Wait, it's not the company paying the fine but the jerks that did it? Wow, this is news.
Healthcare dev fined $155m for lying about compliance
A health records software company will have to pay $155m to the US government to settle accusations it was lying about the data protection its products offered. The Department of Justice said that eClinicalWorks (eCW), a Massachusetts-based software company specializing in electronic health records (EHR) management, lied to …
COMMENTS
-
Friday 2nd June 2017 02:54 GMT Kernel
So it's not just the auto industry
"At one point, it is alleged that the company configured the software specially to beat testing tools and trick the HHS into believing the products were far more robust and secure than they actually were."
It's probably just a rogue engineer that did this without any knowledge of the senior management team - "lessons will be learnt, processes are being carefully reviewed, the health and well-being of the patients are our primary concern, etc., etc."
-
Friday 2nd June 2017 06:23 GMT John Smith 19
OMG. Greedy ba***ds made to actually hand over some of their own money for a fu**up.
If only the NHS had set up (or rather HMG had set up for it) this sort of regulatory framework maybe they would not still be running a 17YO OS in a VM on another obsolete OS.
Thumbs up for the US regulator, not the p*** poor UK effort in this regard.
-
Friday 2nd June 2017 10:15 GMT Cuddles
What were the users doing?
"create the illusion that the software was able to access large databases"
"lying about the software's ability to transfer records between doctors and audit transfers"
It wasn't able to access databases and wasn't able to transfer records or audit said transfers. It might be possible to fake that in regulatory tests, but how did the people actually using the software not notice it couldn't do any of the things they actually needed it to do? This isn't like VW fixing the results of emissions tests, it's as though VW faked the results of their tests and when someone actually bought a car it turned out not to have an engine in it at all.
-
Saturday 3rd June 2017 00:50 GMT dgc03052
Re: What were the users doing?
"create the illusion that the software was able to access large databases"
"lying about the software's ability to transfer records between doctors and audit transfers"
It wasn't able to access databases and wasn't able to transfer records or audit said transfers. It might be possible to fake that in regulatory tests, but how did the people actually using the software not notice it couldn't do any of the things they actually needed it to do?
This was likely to fool certain minimal security testing, like not seeing the patient name or diagnosis in network traffic. Once the test is over, they go back to just storing plain text in the DB, because that is easier. You can fake "transferring" records by just allowing the other user access to the same data, so it would work for users; it's just that you never took the information away from the original person, and it wouldn't actually work across different installations, or to anyone else's system. Or you do brain-dead serialization/deserialization, and worry about transferring it between different software versions later. As for real users looking at audit reports, hardly...
There are just so many ways of doing a crappy job that just tick a checkbox, as shown by "agile" in all sorts of places...
-
Friday 2nd June 2017 13:46 GMT Anonymous Coward
programmers are in India
Their support is also. I worked for 2 hospitals that looked into eCW. One in Billings gave up after 2 years trying to make it work for their clinics. The second hospital bought a small clinic that was already using their cloud-based version. I've had no good experiences with them. Trying to get an ADT interface to work from their EMR to Evident should be an easy task, except their sales team doesn't have a clue what they can actually interface, so when you finally get to the people you'll be working with, you learn it just won't work.
-
Friday 2nd June 2017 17:01 GMT Fatman
eCW 'troubles'
This bothers me as two of my doctors use it.
Both have 'encouraged' me to set up an on-line portal; and so far, I have not done so, out of concerns that once an on-line account is created it could be hacked.
But, I do like the idea that the execs get nailed for the fines, as opposed to the company. Now, if you really want to send a message, include a permanent ban on their being employed in the healthcare industry. Along the lines of how the SEC gets rogue traders thrown off Wall Street.
-
Friday 2nd June 2017 18:31 GMT Anonymous Coward
Not limited to just their software....
They insist on installing VNC on all workstations, which without the proper plugin is not encrypted. My experience with them was that they seemed to have a general disregard for complying with HIPAA regulation. There are probably a lot more violations outside of what was mentioned in this article...
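The unencrypted-VNC point in the last comment is something an admin can check on their own network without logging in to anything. The script below is an added example, not code from eClinicalWorks or from the commenter: it reads only the pre-authentication part of the RFB handshake (the version banner and the server's security-types list, as laid out in RFC 6143) and reports whether any TLS-capable type is on offer. Type numbers and names come from the RFB registry; the sample messages are constructed for illustration. Caveats a practitioner should keep in mind: "VNC Authentication" (type 2) is only a DES challenge on the password and leaves the session in the clear; VeNCrypt (19) is TLS-capable but has a plain sub-type negotiated later, so this check stops short of proving encryption; an SSH tunnel or a vendor plugin that encrypts outside the RFB security types will not show up here; and a server offering both TLS and cleartext types can still be talked down by the client.

```python
import socket
import struct

# RFB security-type numbers (RFC 6143 / IANA RFB registry).
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",                 # no authentication, no encryption
    2: "VNC Authentication",   # DES challenge on the password; session stays cleartext
    5: "RA2",                  # RealVNC vendor types: reported by name only
    6: "RA2ne",
    16: "Tight",
    18: "TLS",                 # session wrapped in anonymous TLS
    19: "VeNCrypt",            # TLS-capable; a plain sub-type is negotiated later
    20: "SASL",
}
TLS_CAPABLE_TYPES = {18, 19}


def parse_security_types(msg: bytes) -> list:
    """Parse the server's security-types message (RFB 3.7+): U8 count, then
    `count` U8 type numbers.  A count of 0 means the server refused the
    connection (a U32 length and reason string follow); return [] for that."""
    if not msg:
        raise ValueError("empty security-types message")
    count = msg[0]
    if count == 0:
        return []
    types = list(msg[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-types message")
    return types


def refusal_reason(msg: bytes) -> str:
    """Reason string the server sends when it refuses (count byte == 0)."""
    (length,) = struct.unpack(">I", msg[1:5])
    return msg[5:5 + length].decode("latin-1", "replace")


def classify(types: list) -> dict:
    """Summarise what the offered types mean for traffic on the wire."""
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    offers_tls = any(t in TLS_CAPABLE_TYPES for t in types)
    offers_clear = any(t not in TLS_CAPABLE_TYPES for t in types)
    if not types:
        verdict = "refused"
    elif offers_tls and not offers_clear:
        verdict = "tls-only"
    elif offers_tls:
        verdict = "downgradeable"   # client may still pick a cleartext type
    else:
        verdict = "plaintext-only"
    return {
        "types": names,
        "tls_capable": offers_tls,
        "offers_no_auth": 1 in types,
        "verdict": verdict,
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed connection mid-handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Run the RFB version exchange against a live server and classify it.
    Only pre-authentication bytes are read; no credentials are sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _recv_exact(s, 12)                  # e.g. b"RFB 003.008\n"
        if not banner.startswith(b"RFB "):
            raise ValueError(f"not an RFB server: {banner!r}")
        major, minor = int(banner[4:7]), int(banner[8:11])
        if (major, minor) < (3, 7):
            # RFB 3.3: the server dictates a single type as a U32, no list.
            s.sendall(banner)
            (single,) = struct.unpack(">I", _recv_exact(s, 4))
            return classify([single] if single else [])
        s.sendall(b"RFB 003.008\n")
        count = _recv_exact(s, 1)
        if count == b"\x00":
            length = _recv_exact(s, 4)
            reason = _recv_exact(s, struct.unpack(">I", length)[0])
            result = classify([])
            result["reason"] = refusal_reason(count + length + reason)
            return result
        msg = count + _recv_exact(s, count[0])
        return classify(parse_security_types(msg))


if __name__ == "__main__":
    # Constructed messages standing in for captured handshakes.
    for sample in (b"\x02\x01\x02", b"\x01\x13", b"\x03\x02\x12\x13"):
        print(sample.hex(), classify(parse_security_types(sample)))
```

Run `probe("workstation.example", 5900)` (hostname assumed) from a host that can reach the desktop; a `plaintext-only` verdict with `offers_no_auth` true is the case the commenter describes, and a `downgradeable` one still needs the client side pinned to a TLS type.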