existence of Abington. My wife and I delivered our kids there. I live within a mile.


That's very nice, but irrelevant. What is relevant is this:

"We don't intend to tell the ER doc how to practice medicine," he added. "I appreciate the conundrum and challenge that creates at the point of care.

"But unashamedly our job is to be a good steward of the dollars our customers entrust us [such as patients just like Randy Klein? - ed.] to spend on health care."


This is bull. It is a lie. I find this statement offensive and insulting to my intelligence. I am indeed tired of the lying and the spin.

Of course the insurance company representatives are telling the ER doctor how to practice medicine.

Patient disposition decisions are part of an ER physician's practice of medicine. Insurance company interference in those decisions is precisely a matter of telling ER docs how to practice medicine.

Their profits depend on it.


Now for the EHR angle:

... Joanne Mainart and Donna Tobin are nurses and case managers at Abington who review admissions. Mainart was hired for this job a year ago; Tobin joined her in March.

They sit at their own computer in the ER [i.e., with their own access to the EHR - ed.], away from patients, and when they see a black ball beside a patient's name [signifying the insurer may deny an inpatient claim and pay at aforementioned "outpatient inpatient" rates - ed.], their job is to examine medical records and treatments and determine if the patient meets criteria for inpatient admission.

Doctors still make the decision. These nurses only advise. But their mission is to make sure patients get put in the right category - inpatient admission or observation [so the hospital can be paid appropriately - ed.]

Assigning Mainart and Tobin to the ER was Abington's response to the push toward observation.

And this:

... Blue Cross has its own team of utilization review nurses, all of whom, it says, have at least five years experience and have received special training in utilization review.

One of the nurses, working at the Blue Cross offices in Plymouth Meeting, got access to Abington's computers through a secure logon [they can see the EHR too! - ed.] and reviewed the same records Tobin had the previous evening.

[Note the centrality of the computers in this payment "poker game" process - ed.]

The Blue Cross nurse did not feel Klein met InterQual.

[Since nurses cannot unilaterally make these decisions, a physician later reviewed the case and concurred - ed.]


So, there we have it.

Physicians' work is interfered with by EHR's ostensibly put in place to "help them", but in reality a behind-the-scenes cybernetic game of financial chess is going on, worth billions to hospitals and the insurers.

If that is not a compelling driver for EHR technology, I don't know what is.

Unfortunately, it does not benefit patients or doctors clinically (my mother was nearly killed earlier this year by the unintended adverse consequences of an ED EHR system), and it looks like the upper hand financially now lies with the insurers.

Hospitals like Abington estimate they "will lose $12 million a year because of [the denials]." Hospitals around the state and nation are feeling the same financial pressure.

Per Abington Chief of Staff Jack Kelly, a former director of my Residency program there:

John J. Kelly, [now] Abington's chief of staff and top doctor, said: "It actually costs us more money to do observation. You might say that doesn't make any sense."

He said Abington has had to hire more staff and "compress everything" - in other words, try to provide the same care it gives an inpatient but squeeze that into 24 hours of observation.

Kelly also said staff was required to do more documentation "because you're paid by the hour for observation. It's craziness."

"What they're asking us to do sometimes is dangerous, I think," said Kelly, speaking for himself and not the hospital.

"The 'retrospectacope' is the most powerful instrument known to man," he added. [That sounds like vintage Jack - ed.]

"Part of the reason we spend so much of our resources in training physicians is to develop that sense of judgment about who needs what. And we're being second-guessed by everybody strictly on the basis of costs.

"I understand the need to be sensitive to costs, yet they're going to cripple us, the insurers [and] the government."


Note his statement:

"Part of the reason we spend so much of our resources in training physicians is to develop that sense of judgment about who needs what."

I concur with his assessment, and from personal experience. I was one of the physicians he trained.

A plague of our current culture is the permitting of second guessing by people who lack the expertise of the experts, lack the crucial benefit of direct, concurrent observation of the patient, or both.

In conclusion:

First, it is increasingly apparent that clinical information technology has been hijacked from its inventors and pioneers. It has been morphed from a tool that was supposed to help clinicians in their private doctor-patient relationship, into a cybernetic control mechanism for bureaucrats.

