
> Their #1 goal is saving people's lives, not messing with IT issues

Technically, profit tends to be the #1 goal, at least in the US. Consequently, this also drives a lack of investment in cybersecurity. Also, US hospitals have some of the most opaque pricing and billing processes of any industry that I can think of, which makes it much easier for them to recoup losses from patients that can't pay by shifting those costs onto the insurance provider and other patients who can pay. This is one of the reasons why basic things like bandages cost so much in an ER. Despite efforts to bring transparency to medical billing, hospitals are still resisting the push to publish pricing and explain their business models in more detail. We've become so culturally desensitized to the state of US healthcare that we're now just defending it as "we really can't expect hospitals to do any better than they are right now", and that kind of apathy really scares me.

As the healthcare sector continues to be consumed by private equity, I don't expect to see the situation improve. Again, it's all about profit; saving lives is secondary.



> Technically, profit tends to be the #1 goal, at least in the US. Consequently, this also drives a lack of investment in cybersecurity.

The UK's hospitals fare no better in terms of cybersecurity. This is about the culture of nursing / doctors / hospital administrators, which is largely shared between the USA and the UK.

This isn't a systemic issue that is solved by nationalizing health care like the UK did.

The USA health care system, culturally, is about saving lives. Whether our system matches it is another story. But the underlying people largely do the right thing.

------

I think the systemic issues regarding health care / infrastructure / investments are wholly independent of this cybersecurity issue.


> The USA health care system, culturally, is about saving lives.

With all respect, but as someone who has lived in the US after moving from the EU, I'd say it's first and foremost about making money. It saves lives where saving is needed, but I'd argue the vast majority of cases are outpatient and the culture is strikingly blunt about milking the patient.


Hospitals in the US are not especially profitable. Including federal relief, median hospital profit margin is 2%.

The whole market is so wildly distorted - starting with doctor education up through private insurance and government programs like Medicare and Medicaid - that simple answers like this totally miss the mark.


Agreed. Any simplistic statement like "the problem with healthcare in the US is [blank]" is evidence of someone that doesn't know very much about the many complex and interlinked issues. Likewise, someone thinking the system can be fixed by "just doing X" is also being reductionist.

The pandemic showed a number of areas in healthcare where people were generally ignorant. For example, thinking that hospitals have tons of reserve capacity to handle extraordinary events. Even well before the current situation, (community) hospitals tended to run at about 80% occupancy. Far from being a profit consideration, even the Department of Health and Human Services mandated that hospitals had to run at least 55% occupancy, or they lost benefits.


The pandemic is a bit unusual in affecting everyone at once. For a local or regional problem, staffing wouldn't be as much of an issue because workers can travel. (For example, traveling nurses.)


> Any simplistic statement like "the problem with healthcare in the US is [blank]" is evidence of someone that doesn't know very much

But who made such a statement in this discussion?


> that simple answers like this totally miss the mark.

I am not providing my "answer" to the US problem, I am merely noticing how strikingly different an approach healthcare has here, so I reject your insinuation.

To be honest, I don't need to care who's making how much money to make a point – all I know is that from my perspective, at the end of the day it is about milking the patient and it differs wildly from the general EU experience.


Profit in this sense likely refers to the value of the hospital (or greater provider network) rather than simply their EBITDA or whatever.


If profit were the primary motive, wouldn’t you expect non-profit institutions (both healthcare and otherwise) to be in much better shape from a cybersecurity standpoint? E.g., is there evidence that a large non-profit healthcare system like the VA is substantially better at cybersecurity?

While profit no doubt impacts the decisions, it doesn't appear to be the primary driver of cybersecurity lapses.


I wouldn't. Both goals, maximizing profit and achieving a goal on the minimal possible budget, end up cutting costs in places that aren't immediate blockers, which is where security lies. In my experience, security is a focus at places, either non-profit or otherwise, in one of the following situations:

* The organization has one or more squeaky wheel employees that force everybody else to consider security where they wouldn't otherwise.

* The organization or another in the same industry has already had a very painful security breach.

* Security itself is part of the selling point.

Non-profits are slightly different, but they still experience many of the same problems because the goal is still getting the most done on the budget you've got.


Yeah, I can see that. I think you're right. But that feels more like the "cultural" point (i.e., different perspectives having different priorities) than the specific claim that "profits" are the driver.


> If profit were the primary motive, wouldn’t you expect non-profit institutions (both healthcare and otherwise) to be in much better shape from a cybersecurity standpoint?

I will respond to that partially: where profit is not a primary motive, i.e. in countries where healthcare is public, it tends to be centralized at the federal or regional level, and, as such, much of the IT and cybersecurity is a lower, shared cost incurred by the government.

Taking my native Poland as an example, there is a single country-wide portal available for patients (http://pacjent.gov.pl), as well as a single, centralized API for doctor/hospital software (https://cez.gov.pl/interoperacyjnosc/interfejsy/) and a bunch of helper systems (https://cez.gov.pl/projekty/nasze-systemy/project/rejestr-as...). Naturally hospitals would have their own 3rd party systems, etc., but the tendency is to unify everything, which logically reduces the number of attack vectors.

Hopefully someone with a better experience in the field can attest to that.


