Tuesday, August 16, 2016

Yes, the OS and filesystems on our EHR servers were hacked and our data encrypted for ransom, but "no medical information was looked at or compromised"

On this blog I have an entire series of posts regarding EHR crashes that point out an absurd-on-its-face and, in fact, insulting boilerplate executive response to the EHR unavailability:

"BUT patient care has not been compromised." 

The posts can be accessed via the query link http://hcrenewal.blogspot.com/search/label/Patient%20care%20has%20not%20been%20compromised.

It seems I may need another, related indexing term when EHRs get hacked and ransomware is inserted:

"BUT no information was looked at or compromised."

I've seen this in various incarnations several times now. 

For instance, see my Feb. 18, 2016 post "Hollywood Presbyterian Medical Center: Negligent hospital IT leaders allow hacker invasion that cripples EHRs, disrupts clinicians ... but patient safety and confidentiality not compromised" at http://hcrenewal.blogspot.com/2016/02/hollywood-presbyterian-medical-center.html and my March 29, 2016 post "Bad health IT at Medstar Health: FBI probing virus behind outage" at http://hcrenewal.blogspot.com/2016/03/bad-health-it-at-medstar-health-fbi.html.

This type of statement suggests that thieves who are able to gain access at highly granular levels of a server's filesystem and OS in order to encrypt the contents and insert the ransomware are "honest thieves" who would not look at the PHI for purposes of identity theft, or even sadistically alter data for purposes of causing harm.  In other words, it's the executives reassuring the populace that the thieves have honor.

The latest example:

Novato firm remains silent about ransomware attack on patient records
Richard Halstead, Marin Independent Journal
08/13/16
http://www.marinij.com/article/NO/20160813/NEWS/160819914
Officials at a Novato [California, https://en.wikipedia.org/wiki/Novato,_California - ed.] company that provides medical billing and electronic medical records services to many Marin physicians aren’t talking about a ransomware attack on their system this month that left doctors unable to access patient records for more than 10 days.

Ten days without charts is unprecedented in the paper world, except perhaps after a major physical catastrophe.

Clearly, the refrain "BUT patient care has not been compromised" would be absurd under such conditions.


Lynn Mitchell, CEO of Marin Medical Practice Concepts, issued a terse email on Aug. 4 confirming that her company had paid a ransom to regain access to its data. She wrote, “To date, there is no evidence that any patient information was accessed, transferred or otherwise compromised.”

Honest thieves were involved.

Since then, Mitchell has declined to comment on how many patient medical records were involved, how Marin Medical determined that the records weren’t compromised and whether the company reported the security breach to law enforcement or — as required by law — the state Attorney General’s Office and U.S. Department of Health and Human Services.

“We have nothing further to add at this time,” Mitchell said in an email Thursday.

Not specifying how such a determination was made significantly decreases the credibility of an already non-credible assertion, in my view.

Joe Cohen, an information technology consultant based in Greenbrae, said, “They claim no information was looked at or compromised. I don’t believe it.”

Cohen, whose personal data is in Marin Medical’s system, said he is worried that whoever encrypted the company’s files may have copied the data before demanding the ransom.

That's a best-case scenario, considering the possibility of deliberate or accidental alteration or corruption.

Typically in such ransomware attacks, a sophisticated computer virus finds its way into a victim’s system when an unsuspecting employee opens an email attachment. The virus encrypts the system’s data and attackers essentially hold the data hostage until the owners of the information pay a ransom, typically in an untraceable digital currency such as Bitcoin.

"Finds its way into a victim's system" is a rather mild way of saying "invades a victim's system due to inadequate security precautions."

Carl Chapman, operations manager of the Northern California Computer Crimes Task Force and an inspector in the Marin County District Attorney’s Office, said Marin Medical did not report the extortion to his task force.

“Typically, people don’t report them because I think it is well known throughout information technology departments that we are unable to unlock the information,” Chapman said.

... In 2012, the state began requiring businesses and government agencies to notify the attorney general on breaches affecting more than 500 Californians. The law applies to any business or agency whose unencrypted personal information was acquired, or reasonably believed to have been acquired.

I'd say it's more likely that organizations that don't report such crimes want to keep their victimhood due to negligence out of the public spotlight.

According to a report issued by the Attorney General’s Office in February, in the past four years the attorney general has received reports on 657 data breaches affecting a total of more than 49 million records of Californians. ... health care, which accounted for 16 percent of breaches, is starting to see an increase in hacking breaches as the sector transitions to electronic medical records. ... the “most vulnerable information in health care was medical information, such as patient records, and Social Security numbers.”

That level of incidents leads me to state the following:

  • Lack of EHR interoperability, so often complained about, is actually a good thing in 2016, as it may limit the scope of individual breaches of EHR security; and
  • The utopian dream of a national health information network connecting the entire country's EHR systems is a very, very bad idea in 2016 and should be postponed.  Reality is a harsh master, and the risks are clearly great in 2016 due to the immaturity of computer security.

