191 comments

[ 3.3 ms ] story [ 229 ms ] thread
The absurdity is painful. That in a wealthy nation people can be unable to access medicine because the system for deciding who will pay how much for it is unavailable. Absolutely grotesque.

The hack isn't the problem. The system that privileges access to medicine is.

I mean, even on a good day, the people who need drugs can't necessarily access them. Can't wait for the system to come back up so I can find out another important medication isn't covered.
That sounds like it is still part of the system that privileges access. In a sane world, you have the option of paying the seller for the thing you want, then they give it to you.

That is a big part of what makes this crazy. People are in an insane system where they can't pay for drugs. Then the system goes down and they really get into trouble.

[flagged]
Right, equitable access to medicine means everyone pays a zero, or trivially affordable price, that's the same regardless of who they are and regardless of what the medicine is. In the UK that is £9 maximum - free for many.

P.S. vouched your gp comment back to life.

I'm not sure this is the message of this story. There are tons of computer systems involved under single-payer systems.
I agree that the hack is the problem, but a single-payer system would mean the moving parts of the distributed system are less complex which means it's easier to manage. Just having fewer corporations involved means fewer boundaries between systems which means it's less likely to break.
But none relating to payment or ability to pay. In the UK, medications are dispensed without checking whether a person is eligible for free prescriptions. Anyone can collect a prescription medication without paying by claiming an exemption (e.g. being on low income, pregnant, etc.) without proof. The pharmacist can also waive the £9 fee for a prescription. There's never a situation where not being able to figure out the paperwork prevents medicine being available.

The prescription system itself could be compromised, in which case everyone in society would face the same issue (which would be mediated by the fact that paper prescriptions are still produced, and a pharmacist can telephone a prescribing surgery). Only a supply chain attack would really cripple the system.

Presumably even in a single-payer system, you still need just as good of an accounting of costs and care provided. The data needs are all still there, just fewer parties are transacting.
Absolutely. But in the UK, Ireland, Germany, New Zealand, etc... nobody would be refused their medicine because the payment system didn't work. Even if the computers didn't work.

In the USA, people can and do die because there's a financial barrier to accessing medicine. Not so in countries that care about people.

> But in …Germany…etc... nobody would be refused their medicine because the payment system didn't work. Even if the computers didn't work.

If the computers didn’t work, it would be incredibly painful in Germany because most pharmacies don’t regularly stock most prescription drugs. They’re often ordered from central warehouses on demand - i.e. if you walk in with a prescription for Xanax in the morning, you’ll typically need to come back in the afternoon to pick it up.

That ordering process is entirely digital. If you suddenly switched to paper forms, phone calls, and faxes, it’d be a nightmare.

I have never experienced that problem. I've had my prescriptions filled without having to wait for stock dozens of times in Berlin.
It's not really a "problem" because you can usually get them the same day, but I can assure you that it's a thing, especially if you take controlled medications like Methylphenidate.

An even more fun quirk is that because different pharmacies seem to use different distributors, you'll sometimes have to hop around until you find one whose distributor has whatever your medication is in stock. I once had to go to four different pharmacies in Mitte before I found one that could order Zolpidem.

Methylphenidate is exactly what I take - strange and interesting that we have opposite experiences, but in Xberg I never had a problem
Polish person here, this is very true. Our prescription system is extremely centralized, there's no such thing as a paper prescription any more. When a doctor gives you a prescription, you get a four-digit code. The prescription can be redeemed at any farmacy by giving them the code and your national identification (PESEL) number. If this system goes down, there's no access to prescription medication, to anybody, anywhere in the country, period. Even an emergency government authorization to use paper prescriptions wouldn't help here, as a lot of people are on "long-term" prescriptions. They go to a specialist once a year or so, get a prescription for a year's worth of drugs, and then go to the farmacy every month to get their monthly refill. There's no way we have enough doctors to get all the long-term prescriptions correctly and quickly re-issued on paper when the need arises.
> There's no way we have enough doctors to get all the long-term prescriptions correctly and quickly re-issued on paper when the need arises.

In the US, prescriptions with refills have a label on the bottle indicating how many refills left. I imagine in a recognized crisis, you would be able to get those refilled with little trouble, maybe even if it said zero refills as long as it was a drug typically used long term and not a drug commonly abused.

> label on the bottle

We don't do that. You just get a box and that's it.

You could print a label that is stickied onto the "retail" box.
This is usually the case in the UK, at least at major pharmacy chains. It’s definitely convenient (similar to the US-style bottles) for traveling to easily indicate that any medicines you have are on prescription in your name.
This is true re electronic prescriptions. It’s an awesome system that works like a charm.

However, paper prescriptions still exist and can be used in a pinch. I had a doctor write one out for me a few months ago. He did not have access to a computer but had a pad and his stamp on him.

Keep in mind that this electronic system came online a few years ago. Most doctors have issued paper prescriptions longer than electronic prescriptions.

It’s a bit dramatic to say that there is no way to get them to do it again if the need arose.

Sounds like the real crisis is that it costs a tiny bit more money doing it the old fashioned way.
I hope I did not give an indication that it costs more money doing it the pen-and-paper way. There is no cost involved to the patient. Is not know about the doctor but I presume it’s free issuing a prescription either way.
Perhaps it's possible for the public to outbid the parasite's owners and pay the ransomware group to just shred the entire operation. As companies become ever more virtual, the corporate death penalty ala Fight Club or Mr. Robot seems ever more plausible.
Something between John Oliver burning $15M in medical debt and Tyler Durden with vans full of nitroglycerin.
They will be pack if you pay. The only safe payment is in fbi tracked money. then track the guilty down and put them in prison (or what ever reform program). If the country they live in won't give them up that is an act of war and send NATO in.
In practice, cyber attacks dont seem to trigger even discussion of article 5. It will be interesting to see if we reach a state where they do
There was a discussion of including cyber attacks as military action before 2020 among NATO leadership, iirc.
Wasn't a hot news item some 4+ years back that US decided to include cyberattacks on the list of acts that potentially warrant nuclear retaliation?
You might think about geopolitics a bit too much if you reach for article 5 because of cyber crime, maybe a bit too much wargaming in your head, things are kind of tense these days and I dont think invading a country would be an appropriate or mature response.
This is a war, just a cyber war.. these groups are russian backed.
Every nation does this? When I lived in a universal healthcare system I had to show my healthcare card to get medicine. Prescriptions were transmitted electronically.