Second, until this culture takes away the power from ill-informed bureaucrats, people need to bring a bodyguard (medical advocate) with them to any hospital encounter.

"If you are second-guessed wrong, your patient's dead" seems an apropos motto for this era.

-- SS

Friday, November 19, 2010

GAO report: Health Care Delivery: Features of Integrated Systems Support Patient Care Strategies and Access to Care (such as HIT)

A new GAO report has appeared entitled "Health Care Delivery: Features of Integrated Systems Support Patient Care Strategies and Access to Care, but Systems Face Challenges." (Hat tip: saw this in story by Inga at HerTALK).

The report is available at these links:

GAO-11-49 November 16, 2010
Highlights Page (PDF) Full Report (PDF, 33 pages) Accessible Text

One of those strategies, of course, is healthcare IT:

IDSs in GAO's sample reported that using electronic health records (EHR), operating health insurance plans, and employing physicians all support strategies to improve patient care. An EHR contains patient and care information, such as progress notes and medications. Some IDSs said that using EHRs supports their patient care strategies such as care coordination, disease management, and use of care protocols by increasing the availability of individual patient and patient population data and by improving communication among providers.

Some might take this report as "proof" that healthcare IT is ready for national rollout.

However, the following passage lends doubt to that interpretation, in the form of a significant "however" (a common word seen in reports about healthcare IT, along with terms such as "but", "except", "in some cases", "in the next release", the ever-valuable term "glitches", and other similar hedge terms).

However, the information we present is from the perspective of the IDSs in our sample. We relied on data obtained through the Web-based data collection instrument, interviews with system representatives, and published studies and did not conduct independent analyses of the effectiveness of strategies.


This report suffers a serious flaw: potential (or might I say likely) self-reporting bias.

Caveat emptor.

-- SS

Wednesday, September 1, 2010

American Board of Medical Specialties to "incorporate tools to promote meaningful use of health IT into its maintenance-of-certification program"

From an Aug. 16 article "Industry pushes meaningful use through incentives" in Modern Healthcare (signup unfortunately required):

... Physicians will also be feeling the pressure to be IT savvy in order to maintain their professional certification. The American Board of Medical Specialties said that it would incorporate tools to promote meaningful use of health IT into its maintenance-of-certification program.

More than 750,000 U.S. physicians are certified by an American Board of Medical Specialties (ABMS) member board, “so it’s readily apparent” [really? - ed.] that building meaningful use of health IT into [Board] certification maintenance will benefit patients, ABMS President and CEO Kevin Weiss said in a written statement. “Additionally, the merging of these two tools will help to facilitate physicians’ knowledge, skill and use of health IT, and in turn can improve physician performance and patient outcomes,” he said.

The bolded statements of certitude from ABMS CEO Kevin Weiss follow the familiar pattern I observed in my July 2010 post "Science or Politics? The New England Journal and The 'Meaningful Use' Regulation for Electronic Health Records".

These are statements of certitude supported at best by scanty evidence, "estimations" and "projections", while refuted by a growing body of significant research on health IT as it exists now (such as the recent materials here).

It is unfortunate that the ABMS has now fallen away from evidence-based medicine and fallen prey to mysticism-based IT practices in medicine.

I did, however, see moves like this coming. I believe the ABMS move augurs future, more forceful demands from the healthcare IT "Trade Federation" that physicians and hospitals buy and use this technology, a form of totalitarian caprice considering the evidence base.

With respect to seeing this coming, here's what I wrote in my post Masochism, Medicine and Clinical IT: How Physicians Can Be Beaten Over and Over, and Still Come Back For More back in April 2009:

... Here is a tale about the companies that medicine will be dependent upon for EHR's and other clinical IT - now by force of government (financial at first, but I would not at all rule out punitive licensure and other measures as a possibility in the future for "EHR noncompliers")...

We're not there yet, but I would not be surprised to see moves in that direction in the future.

I also consider the ABMS succumbing to IT mysticism as another sign of the degradation of efforts towards true evidence-based medicine in favor of corporate interests.

