Healthy Optimism, May 17

Soooo…bad week for the UK and National Health Service, huh? Appointments cancelled, imaging systems shut down, repairs that could take weeks. Yay ransomware.

It used to be a handful of dudes wearing bandanas and carrying shotguns, jumping from behind rocks to hold up the Wells Fargo wagon. Now, it’s clever strings of code designed to lock down a user’s computer until they pay up. Same story, different generation.

And it’s not just health systems suffering. Telefonica, the communications company, was hit as well. Comcast was down for hours on Monday afternoon (including in Nashville, leading to a slightly earlier-than-normal happy hour in the Health:Further office). We didn’t quite get around to blaming WCry, but definitely had some fun speculating on what was happening. All told, as of the 12th, Avast had seen 57,000 instances of the WannaCry ransomware attack across 99 countries. Three days later, according to an update, those numbers were 213,000 and 112, respectively.

This type of stuff? It’s only going to get worse. Ransomware attacks are on the rise. Earlier this year Forbes contributor Lee Mathews quoted data showing a 19% increase in attacks from 2014 to 2015, and 16,800% from 2015 to 2016 (ok, it’s not quite that bad. It’s actually only 16,789.47%). Mathews also pointed out that setting up an attack has gotten pretty freaking easy, what with the new ability to subscribe to a ransomware-as-a-service offering called Spora.

And so, we all sit around, pointing fingers at the NHS and the National Security Agency (whose leaked SMB exploit, EternalBlue, apparently gave WCry its way into unpatched Windows machines), hoping that the hospital system where our medical records are housed isn’t next.

A lot of us…ok, fine, I’ll speak for myself. I tend to think, “why the crap aren’t people taking precautions?” A lot of the problem, according to analysts, is that Microsoft’s fix for the hole WannaCry exploited (the March 2017 patch, MS17-010) never made it onto a lot of computers: either nobody had gotten around to installing it, or the machines were still running Windows XP, which was out of support and so didn’t get the fix at all until Microsoft pushed out an emergency XP patch after the outbreak started. In fact, if you just search “windows xp,” the top hits are almost all about how, well, XP users should hunker down and get ready for the apocalypse.

Isn’t it worth doing to protect patient records and keep MRI machines up and running? I mean, we’re headed towards a world where EVERYTHING is linked through the Internet of Things. How much worse is it going to get as the hackers lock down our imaging scanners, our medical records, our personal information, and our smart refrigerators? So please, hospital administrators, just upgrade your systems, deal with the backlash, find some innovative vendors who can help you get past all that clunky legacy software, and keep our data safe.

(Plug for a friend — if you’re looking for vendors to help solve software or any other problems, check out Lucro. You post your need, the vendor posts their solution, you connect with each other and life gets a little better. And yes, Lucro is a Health:Further partner.)

Of course, it’s not that easy. People continue to run legacy systems because those systems run the software the users need, in the way they need it. Everything’s customized, finely tuned, balanced. Or at least generally functional. Why risk breaking something by upgrading? Plus, upgrading means getting all the users trained up with the new stuff. In healthcare, like so many other industries, the reaction to “we’re going to take a half day next Wednesday to teach you the new software management is installing,” is usually somewhere between an eye roll and white hot anger at the waste of precious billable time. Totally understandable, it’s a pain.

At the same time, we (ok, again, “I”) get all worked up when some faceless company emails to say my customer data has been compromised. And yet, I get irritated when I sign up for a new service and they push me to activate two-factor authentication. I mean, really? An extra step to logging in to my account? Why can’t I just type in my password “12345” and be done with it?

Ask FBI Special Agent Scott Augenbaum. He gave a talk last week at the Applied Health Analytics NEXXUS Conference on cybersecurity in healthcare. Great talk. He spent most of his time, not yelling at big healthcare organizations and IT departments for mismanaging technology, but explaining why individual users are responsible for a huge chunk of the breaches he investigates. In fact, he said the one thing his victims all have in common is a failure to use two-factor authentication. Hackers get the password and there’s no recourse, no second layer of security to keep them out.

Once a hacker has an in to one user’s system or account, they can dig out contact information for other people, personal records, health information, and much more. He also noted that simple things like clicking links in emails or responding to phishing schemes can lead to system-wide problems. SA Augenbaum gave an example of a $5 million invoice that was paid to Nigerian scam artists instead of the vendor to whom it was owed. And then he told us about a similar incident where the damage was a mere $3.something million. Ooops.

In other words, while the headlines may come from the system wide attacks, the damage is often caused by small scale breaches caused by sloppiness on the part of individuals. In Augenbaum’s examples, it was nothing to do with firewalls or corporate regulations or — most notably — HIPAA. HIPAA has nothing to do with it, and it certainly won’t keep your organization safe from hackers if you and your team don’t protect your personal accounts.

So, as Augenbaum pointed out, it’s about prevention not recovery (sounds a lot like health in general, huh?). It means taking the time to do the little stuff — setting up two-factor authentication — and figuring out how to keep massive IT systems up to date without too much disruption. On the other hand, we’ve seen how much disruption software vulnerabilities can cause, so maybe the discomfort of changing out a legacy system isn’t so bad in comparison.

This is the weird dichotomy in healthcare. Things work well enough to get us by, but nowhere near well enough to match the minimum standards we’d expect for pretty much any other system or industry. Until the s**t hits the fan and people can’t get their MRIs or their personal information is being sold like a tourist trap t-shirt (3 for $10, 7 for $20, according to Augenbaum).

Obviously, the WCry attack and many other problems show that healthcare isn’t the only industry with big gaps. But there’s a resistance to upgrading, innovating, switching course in healthcare that seems more pronounced than in most other industries. And, it’s both irritating and untenable. Unfortunately, it’s extreme events like the NHS attack that get people riled up.

Fortunately, there are a lot of great people trying to figure out the solution to avoid the next catastrophe. Changes will happen, not just because they have to, but because really smart, good people want to make things better. Because some people like to create and do awesome things, not just make a couple bucks off my crappy password and general laziness.