None of this is unique to the US.

Having to show identity documentation doesn't rely on a payment processor. Prescriptions in the UK (and other places - Germany for example) are electronic by default but can be made out on paper and verified without a computer.
Same in Ireland. My doctor can send it electronically to a pharmacy but I can take my paperwork to any pharmacy to get it filled.
It's not showing an identity document, it's "our systems aren't up so I can't fill your prescription".
How many countries allow a single company to monopolise it?
Are you suggesting that single payer systems have multiple, redundant IT systems in place with different vendors?
In germany I get a piece of paper and bring it to a pharmacy most of the time... It has worked when my phone was out of charge, when the pharmacy had Internet problems, etc.
One the primary goals of any - and indeed every - medical system is to ration resources. Which is to say to privilege access to medicine. When we talk about medical care access, we tend to talk around this, but it's a needed part of any system. Any system that doesn't do this quickly learns, institutionally, that without some limiting mechanisms in place the system will be overwhelmed and its resources exhausted.

Obviously some approaches and systems work better than others and are more tolerant to some kinds of faults. Unfortunately, none of this gets away from the absurd, insulting, and grotesque reality that care has to rationed somehow.

> One the primary goals of any - and indeed every - medical system is to ration resources.

We can fix this. Essentially, every smoker, every alcoholic, and every obese human immediately goes to the back of the line.

No need for this convoluted bullshit of a system.

Firstly, that is still a convoluted bullshit system for rationing healthcare. Logically you'd have to assign some sort of worthiness score to every activity that matters then track everyone to figure out their score and stop them lying to get to the front of the queue. Even if you literally only mean these 3 things, you'd have to track smoking and alcohol consumption. I doubt that'd be enough to effectively ration healthcare though, since the resource demand is practically infinite.

Secondly, you're inviting some really complex moral and political arguments. There have been worse ideas than linking healthcare to a political assessment of lifestyle, but I suspect it'd be up there in the same orbit as communism, genocide and slavery. It is hard to see it ending well once the politicians start to disagree on the healthiness of people's lifestyles.

I dunno, in some ghoulish sense it might be the next logical thing for the US to try. Why stop at merely bad ideas?

The Affordable Care Act (Obamacare) does allow health plans to charge higher premiums to smokers. Implementation varies by state. I'm sure that a lot of plan members just lie to avoid the surcharge.

https://www.kff.org/faqs/faqs-health-insurance-marketplace-a...

That doesn't put smokers at the back of any queues. They still get resources roughly in line with the amount of money that they have.
The absurdity of people defending possibly the worst system of rationing healthcare on the planet will never grow stale.

I suppose straight up denying healthcare based on class would be worse. But such a system would actually afford its customers the dignity of honesty.

I'm sorry, I can see I have been unclear. I am in no way defending the worst system of rationing healthcare on the planet. It's awful, horribly, abominable, and must be changed to include some basic fucking humanity.

I'm saying that rationing is inevitable and our thinking about health care systems needs to account for that.

> I'm saying that rationing is inevitable and our thinking about health care systems needs to account for that.

I understand there are utopian arguments for healthcare, but where is the demand to respond to them?

I am in no way condemning the individual response to this I'm just earnestly curious where this impulse comes from.

Because, arguably, vast majority of people - in other words, public opinion, or vast majority of voters - don't understand that healthcare has to ration scarce resources too. Healthcare being a right is a nice, feel-good slogan, but does little to address resource scarcity or system inefficiency.
Dismissing basic, reasonable expectations as "feel good slogans" is a smarmy tactic to distract from wealth hoarding.

The sky is the limit with what humans can do, but under late stage capitalism, it boils down to the preferences of those who control the system, and nothing more.

https://nymag.com/intelligencer/2022/03/how-asset-managers-h...

Healthcare rationing has historically been even more severe under non-capitalist systems.
Which would be a poor comparison in this context given what the linked article spells out:

We already have a centrally planned economy, but it's only for the wealthy.

> Healthcare being a right is a nice, feel-good slogan, but does little to address resource scarcity or system inefficiency.

I don't think these are contradictory concepts, nor does this do much to justify the objectively atrocious method we currently use to ration healthcare. Every dime of profit could have gone to healthcare—that's not rationing, that's just unnecessary and easily preventable cruelty.

I guess increasing supply isn't profitable enough compared to artificial scarcity.
Every healthcare system I've ever encountered, read about, or heard about has some kind of rationing. This is apparently independent of questions of profit or non-profit, private or public. Socialized, not-profit-driven healthcare systems also have to ration resources somehow.
It's certainly a constraint of any medical system but not a goal, primary or otherwise. The goal of socialised medicine is to provide medical care equitably to everyone who needs it - to assign that as a right. Care only has to be rationed to the extent that resources are constrained below what is required to meet the need. And all of that is orthogonal to a system like that in the US, where care is a luxury not a right.
How do you define "need"? We certainly should do better at improving access to affordable care and eliminating inefficiencies. But need for healthcare is essentially infinite for patients with serious chronic conditions or near end of life. And as the population becomes older and more obese that will be an increasingly larger share. We just don't have the resources to pay for everything regardless of where the bill goes. Care rationing in most developed countries will only get stricter.
The problem is not that the ransomware attackers attacked. It's the fact that $10 says they've been systematically underinvesting in security and nows it's biting them in the a*. But it doesn't matter because they've basically managed to be come a monopoly through acquisitions and using the bludgeon of government regulation to ensure no competition occurs.

The next step is to move to declare this critical national infrastructure and create all sorts of new obtuse rules and regulations that will be in the name of security, but will mostly be theater and whose only real effect will be to create tons of new "compliance" jobs by low skilled morons who couldn't cut it in a real security job and whose primary job will be preventing actual security and sapping energy from anyone who builds things, because "it's not on the checklist".

Not to mention the dozens of new vendors who will pop up soliciting a product that will promise to ensure customers are in complaince with the new regulations.

Meanwhile Joe blow will still be unable to get his prescription filled and have his personal health data stolen and sold all over the black market.

> $10 says they've been systematically underinvesting in security and nows it's biting them in the a*. But it doesn't matter because they've basically managed to become a monopoly [...]. The next step is to move to declare this critical national infrastructure and create all sorts of new obtuseness rules and regulations [...]

There really only need to be 3 for critical infrastructure.