Fortunately, some research organizations have not entirely bought into the irrational exuberance, although whether they can exert enough influence to reform the healthcare IT industry before billions of precious dollars are wasted on today's ill-conceived systems is debatable.

For example, (and in another example of research done today affirming conclusions I'd reached years ago using observational skills, knowledge of Medical Informatics, internal medicine thought processes and common sense), McKinsey offers the following.

Per the recent McKinsey study "Reforming hospitals with IT Investment":

... The realization of the benefits from health care IT investments will require a radically new approach to IT on the part of the CIOs of health care providers, as well as the business leaders and clinicians those CIOs serve. Health care providers will need to use new approaches to achieve an inclusive governance process with streamlined decision-making authority, a radically simplified IT architecture, and a megaproject-management capability.

Based on observation alone, I'd written this in 2002 (and probably before as well, somewhere):

... From a dual perspective as both a clinician and computer professional, it is evident that critical clinical computing projects benefit greatly from an alternate approach to project preparation, development, implementation, customization and evaluation, as compared to management information systems (business computing) projects. Clinical and business computing appear to be different subspecialties of computing.

Instead of naïve, unquestioning IT exuberance, the ABMS and other medical professional organizations should long ago have put their efforts behind moving the health IT vendors and their hospital customers to adopt the 'radical changes' required as in the McKinsey report (and elsewhere, such as in the 2009 National Research Council's report on health IT). They should have done so before insisting use of the technology be a metric for qualifications to practice medicine.

They should be pushing for the approval of health IT as medical devices under the Federal Food, Drug, and Cosmetic Act (FD&C Act), such as the EU is now moving towards; see for example the Swedish Medical Products Agency 2009 report here (PDF). From that report entitled "Proposal for guidelines regarding classification of software based information systems used in health care":

A general opinion of the health care providers represented in this Working group is that from a patient safety point of view, it is desirable that stand alone software and systems intended to, directly or indirectly, affect diagnosis, health care and treatment of an individual patient shall be regulated under a Product Safety Regulation. The Working group has not been able to define any other appropriate regulation than the Medical Device directives when it comes to the definition of such systems.

... The Working group believes that software intended for a medical purpose must be regarded as a "device" and expressions such as "project", "service" and similar must be avoided describing a Medical Information System.

Further, ABMS should also be pushing for robust post-marketing studies of health IT.

If truly representative of ensuring medical practitioners' competence in the interest of patient safety, ABMS should be discouraging specialty societies from blindly buying in to this experimental technology, and instead encouraging them to evaluate health IT critically - as critically as any new medical device or technology - including a complete examination of the literature.

The ABMS should hold off on linking clerical capabilities of clinicians to board certification, per Brown University ophthalmologist Michael Migliori in the above-linked Modern Healthcare story:

“I don’t believe achieving meaningful use equates to maintenance of certification,” said Michael Migliori, an ophthalmologist in Providence, R.I. Maintenance of certification is a measurement of clinical knowledge, whereas meaningful use is a clerical designation, he said.

“I understand the clinical importance of electronic medical records both in terms of patient safety and quality [although not in today's form IMO - ed.], but we are not at the point where EMR and health information exchange are ready for universal implementation,” Migliori said. “They should not be linked at this time.”

In other words, today's health IT is not ready for national roll out, especially with any form of coercion in effect.

Here's a major problem in slowing this train. The following chart appeared in the aforementioned McKinsey report on "startup costs" of EMR systems. The figures are presented in the form of dollars per bed:



McKinsey on EMR startup costs, estimated at $80,000-$100,000 per bed.


With these levels of money moving like an overflowing fountain of champagne to the IT industry, with likely tributaries into medicine's regulatory, representation and accreditation organizations, no research seems likely to bring the radical changes needed to ensure this technology is safe and effective.

(The McKinsey report also opines that well-done EMR's can recoup the gap between costs and government financial incentives shown in the chart within a few years; that is also highly debatable, even if the HIT is "done well" via radical reform.)