So if I understand your point correctly, it's not necessarily that removing the profit incentives directly improves the outcome, but rather that the improvement is attributable to a better economy of scale?


There is a lack of cybersecurity investment in almost every industry. The issue is that the executives making the decisions 1) usually aren't knowledgeable about cybersecurity and 2) don't justify the investment because it's not something they can physically point at and take credit for.


The Economist proposed a solution: tie cyber-security incidents to the stock market. The approach proposed was something akin to "have someone count and display the incidents of each company and their blast radius". I'm not sure if this would actually work.


The other capitalist option is to make cybersecurity insurance mandatory, and impose high fees both to reimburse victims and to fund some government watchdog/agency (yes, government watchdogs and capitalism can co-exist). Then, it will be in the insurer's best interest to have clients with adequate cybersecurity implementations, and the market can sort it out.

At the same time, we should make sure that any insurance company that chooses to pay the criminals instead loses their license to operate.


I think that the moral hazard associated with insurance would just make the problem worse.


The US healthcare system cannot be primarily about saving jobs or the AMA would not have ever lobbied to restrict residencies to prevent a glut of doctors.

Since the AMA is an organization of medical professionals, one must conclude that it reflects their position: protectionism for their field.


In that case it is a culture of low salaries and tech being a support function. Governments aren't paying market salaries for tech and are not willing to have highly technical people in many leadership roles.


Many governments aren't willing to have highly technical people in any leadership roles. I've worked with government IT departments before where 100% of management (not an exaggeration) was non-technical, as in had never been a developer, sys admin, or any type of engineer. From the front line managers the whole way up to the "CIO."


Oh I get it. I was a government dev too and sometimes (I went through 3 managers in a year once) we had non-technical management too.


I certainly agree with much of your attitude toward American hospitals. But I don't think dragontamer's point had anything to do with greedy American corporate hospitals. So mentally substitute "community-owned co-ops of small rural hospitals out in farm country" if you need to.

The point is, just like it says in the Preamble to the U.S. Constitution - "...insure domestic Tranquility, provide for the common defence..." - that protecting everyone from large-scale, organized, high-skill malicious activity is a bedrock function of any national government. NONE of the hospitals, water treatment plants, small corporations, city governments, ordinary citizens, etc. should need to worry about high-cost, high-skill self-protection against ransomware groups - any more than they should have to hire and equip private security forces to protect themselves against mafia enforcers, Russian paratroopers, or missiles launched from North Korea.


So… the USA needs a cyber-force! And if mass media manipulation is a problem, perhaps even a psy-force.


It's true that domestic orgs should be guaranteed peace and stability at home on American soil. But the US government only guarantees you and your property/business interests to a limited degree abroad, and domestically as well.

Banks and stores in the US routinely employ private security. There is no reason why the US public should foot the entire security bill of Tiffany's or CVS.

The US gov should have defensive and offensive cyber capabilities deployed strategically to assist and deter, but Uncle Sam can't babysit each and every IT vendor or client.

The US gov also needs to hammer shit IT practices and make it too expensive for bad guys to do harm and too expensive for "good guys" to be morons.


Para. 2 - Yes...but notice how few people or organizations need private non-cyber security. And even when they do, it's usually a tiny number of modest-training, modest-pay security guards. If half a dozen bandits with automatic weapons started robbing a Tiffany's - is Tiffany's expected to have (or foot the bill for) a security team armed & ready for that? Or would public (city / county / state) law officers be expected to arrive ASAP, and take over?

Para. 4 - Lordy, yes. Though that needs to be competently done. Starting with setting up a computer version of Underwriters Laboratories - that could drive the sellers of Internet of T*rds crap out of business (at least in the U.S.), revoke Experian's right to operate a database full of sensitive financial information, etc.


Most hospitals are non-profits.


What about those that are non-profit? You can refuse to do business with for profit hospitals. Getting rid of the for profit does more harm than good, especially for underserved communities.


There are many "non-profit" billion-dollar hospital chains in the US.

A few examples:

Ascension Health - $5.7bn net income on $27bn revenue in fiscal 2021 [1]

Cleveland Clinic - $1.3bn net income on $6bn revenue in H1 2021 [2]

Mayo Clinic - $728mn net income on $14bn revenue in 2020 [3]

"Non-profit" doesn't mean they don't like profits just like corporations. It's a designation meaning no shareholders, as in money made by the organization stays within the organization.

1 - https://www.fiercehealthcare.com/hospitals/ascension-latest-...

2 - https://www.beckershospitalreview.com/finance/cleveland-clin...

3 - https://www.beckershospitalreview.com/finance/cleveland-clin...


I like the term "not-for-profit" rather than "nonprofit" as I think it more accurately captures that while the primary goal is not profit (unlike a traditional corporation), it does not mean that they don't make money. Pedantic, perhaps.


It should be easy to avoid for-profit hospitals as well, since non-profits outnumber them about 2:1.

https://www.aha.org/statistics/fast-facts-us-hospitals


You don't get all that much choice in hospitals. In an emergency, you go to the nearest. Otherwise, you go to the one your insurance/doctor are affiliated with.

Sure, some places have two (or more) hospitals in the region, but often there's only one and the choice is just go or don't go. It is one of those areas, like utilities, where it really is _not_ a free market.