#1 - Patch your shit according to industry standards, and have documented audit records that you've done that in a timely manner.

#2 - You're fair game for NSA and DoD offensive pen testing. Failed pen tests are responsibility disclosed, then reported to the market after delay.

#3 - So goes CISO, so goes CEO. Along with a ban from leadership roles for a number of years (5?).

The issue is that the CEOs of these companies hire fall-on-your-sword guy as CISO, ignore the issues / listen to their CISO glossing over deficiencies, then claim breaches came out of nowhere, fire the CISO, and repeat business as usual.

It's not going to change until CEOs have a realistic expectation that deficiencies will be found and personal consequences when they are.

There is literally no point to "investing" in modern commercial IT cybersecurity. It is all a bunch of useless junk that is incompatible with creating systems with any meaningful security. The big banks are spending hundreds of millions to billions of dollars a year on that junk and their cybersecurity teams know they can not even stop small teams with a million dollar budget. Literal kids fresh out of college at the banks manage more money than that.

That is literally the case across all industries in every field in every area with big tech being no exception. Almost certainly everybody you have heard about does not and has never had the slightest clue on how to protect against economically motivated, professional criminals; the kinds of attackers that are now commonplace and are expected to attack every commercial system in the modern threat landscape.

This is not a problem of underinvestment, it is a problem of structural incompetence. Systems need to verifiably survive red team pentests with multi-million dollar budgets with exactly zero discovered vulnerabilities before we are even in range of reasonable solutions. Any standard lower than that is inadequate to demonstrate resistance to commonplace attacks and is not even worth discussing.

There are two kinds of security.

Nearly all of corporate America practices security by checklist and certification. This is not real security, it’s just CYA for careerists and legal challenges.

Actual security is hard and almost no one does it. The people capable of it are rare and expensive. They’re probably not jumping at the opportunity to work at Optum for $80,000.

And who does actual security? Certainly not Google, Apple, Microsoft, Palo Alto Networks, Crowdstrike, etc. If that is who you were going to bring up, none of those companies has ever developed and deployed a usable system secure against even middling adversaries with only a few million dollars of budget.

You will find exactly zero people at those companies who would be willing to bet their job that a small team of say 3-5 skilled offensive specialists specifically targeting them and willing to expend a year of fulltime work (i.e. a few million dollars worth of personnel cost) would not be able to completely compromise any usable system they designed.

Exactly zero of the recognized names can protect against economically-motivated professional criminals targeting you. All they even claim to do is make you the ROI of attacking you go from the industry average of 100x to a still wildly profitable 10x under the "You don't need to be faster than the hunters, you just need to be faster than the other dodos" theory. Unfortunately, that theory does not work when the hunters keep bringing more of their friends to eat mouth-watering dodos. I mean, the cyberattacks have only been increasing by like, 500% YoY for the last 10 years. Exponential growth that slow means you can keep outrunning the hunters for like 5-10 more years until they eat everybody.

This economic projection-simplification doesn’t sound right to me.

Even if $1M gets you a successful attack, doesn’t mean that the next $1M will. A strong security culture patches up holes and reduces the surface area and damage radius over time.

I agree there’s a ton of snake oil. Most of it is. I agree that actors like Google and Apple also have 0days and will continue to have them. However, there’s still a massive difference between not giving a shit and a strong security posture. Some industries (most?) are in the former camp. They’re the ones who grinds to a halt from WannaCry and friends.

If the audit was only run once as a exploratory measure, then you are correct, but that is not the case. If you run a audit intended to detect defects at the 1 M$ level 10 times and literally every single time you find truckloads of defects then you have statistical evidence on the quality of your processes.

As a simpler example, suppose you did a firing test of a bulletproof vest and the bullet went right through. They patch that up and then you fire again and it goes right through. They do that 10 times and literally every single time it goes right through. You can conclude that those failures were not a fluke, their bulletproof vest is just garbage.

To use a slightly more complex variant, suppose they had bulletproof vest version 1 and during acceptance testing the bullet goes right through. They go back to the drawing board and produce bulletproof vest version 2 claiming it is bulletproof and then the bullet goes right through again. They do this 10 times and literally every time they claimed it was bulletproof and every time the bullet goes right through. You can conclude that their engineering or validation processes are garbage and, additionally, you can only trust them as far as you can throw them. Until they conclusively demonstrate robust protection against bullets in representative tests their products and "expertise" should be ignored.

The thing in the cybersecurity industry is that they fail the audit every time across all fields across all products across all systems. This is not a one-off case where a company has never done it before and they failed once so it might be a fluke or they can improve. This is everybody doing thousands of audits each and literally every single one of them has never once demonstrated a defect rate better than the low M$ range no matter how many changes or "improvements" they make. And the entire time they have been issuing deceptive marketing making people think they can. That is about as clear cut statistical evidence of industry-wide quality control failures as you can find in any field.

Just for reference, this is extremely abnormal in other industries. Only in cybersecurity and software are poor quality control and validation processes so rampant that obvious global process failures are viewed as just the way things are done. Yes, some parts of the software industry are even worse, but even the "best" parts are laughably inadequate. Engineering is not about subjective evaluations like better, it is about objective evaluations like fit for purpose. And commercial IT cybersecurity fails that with a resounding no.

Thanks for following up.

I agree, however say Google and Apple have very few of these despite being disproportionately targeted. Doesn’t mean they are doing enough. But it sure as hell makes a difference. In ~15 years my gmail has never been leaked or hacked. That’s better than having an unprotected DB leaking every customers credit score, like we’ve seen.

Certainly this audit-, certification- and checklist based security is a joke. Security isn’t a patch-work. It’s not separable from software development, and cannot be a separate process/workstream either (a thousand faint gasps ring out from middle managers across the enterprise world).

Anyway, I’m rambling. I guess I wanted to say that I’m optimistic for the long term. We’ve already made some significant progress in the last 10 years, for the better. I expect that to continue slowly.

Its not just presciptions. Its eligibility , claim submission, prescriptions, etc.

This is really affecting doctors and patients. Patients are not getting the drugs they need or the authorization for a critical procedure. Doctors' cash flow is interrupted.

A lot of admin workers are backed up, and that itself is leading to problems too.

Why the backup? Its not just electronic data exchange being offline. Its that everything is now "going to paper" (submitted hard copy) which requires humans. Those humans used to take care of the actual work. Now they are stuck shlepping paper from A to B instead.