I have no answers to these problems other than the many suggestions I've written on these blog pages since 2004, and on my academic site on HIT since 1999. Without those in power willing to consider that health IT today is yet another bubble or mania, then like some diseases, it may only be tincture of time that corrects these problems. That is, when the current Jurassic health IT ecosystem collapses of its own dead weight.

What's sad are the expensive IT fossils -- and bodies -- that will be left behind for some future archeologist to discover.

-- SS

Addendum Sept. 5:

EMR use as condition of licensure appears to be heading for reality in at least one state: Massachusetts. See http://healthblawg.typepad.com/healthblawg/2010/05/hit-incentives-in-massachusetts-less-carrot-more-stick.html

Hat tip to Al Borges, MD. See his comment in the comments section.

Monday, March 15, 2010

Third-Party Reviews of Medical Devices Come Under Scrutiny at the FDA - Except Healthcare IT Medical Devices, Which Get Special Accommodation

This WSJ article caught my eye:

Third-Party Reviews of Devices Come Under Scrutiny at the FDA
March 15, 2010
By ALICIA MUNDY and JARED A. FAVOLE

WASHINGTON—When medical-equipment makers like Philips Electronics NV, Siemens AG and General Electric Co. need approval for some new devices, they don't always have to start at the Food and Drug Administration. They can pay companies to do the reviews, which are then routinely approved by FDA officials most of the time.

Now this third-party outsourcing program has come under fire at the FDA, and the agency is weighing whether to end it. Agency officials question the quality of the reviews and whether they have served the program's original purpose: saving U.S. taxpayers money.

The "real value to industry may be that this is perceived as a way to 'sneak things,'" said an FDA official at a December meeting on device approvals, according to minutes reviewed by The Wall Street Journal. Some third-party reviewers advertise speed and a friendlier process.

At a time when the FDA is moving against third party device reviews, HHS and its Office of the National Coordinator for health IT (ONC) are soliciting to create third party EHR "certification" bodies for healthcare information technology (HIT) medical devices such as electronic medical records systems, decision support tools, clinician order entry and alerting, etc. (see RIN 0991-AB59, "Proposed Establishment of Certification Programs for Health Information Technology", PDF available at this link.)

This comes at the same time as FDA admitting this technology harms and kills patients, but the extent is unknown (existing FDA data is likely the "tip of the iceberg" reports Jeffrey Shuren MD JD at the HIT Policy Committee, Adoption/Certification Workgroup, special meeting on health IT safety on February 25, 2010).

See:

"FDA on Health IT Adverse Consequences: 44 Reported Injuries And 6 Deaths, Probably Just 'Tip of Iceberg'" at http://hcrenewal.blogspot.com/2010/02/fda-on-health-it-adverse-consequences.html

and

"On ONC's "Proposed Establishment of Certification Programs for Health Information Technology" at http://hcrenewal.blogspot.com/2010/03/on-oncs-proposed-establishment-of.html

More from the WSJ article:

... The agency's concerns about the third-party reviews come as the FDA is re-evaluating its entire device-approval process. In addition, the agency has recently announced tighter regulation of some machines that deliver radiation in the wake of reports of more than 300 cases of overdoses from CT scanners at four hospitals.

Changes under consideration at the FDA include terminating the third-party program, limiting the kinds of devices that it covers, or giving the outside reviewers more data on devices to improve the quality of their work, according to the minutes and interviews with agency officials. Jeffrey Shuren, the device division director, said the FDA will release proposed changes later this year and cautioned that no decisions have been made.

To qualify for an outsourced review, a new device must be similar to a device already on the market, and it must carry low or moderate risk to the patient.

The December 2009 minutes say "third parties often don't have appropriate expertise." The minutes cite "poor quality of review documents— they often just repeat what is in the submission, and don't provide any analysis of the data."


(The point on lack of expertise is a point I raise in my aforementioned commentary on ONC's "Proposed Establishment of Certification Programs for HIT." I wrote: HHS should not be creating new, potentially (likely?) amateur organizations and bureaucracies overseeing these new virtual medical devices that will have variable (or no) experience in software validation, certification, regulation, postmarketing safety surveillance, etc. Rather, HHS should be leveraging existing governmental expertise in certifying, validating and regulating mission critical IT.)

