
A Power Plant Hack That Anybody Could Use

The night before the start of this week's Black Hat hacker conference here in Las Vegas, security researcher Dillon Beresford gave a demonstration to a small audience in his room at Caesars Palace. The topic: how a hacker could take over the Siemens S7 computers that are used to control engines, machines and turbines in tens of thousands of industrial facilities.

It was a preview of the talk he was set to give Wednesday, and Beresford seemed both nervous and relieved to be finally talking to the handful of reporters and industry and government officials in the room. A few months ago it wasn't clear when or if he'd ever be able to go public with his research. Concerned that his research could be misused, he pulled out of an earlier conference to give Siemens more time to fix the problems he'd uncovered. Even now, after months of work with Siemens and the U.S. Department of Homeland Security, coordinating patch after patch for many of the bugs he's found, Beresford can't say everything he knows.

But clearly, he knows quite a lot. The question is, how much will he make public?

A look at the Siemens S7 PLCs that NSS Labs' Dillon Beresford hacked.

The NSS Labs researcher said he's found ways to bypass the S7's security measures and read and write data into the computer's memory -- even when the system has password protection enabled. He can steal sensitive information from the systems, he said. And on one model, the S7 300, he found a command shell, apparently left in the system's firmware by Siemens engineers, that he can connect to and use to run commands on the system.

After poking around for a bit, he discovered a hard-coded username and password that allowed him access to a Unix-like shell program on the systems, where he can run his own commands: Username: basisk; password: basisk.

This shell is a "back door" to the system that could be misused by an attacker, Beresford said.

He also discovered dancing monkeys. This goofy graphic of four dancing monkeys was apparently an Easter egg -- a software developer's version of graffiti, left for other geeks to discover -- stuck in the S7 300's firmware.

NSS Labs researcher found this image in the firmware of a Siemens S7 300 PLC. It reads, 'Not hearing, not working, just...'

The demo wasn't much to look at. The S7s are like futuristic grey shoeboxes with green LED lights on them. Smoking a cigarette, Beresford would type into his laptop and one by one, the machines would turn off. But considering that each one of those machines could be running a nuclear centrifuge or an elevator, the demonstration held everyone's attention.

The government official in the room Tuesday night -- a contractor from the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team -- didn't want to be quoted. Neither did Tim Roxey, a staffer with the North American Electric Reliability Corp., the nonprofit corporation chartered with helping to keep the U.S. supply of electricity online.

Clearly both groups are interested in Beresford's work. The S7 300 systems on which Beresford found the back door and dancing monkeys are the same computers that were targeted by the Stuxnet worm, thought to have destroyed centrifuges at Iran's Natanz nuclear reactor.

For decades, makers of these industrial computer systems -- companies such as Siemens, Rockwell Automation and Honeywell International -- lived in a bubble. They built computer systems that were adapted by electrical engineers for the factory floor. It used to be that these systems operated entirely on their own, disconnected from the rest of the networked world, but gradually they've been networked with Windows computers. They are supposed to be run on networks that are physically separate from the rest of the world, but these networks can have misconfigured routers, and every time a consultant plugs a laptop into them, it's another opportunity for a virus to spread.

The problem is that these industrial systems were not built with security in mind, according to Dale Peterson, CEO of security consultancy Digital Bond. Industrial systems security experts like Peterson have known for at least 10 years that these kinds of problems were coming, but not enough has been done. "We've made progress in a lot of areas, but we haven't made progress on these field devices," Peterson said.

He and other security experts say Siemens is hardly alone; that all industrial control systems suffer from the kinds of bugs that Beresford discovered.

The industry could add strong authentication control to machines like the Siemens S7, so they only run code that's given to them by trusted sources. But in a world where rebooting a computer means taking a power plant offline for a day, that's not easily done. "No one in the industry wanted to do this because of the possible consequences," Peterson said.