I submitted two links explaining this in more detail yesterday

https://news.ycombinator.com/item?id=39561697

Brief summary of the situation (as of 3/1)

Impacted services:

-Electronic Prescriptions -Several Patient Record Sharing (PRS) systens -Claim Submission -Prior Authorization Appeals -Almost everything involving Fax + UHC

Restored services:

-Electornic Prior Authorizations (ePA) submissions -Real-time benefit checks

Sometimes this kind of event is the trigger to design a more human-efficient process.

For example, if it goes on longer, the FDA might allow the majority of drugs to be sold directly on online marketplaces like Amazon without a prescription. That would remove a huge amount of paperwork and doctors appointments for a massive number of people.

Let's be honest, the majority of prescription drugs don't have an abuse risk.

Nah. We wont even allow people to import drugs from canada. Meanwhile, canadians are the nicest, most honest people you will meet.

You have a positive outlook and that deserves kudos, but its not going to happen, at least in relation to the current fiasco.

The pharmacy lobby is too strong.

> We wont even allow people to import drugs from canada.

This seems false based on countless anecdotal experiences and various sources online [1]. Individuals with a valid prescription can have that (once issued by a Canadian/provincial licensed professional) filed and bring it with them or have it shipped through online marketplaces that integrate most of these steps.

Suppliers importing from other countries seems to still be illegal although Florida seems to have recently passed a law and received FDA authorization to do this for some drugs [2].

[1]: https://www.singlecare.com/blog/ordering-medications-from-ca...

[2]: https://www.kff.org/policy-watch/what-to-know-about-the-fdas...

There might be some risk with idiots taking z packs for colds and creating more super bugs but there's definitely less stupid ways of doing this.

People who take critical stuff regularly usually have to ration drugs so they have a store in case of emergencies. If you travel somewhere and you forget your life saving drugs you then have to spend a good chunk of your trip grovelling to the pharmacist and doctor (depending on the drug) to get an emergency refill if the drug is even available in that location. The whole system is bonkers.

i have to do this rationing, i skip a dose a couple times a month to slowly build up a reserve, it came in handy on multiple occasions where insurance was holding up meds.
"Let's be honest, the majority of prescription drugs don't have an abuse risk."

It is absolutely disgusting, that you need a prescription for pharmacy items. There is nothing better than going into a pharmacy and just being able to buy what you need. Never had any problems in Colombia, Brazil, Russia and rarely in China.

What about people without health insurance?

  > What about people without health insurance?
Are you suggesting that these people do not see doctors and self-diagnose? I could see an argument that making the drugs OTC without prescription may do this population more harm than good.
That's a good point, but honestly I don't know what the net effect would be.

Remember that in the US, drug companies market to patients, even though it's the doctor that must prescribe the medication. In other countries, this is illegal.

Maybe the barrier of a doctor's visit is not so relevant. Or, maybe it's what prevents things from becoming completely unhinged...

> in the US, drug companies market to patients

Really? Why?

In some sense, they are a company like any other, why restrict their ability to advertise?

Then again, its not exactly good intentions that got us here.

In the US there is advertisement for drugs. You have symptoms XYZ? You might have disease A. We can help. Talk to your doctor for medication B.

In many countries, this is forbidden.

It's easier to say "talk to your doctor about X" than get attractive pharmaceutical sales reps to convince doctors about the same drug's efficacy with a pamphlet.
There's a gradient. There's definitely a number of things that are prescription only for... unknown reasons. My low dose statin requires a prescription, even though I can get roughly 4 months worth of it at a time. Even its side effects are not extreme. But it forces me to interact with my doctor occasionally just to get a repeat.
"Are you suggesting that these people do not see doctors and self-diagnose? "

Ah. Yes. What is the alternative if you can't afford a doctor?

" I could see an argument that making the drugs OTC without prescription may do this population more harm than good."

Please die for the greater good. I pass.

I have no idea what other people need. Beta blocker? Metformin? For a start, I would like to have every cortisone based product (cream, tablets) OTC and antibotics too.

In some countries, you can't even buy an antibiotic cream or hydrocortisone cream OTC. In Brazil, I was damn happy that once I could get antibiotic eye drops and once an antibiotic for the ear (drops).

Hey, in many countries you can even buy Viagra OTC. A buddy asked me to bring some for him from abroad.

> Are you suggesting that these people do not see doctors and self-diagnose?

Yes! Over-regulation cost lives. See Canada, people dying because can't see doctors. Most of prescription drugs are gatekeeper for no reason, they are not 'drugs' there is no reason for that.

Meanwhile typical Montreal health-care interaction:

1. Call your doctor - next appointment in 1-3-6 month

2. Wait till it get bad enough, go to emergency room.

3. Wait and cry there for 6-12 hours, get morphine, see a specialist, get a prescription, go home.

Since my conditions are chronical I should be able to get my meds easily, but nooooo, let's gatekeep everything and make people suffer and die.

See https://globalnews.ca/news/10148872/quebec-er-patients-death... for proofs.

This is what Mexico does, and it works fine.

There are no prescriptions in Mexico.

Medications which are scheduled controlled substances (amphetamines, codiene, morphine, etc) are sold directly by hospitals. There really aren't many of these, and hospitals already have to stock most of them for surgical use.

Everything else is cash over the counter.

And pseudoephedrine is illegal because of pressure from the US.

I'm glad pseudoephedrine is legal where I live. Once in a blue moon, if I need it, I can get it.

Is it illegal in Mexico because meth comes from there in significant quantities?

It's illegal in Mexico because the US put pressure on them.

The US said "you need to stop selling this without a prescription system". So Mexico stopped selling it entirely.

That's crazy. I can but it over the counter without a prescription.
Not without showing ID, you can't. And the ID tracking system is part of the prescription system, even though there's no doctor involved.

It's why you can only buy pseudoephedrine from pharmacists.

What about drugs that can have harmful interactions with a person's other health conditions or other drugs that they are taking? A big part of the role doctors and pharmacists in the prescribing process is to guard against this. Are ordinary, non-medically qualified people really supposed to navigate this on their own?
Ordinary people can and do in many places. Pharmacies can still employ pharmacists who will advise you or ask questions if you’re something risky that may interact with others. You can always check with a doctor before hand. Most medicines don’t have significant interactions and those that do you will usually be warned to check about by both doctors and pharmacists.

