Want to Be a Hostage? by Pat Conrad MD
This week we were treated to a new symptom of the brave new medical world, the occurrence of which will certainly not be the last. CNBC reports that the Hollywood Presbyterian Medical Center in Los Angeles has been hacked by unknown assailants, forcing the facility “to revert to paper registrations and medical records and send 911 patients to other area hospitals.” No word yet on whether any Kardashians have been in danger.
The hackers are demanding a $3.7 million ransom, and the hospital is quick to reassure that no patient’s care has been compromised. The emergency department is backed up and the fax lines jammed. The article quotes Tim Erlin of cybersecurity firm Tripwire: “It’s a good reminder that you don’t have to attack the medical device to attack its ability to deliver care.” Ain’t that the point?
This will happen again and again, resulting in greater boatloads of cash poured into the eternal cybersecurity arms race, and further restricting innocent staff from playing “Candy Crush” or Facebooking about the latest toddler diet tips. More layers of encryption, more revolving passwords, more sign-in levels will make working anywhere near a hospital and ever-growing pain in the ass. Money will be wasted, morale will suffer, and patient care will definitely not improve.
Who to blame? Everyone. The government wants every movement on a computer screen, even the bowel-type. All third-party payers push for more of this redundant wiring every day, and new layers of admistralians continue to lap it up and vomit it out, referring to the process as “productivity.” GOP presidential candidate and Gingrich in the 2012 race was repeatedly running his futurist gums over the need to make mandatory the exciting possibilities of computerizing all of health care; we all know how much good the ObamaCare EHR mandates have done. Organized medicine, consumer groups, and the family of the long-demented granny in Room 2 all insist that it all be “in the records.” And of course the lawyers circling in the parking lot are just waiting to dispense compassion if a single sentence goes missing; or if a paragraph falls into unauthorized hands and the superheroes from the HIPAA league have to swing into action.
Well here is another downside: the more we interconnect ourselves medically, the easier it is to take down large groups of us at once. These hackers just want a ransom – what if they destroyed the data? How would a large hospital provide for any treatment continuity, or even get paid? Will “The hackers ate my homework” fly with CMS? Yeah, I’m laughing too.
I’m no Luddite and I’m typing this rant on a laptop, not scratching it on a stone tablet. But our slavish, truly mindless rush to embrace computer networks as the primary customers will continue to harm patient care in direct and indirect ways. And scoff if you like, but wouldn’t a government or Big Insurance corporation desperate to save money at some point be willing to insert codes into payment programs that just delayed, or slightly corrupted submissions, just to, you know, make up some losses on the float? Remember, it’s not paranoia if it turns out they are really after you.
this problem has been addressed on the TV program CSI cyber. What about burned out hospital employee. The problem doesn’t have to be from the outside.
The Brave New World.
We have been warned….Asimov….Kubrick…..Phillip K. Dick….Ayn Rand…..
Oh the things we will see and hear……
From my next EMR compliments of IBM, managed by H.A.L. (I mean Watson)
“I’m sorry Dr. Hakum, I cannot allow you to provide life saving measures for this patient. This conversation serves no further purpose. Goodbye Dave.”
Tele-presence medicine. “Who is that strange man in the picture, is he a real Doctor? He kind of looks like Dr. Max Headroom, without the stutter.”
“That strange, Nurse Mable, I swear those IV pumps keeps turning on and off to the rhythm of Jingle Bells.”
“I’m sorry Mrs. Jones, some hacker in Indonesia gave your husband his whole PCA pump of morpine in one bolus. Your husband didn’t feel a thing.”
“Mister Smith, I’d love to remove that history from your chart about having quintuplets, two hysterectomies, and severe PMS, but golly gosh darn, only the hackers are able to change that data without prompting a Federal investigation.”
“Hey, who notified all the singles on the dating site that I had herpes, syphilis, genital warts, and a terrible case of Peyronies disease?”
I suppose if the hackers destroyed my EMR and forced me to go back to paper, I would send them a thank you card.
or perhaps if they shut down cms, congress, and the rest of our wonderful bureaucrats for the rest of the year…definitely a card and perhaps a bottle of champagne ….
Wait for the IOT! The Internet of Things involves the interconnection of machinery through open access and addresses. The nurses will soon control IV infusions through software at the nursing desk. You don’t need to know much about medicine to know how horrific this idea is – including when the “Computer Goes Down” or access is lost.
Losing EMR’s temporarily to hackers is bittersweet – at last extreme, one can revert to the traditional world of data-sparse care of the patient by, e.g. HISTORY and EXAMINATION. The real threat is at the interface where machines deliver stuff directly or nearly-directly to sick humans. Turning off IV pumps hospital-wide, for instance, or randomly injecting bogus telemetry streams into monitors – Jerry’s looking to be in VFib, but it’s a spoofed telemetry stream. Now, go defibrillate Jerry. Joke’s on you, Jerry! Or fire off the hospital’s canned code announcements – call codes in six different places at once. Or turn off all the lights in the OR.
The best way to not get hanged is to not put your head in a noose. Or in the last words of guitarist Terry Kath of Chicago…”Don’t worry, it’s not loaded.”