I’m in awe of my oral surgeon. Though it has been a few years since I saw him, I still marvel at how he extracted three teeth and performed other procedures within the space of 30 minutes. I didn’t feel a thing, including the multiple novocaine injections. It was an entirely pain-free experience.
That is until I stopped by reception and was handed my bill. Nice work if you can get it and have the talent and smarts to perform dentistry at such an elite level.
Among the information I was initially asked to provide was my social security number, which I refused to do. Dentists, doctors, hospitals, and other healthcare providers demand your SSN to make it easier for them to hunt down patients who don’t pay their bills. My oral surgeon doesn’t have to worry about getting stiffed because patients can’t leave his office without coughing up the dough he is owed. Providers who rely on health insurance reimbursements can sic a bill collection agency on those who don’t pay up. Trust me, collection agencies know how to find you.
It is reckless for any healthcare provider to ask for your SSN and store it. That’s because healthcare facilities, including the major hospitals, are negligent about investing the funds required to secure their IT systems from attack. A kid in his pajamas could easily penetrate most hospital systems, and extortionist hackers routinely do. Not surprisingly, healthcare accounts for nearly 79 percent of all reported IT breaches. A cybersecurity expert tells me that it’s widely believed that China possesses 80 percent or more of Americans’ healthcare information.
Nefarious IT pros plant ransomware that locks up a hospital’s computer systems, then demand a ransom payment to liberate them. More than one in three health care organizations globally reported being hit by ransomware in 2020, according to a survey commissioned by Sophos, a cybersecurity firm. Alarmingly, the sector experienced a 45 percent uptick in ransomware attacks since November 2020. My cybersecurity source tells me that breaches are far more extensive than reported because health care IT systems are so porous hospitals often don’t know when they’ve been hacked. Universal Health Services said it spent $67 million to restore and repair its systems after a cyberattack, yet another reason why U.S. healthcare is so obscenely expensive.
“Hospitals’ systems were already fragile before the pandemic,” Josh Corman, head of the Cybersecurity and Infrastructure Security Agency (CISA) Covid-19 task force, told a reporter with the AAMC. “Then the ransomware attacks became more varied, more aggressive, and with higher payment demands.”
IT hacks are potentially life-threatening, as hackers can disrupt critical medical treatments. A cyberattack at San Diego-based Scripps Health in May lasting more than a week forced the cancellation of surgeries, cancer treatments, and other medical procedures. A breach of a suburban Atlanta-based medical systems company in April disrupted cancer treatments for patients across the U.S. One third of the hospitals in Las Vegas were brought to a standstill last year after Universal Health’s systems were hacked.
Breaking into the systems of a local medical practice is child’s play. A Utah-based radiology center last week announced it was hacked, exposing the personal information of nearly 600,000 patients. The Urology Center of Colorado two weeks ago reported it was hacked, imperiling the personal information of 137,000 patients. Southern Ohio Medical Center was forced to cancel appointments earlier this month because of a security breach. These stories are routine in healthcare and cybersecurity trade publications.
Hospitals knowingly operate with critical IT vulnerabilities. As I noted in a recent post, it’s estimated that more than 60 percent of hospitals rely on Alaris infusion pumps, including 152 VA hospitals. The infusion pumps have been subject to more than a dozen FDA recalls, including some identified as “Class 1,” meaning they involve risk of death or injury. The Department of Homeland Security last year issued an alert warning that the Alaris pumps are highly vulnerable to cybersecurity breaches. A hacker who gains access to a drug pump could kill patients by altering the prescribed doses of medicines or simply shutting down the machines.
Replacing Alaris pumps is a costly administrative expense and a resource-demanding job because it requires the participation of multiple departments. While some hospitals, notably including Scripps Health, replaced their Alaris pumps, others prefer to live dangerously.
One of those hospitals is Michigan-based Beaumont Health, which uses Alaris pumps throughout its eight-hospital Detroit area network. Beaumont has disclosed it’s been victim to multiple hacks. The hospital system not only continues to use Alaris pumps but has taken measures to prevent hospital staff from filing written concerns about them constantly breaking down.
An industry source told me that it would cost Beaumont about $5 million to replace the pumps. Hospital CEO John Fox has earned more than $20 million running Beaumont these past six years, and he potentially stands to earn a golden parachute windfall exceeding $30 million if the FTC approves his deal to have Grand Rapids-based Spectrum Health take over his troubled hospital network. Fortunately, Spectrum uses Baxter drug infusion pumps.
Hospitals, including Beaumont, are quite adept with IT when they want to be. The Wall Street Journal reported in March how leading hospitals embedded code on their websites that told search engines not to index their price lists, hiding their pricing from web searches. Hospitals are required to disclose their pricing, but the American Hospital Association is fighting the Trump Administration mandate. The AHA wants government assistance to secure its members’ systems.
The bottom line is that hospital CEOs have little incentive to make the significant investments required to secure their IT networks. Significant penalties are rarely imposed for IT breaches, and there is rarely a public outcry over the negligence. I have no doubt that if executive pay were tied to IT security, hospital systems would be as impossible to penetrate as the Rock of Gibraltar.
Unless that happens, keep your SSN to yourself.