It is hard to believe we are recording our 200th episode. Some might even say it is close to a miracle that David and Donna could stay focused on one thing for this long. Probably very true. Our passion for what we do here is more than most people would think. We truly do believe the tagline we use in every episode: “HIPAA is not about compliance; it’s about patient care.”
Two hundred episodes talking about HIPAA is shocking to anyone. How could someone talk about HIPAA that much for so many weeks? I know, right?!? It is true, we have a lot of fun doing this and interacting with our listeners. But, there is also a lot of time, work, and money that we put into this labor of something we like a lot. (We can’t say we love working together. That isn’t like us at all.) We have a passion for explaining this stuff because protecting this information is the right thing to do. It is the law, it protects a patient’s right to privacy, but mostly it is the right thing to do.
When planning our topic for this episode we discussed all kinds of cool things to do. None of those ideas have panned out so far. We haven’t given up on them but we were disappointed we couldn’t make it happen and had put off committing to the topic for today. Then, everything was clear when we saw the news from Michigan this week published by DataBreaches.net: Michigan practice folds after cyberattackers wipe out all their files. How can this be?
The stories kept coming with details from other reporting including local news: West Michigan doctor’s office hacked, doctors held for ransom, Michigan Practice to Shutter after Hackers Delete Patient File, Medical Practice to Close in Wake of Ransomware Attack, Doctors Decide to Retire Rather Than Pay Ransom or Restore Systems, and many more. This is a big story for so many reasons. But, the biggest one for us is this is exactly what we are afraid will happen if providers and their business associates don’t start taking this more seriously.
What we know so far always changes to some extent, but the basics are clear. Brookside ENT and Hearing Center was hit with ransomware and the hackers demanded $6,500 for the release of the decryption key. Brookside decided not to pay the hackers. So, the hackers wiped their systems clean. Not only did they encrypt everything, but they also deleted all of the files when the practice refused to pay up. Of course, they made a point of saying nothing was viewed or taken.
Dr. Bizon told NewsChannel 3 his office’s medical records system encrypted files and could not be accessed by the hackers. No information was copied or shared, he said, the information was just deleted.
Just deleted? Really? The office had no backups to restore and recover any of their patient records. None. Nothing. How? How can this happen? Plus, do they somehow believe that fact will absolve them of their responsibilities?
Rather than face their problems, the two doctors threw up their hands and decided to retire early. As the other doctor put it, “It’s devastating.” According to the local news story, anyway.
How was it deleted? Was the hacker still in there? Or, was it the ransomware that encrypts and deletes? If the first one, then WTF? If the second one, you can’t say no one acquired it, because the hackers save a version to give back to you when you pay. At least you hope they do.
This case appears to have a nearly complete list of the things we warn people NOT to do rolled up into one ENT practice’s business. We will admit that we do not know all of the details. But, after years of hearing the same things over and over from businesses very similar to this one, it is reasonable to believe the assumptions we have already made are pretty close. Here are a few of those assumptions about their HIPAA protections (or lack thereof) that we have made so far:
- They had no plan to deal with ransomware. Probably because they thought they were too small, or it was too expensive, or IT said they had it taken care of.
- They had no business continuity plan that took into account attacks that wiped all connected devices.
- They did not worry about having their backups current and available for restores.
- They did not have adequate cyber coverage to address the costs of dealing with this kind of attack.
- With all of this wrong, they wouldn’t have been able to handle a natural disaster of any size any better than they have handled this ransomware attack.
- They did once-a-year HIPAA training that explained what the law said, and had no security awareness program. If there was one, it was clearly not an effective one.
There is much more to consider here than just the doctors’ early retirement. What about the patients? Their records are gone. So much for protecting the integrity and availability of the patient records. They are left with nothing to take with them to another provider. Here is the part of the news story that made that very clear:
“What am I going to do now because she just had surgery, who is going to follow up?” Ouellette said.
The office receptionist provided referrals, Ouellette said, but her daughter’s medical records are gone.
“I’m going to have to start all over again, they don’t know all of what happened during the surgery,” Ouellette said.
Her daughter also underwent several hearing tests which returned different results, she said, “I know some of the results but the fine tuning with what’s in the chart, I don’t know, so it’s just going to be challenging.”
On top of that, no one has mentioned the impact on the staff. Many of them have probably been there for as long as the practice has been open. Yes, they have 30 days’ notice, but do you think all of those folks were prepared to look for a new job and start over somewhere else? Will the doctors be paying out handsome severance packages? I doubt it.
There is a long list of HIPAA failures in the story and our assumptions. I can’t imagine that OCR will not be all over this case. Those docs better have thought this through because we know closing your business does not stop them from making an example of you. We know Roger is a big fan of a big juicy case that makes someone an example of what not to do. They may need to downsize some of those retirement plans. OCR has already gotten money out of a bankruptcy case and another closed business. Just shutting it down and retiring will not absolve them of all the legal issues this case will bring.
Before you say “why not just give up,” let’s talk about what that means. It means you really do give up: do not let any more patients believe you really care about them and entrust you with their private information.
Another article explains how one of those ransomware attacks immediately impacts patient care. HEALTH CARE’S HUGE CYBERSECURITY PROBLEM: Cyber attacks aren’t just going after your data takes you through what it is like to be hit with ransomware locking down systems right in the middle of critical patient care.
If you want to really feel kicked in the gut even harder about our industry’s ability to care for patients with all of our technology, check out another report that came out recently about failures by EHRs resulting in death or serious injury: Death by a Thousand Clicks: Where Electronic Health Records Went Wrong. The problems identified in that article had me yelling out way more words than I did on this one. In those cases, someone is making a decision to put patient care at risk.
While we do joke that others may say 200 episodes of listening to us are enough, clearly we have much more work to do. Maybe this will be a wake-up call to some of these folks who ignore these requirements or feel they are just checking some simple boxes on paper.
This is real. People can die. Stop playing with people’s lives because you don’t want to spend the money, be told what to do, take the advice of an expert, listen to the government, or whatever it is that keeps you from getting off your keister and protecting your patients.