On the other hand, as Stuxnet has shown, the risks of a cyber-attack on these industrial systems are very real. And malicious programs wind up on factory floors all the time.

In February 2011, the two-year-old Conficker worm infected systems at a Brazilian power plant, according to Marcelo Branquinho, executive director with TI Safe, the consulting company that has been working on fixing the problem these past few months. Engineers would clean up the infection only to find it reappear on the network, most likely spread there by an infected machine that they had missed. "This is not the first Conficker infection we've seen in Brazilian automation plants," he said in an e-mail interview.

Branquinho wouldn't name the power plant, but the infection was clearly disrupting operations. The plant's management systems were freezing up and not displaying data from the field. This forced operators to control their systems the same way they did before computers -- using radios to communicate with each other.

If those infected Conficker machines had contained the type of software that Beresford has written, things would have been much worse.

This isn't the first time that researchers have released code relating to industrial systems, but past releases have focused on the Windows-based management consoles that these systems use -- not the control systems themselves. And the fact that Beresford has hacked the S7 300 -- widely used in the energy sector -- puts his work in a category by itself.

In fact, Beresford isn't sure when he's going to make the software he's written public. There are 15 modules, small programs he's written for the open-source Metasploit hacking toolkit, but he wants to give Siemens' customers time to patch their systems before he releases the code. He said that six months might be an appropriate window.

Once his code is available, anyone could use it. But Beresford believes that he's only making public what others have secretly known for a long time.

Digital Bond's Peterson says that releasing the code might be what it takes to push the industry to finally fix its security problems. "At this point, I'm like, let's give it a shot," he said. "I don't think he's telling the nasty people anything they don't already know."

Ralph Langner, one of the researchers who helped crack the Stuxnet mystery, thinks that Beresford should never release his code. "Dillon did not ask me for advice," he said. "But the advice I would give him is, 'Don't ever release the Metasploit code, because this is dynamite.'"

The Metasploit modules would make it easy for a less-skilled hacker to build software that could disrupt a power plant. And even if Siemens has addressed all of the underlying issues, it will be years before the patches are installed. One day of downtime at a power plant can easily cost the operator US$1 million, Langner said. "Don't assume that a power plant operator will say, 'I will shut my plant down for a day to install the damned patch,'" he said.

It turns out that Langner is the guy who inspired Beresford to look into Siemens systems in the first place. Because of the apparent reconnaissance work and sophisticated PLC programming involved in Stuxnet, Langner believes that only a few organizations have the technical know-how to pull something like this off.

Beresford wanted to prove that industrial hacking could be done on the cheap too. His company kicked in $20,000 to buy the Siemens systems, but Beresford did most of the work from his bedroom in a couple of weeks. "It's not just the spooks who have these capabilities," he said when he finally gave this Black Hat presentation. "Average guys sitting in their basements can pull this off."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com



Spam King Sanford Wallace Indicted for Facebook Spam

Notorious spam king Sanford Wallace is facing federal fraud charges for allegedly breaking into Facebook accounts and sending 27 million spam messages in 2008 and 2009.


Wallace, 43, allegedly used a phishing attack to steal usernames and passwords from victims and then used the stolen credentials to post spam to victims' walls, the U.S. Department of Justice said. Wallace allegedly made money from the scam by driving Web traffic to affiliate marketing companies, who pay their members by the number of clicks they can deliver to websites.

The charges are outlined in an indictment, filed July 6 but made public Thursday after Wallace turned himself in to federal authorities.

Wallace gained fame as one of spam's most vocal defenders back in the 1990s and he has faced numerous civil actions over his activities, including lawsuits from MySpace and the U.S. Federal Trade Commission.

However, this is the first time he's facing criminal charges.

Wallace has also been sued by Facebook, which won a US$711 million civil judgment against him. As part of that judgment, he was banned from Facebook, and the criminal indictment accuses Wallace of contempt of court for allegedly logging onto the social network during an April 2009 Virgin Airlines flight from Las Vegas to New York. Wallace also allegedly set up a Facebook profile in January of this year under the user name David Sinful-Saturdays Fredericks.