The industry, as always, is looking out for itself, with patients coming in second:

Terry Sweeney, vice president of clinical affairs at Philips Healthcare, said the third-party program benefits industry and helps relieve the FDA of a burden. "Every week's delay [i.e., in rigorously assuring medical device safety - ed.] can cost the company a large sum of money," he said.

It's not like the time differential is enormous:

It takes an average of about 72 days for a company to get final clearance for a device when it goes the third-party route, according to the FDA. That includes the time for the agency to sign off on the outside reviewer's conclusion and compares with an average 109 days for similar applications that go directly to the FDA.

So, the vendors seem to be saying, let's compromise the device safety evaluation process via third party reviewers so we can get to market a month sooner.

The FDA is having serious second thoughts about this state of affairs.

Worse, on health IT devices, the HHS itself via ONC is soliciting for the creation of third party reviewers for HIT, while the FDA itself seems marginalized or even unwilling to shoulder the burden of patient protection from faulty HIT.

Odd. Why do computerized HIT medical devices such as EMR's get special government accommodation?

-- SS

For more on HIT challenges see "Contemporary Issues in Medical Informatics: Common Examples of Healthcare Information Technology Difficulties" - http://www.tinyurl.com/healthITfailure

Thursday, February 18, 2010

Networked EMR's and Healthcare Information Security: Practical When Massive IT Security Breaches Continue?

At "Networked, Interoperable, Secure National Medical Records a Castle in the Sky?" I wrote that the holy grail of electronic medical record efforts - the creation of a networked, interoperable, secure national medical records system - may be far more difficult than anyone expected due to vulnerabilities in current, widespread IT networking and OS platforms.

Now we hear the situation is even worse than in the articles I cited at that post:


Wall Street Journal
Feb. 18, 2010
Broad New Hacking Attack Detected

Global Offensive Snagged Corporate, Personal Data at nearly 2,500 Companies; Operation Is Still Running

Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft, according to a computer-security company that discovered the breach.

The damage from the latest cyberattack is still being assessed, and affected companies are still being notified. But data compiled by NetWitness, the closely held firm that discovered the breaches, showed that hackers gained access to a wide array of data at 2,411 companies, from credit-card transactions to intellectual property.

One can only imagine how internet-connected hospitals, generally an IT backwater, might fare under such an onslaught.

... In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email.

They also broke into computers at 10 U.S. government agencies. In one case, they obtained the user name and password of a soldier's military email account, NetWitness found. A Pentagon spokesman said the military didn't comment on specific threats or intrusions.

At one company, the hackers gained access to a corporate server used for processing online credit-card payments. At others, stolen passwords provided access to computers used to store and swap proprietary corporate documents, presentations, contracts and even upcoming versions of software products, NetWitness said.

Data stolen from another U.S. company pointed to an employee's apparent involvement in criminal activities; authorities have been called in to investigate, NetWitness said. Criminal groups have used such information to extort sensitive information from employees in the past.


Read the whole article. These breaches are an unpleasant reality in 2010, but what's worse is there really are no solid metrics for the true extent of this 'disease.'

Perhaps future Internet technologies will reduce or eliminate the problem, as one reader suggested in a comment to my aforementioned post. I do not believe, however, that patients and their medical records should be used as guinea pigs until those new networking and security technologies are widely deployed and well-proven.

In effect, this is probably not a good time for actual records-level interoperability to be deployed in any manner other than in consideration of a future strategy. Operationalizing that strategy should probably await a time when the "digital ether" in which the data resides and moves is more mature, unless proprietary networks and technology are to be used and without connection to the Internet. Planning data-level compatibility between systems, on the other hand, is work that should continue.

Finally, the layoffs and staffing levels in today's IT departments (at both vendor and user shops), plus the outsourcing of critical IT functions to overseas contractors where workers' loyalty to the primary firm is questionable at best, may be a contributing factor to the nakedness of corporate America's information systems.

-- SS

Thursday, February 4, 2010

Networked, Interoperable, Secure National Medical Records a Castle in the Sky?

