Hospital hacks show HIPAA might be dangerous to our health
Cyber attention should focus on patient care and security rather than regulatory compliance
By Bob Sullivan, ThirdCertainty
A few years ago, my long-time, elderly, live-alone neighbor was taken away in an ambulance. I wasn’t home and heard about it secondhand. I had no idea how serious it was or even where he was taken, but I was really concerned. So I started calling local hospitals to ask if he’d been admitted. You can probably guess how that worked out for me.
I was stonewalled at every turn. Even when I said I might be the only one who would call about him, that I was concerned he had no nearby next of kin, I got nowhere. I was fully HIPAA’d out.
Eventually, I talked to local police who tipped me off that he had been brought to a nearby hospital. I called them again.
“Not to be morbid, but can I even confirm that he’s still alive?” I pleaded.
“Due to patient privacy, we cannot divulge anything,” I was told.
Now, you probably know I care about privacy as much as the next person, but if my friend and neighbor were dying in a hospital bed, I was hell-bent on making sure he didn’t die without knowing at least someone cared about him. And this seemed cruel to me.
I called a few more times and finally reached someone who, from her voice, sounded quite a bit older. Maybe even a volunteer. She heard me out.
“You didn’t hear it from me,” I recall her saying. “But he’s recovering from brain surgery. He probably had a stroke.”
I’m happy to tell you that I went to see my neighbor a few times during the next several weeks, and after a long recovery, he’s doing really well.
I tell you all this because I am worried that situations like these are helping hackers.
Ransomware hits hard
Perhaps you’ve heard about the rash of hospital and health care systems being attacked by ransomware. In the Washington, D.C., area, the MedStar chain was reduced to performing nearly all tasks on paper by a virus that locked all files and demanded payment to unlock them. The problem is so serious that U.S. and Canadian authorities jointly issued a warning about ransomware on March 31, calling attention to attacks on hospitals.
What does this have to do with HIPAA or my neighbor’s stroke? It shows we are worrying about the wrong things.
All of us have been HIPAA’d at some point. We’ve felt the wrath of the Health Insurance Portability and Accountability Act, enacted in 1996. Want a “yes” or “no” answer to a simple question from your doctor? You can’t get an email from her or him. You have to log on to a server that probably will reject the first five passwords you enter and then force you to a reset page. Half the time you’ll give up before you find out that, yes, you should take that pill with food.
There’s a saying in the geek world that “compliance is a bad word in security.” Walk into any health care facility, and you’ll immediately get the sense that everyone from doctors to nurses to cleaning staff is terrified of violating HIPAA. On the other hand, I’ve been told by someone who has worked on a recent hospital attack that health facilities routinely are five or even 10 years behind on installing security patches.
Geoff Gentry, a security analyst with Independent Security Evaluators, puts it this way:
“We are defending the wrong asset,” he told me. “We are defending patient records instead of patient health.”
If someone steals a patient record, sure, they can do damage. They can perhaps mess up a patient’s credit report. But if someone hacks and alters a patient record, the consequences can be much more dire.
“It could be life or death,” he said.
Patient privacy inadequately protected
Gentry was part of a team from Independent Security Evaluators that reviewed hospital security at a set of facilities three months ago in the Baltimore/Washington, D.C., area. The timing couldn’t have been better, and the message couldn’t be more important.
“For almost two decades, HIPAA has been ineffective at protecting patient privacy, and instead has created a system of confusion, fear and busy work that has cost the industry billions. Punitive measures for compliance failures should not disincentivize the security process, and health care organizations should be rewarded for proactive security work that protects patient health and privacy,” the report says. “(HIPAA has) not been successful in curtailing the rise of successful attacks aimed at compromising patient records, as can be seen in the year-over-year increase in successful attacks. This is no surprise however, since compliance rarely succeeds at addressing anything more than the lowest bar of adversary faced, and so long as more and better adversaries come on to the scene, these attempts will continue to fail.”
In the test, Independent Security Evaluators found issues that ran the gamut from unpatched systems to critical hospital computers left on, and logged in, while patients were left alone in examination rooms. A typical problem: aging computers designated for a single task that are left untouched for months or even years, missing critical security updates.
Larry Ponemon, who runs The Ponemon Institute, a privacy consulting firm, was an adviser on that project. His assessment is equally blunt.
“Being HIPAA-compliant has become almost like a religion,” he says. “The reality is that being compliant with HIPAA doesn’t get you really far.”
Security takes back seat to compliance
To be clear: The report didn’t uncover lazy IT workers playing video games while IT infrastructure crumbles around them. Nor did it find uncaring doctors, nurses or even administrators. To the contrary, it found haggard security professionals desperately trying to keep up with security issues, and generally falling hopelessly behind as their attention is constantly redirected to paranoia over compliance issues.
“A lot of companies have made poor investment decisions in security. They are doing things that are not diminishing their risk,” said Ponemon. (Note: Larry Ponemon and I have a joint project on privacy issues, a newsletter called The Ponemon Sullivan Privacy Report.)
Hackers are devoted copycats, so we know more attacks on hospitals are coming. At the moment, these attacks seem to have been limited to administrative systems, and the impacted health care facilities say patient care was unaffected.
It’s easy to imagine far worse outcomes, however. Gentry speculated that hackers could attack a specific patient and extort him or her. Ponemon talked about attacks on pacemakers or other digitally connected devices that control patient health.
“These sound like they are science fiction, but hospitals are part of the Internet of Things,” he said. “And there doesn’t seem to be a plan to manage the security risk.”
The plan, Gentry says, has to involve righting the regulatory ship and letting hospitals and health care facilities worry about the right things.
“We need to take a lot of this bandwidth we are appropriating to compliance and use that bandwidth on security and patient health,” he said.
And we’d better start soon. Because we’ve given the bad guys a pretty sizable head start while we were distracted by Herculean efforts to protect my neighbor from me.