It's not the main problem, but one problem with Hospital IT is doctors making IT decisions. I hear from others there's a similar problem with IT around lawyers.
I can confirm the law firm side of things. Back when I cofounded an MSP they were some of our best clients. Why? Because they all collude about pay stuff (illegal but what are you gonna do, sue all the best lawyers in town?) to the point where around 2008 they just started firing entire IT departments and sysadmins thinking they could pay less for outsiders who could then be scapegoats if shit went wrong. The funny thing was that they not only spent more money on the MSPs and consultants, but got less work and machinery for it. Getting anything approved was like pulling teeth, especially in places where it all had to go to the partners first.
I appreciate my time working with some great lawyers because I learned so much and still have many useful contacts (do you know the best IP lawyer in your state?) but it really created a quiet seething distrust of lawyers and the legal system in general.
I've never seen the worst people in society hailed as the paragons of the community as much as lawyers.
The biggest hospital gig I had was for the neurosurgeons and they got stuff done faster than any other hospital department because they had their own building, the pull, and the money to do so and due to stories I heard I just knew they were an outlier.
Hospitals have terrible budgets. There's never money to buy anything. Doctors make big salaries, but there's so much administrator bloat, it's similar to colleges.
There's a bit of responsibility from us IT / cybersecurity folks.
Our system is set up so that we defend the networks we've been assigned to. The greater cultural problems are someone else's problem. We don't actually look outside of our own networks.
Hospitals getting hacked? Well, that's sad, but not our problem. Not until they pay us at least.
------
Granted, I'm not sure what we _should_ be doing about this issue. But at least acknowledging our current culture would be a step forward. Good IT security comes from the top, from a culture of security.
Some of that is due to being told to not touch them. There's strong cultural memory of safety, security, or just sound planning being thrown out by non-IT people, till even new hires quickly start getting the instinct to bunker down.
People who are in highly educated fields but aren't IT adjacent somehow get that idea that computers are not that difficult. Doing IT for doctors and lawyers is usually frustrating.
Some of the best hospital clients I've had have been doctors who are smart enough to understand that info tech knowledge is almost as important to them as medical knowledge. If you spend the time with them to advise on how to best implement their ideas for new systems/processes then you can end up with the best possible win/win result.
That said, you have to know what you are talking about or admit you don't. Doctors are used to being misled by the best, and if you try to mislead or bullshit them they will know and you've lost their trust. Admit when you don't have in-depth knowledge about what they are asking for and they will respect you for it. In a lot of cases you may be able to learn from them, as their interest is specific when you will have to deal with the entire environment.
The other important thing is don't waste their time. A lot of doctors are working 18 to 20 hour days, and don't have time for you to be disorganised. If something is going to take a long time to do, then tell them so they can plan around the job. If a quick task suddenly looks like it's going to take longer, let them know as soon as you can so they can plan.
Keep at the top of your mind that the clinical staff you are supporting are there to save the lives of real people, they are not there at your convenience. Remember one day you will be a patient and you don't want your doctor to have to stuff around with an unhelpful IT specialist.