The holy grail of electronic medical record efforts of late is the creation of networked, interoperable, secure national medical records that would allow a physician in Palo Alto to retrieve the records of a patient from Hoboken if that patient moved or was found (in the hackneyed and somewhat histrionic scenario) unconscious on the streets of San Francisco.

Recent events have made me skeptical we are anywhere near ready for such a technological accomplishment:

McAfee: Big Business Under Constant Cyber Attack
01.29.10

At the World Economic Forum Annual Meeting in Switzerland, McAfee announced the results of a survey of 600 IT security execs in "critical infrastructure enterprises worldwide": that is, in places such as utility companies, banks, and even oil refineries. And apparently, they're constantly under cyber attack and also extortion related to those attacks.


It's a real battlefield out there.

The report, written by the Center for Strategic and International Studies (CSIS), says that 54 percent of those surveyed have already been attacked. The culprits behind the cyber-attacks are listed as "organized crime-gangs, terrorists, or nation-states."

In other words, not simply teenage hackers or cyber-paparazzi interested in the medical condition of a movie star.

Only one-fifth of the IT execs surveyed believe their systems are currently secure. One-third say things are worse now, vulnerability-wise, than a year ago, due to budget cuts.

What constitutes a cyber attack? A distributed denial of service (DDoS) is the most typical ... mitigation can be hampered by the local laws, working in multiple countries, or the economics of where they operate. For example, half of those surveyed claim the laws in their countries don't do enough to prevent or deter cyber attacks. That's especially true for Russia, Mexico, and Brazil.

Other attack vectors include DNS poisoning where Web traffic is redirected, SQL injection attacks on back-end data via a public Web site, and plain old theft of services.

If you need a plot for your new thriller novel, keep in mind that 20 percent of these companies are not just cyber-attacked, but have also been threatened with attacks in the last two years in "low-level extortion" attempts.

... Those surveyed said the money loss is the worst part, second is the loss of reputation, and (if you thought you weren't important) loss of customers' personal information is third.

This is a worldwide survey, and almost two-thirds of those surveyed believe foreign governments were responsible in some way for previous attacks. The two countries considered the biggest threats: China (by 33 percent of those surveyed) and the good ol' U.S. of A. (by 36 percent). China believes it's the biggest target.

The full report, called In the Crossfire: Critical Infrastructure in the Age of the Cyber War is free on McAfee's Web site in PDF format.

I note that Google recently called in the National Security Agency to help analyze a major corporate espionage attack:

The attacks targeted Google source code -- the programming language underlying Google applications -- and extended to more than 30 other large tech, defense, energy, financial and media companies. The Gmail accounts of human rights activists in Europe, China and the United States were also compromised.

Then there's this:

Intelligence Chief: U.S. at Risk of Crippling Cyber Attack

Feb. 4, 2010

The United States is at risk of a crippling cyber attack that could "wreak havoc" on the country, Director of National Intelligence Dennis Blair said.

"What we don't quite understand as seriously as we should is the extent of malicious cyberactivity that grows, that is growing now at unprecedented rates, extraordinary sophistication," Blair said.

... He said one critical "factor" is that more and more foreign companies are supplying software and hardware for government and private sector networks. "This increases the potential for subversion of the information in ... those systems," Blair said. [Outsourcing our HIT development overseas sounds like a great idea - ed.]


Read the linked articles in their entirety.

Perhaps we should focus on the local at present. National networked EMR's are a great concept, but there are a few social-technical details that remain to be worked out beforehand.


A Castle in the Sky...

-- SS

Friday, January 29, 2010

Why The Apple iPad Will Not Revolutionize, Change the Game, Transform or Create New Paradigms in Medicine Anytime Soon

The announcement of the Apple iPad has been accompanied by the usual irrationally exuberant, buzzword-laden statements and bellicose grandiosity from the IT punditry about how it will "revolutionize" or "transform" medicine.

However, this will not occur anytime soon, for in medicine, the device may help solve a portability and visibility problem (compared to PDA's), but it will not solve this problem: the mission hostile user experience.

The solution to that problem will require significant human magic.

-- SS