Storing the Wrong Information in the Cloud Could Kill People
November 29, 2019 - For years we've been warning our readers about the dangers of storing information online. And things don't get more online than cloud data storage. For the nontechnical among us, storing data in the cloud simply means that rather than storing your data on your own computer, you use a third party service located somewhere else for storage. Services like Google Drive, Microsoft OneDrive and Dropbox are good examples of consumer cloud storage. Business cloud storage has become big business, and unfortunately that means that the companies providing these services have become big targets for hackers and those distributing ransomware. And a recent incident targeting a cloud storage company providing services to nursing homes highlights some risks you may never have considered when it comes to this type of service.
Virtual Care Provider, Inc, based in Milwaukee, is a company that provides cloud storage to more than 100 nursing home companies operating in 45 states. The data stored on their systems includes medical records, payroll and billing information.
While the fact that both billing and payroll for VCP's customers will be disrupted in a problem, the lack of access to medical records for individual patients has the potential to create life threatening disasters. To be perfectly clear here, there has been no announcement by anyone that this particular incident has led to any injury or death, the possibility of that happening is very clear. Moreover, as more and more incidents of this type occur, the eventual result of injuries is almost a certainty.
There are a number of questions that need to be asked, both by state legislatures and perhaps at the national level. Should medical providers be forced to keep a written copy of all medical records? Are there certain security standards that must be met by any company that stores electronic medical records? And perhaps most importantly, should companies be able to outsource the storage of medical records to third party cloud storage providers?
The push to use cloud storage across a broad spectrum of industries is driven by a number of factors. A company like Boeing would probably tell you that they are more interested in building aircraft than in data storage. Likewise, nursing homes would probably tell you that patient care is more important to them than computer systems. To provide their own storage they may have to hire IT specialists, staff new department s and face increased costs which they will have to pass on to clients. Those are all legitimate arguments so why not hire a company that specializes in data storage to do the job instead?
But in this case there is one issue that can't really be overlooked. If the nursing homes using VCP had all been using their own data processing facilities instead, a single ransomware attack against one of them wouldn't have locked all of the others out of their patient records.
The hackers behind this attack have demanded a payment of $14 million in Bitcoin. According to an article published in FierceHealtcare, VCP can't afford to pay the ransom. As a result, at least of VCP's customers has apparently stated that they may have to go out of business.