Give Me the Money — or Everyone Knows about the Shark

I once asked a great professional writer I know, “Which kind of writing pays best?”

“Ransom notes,” he deadpanned.

About a month ago, a West Coast hospital had its electronic files “kidnapped” by unknown hackers, and it made international news. “There but for the grace of God go I,” most hospital CEOs and IT gurus thought to themselves. Just as those who come to them for care and/or healing are susceptible to illness or injury, hospitals, physician practices and healthcare organizations are susceptible to cyber-threats every moment of every day.

The $17,000 ransom demanded by the hackers (and paid by the hospital in the form of Bitcoin) pales in comparison to the potential loss of patient volume and damage to the hospital’s reputation that are certain to happen when patient files are compromised. Patients and potential patients will rightly ask themselves if a hospital that has been hacked can be trusted with their personal health records.

Think of the embarrassment: “Patient exhibits a nevus of approximately 68 mm in the popliteal fossa region in the shape of the former Soviet Republic of Kyrgyzstan.”

Translation: Shirley has a noncancerous mole on the backside of her knee which, if you squint your eyes really hard, looks like a shark. Sort of.

Seriously, who wants that sort of thing floating around the Internet?

People trust hospitals to keep the details of their bodies and their medical conditions secret. Should a hospital or physician violate that trust, even if that violation occurs via hackers, the consequences are profound and long-lasting.

There is a reason the CMS (Centers for Medicare and Medicaid Services) is coming down very hard on shoddy, poorly planned or implemented security precautions. Privacy matters. Period. I’m guessing the Hollywood Hospital will be visited by the CMS to discuss what happened, how it happened, and what was in place before the hack to prevent it from happening. Then it just becomes a matter of the size of the fine.

Sadly, these sorts of virtual kidnappings are likely more frequent than we know. Many organizations, I suspect, simply opt to pay the ransom, keep things quiet and get on with business. Hospitals and healthcare organizations don’t have that luxury.

Instead, they revert to the Medical Stone Age, where doctors write orders on paper (a new experience for those fresh out of residency) and communicate via fax machines.

I don’t think we even have a fax machine in my office anymore.