Wednesday, October 20, 2010

Paranoid IT-diocy

One of my many friends in the PACS arena, working in an academic setting, sent me this message the other day:

This morning, I was working with an orthopedic surgeon at the big ortho clinic.  He was using his personal digital camera to take a picture of films that were up on a light box.  He said it was the only way he could get images to put in a presentation. How sad is that?

The new PACS system does have the functionality to do it but IT workstations are so locked down, no one can put in a thumb drive, or even save to a shared drive on the network. They will someday be installing a product that will enable them to import/export images, but have not seen fit to deploy it yet.
Now, if that isn't foolish enough, try this one, coming to one of my hospitals.  It seems that remote verification is problematic, and so something like this is to be employed:
RSA® Adaptive Authentication is a comprehensive authentication platform providing costeffective protection for an entire user base. Adaptive Authentication is powered by Risk-Based Authentication, a risk assessment and authentication technology that operates transparently and classifies all users by measuring a series of risk indicators. This transparent authentication for the majority of users provides for a convenient online experience as users are only challenged when suspicious activities are identified and/or an organizational policy i violated. The strong authentication functionality of RSA Adaptive Authentication is offered to Citrix XenApp® environments through the RSA Adaptive Authentication Adapter, which enables integration of RSA’s risk-based authentication technology with Citrix XenApp’s user name and password verification system.
Here it is graphically:

It seems that our hospital is going to implement a system whereby we are to be telephoned for a confirmation (requiring us to answer and press the # key) before we can sign on to the system from a location outside the hospital.  I kid you not.
What we see in these two situations is a trend of what I can only call paranoia, and maybe even tyranny.  IT is so consumed in its own importance and the obsession with even the remotest possibility of a breach or infection, that they will implement such foolish and draconian measures as I have outline above. 
Clearly, they don't get it.  Perhaps a reading of Dalai's Laws by IT would be in order.  Several times per hour for the next month.
Attention IT!!!!  These computers and networks exist for PATIENT CARE, and they are not your own personal virtual castles.  You may not hole yourselves up in your little electronic fortresses and force the rest of us to play these little games to feed your paranoia.  This crap has to stop. 
Yes, I understand the importance of maintaining security, and I'm certainly willing to work with IT on reasonable measures to keep the network safe.  But IT had better start understanding that we have to use their damnable equipment for PATIENT CARE, which trumps everything else.  And I do mean EVERYTHING else.  Work with us, and we'll work with you.  But being an obstructionist in a patient-care enviromnent only hurts the patients.  Is that what you really want?  I hope not.
Don't call me, I'll call you.  And your bloody computer system better not call me, either. 


Anonymous said...

I think the it folks need to walk the floors more and spend less time reading cisco, intel, IBM, or any other ridiculously large software providers propaganda.

LD said...

Couldn't agree with you more. IT is self-consumed at most companies/hospitals. Rather than approaching it from the user perspective, they approach it from the IT perspective. That's been proven to be counterproductive.

Patient information security is important, but as you have just shown, it's quite simple for an authorized user to get that info anyway.

What your IT has done is simply job security. If it's complicated and requires man-hours they've ensured themselves of ongoing employment. Not that it serves any true need or business purpose.

Anonymous said...

It sounds simply like the implementation of a two-factor authentication (ie. something you have and something you know). It's pretty standard practice for most facilities, especially in the USA. The telephone approach is probably the best for patient care, since it eliminates a hard token that could be lost or fail. Not sure why you would oppose a low-tech solution like a telephone...

SBG23 said...

Cell phones do not often work in radiology depts. with lead lined walls, RF shielding, and basement locations...They also do not often get coverage when a doc is remotely located.

Celticpiping said...

tokens are the remote tool of choice at our hospital.
They've worked great for several years.
Telephone verification...eeek!

I'm an ex-IS Dept guy turning PACS geek, and can understand the desire to lock machines down: but as you say patient care must NOT be inhibited.
A balancing act that does not always have the easiest answers...

Rob Dejournett said...

Tokens would be great...until the doc loses it. My IT friend for a major bank uses a token system, its very easy and convenient. Just don't lose it. It's incredibly secure though.

Our PACS system just uses windows authentication. This seems like overkill for patient info. Overkill for nuclear missiles? No.