"We applaud the efforts of the U.S. Attorney's Office and the FBI to bring spammers to justice," Facebook said in an e-mailed statement. "Now Wallace also faces serious jail time for this illegal conduct. We will continue to pursue and support both civil and criminal consequences for spammers or others who attempt to harm Facebook or the people who use our service."

Wallace could get more than 16 years in prison, if convicted.

He was released Thursday on a $100,000 bond. His next appearance is set for Aug. 22 at the U.S. District Court for the Northern District of California in San Jose, California.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com



Startup Aims to Get the Poor Online With Phone Numbers

U.K. startup Movirtu plans to help 3 million or more people in poor countries use mobile services by giving them personal phone numbers, not phones.

Working with a U.N.-affiliated initiative called Business Call to Action (BCtA), Movirtu will offer the numbers, which it calls mobile identities, through commercial carriers in developing countries in Africa and South Asia. People in those countries who typically borrow phones from others will be able to log into the carrier's network and use their own prepaid minutes and bits of data.

The service is called Cloud Phone, though it operates within a carrier's own infrastructure rather than on the Internet as a classic cloud service would. Having a personal mobile identity can save users money in two ways, according to Ramona Liberoff, executive vice president of marketing, strategy and planning at Movirtu. First, they can use mobile services without buying a phone, which is a luxury even at US$15 or $20 for people making $1 or $2 per day.

Second, the cost of prepaid service from a carrier typically is less than what consumers in those countries pay someone to borrow a phone, she said. Though it's customary in many of these countries to lend a phone to someone in need, the borrower is also expected to pay the lender for the usage. The average savings from using regular prepaid service instead is estimated at about $60 per year, Liberoff said.

The service will help people to use mobile banking, insurance and farming assistance services as well as make phone calls, Liberoff said. Some of these services currently can only be delivered to individuals and not to someone sharing a phone. Personal mobile identities could be a boon to NGOs (non-governmental organizations) that want to use mobile technology.

"In many cases, there are great NGO programs that can't reach 80 percent of their base," because those people don't have their own phones, Liberoff said.

Movirtu has committed to finding and keeping at least 3 million users of its service in Africa and South Asia as part of BCtA, an initiative by two U.N. agencies and a group of non-governmental organizations that is designed to leverage private enterprise to solve major global problems. BCtA provides leadership, information-sharing and advice to companies that participate in its program.

Movirtu expects about 75 percent of its users to be women, because women in Africa and South Asia are statistically far less likely than men to have their own phones, Liberoff said. In some cases, this is by choice, because having a phone can make women targets by revealing their wealth, she said.

Users can get a mobile identity by going to one of the mobile carrier's shops. When they borrow a phone, they enter a shortcode for the Movirtu service and then punch in their individual phone number and a personal identification number. After that, the temporary user can access all the services available through the phone, as well as a personal carrier home page where they can manage and top up their prepaid account, Liberoff said. The system works on any GSM (Global System for Mobile Communications) phone, using USSD (Unstructured Supplementary Service Data), a GSM protocol for communicating with a service provider's computers.

The company is piloting the service in the island nation of Madagascar, off the eastern coast of Africa. Through local carrier Airtel, the service was made available throughout the island starting on Monday. Madagascar is a perfect market for Movirtu, because Airtel has built an extensive network but many people in the country can't afford to buy a phone, Liberoff said.

"It's got lots of great network and very few users," she said.

Movirtu plans launches in at least 12 markets in Africa and South Asia by early 2013, reaching at least 50 million potential users. The two regions were chosen because they are home to about 1 billion of the 1.3 billion people in the world who rely on borrowed phones, Liberoff said.

