KYLE IN PAYABLES HAS BEEN BINGE-WATCHING, AND NOW YOU NEED TO CARE ABOUT ZETTABYTES
by Robert Mangeot
Here’s
Kyle again, five minutes late for the 8:00AM St. Healthcare Payables
team Zoom huddle. He’s bleary-eyed--again--and slurping coffee (“Kyle,
can you mute, please?”) after all-nighter binge watching the
just-dropped Wicked Streaming Show That Has People Talking, season two.
WSS.2, in Kyle-ese. He’ll gush baggy-eyed over each and every spoiler if
anyone hangs on the Zoom too long. Usually, we can’t stay mad at him.
Kyle is bedrock here in Payables, first with the virtual high fives and
the loudest voice singing “Happy Birthday.” This morning, though, the
coffee isn’t kicking in yet, and he’s digging this new email promising a
GIFT CARD!!! if he clicks there and takes this important HR survey.
Gift cards? Hello, WSS merch.
Don’t do it, Kyle. Don’t.
Kyle does it. Clickety clickety click. He’s heard about email scams and stolen files and that stuff. They do training in Payables, thank you very much. But this email seems legit. The logos and fonts are right for HR (they are), the linked website looks like HR (it kinda does, those smiling nurses), and the password log-in seems fine (it’s so not). Anyway, his melatonin is off this morning.Let’s call the malware BigBummerExpress. Kyle’s computer doesn’t slow to a crawl processor-wise. It doesn’t flash the Blue Screen of Death. It doesn’t laugh a super-evil laugh like that cray hacker episode from WSS.1. BigBummerExpress is loaded and running, sure. And yeah, there’s patient information on his computer for the grabbing.
Kyle isn’t who BigBummerExpress is after.
#
Meet the United States healthcare system. We Americans spend $3.6 trillion annually on all things medical and surgical, much more per capita than most other industrialized nations. Three trillion isn’t the largest number involved in this caper, but it’s the motivating number.However we got here and whatever your opinion about it, U.S. healthcare is a huge market. Most money is spent well enough or at least well-intendedly. As for the rest, there’s a reason that entire professions--including mine--have spun up to chase bad actors. And lately, there’s the bad actor golden ticket: ransomware.
To be clear, I am not a technology expert. I’m not involved in cybersecurity. I’m a humble regulatory nerd who barely understands how my laptop crunches its ones and zeroes. But with cybersecurity being crucial to those regs, I try to stay hip on the trends.
In September, Universal Health Services--a giant at 400 facilities--announced a major cyberattack had taken down clinical systems. Universal is not releasing details, but if it sounds like ransomware, it probably is. Patient appointments were rescheduled, test results were delayed, and patients inbound to their ERs were diverted elsewhere.
Universal is hardly alone in the cyber battles. In 2019, hospitals and clinical practices reported nearly 1,000 successful ransomware attacks. What makes healthcare an outsized target over other sectors? Large health organizations can find the pay-off money somehow. Paying up may be a care imperative. Also, medical software products are often older and assembled as a patchwork. Lastly, a patient record contains a more comprehensive set of personal data than your average retail outlet. Such records are so valuable that the Dark Web apparently coined its own term: Fullz.Health data has grown to mind-boggling size and mushrooms further each year. Experts predict that cumulative health data about you and me will reach 35 zettabytes this year. A zettabyte is tech-speak for one sextillion. That’s roughly one byte for all the grains of sand on all the Earth’s beaches--multiplied by 35. Or to see all the commas, we’re talking 35,000,000,000,000,000,000,000 bytes of health data out there.
And the problems usually start with phishing.
#
A month has passed since Kyle did that vendor survey thing. He’s forgotten about that gift card or reporting a concern because, bless him, rumors go WSS.3 will be the full throttle, slam-bang finale. In that month, BigBummerExpress has used his system credentials to cruise the company IT platforms and learn where that sweet data is, how it’s structured, what protects it. To the Security people, if they spot any oddness in Kyle’s activity, it looks like him accessing places he’s authorized to access.
It’s encryption time.
8:15AM, the Zoom huddle and Kyle slurping coffee. His boss is asking Kyle to mute when everyone’s Payables screens flicker off. Text messages start flying. His boss manages to say, “I gotta go.”
#
It’s no wonder that crime fiction often involves a cyber angle. The technology and its human implications can be fascinating, and it brings plenty of cat-and-mouse games. If anyone is mulling a healthcare cyber tale, here’s a general lay of the land for 2020 realism.
To read the industry studies, hospital ransoms used to be small, way cheaper than fighting the protracted fight. A volume business. Fast forward to 2020: Those studies put asking prices in the millions. Today’s ransomware isn’t just encrypting data natively but stealing it on threat of release, so that companies can’t plug in the back-ups and refuse to bargain. Big game hunting, in the lingo.
Healthcare providers have layers of serious defenses in place. Be assured the good guys are damn good—and have to be. Federal regs (anyone remember the Health Insurance Portability and Accountability Act?) require detailed IT security plans and regular self-assessments, at the pain of major fines and enforcement should personal health information be jeopardized. Europe’s laws are even tougher.Cybercriminals are such an everyday threat that it’s an insurable risk. Of course, no underwriter goes on the hook for potential millions only to stay out of the response and prevention discussions. Like I said, serious defenses.
That can have a weak link.
#
It was awesome.
It’s been weird at St. Healthcare. HR sent an actual email with an actual performance warning. It took forever to get the Payables and medical record interface back running, and while it’s not been on the news, Kyle figures somebody must’ve coughed up for the hackers to go away.
Hackers. Big money. Affiliations. What Kyle’s thinking, this would make full throttle WSS fan fiction.