Friday, February 2, 2018

What year is it? Oh yeah, 2018...

I never visit Doctors... I try to avoid them at all costs, in fact.

But alas, I have a Deviated Septum, and in order to finally and properly take care of it, I have to immerse myself into our wonderful world that is Healthcare.

RECENT TRIP TO DOCTOR'S OFFICE

Let me tell you about my recent trip to Doctor's office...

After making an appointment online, I get an email asking me to pre-register on some EZDoc site before coming in - I think to myself, "Awesome!! Finally the times have changed!" I submit my information and my appointment is confirmed.

I show up to the Doctor's office finally, and, what's this? They need me to fill out more (paper) forms. 3 more. My handwriting sucks, and I haven't held a pencil or pen in seemingly years (surely I am embellishing here). Authorization forms, yadda yadda, ok, I get that. I just wish it had been on EZDoc and I'd have been done already.

As I hand her the forms I realize they are completely unencrypted and likely will sit in some filing cabinet for the rest of eternity (or until they close up shop). Sigh.

Oh, they also need a copy of my insurance card, "No problemo," I explained, "I already uploaded it to EZ Doc." "Well, that is not our system," she replied. Crap. WTF.

OK, FINE, but it is an eCard I have in my Smartphone. She asks me to email it to her personal-but-officey-looking email address. Ok, well, whatever. Nothing that isn't already out there from some previous trips I'm sure.

By the time I get into the screening room, the Nurse pulls up my CT scan from 2 years ago (when I first figured this out). I never got the surgery and had been putting it off until now.

Ok, so I get that I gave her "authorization" to pull "my records" but nothing actually authenticated this. She just did it. Sure, she would be in legal trouble if I hadn't given authorization, but legality aside, it seems anyone can just pull anyone's records w/out any kind of intervention/authorization/authentication taking place.

So, I end up having to get ANOTHER CT scan and pay ANOTHER $250 because the first one "wasn't good enough." I saw the bill and it was over $1,000 for the 7-minute session and use of their scanning equipment. Luckily I only owed $250, but this is such a scam - anyways, that is a topic for a different blog perhaps.

Finally I hear from my Doctor's office again and they are scheduling the surgery. After a few days of mixups and a delay because my "insurance provider's systems were down all day," they finally get it scheduled. Next step? You guessed it! Register on some other site (SimpleAdmit)! More sighing.

I have yet to have the Surgery (Doctor only does them on Fridays), but hope the rest of this ordeal is better and I can get this done and move on with my life.

CONCLUSION

Living in the world of InfoSec and Security Operations, I have come to have very high expectations of products and services, and the security they provide. Maybe I am one of the few, but I guess my bar is just too high. Or is it? It is 2018, and we have been through an insane amount of Healthcare hacking tragedies already. Why are things not changing? Are folks waiting on someone else to take that lead?

You can almost think of Healthcare as Industrial Controls/SCADA - maybe even more critical, and certainly much more personal.

I fear many Healthcare organizations right now are making themselves more secure solely by hardening their systems, users' desktops, etc...

Have they forgotten about their Products and Services?? You know, those old Doctor's Office terminals that still run on WinXP and have the password right there on a sticky note (actually they had 3, and one was the WiFi password).

I'll leave you with one final thought, you know, just in case I end up needing some post-op painkillers or something. That is, companies like CVS are quickly becoming Kings of Customer Service. They have on-line prescription refills, no forms, no paperwork - it just works. Maybe they should open up their own Healthcare group?