Movirtu's customers are the carriers, which can use the personal mobile identities as an avenue to sell prepaid service, Liberoff said. The company isn't donating anything for the BCtA initiative, only making the commitment to bring its service to a certain number of people in the two regions, she said. Providing mobile identities in the developing world is Movirtu's primary business model. There are also some potential uses for the technology in the developed world, such as an alternative to traditional international roaming mechanisms, Liberoff said.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen's e-mail address is stephen_lawson@idg.com



Chinese Hackers Blamed for Database Theft

Hackers have stolen the personal data of 35 million users of the South Korean social network Cyworld and search engine Nate, the company that runs them, SK Communications, has admitted.

The country's regulator, the Korea Communications Commission, said in an official statement that SK Telecom had traced the attack to IP addresses in China, and that it involved the theft of phone numbers, e-mail addresses, and encrypted data such as passwords and 'resident registration' numbers of users of the service.

Cyworld is a domestic competitor to foreign services such as Facebook and Twitter, while Nate has a more Korean flavor in which users use avatars to inhabit virtual houses, and share photos and videos from smartphones.

Assuming the most sensitive data has been taken in its encrypted form, the scope of the attack for the services is likely to be low. Users will be asked to reset those credentials. Access to the services is also free, which means no financial data will have been taken.

However, as with the Sony data breach from earlier this year, the main worry is that the data theft will fuel a rise in spamming, phishing and social engineering attacks.

South Korea and its companies are a regular target for attacks, and China and neighbour North Korea are usually blamed. What stands out in the latest attack is once again its size and scope. The entire user database seems to have been compromised.

"It's too early to say whether this attack is politically motivated or merely an attempt to steal personal information for financial gain. However it's now becoming increasingly difficult to differentiate between attacks on military, communications, financial, civilian or critical infrastructure targets," said Mark Darvill of security company AEP Networks.



Fusion-io to Buy IO Turbine to Reach Virtualized Servers

Flash storage vendor Fusion-io has agreed to buy IO Turbine for up to US$95 million to extend its on-server cache products to virtualized environments.

IO Turbine provides software that allows cache storage on servers to be shared across multiple virtual machines. The software will complement Fusion-io's flash products, which use solid-state storage media as a cache for heavily used data in order to minimize the amount of data that has to travel over storage networks. Fusion-io's components have so far been limited to use with data-intensive applications in non-virtualized environments, Fusion-io Chairman and CEO David Flynn said Thursday.

"It doubles the addressable market for server-attached flash," Flynn said. "Now, there's not an application out there that can't benefit from Fusion-io."

Fusion-io will pay as much as $95 million in cash and stock for IO Turbine, subject to purchase price adjustments, with the cash portion not to exceed $35 million. The deal is expected to close by the end of this month. Fusion-io, based in Salt Lake City, will add about 20 employees from IO Turbine to its engineering team and about five other employees across the rest of the company. IO Turbine is based in San Jose, California.

It's a hefty purchase for Fusion-io, which went public in June, raising $218.9 million. But it should help the company tap into one of the biggest trends in enterprise computing and could help to expand use of the data acceleration technique that Fusion-io pioneered. At the same time, competition is starting to heat up in this category. Also on Thursday, SSD (solid-state disk) vendor STEC announced server-attached flash products and a related software platform that it said can be used with any vendor's SSD. On Tuesday, OCZ introduced its latest line of server-attached flash components.

Fusion-io's Flynn downplayed the significance of STEC's introduction, saying that Fusion-io's products benefit from vertical integration of software, hardware and other elements. The effect is similar to that achieved by Apple, he said. Apple co-founder Steve Wozniak is chief scientist and a board member at Fusion-io.

