Michigan Medicine, the University of Michigan’s teaching hospital, is as good as it gets when it comes to healthcare in America. The hospital is consistently ranked in the top tier, a deserved recognition given the quality of its care and its pioneering research. At $1.72 billion, the University of Michigan is the nation’s top public university in research spending.
On the HR front, Michigan Medicine runs circles around most, if not all, U.S. hospitals. It recently circumvented a strike by its unionized nurses, offering them a generous pay package over the next four years and improved staffing guidelines. While other hospitals are singing the blues about a nursing shortage, Michigan Medicine is on track to have a record-setting year for nurse recruitment, with 1,058 nurses hired from July 2021 to May 2022. These efforts contributed to Michigan Medicine’s current vacancy rate of 5% compared to a national average vacancy rate of 17%.
Michigan Medicine’s ethics are possibly unrivaled. I know this because a family friend recently shared that his father died at the hospital because of a physician error at the height of the pandemic. Michigan Medicine fessed up immediately and settled the matter, rather than hide behind a Michigan law that absolved all state hospitals of liability treating Covid patients.
Unfortunately, when it comes to cybersecurity, Michigan Medicine appears as inept as its lesser rivals at protecting its IT systems and patient information, underscoring that even top-tier hospital managements are out of their depth when it comes to safeguarding technology.
As reported by the Detroit Free Press, the personal information of about 33,850 Michigan Medicine patients was compromised in August through a phishing scheme that targeted employee emails. Cyberattackers obtained names, medical record numbers, addresses, dates of birth, diagnostic and treatment information and/or health insurance information of some of the patients. Details about the coordination and care of some patients were also compromised.
While stolen medical records might not readily seem like a big deal, the information is gold to those engaged in identity theft, which is why the sale of a medical record on the dark web commands a higher premium than a stolen credit card number.
“Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence,” said Jeanne Strickland, Michigan Medicine chief compliance officer, in a statement.
Here’s what I find troubling, particularly since it involves Michigan Medicine. The hospital said it discovered the breach in mid-August, but it took two months to investigate the extent of the damage, completing its probe on October 17.
Then it waited more than a week to publicly disclose its findings.
Michigan Medicine also claimed to have implemented “additional safeguards” to prevent a recurrence, which immediately raises the question of why those safeguards weren’t already in place. The hospital had a data breach in December 2021, albeit on a much smaller scale, and that should have been a wake-up call.
IT breaches of U.S. hospitals have reached epidemic proportions. Healthcare accounts for 79 percent of all reported breaches, but the actual number of hospital hacks could be grossly underestimated. A healthcare cybersecurity source whose information and insights have consistently been accurate told me that healthcare IT is so poorly administered that hospitals often have no clue that their systems have been compromised.
According to the HIPAA Journal, hospital data breaches increased 11 percent in 2021 over the prior year; 712 known healthcare data breaches were reported between January 1 and December 31 – an industry record. Data breaches on average cost a healthcare institution more than $9 million, according to IBM Security and the Ponemon Institute.
One could hire a lot of nurses with that kind of money.
Hackers have moved beyond stealing patient information and are increasingly commandeering entire hospital IT systems and successfully demanding ransom as a condition for unlocking the networks. The largest such breach occurred earlier this month at CommonSpirit Health, the second largest U.S. “nonprofit” hospital chain, with 140 hospitals and more than 1,000 care sites in 21 states.
The breach impacted CommonSpirit’s facilities across the country, forcing ambulance diversions, system shutdowns and patient appointment rescheduling. At St. Michael’s Medical Center, a CommonSpirit hospital in suburban Seattle, the breach created such havoc in the ER that a nurse was forced to call the fire department to bring in backup support. The University of Vermont Medical Center also suffered major disruptions to its patient care because of a breach.
The Department of Health and Human Services issued a warning in April about a group called Hive, which it described as “an exceptionally aggressive, financially-motivated ransomware group known to maintain sophisticated capabilities who have historically targeted healthcare organizations.”
The warning hardly inspired confidence. Among the agency’s recommendations were two-factor authentication protocols, which even I know are no longer effective. Thanks to lax security by the major wireless carriers, hackers have learned how to hijack cell phones and can then pass themselves off as the person being authenticated.
Little wonder that the U.S. government isn’t much better at cybersecurity than hospitals. In April, Chinese hackers compromised dozens of government agencies and defense contractors. The breach involved the theft of intellectual property and project data so extensive that one cybersecurity expert told the Washington Post, “we suspect there was data theft that occurred that we won’t ever know about.”
It’s likely only a matter of time before hackers decide to hijack all U.S. hospital operations in one fell swoop. It could be a hostile foreign government or possibly just some kid in his pajamas angry because his parents grounded him for remotely disabling their Tesla.