Hackers have published extensive patient information from two U.S. hospital chains in an apparent attempt to extort them for money. The files, which number in at least the tens of thousands and were posted to a blog on the dark web that the hackers use to name and extort their victims, include patients’ personal identifying information, like their names, addresses and birthdays, as well as their medical diagnoses. They come from the Leon Medical Centers, which serves eight locations in Miami, and Nocona General Hospital, which has three locations in Texas…. “I can’t tell you with absolute certainty that they did not send a ransom demand,” he said in a phone call. “I can tell you we did not open one.”
There’s another report from the Wall Street Journal:
The hacking blitz comes as the health-care industry reported a bruising year of data breaches in 2020, particularly as the effects of the pandemic began to set in. Security and technology staff at hospitals suddenly had to deal with an expanded remote workforce, Covid-19 patients swamping wards and the setting up of makeshift sites for virus testing… Under the Health Insurance Portability and Accountability Act, organizations that handle patient data must report breaches involving 500 people or more to HHS within 60 days.
Hospitals and clinics cite a variety of reasons for the breaches, including improper records disposal, device theft and natural disasters. Hacking or compromised technology, however, are the primary culprits.
Why do so many breaches occur in hospitals? I think the fundamental mechanism is based on trust: the staff is geared to extend trust to whoever wants to access the services. There is a different level of trust in someone who wants to access a defence installation versus a hospital. WSJ had a helpful infographic here:
I don’t think that technology (alone) has to be blamed though; you need better solutions for the workflow by working backwards in the workflow integration. I know this because I had attempted to liaise with a major technology solution provider (and they didn’t take their learnings forward beyond the marketing optics).