In its first quarterly financial report since going public, Fusion-io reported revenue of $71.7 million in its fiscal fourth quarter ended June 30, up 556 percent from $10.9 million a year earlier. Net income was $5.8 million or $0.06 per share, compared with a net loss of $11.9 million or $1.00 per share a year earlier. For the current quarter, the company forecast revenue of $60 million to $65 million, down from the previous quarter because of the timing of a few large deals, Flynn said. The latest forecast was adjusted up from the company's earlier estimate for the quarter, he said.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service. Follow Stephen on Twitter at @sdlawsonmedia. Stephen's e-mail address is stephen_lawson@idg.com



Computers That You Can Wear

It’s an exciting time for the wearable-computing industry. Venture capitalist Marc Andreessen declared in a recent interview that wearable computers were the next big thing for Silicon Valley, and the past few months have seen a flurry of new product announcements in the arena.

A device that records everything you see for later playback, a bracelet that comfortably and discreetly monitors your health, Dick Tracy’s watch phone--these devices aren’t just coming soon, they’re here.

WIMM's prototype Android watch

For instance, WIMM Labs announced just this week a new line of Android-powered devices small enough to fit on your wrist but powerful enough to help you keep track of your calendar, the weather, and more. As our own Ed Oswald was quick to point out, however, we’ve had the technology for these kinds of devices for years. Microsoft’s similar SPOT watch launched way back in 2003.

Wearable computing has already become part of our lives. What else is on the way? Travis Bogard, vice president of product management and strategy for Jawbone, says that the next few years should see wearable computing expand to new areas as consumers become more comfortable with the idea.

Jawbone is best known for its line of Bluetooth headsets, but recently it announced Up, a bracelet that will launch by the end of the year. The discreet device will keep tabs on what you eat and how you sleep, and it will monitor your movement to help you see how much exercise you get. You’ll be able to stay on top of all that information via a phone app that lets you check your data throughout the day.

Jawbone's new Up health monitor

As exotic as these devices may seem, in many ways they’re just a natural extension of a wearable-computing lifestyle that has already found adherents. Over 3 million runners currently use the Nike+iPod system to keep track of their exercise. The small Nike+ sensor, which costs $20, fits into the heel of a running shoe and records how far and how strenuously you run. The device, coupled with an attractive Web interface, has helped runners log over 420 million miles' worth of exercise since it debuted in 2006.

The Nike+ sensor

The Nike+ system is just the tip of the iceberg for the wearable-health industry. For several years, companies such as BodyMedia, with its $180 FIT armband, and Apex Fitness, with the $200 BodyBugg system, have offered devices that can monitor how many calories you burn during the day and, with the help of an online food journal, help you lose weight.

What’s Next?

The next step for wearable computing may be a focus on the design of wearable-computing devices. Traditionally, wearable computing has valued function over form--but with smaller and more comfortable devices such as the Up and the Nike+ on the market, that’s changing. Jawbone's Travis Bogard says the end goal is to take wearable computing from a novelty to an almost invisible part of our daily lives. “You want to be able to stay connected with all that information, and you want to do it in a way that can get onto the body in a seamless way,” Bogard says.

Jawbone has some experience in that area. From the very beginning, the company has seen its Bluetooth headsets as wearable computers. “In a world where you’re out there mobile and moving around, in that mobile world, the reality is that we use our hands and eyes to navigate,” Bogard says.

Some wearable-computing concepts obstruct the user's vision with complicated overlays, or occupy the user's hands with miniature keyboards. Such designs keep users from interacting with the world normally. Bogard says Jawbone thinks of its headphones as a solution to this problem. “Audio is interesting because it doesn’t use up those resources,” he says. And freeing people to use their eyes and hands normally is “a key element of interacting with computing without having to be so physically engaged with it.”

Bogard argues that every time you put on a Bluetooth headset, you’re already taking part in the wearable-computing revolution. The experience is just so commonplace, and so comfortable, that we don’t even notice it anymore.

But for Bogard, at least, that isn’t just a side effect of good design--it’s the goal. Bogard believes good design should be invisible to the end user, and only when it becomes a natural extension of ourselves will the technology really take off.

