2021-02-10

Many years ago my first gig after college landed me in the hospital. I’d like to brag up an exciting narrative to explain that result involving some death-defying feat in my first professional assignment. Maybe that I was such a brilliant academic that the CIA took notice and recruited me at graduation, after which I splintered a bone in training overseas. Nope. My new employer had simply thought my resume was good enough for an interview, which I aced, toward becoming a middle-manager administrator in a hospital. That end fits more with my mediocre grades, and my station otherwise in life.
It happened to be a hospital among the limitless job-seeking reels cast, and it also happened to be in systems security. Not exactly what I would have planned for, had I been a planning college student, while taking business courses and nearly collecting enough philosophy credits for a lucrative minor in the discipline. It was a truly fortunate prospect, since computers and security had always been of some interest growing up in the War Games era. Then, we watched every home in America get outfitted with an oh-so-slow PC topped with a monitor as deep as any microwave. Historically, the timing was right, and as it turned out the security system that I was to oversee, from installation to policy development to daily operations, was, then, the largest of its kind outside of governmental enterprise security systems. Someone fresh off the graduate’s assembly line was likely not prepared for the work.
The other interesting timing occurrence was that my tenure there, nearly five years all told, spanned the “Y2K” preparations, scare, and nonplussed results; the implementation of Clinton’s Health Insurance Portability and Accountability Act; and, most remarkably, the tragic events of 9/11. All these phenomena affected the healthcare industry variously. The new millennium, arguably not due to arrive for another annum after Y2K fizzled in its effects, was limited to affecting the planning up to that last fateful moment of nothingness at 12:00:01 a.m. The attacks of 9/11 called for the most excitable, uninformed, and harried responses, particularly because I and the hospital were in Chicago, where targets such as the Sears Tower were bandied about in the intelligence community. We provided healthcare for the epicenter of downtown Chicago’s pulse, including all sorts of procedures for mass emergencies, world-leader intakes, or viral outbreaks. For years afterwards, security in general, and healthcare security as much as any niche, would try to understand 9/11, and then prepare to better manage and mitigate another such event.
The world changed on 9/11, though in healthcare, perhaps, an even greater resonating impact of the era was HIPAA. HIPAA’s title seems focused on insurance. One need was to ensure that Americans who’d left, or been removed from, their employer’s rolls still had some opportunity to carry healthcare insurance. However, the lingering effects that I’m invoking surround HIPAA’s information security and privacy rules. Legislators knew at the time that our personal, private medical information was prone to hackers, since it had been changing in form from traditional paper hard copies to ones and zeroes traveling along “the wire” from computer network to doctor’s office to insurance companies to who-knows-where else. HIPAA, therefore, includes many effective rules about maintaining secured systems that honor the privacy of such intimate details of our individual lives.
I say that healthcare information security, and HIPAA as a component of that topic, were as meaningful as, or more meaningful than, 9/11 in the long term because, in fact, we’re still wrestling with it.
Last week—and, without hyperbole, likely any given week since HIPAA—yet another rash of hackers absconded with medical data and stole our IDs. What has changed as time passed since HIPAA is the sophistication of the attacker. Now, according to some of the leading global intelligence communities from Europe to Canada to American teams of analysts, medical ID theft has grown to be the work of nation-state actors trying to disrupt the modern medical information model.
In the good ol’ days of healthcare hacking, the bad guys would steal personal information for profit, for corporate subversion, maybe for the mere challenge. Now, however, the pandemic’s temptations, and the fact that a medical record’s value on the black market has come to exceed that of banking or credit card data, make healthcare data some of the most sought-after targets for the largest hacking enterprises.
The U.S. Department of Health and Human Services reported that in any given month of 2020 over a million patients’ data were compromised in security breaches. To be fair, there has always been some risk in holding and transmitting healthcare information. Mistakes are made, files get lost, fires break out. Those minor bumps in the road of security are far outweighed by the malicious actions of hackers in the modern era.
Maybe it’s a nuisance to recoup from a security breach at any given healthcare facility. HIPAA requires that most of them notify patients when that happens, a costly and wasteful activity especially when all hands are needed to manage a global pandemic. The real risks, though, cannot be described as nuisances.
The American Hospital Association tallied losses from just March through June last year at over $200 billion. More than a few times during the pandemic an entire hospital system has been brought to its knees by hackers. A well-funded, organized, state-sponsored ransomware campaign can put out of everyone’s view or use thousands of critical healthcare files and systems, and even a hospital’s baseline power supply.
Maybe too often I burden you with a duty because, as I see it, we’re all interconnected in this mess: chain … weakest link … get it? Here I am, though. Next time you visit a healthcare provider, ask them how secure your most private information is. How prepared are they to protect you?
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
