Another day, another healthcare related hacking

stlplace

Or ransomware as a service (RaaS); please refer to this Pensacola News Journal article and search for “Black Basta” for the detailed information. I felt this article was well written. Unfortunately, this one is the place I used to work – Ascension Health (company official note on this cyber security event). I have also talked about Ascension from time to time since I left the company in June 2021. Here are some tweets.

Impacts

My 1st worry is its impact on patients, such as this patient in Wisconsin (I tweet below too). The impact on the patients is real and in a way is similar to the recent Change Healthcare hack (WSJ; I have a blog post too).

It impacts the caregivers too – Ascension cyberattack: Patients, nurses frustrated as problems persist. And all over the Ascension service area, such as this one in Middle Tennessee, ‘Chaos’: Nurses, visitors describe conditions inside Ascension hospitals after cyberattack. This is very unfortunate for the patients, caregivers and impacted families. I just don’t have words for them – I hope they all can pull through. I will touch upon the evil of the bad actors below.

All this also showed that the computerization of medicine (or healthcare) has its advantages: electronic medical records, in theory at least, give the provider a holistic view of a patient’s health issues. At the same time it shows its fragility (easy to break). A paper-based process is always needed, because no computer system is 100% reliable. This is somewhat like the Disaster Recovery (business continuity process) many decent-sized organizations run or try to run, in case something horrendous happens (natural disaster, fire and so on). But in real life, how many hospitals or providers have the paper process nailed down, and have regularly run DR exercises? For me personally, I only saw a DR exercise in action at Mastercard (and I participated in it once as a lead, and it was quite interesting). In fact to me “production” is also interesting 🙂

Last but not least, if there is no lawsuit, then it’s not America. Central Texas woman sues Ascension following cyberattack: the interesting part of this article is that it talks about RaaS and “Black Basta” in more detail.

Health Insurance

We know that in the US, the health care system is very complicated (I wrote a series on this, the 3rd post is here).

Also note Ascension’s insurance (Blue Cross Blue Shield of Michigan) is not that great to begin with, as I learned 1st hand from my COBRA usage, or attempt to use my COBRA coverage after I left. My new employer’s benefits didn’t kick in immediately and there was a two-month gap.

Why I left Ascension

Below is one reason; the event preceded my leaving. But it was not the only reason. I guess we may say that was the last straw.

Incidentally, I worked at another major Catholic hospital chain in the St. Louis area, and while my experience was not as bad, nonetheless I was not happy on one project – at one time we were briefly asked by the management to come in on Saturdays to complete the project “on time”. I knew it was mostly for “a show”, not for actual completion of the project. And we had quite a few people quit (jump ship) during that time.

At both places, I have seen or worked on ambitious projects that started because one executive had the budget, and later had to be abandoned for various reasons. I understand software development projects are notorious for cancellations and budget overruns because of their complexity, difficulty of estimation and changing (or sometimes random) requirements. But I have worked in other industries too, and they usually “fail early, fail faster” (the agile way).

Recent cyber security events that I wrote about

Panera Bread System Down

UnitedHealth Group Change Health Hack

Odds and Ends

Before I joined the company (Ascension.org), I encountered some issues (login or single sign-on (SSO) related) at myAscension.org. I still encountered similar issues (I would say about 33% failure rate) when I was working there. Looking back, this is a red flag about an organization’s IT capability.

If you happen to work in the IT/software development field, think “security, security and security” all the time. It won’t prevent all the hacks. But it’s a good starting point. Btw, once when I was working for Mastercard, I had the fun task of investigating the bad guys who logged into a bank’s rewards redemption website and redeemed air tickets and hotels. One thing I still remember is this “client attorney privilege… ” in the email thread; another thing is that I was emotionally drained from seeing how some people can be that malicious (stealing is bad, stealing on the internet is equally as bad as physically stealing). I also recall that when I was at college, I was stolen from twice: once on a bus, someone picked up my wallet (when I realized, it was a bit late); another time, someone broke the lock on my drawer and took the money that my dad had sent me recently. Always have “security in mind” in daily life and in IT. Learn as much as you can, such as from this Security in Mind channel on YT.

Last but not least, I understand we are going towards an “electronic medical record” world, but we probably still need to keep some papers around: prescriptions, vaccination records, testing results, etc. Better yet, back them up in iCloud or somewhere you believe is safe, just in case MyChart etc. goes down.

More Coverage in the news

Retired FBI agent weighs in on Ascension cyberattack

Fallout from Ascension cyberattack continues: Michigan pharmacies can’t fill prescriptions

Healthcare leaders praise Ascension cyberattack response

Ascension nurse: Ransomware attack makes caring for hospital patients ‘so, so dangerous’

Delays in cancer treatment. Canceled appointments. Long wait times. Ascension patients still grapple with fallout from cyberattack

How the Ascension cyberattack is disrupting care at hospitals

Ascension Saint Thomas Health patient files class action lawsuit over data breach
