Hospital hacks show HIPAA might be dangerous to our health

Cyber attention should focus on patient care and security rather than regulatory compliance


A few years ago, my long-time, elderly, live-alone neighbor was taken away in an ambulance. I wasn’t home and heard about it secondhand. I had no idea how serious it was or even where he was taken, but I was really concerned. So I started calling local hospitals to ask if he’d been admitted. You can probably guess how that worked out for me.

I was stonewalled at every turn. Even when I said I might be the only one who would call about him, that I was concerned he had no nearby next of kin, I got nowhere. I was fully HIPAA’d out.


Eventually, I talked to local police who tipped me off that he had been brought to a nearby hospital. I called them again.

“Not to be morbid, but can I even confirm that he’s still alive?” I pleaded.

“Due to patient privacy, we cannot divulge anything,” I was told.

Now, you probably know I care about privacy as much as the next person, but if my friend and neighbor were dying in a hospital bed, I was hell-bent to make sure he didn’t die without knowing at least someone cared about him. And this seemed cruel to me.

I called a few more times and finally reached someone who, from her voice, sounded quite a bit older. Maybe even a volunteer. She heard me out.

“You didn’t hear it from me,” I recall her saying. “But he’s recovering from brain surgery. He probably had a stroke.”

I’m happy to tell you that I went to see my neighbor a few times during the next several weeks, and after a long recovery, he’s doing really well.

I tell you all this because I am worried that situations like these are helping hackers.

Ransomware hits hard

Perhaps you’ve heard about the rash of hospital and health care systems being attacked by ransomware. In the Washington, D.C., area, the MedStar chain was reduced to performing nearly all tasks on paper by a virus that locked all files and demanded payment to unlock them. The problem is so serious that U.S. and Canadian authorities jointly issued a warning about ransomware on March 31, calling attention to attacks on hospitals.

What does this have to do with HIPAA or my neighbor’s stroke? It shows we are worrying about the wrong things.

All of us have been HIPAA’d at some point. We’ve felt the wrath of the Health Insurance Portability and Accountability Act, enacted in 1996. Want a “yes” or “no” answer to a simple question from your doctor? You can’t get an email from her or him. You have to log on to a server that probably will reject the first five passwords you enter and then force you to a reset page. Half the time you’ll give up before you find out that, yes, you should take that pill with food.

There’s a saying in the geek world that “compliance is a bad word in security.” Walk into any health care facility, and you’ll immediately get the sense that everyone from doctors to nurses to cleaning staff is terrified to violate HIPAA. On the other hand, I’ve been told by someone who has worked on a recent hospital attack that health facilities routinely are five or even 10 years behind on installing security patches.

Geoff Gentry, a security analyst with Independent Security Evaluators, puts it this way:

“We are defending the wrong asset,” he told me. “We are defending patient records instead of patient health.”

If someone steals a patient record, sure, they can do damage. They can perhaps mess up a patient’s credit report. But if someone hacks and alters a patient record, the consequences can be much more dire.

“It could be life or death,” he said.

Patient privacy inadequately protected

Gentry was part of a team from Independent Security Evaluators that reviewed hospital security at a set of facilities three months ago in the Baltimore/Washington, D.C., area. The timing couldn’t have been better, and the message couldn’t be more important.

“For almost two decades, HIPAA has been ineffective at protecting patient privacy, and instead has created a system of confusion, fear and busy work that has cost the industry billions. Punitive measures for compliance failures should not disincentivize the security process, and health care organizations should be rewarded for proactive security work that protects patient health and privacy,” the report says. “(HIPAA has) not been successful in curtailing the rise of successful attacks aimed at compromising patient records, as can be seen in the year-over-year increase in successful attacks. This is no surprise however, since compliance rarely succeeds at addressing anything more than the lowest bar of adversary faced, and so long as more and better adversaries come on to the scene, these attempts will continue to fail.”

In the test, Independent Security Evaluators found issues that ran the gamut from unpatched systems to critical hospital computers left on, and logged in, when patients are left alone in examination rooms. A typical problem: Aging computers designated for a single task that are left untouched for months or even years, missing critical security updates.

Larry Ponemon, who runs The Ponemon Institute, a privacy consulting firm, was an adviser on that project. His assessment is equally blunt.

“Being HIPAA-compliant has become almost like a religion,” he says. “The reality is that being compliant with HIPAA doesn’t get you really far.”

Security takes back seat to compliance

To be clear: The report didn’t uncover lazy IT workers playing video games while IT infrastructure crumbles around them. Nor did it find uncaring doctors, nurses or even administrators. To the contrary, it found haggard security professionals desperately trying to keep up with security issues, and generally falling hopelessly behind as their attention is constantly redirected to paranoia over compliance issues.

“A lot of companies have made poor investment decisions in security. They are doing things that are not diminishing their risk,” said Ponemon. (Note: Larry Ponemon and I have a joint project on privacy issues, a newsletter called The Ponemon Sullivan Privacy Report.)

Hackers are devoted copycats, so we know more attacks on hospitals are coming. At the moment, these attacks seem to have been limited to administrative systems, and the impacted health care facilities say patient care was unaffected.

It’s easy to imagine far worse outcomes, however. Gentry speculated that hackers could attack a specific patient and extort him or her. Ponemon talked about attacks on pacemakers or other digitally connected devices that control patient health.

“These sound like they are science fiction, but hospitals are part of the Internet of Things,” he said. “And there doesn’t seem to be a plan to manage the security risk.”

Redirect focus

The plan, Gentry says, has to involve righting the regulatory ship and letting hospitals and health care facilities worry about the right things.

“We need to take a lot of this bandwidth we are appropriating to compliance and use that bandwidth on security and patient health,” he said.

And we’d better start soon. Because we’ve given the bad guys a pretty sizable head start while we were distracted by Herculean efforts to protect my neighbor from me.