More on ransomware:

Gordon [Amy Gordon, a partner in the Chicago law firm of McDermott Will & Emery LLP] said in addition to encrypting data, ransomware may also transfer information to a remote location.

“In this day and age, people’s personal information is valuable,” Gordon said, “so unfortunately some of these hackers may be selling this information in addition to getting the ransom from the hacked entity.”

The thieves are already taking a significant risk, and smart thieves would certainly be expected to maximize their haul..

In February, Hollywood Presbyterian Medical Center in Los Angeles paid a ransom of $17,000 in the hard-to-trace digital currency Bitcoin in order to regain access to its data.

Then in March four more organizations fell victim: MedStar Health, which operates 10 hospitals throughout the District of Columbia and Maryland; Chino Valley Medical Center in Chino and Desert Valley Hospital in Victorville, California; and Methodist Hospital in Louisville, Kentucky.

The first two incidents are covered in the aforementioned posts.

John Hall, who operates Sausalito Networking, a small system integration firm, said, “If someone hits a hospital they can usually get a lot of money because the hospital needs to get the darn patient data.”

Indeed, making them among the most pliable of victims.

Hall said several of his clients — a small construction company, a tax advisory firm and a medical facility — have been hit by ransomware attacks recently. He said he is advising all of his clients to install special anti-ransomware software.

Bret Lowry is the founder of Florida-based WinPatrol, which produces the anti-ransomware software that Hall recommends.

“This year ransomware attacks have just exploded,” Lowry said, “because organized crime has gotten involved and is using it to make money.”

That is not surprising to me.   Further evidence the "ready, aim, fire" push to national health IT by our government and IT industry with little consideration to risk, now in a stage of coercive penalties for non-users, once again has been proven to have been reckless.  As examples of the government and industry leaders downplaying risk:

March 6, 2013
On EHR's: See No Evil, Hear No Evil, Speak No Evil: Part 1
http://hcrenewal.blogspot.com/2013/03/on-ehrs-see-no-evil-hear-no-evil-speak.html

March 8, 2013
On EHR's: See No Evil, Hear No Evil, Speak No Evil: Part 2
http://hcrenewal.blogspot.com/2013/03/on-ehrs-see-no-evil-hear-no-evil-speak_8.html

In the first post I noted this:
... The head of CCHIT, Mark Leavitt, has penned the following at iHealthBeat: 

June 19, 2009 - Perspectives 

Health IT Under ARRA: It's Not the Money, It's the Message

by Mark Leavitt 

... Before ARRA, most surveys concluded that cost was the No. 1 barrier to EHR adoption. But as soon as it appeared that the cost barrier might finally be overcome, individuals with a deeper-seated "anti-EHR" bent emerged. Their numbers are small, but their shocking claims -- that EHRs kill people, that massive privacy violations are taking placethat shady conspiracies are operating -- make stimulating copy for the media. Those experienced with EHRs might laugh these stories off, but risk-averse newcomers to health IT, both health care providers and policymakers are easily affected by fear mongering.

Fear mongering.  Right.

In the second I noted this:

... Blumenthal, at the time Director of ONC at HHS had reportedly stated that:

http://www.massdevice.com/news/blumenthal-evidence-adverse-events-with-emrs-anecdotal-and-fragmented

... [Blumenthal's] department is confident that its mission remains unchanged in trying to push all healthcare establishments to adopt EMRs as a standard practice. "The [ONC] committee [investigating FDA reports of HIT endangement] said that nothing it had found would give them any pause that a policy of introducing EMR's [rapidly and on a national scale - ed.] could impede patient safety," he said.

The "nothing" includes 44 injuries voluntarily reported to FDA and 6 reported deaths in an enviroment where few know where to report such things and where no reporting requirements exist, and a statement from the head of CDRH at FDA that due to systematic impediments to accurate knowledge the known figures likely are a small fraction ("tip if the iceberg") of the actual occurrence.


Further:

Chapman said, “In the cases we’ve investigated, all of the leads go to Eastern European countries for which we don’t have the ability to do any further investigation. I’m not aware of any federal agencies that are specifically working on ransomware.”

In other words, the hackers cannot be identified nor brought to justice.

Under these conditions, continued pushes for interoperability and mass networking of multiple EHR's is simply reckless.  The proper caution calls for a slowdown in those efforts until security issues are under reasonable control.  However, the past decade has shown that "caution" seems an abstract concept to our government and industry with respect to the health IT sector.

Finally:

"BUT no information was looked at or compromised"
is a phrase that also needs to be backed up by robust proof, because it rings as hollow as, or perhaps more hollow than "BUT patient care has not been compromised." 

-- SS

No comments: