The 2016 conference for the Healthcare Information and Management Systems Society (HIMSS) is just over a week away in Las Vegas, and as with any large gathering of tech professionals I am sure that the schedule is already jam-packed. But if I were a betting person, I venture to guess that the dominating conversation of conference attendees won’t be to anything presented at the conference…it will be to news events which broke this week and will certainly shape the discussions and presentations. For those of us interested in technology, particularly in Healthcare Technology, both serve as a cautionary tale and hopefully as a teachable moment.
News broke early this week that Hollywood Presbyterian Hospital had their computer network compromised last week by hackers, who are holding the data hostage in exchange for $3.4 Million Bitcoin. This isn’t just a matter of stealing data from an EHR system; the hackers succeeded in taking down the network, either through actions of their own or through forcing the hospital to shut it down to prevent the hackers gaining further access. This means it is not just computers and scheduling systems affected. Any equipment that uses the network (such as MRI machines, CT scanners or Lab machines) cannot run. Several articles have quoted sources inside the hospital who describe going back to physical pen and paper record keeping, with fax machines used to send the data where it needed to be. For anyone interested in how a ransomware attack works, Brian Barret over at Wired has a great Hack Brief that lays out what the attack is and how devastating it can be. The hospital declared a state of emergency, and was working with the FBI and other experts to help deal with the fallout, until news broke yesterday that they paid the hackers $17,000 or 40 Bitcoin (far less than originally demanded) to restore their network.
It has been speculated that the hackers may have gained access to the network by use of a social engineering or phishing scam, where the hackers will trick an employee to click on a link or open a file which gives the attackers an open door into the network. If this is indeed the case, it is another strong reminder that the biggest threat to network security is often the users themselves. Experts agree that attacks of this kind are expected to rise, so let us hope that attendees to HIMSS use this as a teachable moment to emphasize again the importance of a thorough security and disaster recovery program, no matter how big or small the facility is.
The second news item comes courtesy of the FBI and Apple, who are locked in a fight over access to the iPhone of one of the shooters in the San Bernadino Terrorist attack. The FBI has requested Apple to build a backdoor into their OS, granting the FBI access for investigative purposes. Apple CEO Tim Cook has publicly refused to do so, citing not only privacy concerns with such a request but also pointing out that building a backdoor for the FBI would add a security weakness that could be exploited by state actors or talented hackers. Not only could your contacts and personal data be exploited, Cook argues, but so could protected health information (PHI). It’s not just the number of steps you are taking every day on Apple’s Health App; if your physician has an app that allows you to upload prescription refill requests, or if you use an app to log things like your weight and lab values like blood pressure or blood glucose levels, you have PHI on the phone.
Apple has long been a staunch supporter of privacy for its users, but his highlighting of the risks to PHI is very applicable and interesting. Wearables and medical apps are big business in the tech world, and little thought has been given to the privacy of the data that is being collected and shared. No doubt attendees at HIMSS 2016 will be discussing and watching this dispute play out as well; the implications are profound.
Oh, to be a fly on the wall!