Healthcare News first published this article “Infecting the Hippocratic Oath” on April 9, 2019.
“We live in a society exquisitely dependent on science and technology, in which hardly anyone knows anything about science and technology.”
–Carl Edward Sagan
Medicine Gets Sick
Somewhere deep within the labyrinth of regulations promulgated since Congress passed the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) in 2009 exists health care’s very own Kobayashi Maru. Mindful of the draconian consequences of deviating from the so-called HIPAA Privacy Rule, health care practitioners who follow these national standards to defend individual medical records and other protected health information (“PHI”) sometimes must stand down like a Starfleet cadet forced to watch the entire crew and passengers of another vessel perish. On the other hand, those rogue clinicians who choose rescue over risk may face attack from federal and state authorities.
Governmental response to lapses in safeguarding PHI is due, in part, to algorithmic steps undertaken by malware, including exfiltration attempts between the malware and attackers’ command and control servers, not to mention the possibility of malware propagating to other systems, potentially affecting additional sources of electronic PHI (“ePHI”). While digitizing patient medical records remains a top national priority, fear of compromising confidentiality is still its greatest obstacle. To the unwitting health care provider, the choice between an investigation by the Office of Civil Rights (“OCR”) or a threat from ordinary malware may be just as devastating as an attack from a Klingon Negh’Var-class warship.
The Cost to Comply
Health care must finally surrender to systemic futility when providers wage war against disease with an arsenal that protects PHI first. Even under the guise of the Hippocratic Oath and its sacrosanct directive to help, or at least do no harm to, the patient, the physician may not risk PHI exposure. Hippocrates’ lesser-known principle included an obligation to keep the “holy things” of medicine confidential, and federal and state regulations remain vigilant as to both. Those responsible for drafting patient privacy laws, however, never imagined that malicious software born of cryptovirology could make PHI public or perpetually block all access until a ransom is paid, or that it would occur 181.5 million times in the first six months of 2018 alone.