by tyingq 2414 days ago
The central IT function in a US hospital also usually has little organizational power and funding. Admissions, radiology, etc, buy whatever hardware and software they want, and the underfunded IT department has to figure it out.
4 comments

This may vary by hospital, but in general many hospital IT staff tend not to be very good with computers, from my experience. Many are more focused on business/bureaucracy, or maybe they're just unskilled. I don't mean to attack their character, but instead to make the point that some very unqualified people are in charge of very important systems.

(Edit: My first job was hospital IT for a few months, and my boss was actually a pretty skilled programmer with a good grasp on security. So there are definitely exceptions.)

I imagine not many hospitals hire security talent either, or that they do much security beyond the "change your password" email every 6 months. Oh, and doctors/nurses/etc tend to ignore those emails.

Agreed with this. IT in hospitals is perpetually underfunded and basically a playground for creatures of corporate politics. Between administrative staff who think their medical credentials qualify them to micromanage IT decisions and perpetually under-funded departments, I'm actually shocked that their systems aren't regularly crippled or destroyed by malicious entities.

Don't assume your medical data is secure. Systems that conform to HIPAA regulations are just one part of their computing infrastructure, and it's trivial to maliciously access a huge surface area outside of those specific pieces of hardware and software--and once a malicious actor has that access, it's not too hard to cross the gap.

+1 to this and some other comments below. Our combination call/field technicians are actually quite experienced for help desk (min. 4-5 years' experience) but have been perpetually understaffed. We have to go through a staffing firm to hire people at a low rate to fill those ranks and then people wonder why they don't do well.

Upper-level IT management doesn't communicate with the team when large changes are made, and pretty much treats them disrespectfully, even though they have their fingers on the pulse of what's going wrong from the medical staff. There's also a lot of waste from poorly implemented/delayed projects (there are more PMs than IT staff to implement the projects). Definitely a frustrating and bureaucratic area to be in.

Not to mention that network security necessarily means limiting access, and getting that wrong in a hospital context can lead to wasted minutes and hours that can cause harm to somebody.
Radiology has gotten somewhat better. They might buy whatever they want, but the files tend to end up in a vendor-neutral archive with proper access controls.