Wearable Computing’s History

That approach is a far cry from the common vision of the wearable computer in the public imagination. Though some experts define wearable computing so broadly as to include the pocket watch, the idea--as it is commonly understood today--was born in the early 1980s as academics created complicated proof-of-concept rigs that covered the whole body.

Though the early experiments stretched the definition of "portable" (an early model by wearable-computing pioneer Steve Mann had to be carried around in a backpack), the efforts also helped to shape the public perception of the wearable computer. To most people, the term usually refers to an extensive rig that looks, frankly, a little embarrassing. These systems have more in common with the Borg from Star Trek than with a Bluetooth headset.

The development of Steve Mann's wearable computing devices

Of course, even experimental systems have become smaller and less noticeable over the years. In 1994, Steve Mann created a new wearable-computing system and began an ambitious project to transmit his whole life, live, for two years. By then his system was a rather bulky series of boxes that hung off his belt. After the experiment ended, Mann slimmed his system down even more. By the late 1990s, his rig consisted of a particularly large pair of sunglasses attached to a single small box hooked onto his belt.

The Looxcie 2 camera

Today the ability to record everything you see is available to the average consumer: The $200 Looxcie 2, a small camera about the size of a Bluetooth headset, fits over your ear and lets you record up to 10 hours of POV footage that you can download to your computer for a daily log of your activities.

As computing technology continues to get smaller and more powerful, the possibilities for wearable computing can only expand. Travis Bogard likens the state of the industry to that of the personal computer in the late 1980s. Now that wearable technology is such an integral part of our lives, we need to explore what exactly these new portable computers can do.

Although the possibilities for the industry are exciting, the most fascinating thing about the wearable-computing future may be that it has already arrived.




Healthcare Industry Leads Market in IT Hiring

Flush with federal funds and under the gun of federal regulatory deadlines, the healthcare industry is leading the market in IT jobs creation, according to the U.S. Bureau of Labor Statistics and job placement services.

The bureau indicated that IT jobs in healthcare are expected to grow by 20% annually through 2018, "much faster than average." There are currently 176,090 healthcare IT jobs, according to the agency.

Since November 2009, healthcare IT positions have increased 67%, according to online job search engine SimplyHired.com, which lists 7,200 open healthcare IT positions out of 4.9 million jobs on its website.

Leading the pack from a percentage of increase perspective are CIO and CTO positions, according to Dion Lim, CEO of SimplyHired.com. Since 2009, CIO positions in the healthcare field have increased 101% (more than 200 current job listings) and chief technology officer positions have increased 127% (about 100 job listings).

"My experience has been that CIOs from other industries are being hired into healthcare," said Robert Booz, a vice president and distinguished analyst with market research firm Gartner. "People who were in retail banking or manufacturing are being brought into the healthcare world to bring their lessons learned from other industries."

Booz said CIOs and CTOs are given the responsibility of being agents of change, using the lessons learned in other industries to bring the healthcare industry up to speed. Healthcare has been a slow follower in IT adoption, but today is being driven by federal regulations requiring it to roll out electronic health records (EHRs) and to implement best practices in care through standardized medicine.

Among these regulations, the federal government is requiring a changeover from the current ICD-9 medical coding system to ICD-10 by Oct. 1, 2013. The effort has been under way since 2008, yet most hospitals have not begun the changeover, according to the American Hospital Association.

ICD-10 adds about 68,000 new codes that describe medical conditions and treatments, and will affect databases and EHRs, billing systems, reporting packages, and other decision-making and analytical systems. The changeover will require major upgrades or the replacement of current IT systems.

In addition to ICD-10, by 2012, healthcare providers must upgrade from the current version of the Health Insurance Portability and Accountability Act (HIPAA) to the HIPAA 5010 standards, which address new rules for claims management systems, including transaction uniformity and the streamlining of reimbursement transactions.