A lot of “safety” concerns is just FUD spread by a system that wants to preserve itself.

If you have humans in the loop, they're going to make mistakes. Pharmacists and doctors also have bad days and forget things. People are their own best advocates and caretakers.

If there's a database with contraindicators, make it public, let people search it, require packaging to inform the public to search the database for contraindicators for their own safety before taking the drug. If people are really unsure, they can decide to engage a doctor or pharmacist instead of being forced to engage a doctor or pharmacist.

Doctors are navigating interactions in large parts by database lookups anyway - there are websites where you enter drugs and get a list of possible interactions. Those could be made available to patients too (the one I saw a doctor in my family using is provided by some medical website and softly gated "for doctors use only").
Natural selection will eventually handle the crowd of people who take random drugs without considering possible interactions.

Hardware stores also sell many things that will kill you if used incorrectly. We can't have the world revolve around the least capable of us, it's holding everyone back.

If doctors and pharmacists were effective in preventing all adverse interactions, we wouldn’t have those “don’t take ADVERTIX if…” disclaimers in US drug ads.
(comment deleted)
Are prescriptions required for antibiotics?
Nope.

And the world has not imploded.

There's a lot of chicken-little-ism around the prescription system

Yea, this screams multi drug resistant infections.
there is a system diagram of roles; this system serves several purposes at once, some of the roles accelerate or benefit from, different purposes; there is so much money involved that the money becomes a driver aside from intended purposes.

The system is being attacked / interfered with, almost certainly over the money parts.

Patients using the product are by definition not reliable for self-prescribing (argue against this all you want, there is a lot there)

Specialization has risen profoundly in the digital age. Even full time MD's do not know all the aspects of the prescriptions; even full time pharmacists do not know all the medical case context; patients know almost none of this as a whole, though the have intense incentives to think they do, or try to, to varying degrees of success.

A suggestion of "just let the markets and customers work it out" is unwise at the least, and certainly will bring unintended consequences. The current system is overly gamed and now failing outright. What to do? just describing a problem space here..

> Its that everything is now "going to paper"

Is it wrong of me to hope it stays that way?

Yes, frankly. It results in terrible outcomes for basically everyone, which ultimately hurts patients the most.
Does it? My impression is that going paperless actually made doctors stop doing medicine and start spending 90% of visit time doing bullshit e-paperwork.

(Yes, I know it's not bullshit - it's so that right insurers get billed. The most important part of medical art.)

(comment deleted)
This is frustrating given the humans affected

I always find it interesting how some Russians seem to understand our system better than we do, and we collectively seem to know so little about theirs for the same level of fun and profit

Expect more of this with the heavy downward pressure on offshoring jobs too.

Until there are hefty fines on these companies (to the point of forcing public ownership of it if they continue to fuck up) then these issues will continue.

(comment deleted)
They only need to find one vulunerable part of the system to understand not the full system.
Cyberattacks like these deserve the same kind of government response a terrorist attack gets.
> the same kind of government response a terrorist attack gets.

Has that particular kind of response ever achieved anything?

(Anything germane to the concern at hand, I mean - of course it has often achieved enriching well-connected contractors and such)

Has looking like a sitting duck ever achieved anything besides making you look like a good repeat target?
You think invading countries is a plausible way to stop people from cyberattacking the united states? How many people would you say youll have to kill?
Nobody is talking about invading countries, you don't need to do that to retaliate against a handful of people
What does "send nato in" sound like to you? Do you think other countries are cool with you violating their borders?
This fits the bill for terrorism in my mind, it is an intentional act to directly affect the people of a nation, and if it causes even one death it becomes way more likely the law will see it as such. Who knows when (one of these events will eventually cause a response from fed) cyberattack becomes synonymous with terror attack, though. Could be this one, could be the future (hypothetical) attack on Fox News or CNN, could be someone turning off the sewage treatment plant for DC, one of them will ruffle the right feather, eventually.
There have been other attacks in the past that would meet that bar, the first that comes to mind is WannaCry - seeing as it disrupted the NHS.
> it is an intentional act to directly affect the people of a nation

I would define terrorism as something closer to “violence with the intent to intimidate political opponents”. This isn’t really violent, and even if it is (it’s certainly very dangerous!), there’s no political message. Unless this is a 4D chess play that somehow is supposed to weaken America by making us more stressed or something, this just seems like Russian privateering.

Your definition is a bit too broad, as I think you would admit to - I’m guessing you didn’t intend it as a flawless philosophical definition, just a quick one

I don’t want to live in whatever world you’re dreaming of
THe nice property of terrorist attacks is that the terrorist groups need somebody in the country where the attack actually happens. You might be too late to catch them, they might commit suicide etc, but in general, that property makes law enforcement work a whole lot easier. With ransomware, even if you can say with 100% certainty that Dmitrij Smith from St. Petersburg did it, this still doesn't get you any closer to putting said Dmitrij smith behind bars in the US. It's highly likely that you can't even interrogate / surveil the suspect, making it that much harder to see if they were acting on their own and out of pure greed or on government orders. And that's if you know who did it, cyber attack attribution is complex, and you often can't say anything with certainty.
We have a proxy war in Ukrain to escalate in that case.
Well go on then, ill buy your ticket, go fight.
Call / email your congressmen and tell them to stop stalling on the Ukraine defense bill.
He already wants to but he's a small fish in a big pond.
Mine’s been too worried about losing the primary to someone who is crazy rather than merely craven like him to care what I think.
Read https://rewardsforjustice.net/rewards/foreign-malicious-cybe... and notice how the USG only cares if the hackers are acting under the direction of a foreign government. Hacking for profit sadly gains more acceptance as a legitimate form of enterprise each year, similar to corporate raiding. You can buy insurance to cover ransom payments. There's also hackers who hack into consumer PCs, routers, and phones where instead of holding you to ransom they just MiTM HTTPS to inject ads, rent out access to DDOSers, or let companies like Cox actively listen to your microphone. A lot of devices like Lenovo have been known to come pre-hacked before they even leave the factory. It's all above the board at this point. Rather than being treated as terrorists, the worst consequences you'll see for them usually is just a lawsuit.
Invade a country that had nothing to do with it?
(comment deleted)
I wonder how many more of these incidents will need to happen until everyone starts to take computer security seriously. How much longer will there be zero consequences for offloading the risk of shoddy security to your users?
> everyone starts to take computer security seriously

Weren't the last big attacks literally carried out by hackers exploiting security software? As in, the solarwinds thing, which was carried out on systems which were 'textbook secure' ?

