It seemed as if the WannaCry ransomware attack could have created some opportunities for me to write frightening, entertaining articles about creepy hackers in Bulgaria, North Korea or a cave in Antarctica invading the computers of U.S. hospitals, health insurers and health insurance agents and brokers.
So far, however, all I’m hearing is digital crickets.
U.S. agents and insurers may have faced some attacks, but there’s no public evidence of that. Insurance industry companies and groups don’t seem to be posting more notices about cybersecurity problems than usual. Large numbers of U.S. patients don’t seem to be going on social media to complain that the ransomware ate their health records.
One obvious reason may be luck. The WannaCry developers may simply have used strategies that work better on hospital computers in the United Kingdom than on insurance company computers in the United States.
Another reason may be that fear of the wrath of U.S. cybersecurity regulators may keep any affected entities in the United States from going public with incident reports. U.S. entities may believe that quietly junking an affected computer and reconstructing the data from backups will be cheaper and easier than dealing with the repercussions of volunteering information about incidents to federal investigators.
A third reason, however, could be that the U.S. federal government and U.S. state governments have been so ferocious about developing data security rules for protected health information that the rules have helped inoculate most significant U.S. collectors of protected health information from attacks.