10 October 2020

Kyle in Payables Has Been Binge-Watching, and Now You Need to Care About Zettabytes


Please welcome the newest inmate to our cozy little asylum. Robert Mangeot has been around the short mystery fiction scene for a few years now. His stuff is in a few anthologies and appears frequently in Alfred Hitchcock Mystery Magazine (and has made my best-of-the-week selection four times.) He’ll have a piece in AHMM's November/December issue due out later this month. Bob is a healthcare industry long-timer when not writing, as his first piece makes clear.
— Robert Lopresti


KYLE IN PAYABLES HAS BEEN BINGE-WATCHING, AND NOW YOU NEED TO CARE ABOUT ZETTABYTES

by Robert Mangeot

Here’s Kyle again, five minutes late for the 8:00AM St. Healthcare Payables team Zoom huddle. He’s bleary-eyed--again--and slurping coffee (“Kyle, can you mute, please?”) after all-nighter binge watching the just-dropped Wicked Streaming Show That Has People Talking, season two. WSS.2, in Kyle-ese. He’ll gush baggy-eyed over each and every spoiler if anyone hangs on the Zoom too long. Usually, we can’t stay mad at him. Kyle is bedrock here in Payables, first with the virtual high fives and the loudest voice singing “Happy Birthday.” This morning, though, the coffee isn’t kicking in yet, and he’s digging this new email promising a GIFT CARD!!! if he clicks there and takes this important HR survey. Gift cards? Hello, WSS merch.

Don’t do it, Kyle. Don’t.

Kyle does it. Clickety clickety click. He’s heard about email scams and stolen files and that stuff. They do training in Payables, thank you very much. But this email seems legit. The logos and fonts are right for HR (they are), the linked website looks like HR (it kinda does, those smiling nurses), and the password log-in seems fine (it’s so not). Anyway, his melatonin is off this morning.
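The email above fools Kyle because the logos are right and the page looks like HR; what gives it away is the link itself. As an added example (not from the post), here is the kind of link check a mail gateway or awareness tool runs on an inbound message: it pulls every anchor out of the HTML, compares the link's host against the organization's own domains, flags lookalike hosts that reuse the organization's name, and flags links whose visible text shows one address while the href points somewhere else. The HTML message, the `sthealthcare.example` domain and the lookalike `sthealthcare-login.example` host are all constructed for illustration.

```python
"""
Added example, not code from the post: a simple phishing-link check.
All domains and the sample message below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the domains the organization actually owns.
ORG_DOMAINS = {"sthealthcare.example"}

# Constructed HTML body of a "GIFT CARD" survey email. The first link shows
# the real HR address as its text but points at a lookalike host.
SAMPLE_EMAIL_HTML = """\
<p>Take this important HR survey and get a GIFT CARD!!!</p>
<a href="https://hr.sthealthcare-login.example/survey">https://hr.sthealthcare.example/survey</a>
<a href="https://hr.sthealthcare.example/benefits">Benefits portal</a>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude organization-domain guess: the last two labels of the host.
    Good enough for this example; a real gateway uses the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def check_links(html=SAMPLE_EMAIL_HTML, org_domains=ORG_DOMAINS):
    """Return [(href, [reasons])] for every link that looks suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable(host) not in org_domains:
            reasons.append("external-domain")
            # A host outside our domains that still carries our name is a lookalike.
            if any(d.split(".")[0] in host.lower() for d in org_domains):
                reasons.append("brand-lookalike")
        # Visible text that is itself a URL must point where it says it does.
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and shown.lower() != host.lower():
            reasons.append("display-mismatch")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links():
        print(href, "->", ", ".join(reasons))
```

Only the survey link fires; the genuine benefits link passes all three checks. The "display-mismatch" reason is the one worth teaching, since it is exactly the trick that makes a link look right to someone skimming on four hours of sleep.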

Let’s call the malware BigBummerExpress. Kyle’s computer doesn’t slow to a crawl processor-wise. It doesn’t flash the Blue Screen of Death. It doesn’t laugh a super-evil laugh like that cray hacker episode from WSS.1. BigBummerExpress is loaded and running, sure. And yeah, there’s patient information on his computer for the grabbing.  

Kyle isn’t who BigBummerExpress is after.

#

Meet the United States healthcare system. We Americans spend $3.6 trillion annually on all things medical and surgical, much more per capita than most other industrialized nations. Three trillion isn’t the largest number involved in this caper, but it’s the motivating number.

However we got here and whatever your opinion about it, U.S. healthcare is a huge market. Most money is spent well enough or at least well-intendedly. As for the rest, there’s a reason that entire professions--including mine--have spun up to chase bad actors. And lately, there’s the bad actor golden ticket: ransomware. 

To be clear, I am not a technology expert. I’m not involved in cybersecurity. I’m a humble regulatory nerd who barely understands how my laptop crunches its ones and zeroes. But with cybersecurity being crucial to those regs, I try to stay hip on the trends.  

In September, Universal Health Services--a giant at 400 facilities--announced a major cyberattack had taken down clinical systems. Universal is not releasing details, but if it sounds like ransomware, it probably is. Patient appointments were rescheduled, test results were delayed, and patients inbound to their ERs were diverted elsewhere. 

Universal is hardly alone in the cyber battles. In 2019, hospitals and clinical practices reported nearly 1,000 successful ransomware attacks. What makes healthcare an outsized target over other sectors? Large health organizations can find the pay-off money somehow. Paying up may be a care imperative. Also, medical software products are often older and assembled as a patchwork. Lastly, a patient record contains a more comprehensive set of personal data than your average retail outlet. Such records are so valuable that the Dark Web apparently coined its own term: Fullz.

Health data has grown to mind-boggling size and mushrooms further each year. Experts predict that cumulative health data about you and me will reach 35 zettabytes this year. A zettabyte is tech-speak for one sextillion. That’s roughly one byte for all the grains of sand on all the Earth’s beaches--multiplied by 35. Or to see all the commas, we’re talking 35,000,000,000,000,000,000,000 bytes of health data out there.

And the problems usually start with phishing.

#

A month has passed since Kyle did that vendor survey thing. He’s forgotten about that gift card or reporting a concern because, bless him, rumors go WSS.3 will be the full throttle, slam-bang finale. In that month, BigBummerExpress has used his system credentials to cruise the company IT platforms and learn where that sweet data is, how it’s structured, what protects it. To the Security people, if they spot any oddness in Kyle’s activity, it looks like him accessing places he’s authorized to access. 
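The hard part in that paragraph is the last sentence: every access BigBummerExpress makes is made with Kyle's valid credentials, so there is no failed login to catch. What security teams actually look for is deviation from what Kyle normally does. As an added example (not from the post), here is a small baseline-deviation check: it learns which hosts Kyle touched and at what hours during a normal month, then scores later events for new hosts, unusual hours and directory-listing behaviour. The log format, the host names (`fs-payables`, `fs-medrec`, `backup-01`, `dc-01`) and every line of the sample log are constructed; a production system would also weigh peer-group baselines and data volume.

```python
"""
Added example, not code from the post: flagging authorized-but-unusual access
against a per-user baseline. Log lines and host names are constructed.
"""
from datetime import datetime

# Constructed access log: timestamp, user, host, action, object.
# The first six lines are Kyle's ordinary month in Payables; the last four are
# the post-phish roaming described in the text, at 2 a.m., into systems he has
# never touched before.
SAMPLE_LOG = """\
2020-09-01T09:12:00 kyle fs-payables read invoices/2020-08.csv
2020-09-01T09:40:00 kyle fs-payables write invoices/2020-09.csv
2020-09-02T10:05:00 kyle erp-ap read vendors/summary
2020-09-03T08:30:00 kyle fs-payables read invoices/2020-09.csv
2020-09-04T11:15:00 kyle erp-ap read vendors/summary
2020-09-08T09:02:00 kyle fs-payables read invoices/2020-09.csv
2020-09-22T02:14:00 kyle fs-medrec list patients/
2020-09-22T02:16:00 kyle fs-medrec read patients/schema.sql
2020-09-22T02:20:00 kyle backup-01 list /
2020-09-22T02:31:00 kyle dc-01 read policies/acl-export
"""


def parse_line(line):
    """Split one constructed log line into a dict with a real datetime."""
    ts, user, host, action, obj = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "action": action, "obj": obj}


def build_baseline(events, user, before):
    """Hosts and hours-of-day the user was seen on before the cutoff."""
    hosts, hours = set(), set()
    for e in events:
        if e["user"] == user and e["ts"] < before:
            hosts.add(e["host"])
            hours.add(e["ts"].hour)
    return {"hosts": hosts, "hours": hours}


def find_anomalies(events, user, baseline):
    """Return (timestamp, host, reasons) for each event that deviates."""
    findings = []
    for e in events:
        if e["user"] != user:
            continue
        reasons = []
        if e["host"] not in baseline["hosts"]:
            reasons.append("new-host")
        if e["ts"].hour not in baseline["hours"]:
            reasons.append("unusual-hour")
        if e["action"] == "list":
            # Listing directories is how an intruder learns "where the sweet
            # data is, how it's structured"; Kyle never lists, he opens files.
            reasons.append("enumeration")
        if reasons:
            findings.append((e["ts"].isoformat(), e["host"], reasons))
    return findings


def run_check(log_text=SAMPLE_LOG, user="kyle", cutoff="2020-09-15T00:00:00"):
    """Learn a baseline before the cutoff, then score everything after it."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    cut = datetime.fromisoformat(cutoff)
    baseline = build_baseline(events, user, cut)
    recent = [e for e in events if e["ts"] >= cut]
    return find_anomalies(recent, user, baseline)


if __name__ == "__main__":
    for ts, host, reasons in run_check():
        print(ts, host, ", ".join(reasons))
```

Each of the four late-September events fires on "new-host" and "unusual-hour", and the two directory listings add "enumeration". None of those events was a permissions failure, which is the point: the signal is in the pattern, not in any single denied request.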

It’s encryption time. 

8:15AM, the Zoom huddle and Kyle slurping coffee. His boss is asking Kyle to mute when everyone’s Payables screens flicker off. Text messages start flying. His boss manages to say, “I gotta go.”

#

It’s no wonder that crime fiction often involves a cyber angle. The technology and its human implications can be fascinating, and it brings plenty of cat-and-mouse games. If anyone is mulling a healthcare cyber tale, here’s a general lay of the land for 2020 realism. 

To read the industry studies, hospital ransoms used to be small, way cheaper than fighting the protracted fight. A volume business. Fast forward to 2020: Those studies put asking prices in the millions. Today’s ransomware isn’t just encrypting data natively but stealing it on threat of release, so that companies can’t plug in the back-ups and refuse to bargain. Big game hunting, in the lingo.

Healthcare providers have layers of serious defenses in place. Be assured the good guys are damn good—and have to be. Federal regs (anyone remember the Health Insurance Portability and Accountability Act?) require detailed IT security plans and regular self-assessments, on pain of major fines and enforcement should personal health information be jeopardized. Europe’s laws are even tougher.

Cybercriminals are such an everyday threat that it’s an insurable risk. Of course, no underwriter goes on the hook for potential millions only to stay out of the response and prevention discussions. Like I said, serious defenses.

That can have a weak link.

#

Kyle is messaging his buddy. He had another emergency Zoom interview, this time an IT consultant dude with an open collar shirt and razor stare. The consultant dude kept showing Kyle that HR email and asking about BigBummerExpress and even about his browser history. His affiliations. This FBI lady joined the call, too. She didn’t utter a word. Just made notes. 

It was awesome.

It’s been weird at St. Healthcare. HR sent an actual email with an actual performance warning. It took forever to get the Payables and medical record interface back running, and while it’s not been on the news, Kyle figures somebody must’ve coughed up for the hackers to go away. 

Hackers. Big money. Affiliations. What Kyle’s thinking, this would make full throttle WSS fan fiction.

9 comments:

  1. Welcome to the show, Bob. Thanks for the post. Very timely.

  2. Thanks, Eve! Major thanks to Rob for the kind words and to the Leigh and the SleuthSayers gang for adding me. I'm honored and will try to keep up.

  3. Welcome to SS, Bob. Good to have you here!

  4. Thanks, John. This will be fun.

    I realize that above I forgot to thank Velma. Thanks, Velma!

  5. Bob, welcome to the SS family. Besides your short stories in AHMM, I also enjoyed your essay on cat food at http://robertmangeot.com/

  6. Thanks, R.T. I enjoy your stuff in AHMM, too. And as for the cat food essay, even my mom hasn't commented on that one!

    I really appreciate the kind welcome.

  7. An entertaining introduction, Bob, to a deadly serious problem.

    I come at the problem as that IT consultant you mention. In my opinion, a frightful number of organizations fail their customers through poor security. It began with venture capitalists concluding they'd make more money developing crap software in, for example, India rather than use highly trained, seasoned professionals who'd spent years studying secure computing. Now we see porn sites with tighter security than some banks. It sounds like a joke when I say that, but it's true.

    That's why Bank of America and one of the nation's top security firms, HBGary, were brought to their knees by a handful of grey-hat hackers. I don't know if it's still in vogue, but at one time, security plans were rated not by depth and quality, but quantity of pages in their assessments.

    Ever wonder where those millions go?

    Answer: Primarily North Korea, hosted by the Liaoning or Jilin Chinese provinces. Russians are also thought to be involved, cousins to the Russian military intelligence branches that have plagued US, British, and French elections.

    In other words, when companies, governments, and individuals pay off, they're financing our nation's most serious adversaries. Enemy nations are waging economic war against us, and we're not paying attention.

    A few weeks ago, Uber apparently paid seven figures in a ransomware attack. Funny how banks and businesses suddenly turn all socialist, seeking bailout assistance for their internal failures.

    Healthcare is different because more than money is involved. Patients shouldn't suffer because of someone else's mistakes. It's crystal clear what we're doing now – nothing – isn't working.

    Thanks for bringing this to the public's attention, Bob.

  8. Thank you, Mr. Mangeot. It's so nice to have a gentleman among us, not like these… these… insensitive literary lugs who don't know how to treat a lady.

    You'll have to excuse me, Mr. Mangeot. I'm blasting off a memo to that Leigh, but my Underwood's F key keeps sticking.

