KYLE IN PAYABLES HAS BEEN BINGE-WATCHING, AND NOW YOU NEED TO CARE ABOUT ZETTABYTES
by Robert Mangeot
Kyle again, five minutes late for the 8:00AM St. Healthcare Payables team Zoom huddle. He’s bleary-eyed--again--and slurping coffee (“Kyle, can you mute, please?”) after an all-nighter binge-watching the just-dropped Wicked Streaming Show That Has People Talking, season two. WSS.2, in Kyle-ese. He’ll gush baggy-eyed over each and every spoiler if anyone hangs on the Zoom too long. Usually, we can’t stay mad at him. Kyle is bedrock here in Payables, first with the virtual high fives and the loudest voice singing “Happy Birthday.” This morning, though, the coffee isn’t kicking in yet, and he’s digging this new email promising a GIFT CARD!!! if he clicks there and takes this important HR survey.
Gift cards? Hello, WSS merch.
Don’t do it, Kyle. Don’t.
Let’s call the malware BigBummerExpress. Kyle’s computer doesn’t slow to a crawl processor-wise. It doesn’t flash the Blue Screen of Death. It doesn’t laugh a super-evil laugh like that cray hacker episode from WSS.1. BigBummerExpress is loaded and running, sure. And yeah, there’s patient information on his computer for the grabbing.
Kyle isn’t who BigBummerExpress is after.
However we got here and whatever your opinion about it, U.S. healthcare is a huge market. Most money is spent well enough or at least well-intendedly. As for the rest, there’s a reason that entire professions--including mine--have spun up to chase bad actors. And lately, there’s the bad actor golden ticket: ransomware.
To be clear, I am not a technology expert. I’m not involved in cybersecurity. I’m a humble regulatory nerd who barely understands how my laptop crunches its ones and zeroes. But with cybersecurity being crucial to those regs, I try to stay hip on the trends.
In September, Universal Health Services--a giant at 400 facilities--announced a major cyberattack had taken down clinical systems. Universal is not releasing details, but if it sounds like ransomware, it probably is. Patient appointments were rescheduled, test results were delayed, and patients inbound to their ERs were diverted elsewhere. Fullz.
Health data has grown to mind-boggling size and mushrooms further each year. Experts predict that cumulative health data about you and me will reach 35 zettabytes this year. A zettabyte is tech-speak for one sextillion bytes. That’s roughly one byte for all the grains of sand on all the Earth’s beaches--multiplied by 35. Or to see all the commas, we’re talking 35,000,000,000,000,000,000,000 bytes of health data out there.
And the problems usually start with phishing.
A month has passed since Kyle did that vendor survey thing. He’s forgotten about that gift card or reporting a concern because, bless him, rumors go WSS.3 will be the full throttle, slam-bang finale. In that month, BigBummerExpress has used his system credentials to cruise the company IT platforms and learn where that sweet data is, how it’s structured, what protects it. To the Security people, if they spot any oddness in Kyle’s activity, it looks like him accessing places he’s authorized to access.
It’s encryption time.
8:15AM, the Zoom huddle and Kyle slurping coffee. His boss is asking Kyle to mute when everyone’s Payables screens flicker off. Text messages start flying. His boss manages to say, “I gotta go.”
It’s no wonder that crime fiction often involves a cyber angle. The technology and its human implications can be fascinating, and it brings plenty of cat-and-mouse games. If anyone is mulling a healthcare cyber tale, here’s a general lay of the land for 2020 realism.
To read the industry studies, hospital ransoms used to be small, way cheaper than fighting the protracted fight. A volume business. Fast forward to 2020: Those studies put asking prices in the millions. Today’s ransomware isn’t just encrypting data natively but stealing it on threat of release, so that companies can’t plug in the back-ups and refuse to bargain. Big game hunting, in the lingo.
Cybercriminals are such an everyday threat that it’s an insurable risk. Of course, no underwriter goes on the hook for potential millions only to stay out of the response and prevention discussions. Like I said, serious defenses.
That can have a weak link.
It was awesome.
It’s been weird at St. Healthcare. HR sent an actual email with an actual performance warning. It took forever to get the Payables and medical record interface back running, and while it’s not been on the news, Kyle figures somebody must’ve coughed up for the hackers to go away.
Hackers. Big money. Affiliations. What Kyle’s thinking, this would make full throttle WSS fan fiction.