IT administrators

Jobs in healthcare IT administration are also seeing strong growth, according to the SimplyHired search engine. Since 2009, database admin jobs have grown by 94% (400+ jobs); network admin positions have grown by 64% (100+ jobs); sys admin jobs have increased 43% (about 100 jobs), and storage admin positions have grown by 37% (about 100 jobs).

In terms of sheer numbers of positions, developers lead the pack with more than 6,000 job listings, or a 65% increase since 2009, followed by system analysts with more than 2,000 jobs, or a 35% increase.

"Healthcare has been one of the highest performing areas for jobs creation pre recession, recession and post recession," Lim said.

By comparison, Lim said other leading markets for jobs creation have been the automotive industry at 60% and the financial services industry, with 34% growth over the past year.

The Bureau of Labor Statistics states on its website that through 2018, employment of medical records and health information technicians will lead the pack in healthcare IT job growth.

"In addition, with the increasing use of electronic health records, more technicians will be needed to complete the new responsibilities associated with electronic data management," the agency stated.

Specialists are the most highly sought

This year alone, healthcare IT spending is expected to reach $40 billion, according to a study from market research firm RNCOS.

The Affordable Care Act, passed last year, is expected to drive an 8.3% growth in healthcare spending by 2014, according to the health policy journal Health Affairs.

Driving much of the spending increase is the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act requires hospitals and physician practices to roll out and prove the meaningful use, a set of specifications and certification criteria for EHRs, by 2015 or face penalties.

An estimated 50,000 health IT employees are needed for the industry to meet these regulatory deadlines, according to Eric Marx, vice president of Health Care IT for Modis IT Staffing, a job placement agency with locations in 28 states.

The federal government has spent $144 million to set up IT worker training at more than 80 U.S. community colleges and universities to help fill the employment gap.

A significant part of the training will be for staffers at 60 regional extension centers (REC), the public-private partnerships that will eventually assist in the deployment of EMR systems at rural hospitals and physician practices with 10 or fewer doctors.

"The graduates from these programs aren't ready for primetime yet, but will have the needed experience starting in 2013," Marx said.

However, there is a significant disparity between the gross need for health IT employees and the number of qualified professionals able to meet requirements, Marx said. Modis' clients have struggled to find applicants who are not only technically proficient, but also experienced in the clinical health care environment.

"I'd compare the IT job situation in healthcare to the dot-com era or Y2K. There's a tremendous amount of demand for workers, but with a very specialized skill set," Marx said.

Marx said his hospital and physician practice clients are seeking workers with vendor-specific skills and experience in implementing EHR systems. For example, IT workers are needed who know how to deploy and run EHR systems from vendors such as Philips Healthcare, Cerner, Meditech and EPIC.

Hospitals aren't just looking for people who can implement those EHR systems; they need IT people to run them and adapt them over the long haul.

"These are salaried employees. They are going to be busy for quite some time, like the Bureau of Labor Statistics suggested with its 2018 timeframe," Marx said.

Marx and others emphasized that workers with clinical knowledge, who may have formerly worked in a healthcare position, have a huge leg up over workers with only IT experience. So, healthcare workers who get formal IT training will be highly sought after.

Adding to the overall growth in healthcare IT positions is the fact that by 2020, nearly 28 million previously uninsured Americans are expected to get health insurance coverage as a result of health care reform, the majority of it coming through health care exchanges (HIX), which the government is mandating states deploy by 2014. The influx of newly insured Americans will put a strain on billing systems, databases and EHRs.

IT workers in other fields may also find a sense of fulfillment working in healthcare, where using their skills directly affects the well-being of patients.

"The better we do our job, the more people can get care, and the more people can get better care," Booz said. "There is definitely this sense of accomplishment beyond one's self role that you have when you're working in healthcare."

For more enterprise computing news, visit Computerworld. Story copyright © 2011 Computerworld Inc. All rights reserved.