If you want a secure system, my advice would be to fall back to using dumb hardware terminals, VT100 style. Anything more complicated than that will have a backdoor.

Fair enough, a no-bullshit discussion on how to actually achieve security should be part of the process.
The issue is, actually having that discussion becomes very hard, because a lot of 'security consultants' basically rely on the commissions they get from selling that type of inherently-creating-a-single-point-of-compromise managementware.

So all of the 'experts' you might draft in to give you helpful advice will be telling you exactly the opposite of what you should be doing, which is reducing your attack surface as much as possible; cutting down, not increasing, the number of apps installed.

And don't get me started on MDMs, which are basically a rootkit that's only as benign as the guy sitting behind the operator panel.

I wouldn’t characterize solarwinds as “security software”, the product that got hit was classic up/down monitoring software.
Reuters said, "[t]he problems began last week after hackers gained access to Change Healthcare's information technology systems [...]" so it was probably because some airhead gave their login to the hacker over the phone. Social engineering accounts for 98% of all cyber-attacks. Highly intelligent people who are only accustomed to employing software don't understand this, because the only thing they're afraid of is their software getting exploited.
My money is on some un-upgraded backend/frontend stuff due to "compatibility" and/or lack of budget to hire people to keep things patched and up-to-date.
Blah, when it comes to a target that large, hackers will insert a contractor into the role who can secure the relevant credentials.

This is another reason the remote-work scenario is such an issue - it's so trivial when large numbers of people are working remotely to gain access to secure systems.

Why are we shipping software that’s hard on the outside and soft on the inside? We know our customers have employees that will be socially engineered. Heck, let’s not be smug, “we” have employees that will be too.
> software that’s hard on the outside and soft on the inside

So are tanks. And so are humans.

Security is opposite to usefulness. If you harden your system thoroughly to the limit of possibility, it becomes a rock. Systems are made to do something, so some parts need to actually do that thing.

The software in question is currently doing nothing.
>using dumb hardware terminals, VT100 style

Those VT-100 terminals actually have Z80 CPUs in them, but even so, they connected to VAX or other computer systems, which are generally networked.

Multi-trillions in defense spending and for what?

Our country is crippled with ineptitude and hogtied by the billionaire plutocracy. The systems the masses depend on will crumble long before the ruling class notices. Look to our national elections as a grotesque reminder.

Given how poorly our defense spending effects literally anything related to our security, I'd rather not discover what havoc our government might wreak on the internet.
The US government as a whole already spends more on health care than it does on defense.

2022: 944 billion (Medicare), 805 billion (Medicaid). [1] We could add the VA health care system (approx 100 billion), CHIP (few tens of billions), ACA subsidies (tens of billions), other publicly owned medical services (???), and probably some more things we're forgetting.

753 billion requested by the WH in defense spending. [2] This probably does not encompass all defense spending period, but there's nothing else going to add many 100s of billions to even come close to the health care figure.

The problem with the US medical system isn't that not enough dollars are being allocated to it. The US government as a whole (state and federal) is already spending as much per capita as many European countries. We just don't get as much for it. I think it's fair to say as you did that entire sectors of the US economy are being crippled by ineptitude, which I would say is institutional rather than personal. The problem is systemic and it's hard to see how it could ever be practically fixed.

[1] https://www.cms.gov/data-research/statistics-trends-and-repo...

[2] https://www.defense.gov/News/Releases/Release/Article/263871...

Well it has always been a cat and mouse game. Even with best intentions you will get someone discovering some sort of exploit, or some employee going rogue or forced or tricked into installing something. When ever we talked about these issues it brings me right back to the xbox 360 days and the hacking scene. It was amazing to see the back and forth between MS and the hackers and what each side would do to countermeasure the other. The one that impressed me the most was MS started making games about 8gb in length. DVD's only were only sold in 7.5gb size. Hackers learned that the games were just being padded with random useless data so learned to truncate the games and burn to 7.5gb discs again. MS learned to detect truncated games. Hackers then figured out how to flash certain DVD burners so that they would burn to the outer most area of the 7.5gb DVDs, an area that would typically not be used due to chance of increased errors burning in that area. So then you could burn a game all the way to the edge of the disc and then hackers developed a scanner to check for game errors as burning to the edge didn't work well so you would have to burn at slow speeds and really use high quality DVDs as cheap ones didn't work well. The back and forth that kept happening was so impressive. I guess my point is no matter what you try as long as millions of dollars is on the line people will find a way.
How long till we break up these colluding market forces so there is some redundancy?
There’s not enough qualified people to take computer security seriously. The vast majority of “cybersecurity” professionals are capable only of insuring that boxes are checked.

Of the small number of truly qualified people, many work as independent researchers or in small specialized consultancies because they are dispositionally incompatible with a giant enterprise. The remainder work in places like Google or Microsoft.

If UnitedHealth Group by some miracle broke through its cultural barriers to hiring a bunch of poorly dressed 28 year olds with bad attitudes, paying each more than a group vice president makes, plus empowering the head bad attitude former hacker CISO to block corporate initiatives in the name of security, it still would be a zero sum game. We’d end up with a less secure android or windows.

People take it seriously and all it got us was a bunch of idiot cyber box-checkers and a lot of paperwork.

The fundamental problem is pushing to digitize everything way too fast and being totally irresponsible with the data. You should have to pass a competence test before you integrate computerization of a lot of these kinds of processes, but obviously the tech lobby would not like that one bit because they only exist on account of selling their victims a sense of overconfidence.

lol couldn’t happen to nicer people. Take their money then tell them it’s ’not Covered’ and just keep plowing away.
This is due to not having a single payer. In this situation we all loose. Lack of being single payer also poses risks to us all regardless of coverage with our emergency rooms all over crowded.
Even without single payer, insurers should never be able to stand in the way of a doctor practicing medicine. They should be strictly required to cover any procedure or medication a doctor deems necessary, and the practice of pre-approvals should be forbidden.
That’s ridiculous because in a single per system the government stands in front anyways.

