March 23, 2010 – 12:53 pm
I ran across a story the other day about an England EMS service that screwed up and was categorizing falls from a height of more than 6 feet not serious enough to warrant an emergency response (within 8 minutes).
So the initial read (admittedly from slashdot), made the impression that there was a flaw in the software that categorized the calls. The actual article, and some further research, however points to the software’s configuration by the administrators of the system. Apparently they “they altered the program used by most control centres [sic] in an attempt to manage demand for 999 services,” and “five of England’s 12 ambulance trusts did not allow call handlers to upgrade such calls.”
I used to work in EMS. I understand the need to manage resources and provide the best possible services for everybody involved. That being said, there are two things you have to remember:
- you never know what you’re getting into get until you get on-scene
- a problem with A(airway), B(breathing), or C(circulation) is a serious issue. You need all 3 of those to survive.
I don’t have the audio of the 999 call, I don’t know the staffing in the area at the time, nor am I very well versed in the EMS system over across the pond. I do know however that “unconscious, and breathing abnormally after falling more than 12ft” is serious. I also know that the first two of those alone would have required a paramedic emergency response where I live. If you’re unconscious, you can’t manage your airway. If you’re having trouble breathing AND are unconscious, especially if from a 12 foot fall (think jumping out a second story window), you’ve probably got other serious problems.
This event highlights the need for auditing in a very sobering way.
Any green Aide (Charge EMT) from my Rescue Squad would have recognized the problem with the event above. You’ve got to be able to think on your feet and give appropriate attention to the issue at hand. Be it the local drunk who starts to bang on the bay doors at 2 am or the woman going into labor at McDonalds who “didn’t know she was pregnant.” You also expect the worst and you prepare for it. If you’re not sure, you ask somebody with more experience than you.
If you set a policy, you’ve got to think about all the ramifications of that policy. And you need to allow for the ability to change it if the need arises, or put in some sort of compensating controls to fail back on.
Same goes for IT Security. Sure, we’d all love to require a sandboxed machine that’s 100% patched with only whitelisted applications for every desktop user 24/7, but that’s not possible, be it due to the user environment, financial situations or time limitations (and if you think you do have it, you’re lying to yourself and your boss). You have to be able to say, “Yes, I understand your $30,000 hardware bought 10 years ago can’t be patched and is vulnerable to flaw X of the week and on a high risk network. I also understand that you need this to do your job, so I propose we do… blah blah blah.”
What’s that? You can’t secure that because it’s so old and not patched? Shenanigans! You don’t know how to secure that device? ASK! Talk to the vendor. Talk to other InfoSec folks. Think outside the box. You can’t patch that 7 year old Apache install without breaking the website that’s needed by Federal law? Fine! Don’t! Move those 15 ancient static pages to another host. Can’t do that? Fine! Don’t! Setup a web application firewall. You have 100 different options. Use them and audit your shit.
“But we setup this network program years ago because we had to comply with policy X and we can’t not have it running.” Ok, setup a separate program and duplicate the service for a week while you move over and validate your new system. Or see if policy X even exists anymore! If doing one extra step voids the need for a system, why spend the time and effort on it? Audit your shit.
Is the manpower crunch that was the driving force behind the England EMS software configuration still in effect? Is it present in EVERY district? If you fall more than 6 feet, nothing else could possibly be wrong with you, right? Audit your shit.
England is not a third-world country. They can afford proper EMS services. And somebody with a clue to review it and keep up with it.
Posted in Real World, WVRS | No Comments »