the-doomed-posts-of-muteKi

I'm the hedgehog masque replica guy

嘘だらけ塗ったチョースト


twitter, if you must
twitter.com/the_damn_muteKi

ann-arcana
@ann-arcana

Honestly? This goes further back to Gmail, Google Chrome, and the rise of the SaaS/PaaS era IMO. Who needs "software" and "files" when everything runs in the browser, right?

Hell, Chromebooks are exactly that unless you hack them, and despite everyone seeming to have forgotten about them, they're still a thing, still successful, and especially scarily, are being given to millions of students every year.

People complain "oh these kids with their iphones don't know how to use a filesystem" but our education system continues to give them fake net appliances instead of real computers to this day. Even the awful, locked down NT instances I grew up with were more computer than "your laptop is just Chrome now, better learn Google Docs."


REP-Resent
@REP-Resent

In 2019, the Corporation that owned the Rehab I worked at had issued an ultimatum: They were developing psychometric assessment software in house and it was on my facility, my department specifically, to implement it into our standardized assessment scheme. A year and a half later, I quit my job; partly because staff cuts made during 2020 made implementation of this deeply flawed, completely unproven, completely useless software utterly inadequate for clinical purposes. The road from the request to try it out in June of 2019 to my resignation in mid-December of 2020 is a long and twisted one which involves a lot more than just software hijinks, but since this thread is about the gradual death of local file storage and the internet of things, I thought I'd share my Clinical Psychology experience with how these systems function in real time. If anyone has ever worked with records protected by HIPAA, the U.S. Healthcare Law protocol for patient records and data, you can already see where this is going. The software came to us on Chromebooks, freshly shipped in January of 2020, and it used regular-ass Chrome with a very basic encryption scheme.

The software, as was true for most of our health records, had to communicate with the office in Tennessee. I had been building an independent, Intranet-only software package with a team of friends that had way more features than the Corporate Product, due to the staffing issues of 2020. By the time I was interfacing with this Chromebook piece of shit that Corporate (the CEO in particular) had a direct stake in, we were about six months into planning and coding. I'd been so desperate to get my version of the software up off the ground that I offered my facility CEO and the corporate CEO exclusive licensing rights for 10 years. Sadly, I hadn't personally sucked the Corporate CEO's dick, so we did not get funding and my software got canned. This is my story.


Part 1/5 -- [CORPORATION], [FACILITY], and Data Science

We're gonna start with what my job was so I can build up your understanding of the multi-discipline approach I took and how it ran afoul of rich men who don't know any better and deserve to be tossed out a 78-story window for the murder they did during 2020. I was hired at a facility in Arizona which we're calling [FACILITY], and that facility was owned by a major healthcare corporation we're calling [CORPORATION]. [CORPORATION] had a policy of purchasing existing facilities and using a confusing command hierarchy of loosely regional organization to make their books look a certain way per capita, so the CEO of [FACILITY] was responsible starting in mid-2019 for a total of 4 facilities, and that fact alone should give you an idea of how bad management was. We had staffing issues which basically saw mass hiring and firing of nurses, techs, and residential assistants, and every Q4 between Thanksgiving (November) and end of year, they'd also mass-fire loads of people, including famously some of our IT, which was "overstaffed" (5 people managing 280+ machines in a healthcare setting is NOT overstaffed). So [CORPORATION] ran [FACILITY] progressively into the ground over the course of about a decade of ownership. My boss had seen this all happen, and we worked hard to establish direct incentive metrics to keep ourselves relevant. Boss's background was Outcomes Research and Implementation Science, two fields that, if you're an Insurance Adjuster, you should know about by now.

Outcomes Research is the discipline of data science (in our case, psychology/healthcare oriented) that establishes metrics of performance via consultation of facility needs and the literature to assess the possible quality of care via how patients perform after their treatment has concluded. [CORPORATION] wanted recurrent revenue, so if treatment was decent but not efficacious in alleviating a syndrome, it was a desired outcome, since that meant places like [FACILITY] would see the same patient multiple times for a few months or years. We're an Inpatient facility, meaning you sign up and the doors lock behind you until (1) you are no longer a threat to yourself/others, (2) you and the treatment team agree that your treatment is complete, or (3) you can no longer secure payment for services or run through the treatment window your insurance will cover (most common). Stays at [FACILITY] ran about 1,000 USD/day, with the average cost of a 30-day treatment program being 30,000 USD uninsured. To say that you had to have good insurance is an understatement. So often, Outcomes Research is less effective than you'd hope because an independent variable (the affordability of healthcare) tends to determine the outcomes of your patient, rather than a distinct methodology or model of care underperforming. This made our capacity to measure and monitor long-term success harder, but my boss had tried via a few small assessment systems in our Continuing Care network which measured patients' attitudes 30 days, 6 months, and 1 year after treatment. We had good data.

The second part of our domain was Implementation Science, which is the study of how procedures, methodologies, and other research work their way into being used by professional industry. Implementation Science is something you do every day you have to adopt a new system in a job; or if you've ever worked with a teacher as a student assistant in making something new happen, that's basically the goal. If we find out, for example, "EMDR has these beneficial clinical results", our job is to help therapists and the facility implement the modality of treatment and then monitor its performance using Outcomes Research. The Outcomes Research then gives us quality data (hopefully) which we can then use to report on the Implementation Science methods we used, and that in theory can help us in a macro sense collect performance data at our facility and permit us a sample size of convenience many times larger than most clinical trials. We applied this methodology of Outcomes Research and Implementation Science to a few therapeutic interventions that [FACILITY] had been using for nearly a decade and change, and my boss quickly rose to prominence within [CORPORATION] due to her tendency to push out preliminary findings to publish in journals and healthcare advertising agencies. I think my boss's Outcomes Research data, which used NOMS, was responsible for upwards of 10% of recommendations to [FACILITY] for high-profile patients. Our facility was, after all, one of a kind and a top performer in the field. That it was run badly was not our fault.

Part 2/5 -- My job as a Psychometrist, resident nerd, and computer literate office worker

So my job in a nutshell was Clinical Psychometrics and Data Analysis. I got lucky when I was hired, because I was relatively tech savvy for a Millennial, knew how to data-enter with 10-key, had a research background from working in a college library system, and clearly knew what I was talking about with Outcomes Research despite having no formal education in it. My boss hired me over other candidates for the role because she mostly needed someone to be a data-entry monkey, but my passion, quick learning, and clinical skills made me go immediately from 'paid intern' to 'critical staff' in about 2 weeks of employment. Boss had this book of assessments put together which measured many domains of psychology in brief, but very well-validated, self-report psychometric measures. We used this to capture clinical symptoms with what I refer to as "detection scales", measures meant to help patients report on their experiences of their psychology in a manner that can be used by a Clinical Psychologist. We had a team of licensed Clinical Psychologists who'd review the data and results with the patient, and that data would also go into a databank for regression analytics and other statistical modeling for the boss and me to do that important Outcomes Research and Implementation Science. It was a fast-paced job, and when our department secretary got axed in Q4 2017, I took over many responsibilities including scheduling patients for assessments, running the assessments in person, then entering the data and preparing the reports for the Psychologists. I was cutting my teeth for grad school; it was tough but manageable, but I effectively had a caseload of the entire resident patient population of [FACILITY], which at its peak capacity could hold 156 patients.

My job included a lot of interpersonal clinical skills, and I was renowned among clinical and support staff for having an incredible level of empathy and insight. The docs I worked with loved interacting with me because I always had observations that could make or break a diagnostic assessment, especially because we had many cognitively impaired folks who needed that nuanced multi-observer modality to assess. Patients rarely knew my name (and vice versa), but we often knew each other's faces and in many cases my clinical notes, communications, and the psych testing data I prepared would validate care and authorize insurance coverage. Nothing makes you cry quite like being in that position, and there are few things I'd be unwilling to give up if it meant I could do the job again. We coordinated a lot with every department in [FACILITY]; my boss called it "metastatic joy", a joke about how we'd crept our way from a niche insurance-only application of data science into being a critical and distinct market edge that made [FACILITY] truly one of a kind. Chiefly, I handled a lot of IT's workload in addition to my other duties, predominately in the wing near the CEO and Business offices where old ladies with decades of clinical experience would have trouble with printers, the Electronic Medical Records system, and so on. This made me and IT fast friends, something that was invaluable for HIPAA compliance guidelines when I was developing software to help automate big segments of my job that were just not possible to juggle when staff cuts in Q2 2020 (March/April, when COVID hit) made core functions impossible, as people hired to support me were let go or cut to only 24-32 hours per week.

Part 3/5 -- Software Contest

So we're getting to the point, sorry it took this long, but you can imagine that [FACILITY] was a pretty complicated place to work at. Under HIPAA there was a pretty significant amount of protection required for the electronic transmission of patient records, both via Intranet (limited to facility) and Internet (external to facility), and we had issues from my first day of work with the deficits in Strategic Infrastructure that plagued our facility. Due to my gumption and experience in the domain of Strategic Infrastructure Hardening, I understood that if we had to store patient records on a data rack somewhere in Tennessee (where [CORPORATION] HQ was), we'd be plagued by outages. So, I established a protocol that permitted us to use localized storage on an external hard drive to maintain local records. This was against company policy, but IT helped me write an exception request and get it approved, so when we lost data infrastructure due to local outages, my department would be the only one running business as usual. This is what saw me angling towards designing software that could operate over the local Intranet via peer-to-peer encryption, matching a computer platform in-network to a host machine to run assessments and collect data electronically. By unplugging the software from the internet, we had a higher capacity to securely store the information on local drives and then back it up via the corporate cloud storage, enabling us to run things without internet.

The problem ultimately came with [CORPORATION]'s convergent approach to Outcomes Research, which was a cloud-based psych testing product. [CORPORATION]'s pick, which we're calling [PRODUCT], was a tech start-up that the CEO of [CORPORATION] had personally put a lot of money into; suffice it to say my local software solution was competition. I arrived at an agreement with [FACILITY] CEO in early 2020 to continue developing my software with my two unpaid friends, who were like me hoping for a paycheck to materialize from our efforts. [FACILITY] CEO had talked to [CORPORATION]'s CEO and had initial approval to potentially fund my software product, but things had gone off the rails so hard that by November of 2020, I was on the verge of quitting and [FACILITY] was in mortal financial peril because [CORPORATION] was feeling the sting of buying up too many failing facilities before the pandemic. It wasn't meant to be, but to give you an idea of the problem we had, I needed by projection to work about 80 hours a week to keep up with my caseload and duties. It was obviously not possible, and even doing 50ish hours a week was draining. I was still working on the software too, so the limitations of [CORPORATION] and [PRODUCT] as it was being implemented by myself at [FACILITY] were all combining to make it appear to [CORPORATION]'s CEO that my boss and I were trying to sabotage his investment or something, so when I was effectively executed for treason, I washed out from the clinical field entirely and it's been like that since 2021.

Part 4/5 -- Local Vs. Cloud, Strategic Healthcare Data Infrastructure

This is the Thesis: Under no fucking circumstances does cloud data storage have any goddamn role as the primary and only form of data storage for healthcare records. Despite what many IT people might say about encrypted cloud storage, there's a simple fact about patient records which cannot be fucking avoided: YOU NEED TO HAVE THEM HANDY. If, say, a major hurricane strikes infrastructure and severely damages data infrastructure between you and Tennessee randomly during 2018 and 2019 and 2020, perhaps that demonstrates a deficit in storing files and relying on systems which have no local software solutions or storage. When you can't access the hardware your facility stores its data on, you are putting a lot of trust in actors like [CORPORATION], which is running [FACILITY] into the ground. Moreover, because of profit incentives and cross-contamination at the corporate level, when things like [PRODUCT] are rolled out on Chromebooks, it creates staffing issues that go from 0 to 100 on the resource drain scale, caused by complications, technical issues, and scheduling concerns. We had Chromebooks in particular just fail constantly; shoddy QA made them prone to instability, and because they had to talk to a server in Tennessee, our shoddy internet from [FACILITY] to [CORPORATION] HQ meant patients were having to do psych tests all over again from scratch when the network lost signal.

So we have multiple issues for the purposes of HIPAA and then the Strategic Infrastructure domains. On HIPAA's side, everything needs to be encrypted and secured, and ideally data should be instance-only, write-only access on something like a Chromebook. This makes Cloud storage way easier to manage inspection on, since it means you don't have to account for local storage and make sure it is secure at a per-platform level. However, because we access that data from a local machine that has to talk to the cloud through the internet, it opens us up to interception, assuming for example [PRODUCT]'s operating firm has a data breach. This means sensitive data is NOT in your domain, you have no control over it, and worse than that, when software is buggy and resets completely due to loss of session connection, it makes patients unwilling to redo the metrics you wanted [PRODUCT] to provide you! It is strategic lunacy to think that somehow your on-site solution, which could live in a securely configured intranet with on-site storage, is somehow less safe than the cloud storage of a fucking third party. What's more, if you're constantly losing access to patient records because of the internet and/or vendor having technical issues, the benefit of the Cloud is one of the most fucking nonexistent things. We'd often have to drop to paper records because the internet not working would knock out our phone systems, our electronic patient records, and many other CRITICAL FUNCTIONS. If we were a regular medical hospital, that kind of unreliability of infrastructure and routine outages would kill people.

Part 5/5 -- Recommendations

My experience during 2020 taught me a few things, one of those being that [CORPORATION] was being run like every major corporate enterprise and its role as a Healthcare-specific business was irrelevant to its non-strategic behavior. If you can't do core business functions because your software and data storage doesn't work without the internet, you can't fucking make money. Chromebooks and other non-local cloud-only storage solutions are so vulnerable that these days it's often far more efficient to just defeat a cloud-storage company's security to access ALL OF THE RECORDS than it is to ransomware or phish an individual healthcare worker. Local file storage provides you the ability to operate under adverse conditions, including when there's a natural disaster; this can be life or death for many applications, and having your data infrastructure able to operate over LAN / Intranet style systems is critical to hardening our most important institutions against a variety of threats. Not only does it make things harder for professionals when internet outages stall operations, but it also makes you more vulnerable to high-value targets (your service providers) being compromised and causing you to get tied up in lawsuits when the government sues you for HIPAA violations. That shit eventually starts costing you money, and it's because of the fact that people idiotically think somehow they can skirt securing local hardware on a per-platform basis.

Motherfuckers, you access CRITICAL FUNCTIONS through Google Chrome exclusively!? So [CORPORATION] vends through [PRODUCT] and the Cloud Company, and then asks another third party, GOOGLE, to facilitate the key entry infrastructure and the local platforms themselves, to the point that IT can barely modify the Chromebooks to have secure boot configurations (it took our IT guys two months to meet HIPAA compliance with the Chromebook images). Taking your hands off the solutions at the Local Level in favor of some packaged deal exposes you to the vulnerabilities that result in shit going wrong because a power line near your data center goes down. External to healthcare, we're seeing a lot of companies get fucked sideways by hardware and software that is far too soft of a target. One way to avoid being hit by a major data attack is not to have your data able to be easily attacked, and you can insulate that, ironically, through Local Storage more reliably by using Intranet data management solutions to push minimum need-to-know Cloud transmission for operations at a Corporate level. There is no perfect silver bullet for avoiding a Facility-level ransomware attack, but to be blunt the Cloud doesn't make you all that safer. Websites like "Have I Been Pwned" have operated for years and are a form of documentation about how easily online data storage can be exploited by hostile actors, and especially in healthcare, when you're causing critical functions and patient data to become inaccessible, that vulnerability can potentially cost you a lot more than you'd ever expect.


Final Thoughts:

I don't have a tech security background but I know about how vulnerable these systems can often be. If I'm being honest, we put so much data out there for free harvesting that the NSA can pull up 2018 Discord logs between me and a friend when said friend is being interviewed for his Hazmat Cert Clearance. The NSA seems like an extreme example, but if their record of broad incompetence at counter-terrorism and foreign-adversary deterrence is to be accounted for, you can see how the U.S. government's mass-harvesting data solution is only one of many vectors for compromising your safety and security. Dropbox was recently hit by a database attack, leaking log-ins and countless private, personal cloud-stored files to the black market. Automated systems are becoming more and more sophisticated at navigating the defenses of Cloud Storage, and without secure, encrypted, well-managed storage with 2FA and other manual-authorization clearing methods for access, we just have a lot of shit naked and ready to be exploited. It deserves to be said that FOSS solutions just aren't trendy enough for major players to invest in a DIY secure local and cloud data solution that enables companies to have a smaller profile. We use the cloud because it's cheap, not because it's particularly suited for secure data storage or even all that amazing at having reliable access. The Chromebook is a little product that sort of represents the ultimate cost-cutting dependent form of this strategy, a paperweight that makes places like my former workplace have to go all the way back to archaic pen and paper methods of data tracking the instant it gets a little too windy. Gods help you if it hates your company's wifi setup too; they really are pieces of shit.
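The local-first design the post sketches in Parts 3 and 4 (record every answer on the device first, resume after a dropped link or a restart instead of making the patient start over, and push only a need-to-know summary to HQ when a link exists), as an added example that is not the author's software, [PRODUCT], or anything from [CORPORATION]. Python, standard library only. The device key, the item-to-subscale table, the session and patient identifiers and the two transport functions are constructed for the demo; encryption at rest is assumed to come from the device's disk encryption and is not implemented here.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo secret; in practice IT provisions a per-device key (e.g. sealed
# by the TPM). Hard-coded here only so the example runs offline.
DEVICE_KEY = b"constructed-demo-device-key"
# Constructed item -> subscale map for a hypothetical four-item self-report scale.
ITEM_SUBSCALE = {"q1": "mood", "q2": "mood", "q3": "sleep", "q4": "sleep"}


def _tag(body: str) -> str:
    return hmac.new(DEVICE_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()


class LocalJournal:
    """Append-only JSON-lines file, one HMAC-tagged record per line. Every answer
    is fsync'd as it is given, so a dropped link or a crash loses at most the
    answer in flight; load() skips truncated or hand-edited lines."""

    def __init__(self, path: str):
        self.path = path

    def append(self, record: dict) -> None:
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(f"{body} {_tag(body)}\n")
            f.flush()
            os.fsync(f.fileno())

    def load(self) -> list:
        if not os.path.exists(self.path):
            return []
        records = []
        with open(self.path, encoding="utf-8") as f:
            for line in f:
                body, _, tag = line.rstrip("\n").rpartition(" ")
                if body and hmac.compare_digest(tag, _tag(body)):
                    records.append(json.loads(body))
        return records


class AssessmentSession:
    """Answers land in the local journal first; HQ gets a summary when reachable."""

    def __init__(self, journal: LocalJournal, session_id: str, patient_id: str):
        self.journal, self.session_id, self.patient_id = journal, session_id, patient_id

    def _mine(self, kind: str) -> list:
        return [r for r in self.journal.load()
                if r.get("type") == kind and r.get("session") == self.session_id]

    def resume(self) -> dict:
        """Item -> answer already on disk, so the patient continues, not restarts."""
        return {r["item"]: r["value"] for r in self._mine("answer")}

    def record_answer(self, item: str, value: int) -> None:
        self.journal.append({"type": "answer", "session": self.session_id,
                             "item": item, "value": value})

    def sync_payload(self) -> dict:
        """Need-to-know summary: subscale totals and a keyed pseudonym. The raw
        patient identifier and item-level answers never leave the site."""
        totals: dict = {}
        for item, value in self.resume().items():
            totals[ITEM_SUBSCALE[item]] = totals.get(ITEM_SUBSCALE[item], 0) + value
        subject = hmac.new(DEVICE_KEY, self.patient_id.encode(), hashlib.sha256).hexdigest()[:16]
        return {"session": self.session_id, "subject": subject, "totals": totals}

    def sync(self, send) -> bool:
        """send(payload) reaches HQ or raises ConnectionError; on failure the
        session stays pending. Success is journaled so a retry is not a duplicate."""
        if self._mine("synced"):
            return True
        try:
            send(self.sync_payload())
        except ConnectionError:
            return False
        self.journal.append({"type": "synced", "session": self.session_id})
        return True


def run_demo() -> dict:
    """Device restart mid-test, a tampered journal line, HQ down, then HQ up."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "journal.jsonl")
        sess = AssessmentSession(LocalJournal(path), "sess-1", "MRN-0001")
        sess.record_answer("q1", 3)
        sess.record_answer("q3", 2)
        sess = AssessmentSession(LocalJournal(path), "sess-1", "MRN-0001")  # restart
        resumed = sess.resume()
        sess.record_answer("q2", 1)
        sess.record_answer("q4", 0)
        with open(path, "a", encoding="utf-8") as f:  # hand-edited line, bad tag
            f.write('{"item":"q1","session":"sess-1","type":"answer","value":99} 00\n')
        sent = []
        def wan_down(_): raise ConnectionError("no route to HQ")
        def wan_up(payload): sent.append(payload)
        results = (sess.sync(wan_down), sess.sync(wan_up), sess.sync(wan_up))
        return {"resumed": resumed, "q1_after_tamper": sess.resume()["q1"],
                "totals": sess.sync_payload()["totals"],
                "payload_text": json.dumps(sess.sync_payload()),
                "sync_results": results, "uploads": len(sent)}
```

Calling `run_demo()` walks the scenario the post complains about: two answers are given, the device "restarts", the session resumes with both answers intact, the WAN is down on the first sync attempt and the session simply stays pending, the second attempt uploads a payload that carries subscale totals and a keyed pseudonym but neither the MRN nor the per-item answers, and a third attempt is a no-op because the ack was journaled. A real deployment would put the key in device-bound storage and the transport behind mutual TLS; the pattern of journal first, summarize, then sync is the point.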