There are plenty of drugs in Europe doctor might want to prescribe but the government says “nope, not going to pay for it”

> That’s ridiculous because in a single per system the government stands in front anyways. > There are plenty of drugs in Europe doctor might want to prescribe but the government says “nope, not going to pay for it”

Not only does this happen with the current system, it’s worse, because there aren’t always explicit instructions about what will be covered - so your care depends on whether your doctor is willing to beg the insurer to provide a drug to you

Insurance companies can always hike premiums to compensate though. State run system could/would be a lot stricter with their funding and have less wiggle room.
One major difference is that most people, at some financial burden, can choose to change insurance providers whereas in many countries with universal systems (single-payer or otherwise) the government guidelines for what the national service or insurance providers must pay for or not tends to be more consistent across the board.

For instance, this is a struggle for people in many European countries who would benefit from access to specific psychiatric prescriptions which are either not prescribed except after trying various cheaper options or are not even approved because of the potential cost to the government, while the same drug is often available in the US (ranging from $10-hundreds a month, as is typical in the US). Public healthcare in at least California sounds more comparable to the universal single-payer systems I’ve seen in its relative inflexibility.

No system would be perfect, but by cutting out most of the administrative overhead more gets to be spent on actual care. And by having everyone getting the same or similar coverage decisions it could easier to sort out. Also another benefit of single payer is that all or at least most out outcomes can be collected and compared to the treatments. This should enable improved outcomes and cut through the B$ we have here where 70,000 people can die needless from Vioxx before it even got a review. https://www.jci.org/articles/view/38430#:~:text=Some%20consi....
(comment deleted)
I think it just needs to reverse to old and tried all-paper, hard copy, no-electronics approach of yesteryear. There is no way institutions that are filled with non-technical people can prevent this if the entire system is electronic and networked.
Yet again we blame everyone and everything except the operating systems that have a massive design flaw baked in from the 1970s, they all rely on ambient authority to function.

This isn't going to get better until this our fundamental OS security models get updated to reflect reality.

I honestly don't get it. With the number of IT billionaires out there, why isn't there just one who wants to solve this problem?

We already know how, in principle - capability-based, formally verified OS kernels like EROS and CapROS have shown us the way. The next step is building a real world OS and user environment that carry these principles through.

Yes, if would take 10 years at a minimum. But it wouldn't even be a charity, even if you went the OSS route! There would be massive commercial opportunities arising out of the product. If you have the money, and it's profitable and world changing in 15-20 years, why not do it?

The billionaires aren't coming to save us.
Because you can just lie and claim you make secure systems like Microsoft, Apple, and Google have been doing. Much easier and you get to have a billion features in your "secure" product so it supports more uses than actual secure systems. There was a small pile of systems sufficiently secure for actual high security work during the regime of the TCSEC Orange Book and the early era of the Common Criteria. But once Microsoft and the other consumer IT companies lobbied to get serious security certification requirements removed or reduced since their security was inadequate to bid on new projects and they found that unfair, they sucked all the air out of the room for actual high security commercial systems.

And, even if they did decide to pursue it their every instinct is completely incorrect. They have all made their fortunes on entertainment and consumer software and principles like "move fast and break things" that are antithetical to the development of secure and reliable systems; they do not have the foggiest clue how to solve problems in security or even how to compose secure components into secure systems.

That is not to say that nobody is doing so, you can just look to what is actually being deployed in domains that actually demand high security and high reliability systems and have the testing, auditing, and verification to establish conformance like aerospace and certification requirements like the Common Criteria Separation Kernel Protection Profile (SKPP) which required formal specifications, formal proofs of security, and a clean NSA penetration test (i.e. the literal NSA could not find any vulnerabilities).

However, the market for things that actually work is not as large as you might think given how much people crow about security because again, you can just lie. The chickens have not come home to roost yet because cyberattacks are only just starting to be a serious problem. It takes a while for 18 year old kids to bootstrap worldwide criminal enterprises able to attack millions of companies. I mean, even Zuckerberg had VC funding and it still took them over a decade to saturate the world. You have to cut the cybercriminals some slack for taking a few years to become a actual crisis. Give it another 10 years.

Change Healthcare is a transaction clearinghouse, or effectively an API, translation, and routing gateway.

Think of it as a private SWIFT vendor.

They were acquired by UHC, which is why you see the Optum name. But this is not specific to UHC/Optum patients.

Providers (hospitals, doctors, software vendors) interface with CH’s REST+JSON APIs and in turn CH emits EDI records to the insurance company backends (and translate the responses from EDI to JSON/XML/etc).

This affects general healthcare EDI messages (claims, benefits eligibility verification, ACH notices, etc).

The people impacted do not have direct EDI implementations with the insurance companies. If they did, they could side step this.

Or even a different clearinghouse.

Edit: clarified some ambiguous terms

> The people impacted do not have direct EDI implementations with the insurance companies. If they did, they could side step this.

Thank you. I was trying to figure out how this company seemingly handles most of this stuff in the US.

> Optum first disclosed on February 21 that its services were down as a result of a “cyber security issue.” Its service has been hamstrung ever since. Shortly before this post went live on Ars, Optum said it had restored Change Healthcare services.

“So far” seems like a stretch, unless they’re including ramp up time or something? It really sums up the whole article: great quality journalism, absolutely terrible exploitative publisher.

> Optum provides a nationwide network called Change Healthcare, which allows health care providers to manage customer payments and insurance claims.

Is the entire system in the US really using a single private company to handle this?

No. Optum (Change Healthcare) has multiple active competitors in the clearinghouse business. But due to limitations in the industry interoperability standards, switching vendors is a slow and expensive process.
My former employer Stedi, an EDI integrations startup, is working on a compatibility layer to help companies who are affected route messages to alternative clearing houses.

The founder posted on Twitter to let people know they can also reach out directly for urgent support at change@stedi.com

https://x.com/zackkanter/status/1764057780800094350?s=46

I hope the compatibility layer will be self-hosted. Otherwise the compatibility layer could become an even bigger single point of failure.
This current failure is already a failure of a hosted compatibility layer. The service in question presents a central JSON API to do healthcare billing so you don't have to deal with the ancient arcane EDI formats to talk to insurers.
The EDI formats are old, but reasonably well documented and quite easy to implement. The bigger obstacle to interoperability in this space is that the various payers have different rules around handling optional data elements or how certain things should be coded. You have to implement the base X12 EDI format plus a supplementary guide for every payer. And there are changes every year. So, it can be difficult for provider organizations to stay current. CMS could use their regulatory authority to tighten up the specifications and reduce the ability of payers to do their own thing.
My doctor notified me of this ransomware attack a few days ago. I'd imagine it's quite frustrating to deal with. What I've noticed is that engineering/tech culture is non-existent in heavily regulated industries. IT is usually a cost center, so there is very little incentive to improve things. Until there is a paradigm shift in their existing culture, these type of issues will continue to happen.
Hey Russia/China/India, can you keep up your attacks? You might be the only thing that can get this abomination of a system we call healthcare replaced.
The walking corpse that is the american healthcare system is really showing its bones right now
I, unfortunately, take a bunch of prescriptions and had literally no problems over the last week. I even had a new prescription sent to pharmacy, filled, and processed by insurance.

