A few years ago, my long-time, elderly, live-alone neighbor was taken away in an ambulance. I wasn’t home and heard about it second-hand. At first, I had no idea how serious it was or even where he was taken, but I was really concerned. So I started calling local hospitals to ask if he’d been admitted. You can probably guess how that worked out for me.
I was stonewalled at every turn. Even when I said I might be the only one who would call about him, that I was concerned he had no nearby next of kin, I got nowhere. I was fully HIPAA’d out.
Eventually, I talked to local police who tipped me off that he had been brought to a nearby hospital. I called them again.
“Not to be morbid, but can I even confirm that he’s still alive?” I pleaded.
“Due to patient privacy, we cannot divulge anything,” I was told.
Now you probably know I care about privacy as much as the next person, but if my friend and neighbor was dying in a hospital bed, I was hellbent to make sure he didn’t die without knowing at least someone cared about him. And this seemed cruel to me.
I called a few more times. I finally lucked out and got to someone who, from her voice, sounded quite a bit older. Maybe even a volunteer. She heard me out.
“You didn’t hear it from me,” I recall her saying. “But he’s recovering from brain surgery. He probably had a stroke.”
I’m happy to tell you that I went to see my neighbor a few times during the next several weeks, and after a long recovery, he’s actually doing really well.
A distraction from the real problem
I tell you all this because I am worried that situations like these are really helping hackers.
Perhaps you’ve heard about the rash of hospital and health care systems being attacked by ransomware. In the Washington, D.C. area, a chain named MedStar was reduced to performing nearly all tasks on paper by a virus that locked all its files and demanded payment to unlock them. The problem is so serious that U.S. and Canadian authorities jointly issued a warning about ransomware on March 31, calling attention to attacks on hospitals.
What does this have to do with HIPAA, or my neighbor’s stroke? It shows we are worrying about the wrong things.
All of us have been HIPAA’d at some point. We’ve felt the wrath of the Health Insurance Portability and Accountability Act, enacted in 1996. Want a yes or no answer to a simple question from your doctor? You can’t get an email from her or him. You have to log in to a server that will probably reject the first five passwords you enter and then force you to a reset page, and half the time you’ll give up before you find out that, yes, you should take that pill with food.
There’s a saying in the geek world that “compliance is a bad word in security.”
Walk into any health care facility and you’ll immediately get the sense that everyone from doctors to nurses to cleaning staff is terrified of violating HIPAA. On the other hand, I’ve been told by someone who has worked on a recent hospital attack that health facilities are routinely five or even 10 years behind on installing security patches.
Geoff Gentry, a security analyst with Independent Security Evaluators, puts it this way:
“We are defending the wrong asset,” he told me. “We are defending patient records instead of patient health.”
If someone steals a patient record, sure, they can do damage. They can perhaps mess up a patient’s credit report. But if someone hacks and alters a patient record, the consequences can be much more dire.
“It could be life or death,” he said.
A system of ‘confusion, fear and busywork’
Gentry was part of a team from Independent Security Evaluators that reviewed hospital security at a set of facilities three months ago in the Baltimore/Washington area. The timing couldn’t have been better. The message couldn’t be more important.
“For almost two decades, HIPAA has been ineffective at protecting patient privacy, and instead has created a system of confusion, fear, and busywork that has cost the industry billions. Punitive measures for compliance failures should not disincentivize the security process, and healthcare organizations should be rewarded for proactive security work that protects patient health and privacy,” the report says.
“(HIPAA has) not been successful in curtailing the rise of successful attacks aimed at compromising patient records, as can be seen in the year over year increase in successful attacks. This is no surprise however, since compliance rarely succeeds at addressing anything more than the lowest bar of adversary faced, and so long as more and better adversaries come on to the scene, these attempts will continue to fail.”
In the test, Independent Security Evaluators found issues that ran the gamut from unpatched systems to critical hospital computers left on, and logged in, when patients are left alone in examination rooms. A typical problem: Aging computers designated for a single task that are left untouched for months or even years, missing critical security updates.
Larry Ponemon, who runs a privacy consulting firm, was an adviser on that project. His assessment is equally blunt.
“Being HIPAA compliant has become almost like a religion,” he says. “The reality is that being compliant with HIPAA doesn’t get you really far.”
Security scrambling to keep up
To be clear: The report didn’t uncover lazy IT workers playing video games while IT infrastructure crumbles around them. Nor did it find uncaring doctors, nurses, or even administrators. To the contrary, it found haggard security professionals desperately trying to keep up with security issues, and generally falling hopelessly behind as their attention is constantly redirected to paranoia over compliance issues.
“A lot of companies have made poor investment decisions in security. They are doing things that are not diminishing their risk,” Ponemon, who runs The Ponemon Institute, said. (NOTE: Larry Ponemon and I have a joint project on privacy issues, a newsletter called The Ponemon Sullivan Privacy Report.)
Hackers are devoted copycats, so we know more attacks on hospitals are coming. At the moment, these attacks seem to have been limited to administrative systems, and the impacted health care facilities say patient care was unaffected. (I did interview a D.C.-area patient who said two doctors were unable to share his patient files, leading to unnecessary delay and expense.)
It’s easy to imagine far worse outcomes, however. Gentry speculated that hackers could attack a specific patient and extort him or her. Ponemon talked about attacks on pacemakers or other digitally connected devices that control patient health.
“These sound like they are science fiction, but hospitals are part of the Internet of Things,” he said. “And there doesn’t seem to be a plan to manage the security risk.”
The plan, Gentry says, has to involve righting the regulatory ship and letting hospitals and health care facilities worry about the right things.
“We need to take a lot of this bandwidth we are appropriating to compliance and use that bandwidth on security and patient health,” he said.
And we’d better start soon. Because we’ve given the bad guys a pretty sizable head start while we were distracted by Herculean efforts to protect my neighbor from me.