Hospital Ransomware Hacks Show Our System is Focused on the Wrong Things

Photo (cc) by j.reed

A few years ago, my long-time, elderly, live-alone neighbor was taken away in an ambulance. I wasn’t home and heard about it second-hand. At first, I had no idea how serious it was or even where he was taken, but I was really concerned. So I started calling local hospitals to ask if he’d been admitted. You can probably guess how that worked out for me.

I was stonewalled at every turn. Even when I said I might be the only one who would call about him, that I was concerned he had no nearby next of kin, I got nowhere. I was fully HIPAA’d out.

Eventually, I talked to local police who tipped me off that he had been brought to a nearby hospital. I called them again.

“Not to be morbid, but can I even confirm that he’s still alive?” I pleaded.

“Due to patient privacy, we cannot divulge anything,” I was told.

Now you probably know I care about privacy as much as the next person, but if my friend and neighbor was dying in a hospital bed, I was hellbent to make sure he didn’t die without knowing at least someone cared about him. And this seemed cruel to me.

I called a few more times. I finally lucked out and got to someone who, from her voice, sounded quite a bit older. Maybe even a volunteer. She heard me out.

“You didn’t hear it from me,” I recall her saying. “But he’s recovering from brain surgery. He probably had a stroke.”

I’m happy to tell you that I went to see my neighbor a few times during the next several weeks, and after a long recovery, he’s actually doing really well.

A distraction from the real problem

I tell you all this because I am worried that situations like these are really helping hackers.

Perhaps you’ve heard about the rash of hospital and health care systems being attacked by ransomware. In the Washington, D.C. area, a chain named MedStar was reduced to performing nearly all tasks on paper by a virus that locked all its files and demanded payment to unlock them. The problem is so serious that U.S. and Canadian authorities jointly issued a warning about ransomware on March 31, calling attention to attacks on hospitals.

What does this have to do with HIPAA, or my neighbor’s stroke? It shows we are worrying about the wrong things.

All of us have been HIPAA’d at some point. We’ve felt the wrath of the Health Insurance Portability and Accountability Act, enacted in 1996. Want a yes or no answer to a simple question from your doctor? You can’t get an email from her or him. You have to log in to a server that will probably reject the first five passwords you enter and then force you to a reset page, and half the time you’ll give up before you find out that, yes, you should take that pill with food.

There’s a saying in the geek world that “compliance is a bad word in security.”

Walk into any health care facility and you’ll immediately get the sense that everyone from doctors to nurses to cleaning staff is terrified to violate HIPAA. On the other hand, I’ve been told by someone who has worked on a recent hospital attack that health facilities are routinely five or even 10 years behind on installing security patches.

Geoff Gentry, a security analyst with Independent Security Evaluators, puts it this way:

“We are defending the wrong asset,” he told me. “We are defending patient records instead of patient health.”

If someone steals a patient record, sure, they can do damage. They can perhaps mess up a patient’s credit report. But if someone hacks and alters a patient record, the consequences can be much more dire.

“It could be life or death,” he said.

A system of ‘confusion, fear and busywork’

Gentry was part of a team from Independent Security Evaluators that reviewed hospital security at a set of facilities three months ago in the Baltimore/Washington area. The timing couldn’t have been better. The message couldn’t be more important.

“For almost two decades, HIPAA has been ineffective at protecting patient privacy, and instead has created a system of confusion, fear, and busywork that has cost the industry billions. Punitive measures for compliance failures should not disincentivize the security process, and healthcare organizations should be rewarded for proactive security work that protects patient health and privacy,” the report says.

“(HIPAA has) not been successful in curtailing the rise of successful attacks aimed at compromising patient records, as can be seen in the year over year increase in successful attacks. This is no surprise however, since compliance rarely succeeds at addressing anything more than the lowest bar of adversary faced, and so long as more and better adversaries come on to the scene, these attempts will continue to fail.”

In the test, Independent Security Evaluators found issues that ran the gamut from unpatched systems to critical hospital computers left on, and logged in, while patients were left alone in examination rooms. A typical problem: aging computers designated for a single task that are left untouched for months or even years, missing critical security updates.

Larry Ponemon, who runs a privacy consulting firm, was an adviser on that project. His assessment is equally blunt.

“Being HIPAA compliant has become almost like a religion,” he says. “The reality is that being compliant with HIPAA doesn’t get you really far.”

Security scrambling to keep up

To be clear: The report didn’t uncover lazy IT workers playing video games while IT infrastructure crumbles around them. Nor did it find uncaring doctors, nurses, or even administrators. To the contrary, it found haggard security professionals desperately trying to keep up with security issues, and generally falling hopelessly behind as their attention is constantly redirected to paranoia over compliance issues.

“A lot of companies have made poor investment decisions in security. They are doing things that are not diminishing their risk,” Ponemon, who runs The Ponemon Institute, said. (NOTE: Larry Ponemon and I have a joint project on privacy issues, a newsletter called The Ponemon Sullivan Privacy Report.)

Hackers are devoted copycats, so we know more attacks on hospitals are coming. At the moment, these attacks seem to have been limited to administrative systems, and the impacted health care facilities say patient care was unaffected. (I did interview a D.C.-area patient who said two doctors were unable to share his patient files, leading to unnecessary delay and expense.)

It’s easy to imagine far worse outcomes, however. Gentry speculated that hackers could attack a specific patient and extort him or her. Ponemon talked about attacks on pacemakers or other digitally connected devices that control patient health.

“These sound like they are science fiction, but hospitals are part of the Internet of Things,” he said. “And there doesn’t seem to be a plan to manage the security risk.”

The plan, Gentry says, has to involve righting the regulatory ship and letting hospitals and health care facilities worry about the right things.

“We need to take a lot of this bandwidth we are appropriating to compliance and use that bandwidth on security and patient health,” he said.

And we’d better start soon. Because we’ve given the bad guys a pretty sizable head start while we were distracted by Herculean efforts to protect my neighbor from me.

What’s your experience with health care privacy systems? Share your stories in comments below or on our Facebook page.