I’m sure this is bad for those affected, but the prescription market does not seem “hamstrung” to me.

Reducing centralization seems like the only rational way of avoiding such large attacks. No system can ever be 100% secure, centralizing to such extremes creates a huge target with a massive payoff for anyone interested in hacking it.

We keep making this mistake as a society, assuming that centralization is the answer and that optimization when the system runs well is always worth the risk.

I depend on the security of many systems. If I want to test the security of those systems myself, with the intent to report problems I find, I will be arrested and thrown in jail.

Why are we sacrificing national security for the convenience of companies?

We should have strong legal protections for security researchers. Anyone who attacks a system with the intent of causing minimal harm and reporting what they find should be protected. We could also create a government agency whose job it is to continually try to break into these systems we depend on, a national red team.

The only downside is it will inconvenience and embarrass many companies. We might also find that the majority of our companies and institutions are incapable of creating secure systems, and that will be a hard political reality to deal with. But this is literally a matter of national security.

The bad guys will not be stopped by laws, but maybe the good guys can still win if we don't hamper the good guys with bad laws.

Unitedhealth IT labor force is vastly offshore, the system is inherently insecure.
The fact that healthcare providers are allowed to give access to sensitive healthcare data to foreign nationals should be illegal.
In some cases it is illegal but it requires you to essentially trust that systems are locked down according to frankly a flimsy attestation. I have my doubts how trustworthy are some of these attestors. There is a deep culture of ass-covering over anything else.
Yes, there's a deep culture of questionnaires and dubious "scans" in the security industry. It's all we got because nobody is actually allowed to kick the tires. Nobody is allowed to actually test the security of the systems they rely on.
> Anyone who attacks a system with the intent of causing minimal harm and reporting what they find should be protected.

Do you think that people should be allowed to penetration test your house without your permission?

At what point does a system become big enough that you think people should be allowed to attack that system - regardless of its owner’s desires - as long as the attacker has subjectively good intentions?

I am sympathetic to the idea behind your comment, but I don’t see how it’s compatible with strong private property rights. I don’t want you attacking my systems without my permission.

A thought provoking analogy, but I don't think it's applicable because my house isn't performing an essential service for other people.

A better analogy might be a friend stopping to double check that my front door is locked before he walks away leaving his child in my care.

If we use an analogy at all, it must account for the fact that millions of bad actors are constantly wandering by and checking the security of my proverbial house. Like, if my house was on an extremely busy street and a someone came to me and said "hey, the lock on your front door doesn't work", I would not have them arrested, nor would it be practical for me to arrest every passerby that checked the lock for whatever reason.

If my house depends on your house being sound, then yes, I should be allowed to nondestructively inspect your house form the outside or with whatever access you gave me.

This analogy has limits, but I work in the medical field. I even worked at change healthcare until last year. The consequences of PHI data breach are almost unbounded. Furthermore, If I put my reputation and that of the business on your service you better bet I will poke around with whatever access you gave me.

This is what one front of the next world War looks like.
Part of the problem is drugs in the US are so expensive and hard to obtain. Where I live I receive a cancer drug for free, but the one time it was not available, I just went and bought the month's supply from the pharmacy for $1300. In the states that same drug would cost me $14,000, and of course I couldn't just buy it OTC. BTW the drug is manufactured in the US.
Hi all: I'm the founder/CEO of Stedi. Came here to say that we're preparing to publicly launch drop-in replacements for Change's Claims and Eligibility APIs[1]. Our new API will allow customers who have been using Change to directly switch with minimal development effort. The API: i) accepts Change JSON request format, ii) translates it to X12 270/837, iii) submits it to a clearinghouse (we have a master connection with Availity, or can use yours), and iv) returns the response as Change JSON. We are working around the clock over the weekend to onboard the first external customers.

Here are the beginnings of the docs:

https://www.stedi.com/docs/api-reference/post-healthcare-cla... https://www.stedi.com/docs/api-reference/post-healthcare-eli...

Our goal is to help providers submit claims and eligibility checks as quickly as possible. We’ve created a streamlined contracting process along with a standardized price list and the ability to match volume pricing. We can get folks set up with a dedicated Slack channel immediately and start working with engineering/ops teams to get back online.

If there's anything we can do to help, email us at change@stedi.com or contact me directly (zack@stedi.com).

[1]: https://x.com/zackkanter/status/1764057780800094350?s=20

Recall the fable of the grasshopper and the ant: https://read.gov/aesop/052.html

Everyone should have a reserve of everything they need to the extent it is practical. A reserve of meds should be a high priority.

Reserves act as an accumulator or a capacitor.

When we ants stock up in good times, it primes the supply chains to be ready to provide a little extra later. If half the customers buy 10% extra over time, the supply chains expect to provide an extra 5%.

When shortages hit, we ants are taken care of, and do not stand in line competing with the grasshoppers for the last few bottles of pills.

Because we ants primed the supply chains when stocked up in good times, there might even be an extra bottle of pills in addition to fewer customers fighting over it. We ants perform a public service by stocking up.

The vast majority of meds in the US say they are "made in the USA," but the precursor chemicals are usually made in China.

Trans-oceanic trade was cut off (for a while and severely reduced for longer times) in World War 1 and again in World War 2. It can happen again.

It is a common scam to buy something from China, claim to make it in the USA, and resell it at a large markup. This means that a lot of things we think are made in the USA will not be available if international trade is restricted or stopped.

I expect massive shortages of meds when/if the balloon goes up in the South China Sea.

Natural selection often eliminates certain populations in short, sharp corrections.

I hope I am wrong and the grasshoppers do just fine this winter.

Are you suggesting people just buy extra prescription drugs? That's not how it works.