Because they are lazy, incompetent and indifferent. But they might be against a very powerful and public group of people who can sue them out of existence, so maybe that will scare other health providers into better security practices.
You hinted at it but didn't mention it explicitly: greedy. It simply costs more to have somewhat better security practices, and they don't want to pay unless they have to.
Lazy indifference probably explains it more than greed I think. If they cared, a doctor could add "burn a CD and put it in the filing cabinet with the other patient records" to the job duties of their secretary without increasing their compensation. It would only take a few more minutes, and would only slightly detract from the time they spend idly chatting with each other.
More accurately, they are NOT tech professionals; the type of people who do IT for small private practices are not that good either, and they really just don't know for the majority of it. You really can't expect these people to understand the full consequences of stuff like encryption, offline vs online media and more. To them, if it has a user name and password, that is safe, right? Use the HIPAA lockbox software and it should be good, right?
In the past, before computers, they would be putting these in files on large file folder shelving units with colored folder tabs behind a counter, and the only real security was a receptionist who would stop you if you tried to interact with it, and they locked the door to the office when they left. If someone broke into the office back then too, your medical records would've been stolen & unencrypted (beyond the illegibility of most doctors' handwriting), and as a society, we were ok with that security level.
You're probably right that ignorance is the root of their apathy. Hopefully with this event making the news, doctors at least in the same specialty will hear about it and do something. Unencrypted offline records physically secured in the office building seems more than adequate in all but the most exceptional scenarios though. Maybe it wouldn't be good enough for doctors of high-value targets (celebrities, politicians, etc.). Burglars targeting medical records seems uncommon.
Harsh fines are probably the best way to make doctors care though. If they know they risk financial ruin for not securing their records, they'll have a strong personal incentive to remediate their ignorance.
I'd think it specifically of doctors who specialize in human bodies, not computer stuff. SolarWinds on the other hand could not possibly be excused for ignorance.
One of my first jobs out of college was working at a medical school. Doctors in general think computers are magic and that compared to their actual medical expertise programming is easy. I neither expect nor, to be honest, want them worrying about computer stuff. I won't try to tell them how to cure sick people.
I don't want them to be tech professionals. I want them to use the best in class tools they can get, which it turns out are also the easiest to use and often the cheapest. If this surgery practice had just kept their photos on Google Drive with GSuite admin policy enforcing 2FA, they would have been most of the way to gold standard infosec and also would have dramatically better real-world durability and availability. Any consultant could have set them up that way in an hour.
That doesn't protect against the kind of attack that compromises the endpoint (wait for logged-in 2FA state, interact with the browser in the background with the exact same state in a headless mode and download), and you do not know, when they set up their systems, whether GSuite, 2FA & HIPAA / UK equivalent agreements were even available back then.
For all you know, they could have had that system too, the article does not say what it was.
There's a one-time purchase of bigger/more disks. Figure 1GB (50 20MB pictures) per customer. Just add another 2TB, then 4TB, now 8TB or bigger drive. That's about $250 or $300 each time. Double that for a synced drive somewhere in the office.
Now they should be doing 3-2-1 backups. With S3 they'd be paying $160/month (for storage, not counting other costs) for 8TB, or $40/month for Backblaze B2. That's 8,000 customers.
They're in England so some variance in pricing. But it would be relatively inexpensive to buy big drives, sync them to a set in the office, and back them up online. Where the doctors or whoever is running the clinics can SEE the data is still there whenever they want.
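As an added example that is not part of the thread: the "sync them to a set in the office" and "SEE the data is still there" steps above, written as a small POSIX shell routine. It is illustrative code, not anything from the clinic or a product; it assumes `sha256sum` from GNU coreutils, and the `SRC`/`DEST` directory paths are whatever the office chooses (the primary records folder and a folder on the second disk or a mounted cloud-sync folder).

```shell
#!/bin/sh
# Added example (not from the thread): a checked "second copy" of a records
# folder, i.e. the office-disk step of a 3-2-1 backup, plus the re-check that
# lets a non-technical owner confirm the copy is still intact.
# Assumes a POSIX shell and sha256sum from GNU coreutils; SRC and DEST are
# directory paths chosen by the user (hypothetical, not from the thread).
set -eu

# Write a SHA-256 manifest of every regular file under DIR to OUT.
# Paths are stored relative to DIR, so the same manifest verifies any copy of
# it no matter where that copy is mounted.
make_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + \
        | LC_ALL=C sort -k 2 ) > "$out"
}

# Copy SRC to DEST and immediately re-hash the copy against the manifest.
# Exit status is 0 only if every listed file is present in DEST and identical.
backup_and_verify() {
    src=$1; dest=$2
    make_manifest "$src" "$src/MANIFEST.sha256"
    mkdir -p "$dest"
    cp -R "$src"/. "$dest"/
    verify_copy "$dest"
}

# Re-check an existing copy later (bit rot, partial sync, accidental edit).
# This is the "can SEE the data is still there" check: run it on a schedule
# and treat a non-zero exit as "the backup is not trustworthy".
verify_copy() {
    dest=$1
    ( cd "$dest" && sha256sum -c MANIFEST.sha256 >/dev/null )
}

# Number of files covered by a copy's manifest (a quick sanity number to
# compare against the primary).
manifest_count() {
    wc -l < "$1/MANIFEST.sha256" | tr -d ' '
}

# Stand-alone usage: ./backup_check.sh /path/to/records /mnt/second-disk/records
if [ $# -eq 2 ]; then
    backup_and_verify "$1" "$2"
    echo "verified $(manifest_count "$2") files in $2"
fi
```

The manifest travels with the copy, so the same `verify_copy` check works on the office disk and on whatever folder the online backup is synced from; a copy whose files have been touched, truncated or only partly synced fails the check instead of silently looking fine in a directory listing.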
I agree that there should be increasing worry about keeping information that you don't need, whether it's intimate pictures of your surgical clients or people who bought from you 5 years ago and not since. But it seems like keeping things handy will be an impulse that's hard to overcome.
TBH DVDs / Blu-Rays are too low density, expensive and labor intensive, and tape drives start at $1000 and most non-tech professionals don't know they even exist. 2.5TB of 25 100GB writable BDXL disks cost about $250. A 4TB drive costs $80, and a computer to throw 3.5" HDDs in is pretty cheap too.
Maybe. Sounds like their incentive will be primarily to keep _some_ records safer. E.g. I'm skeptical that this would propagate to poor people, without legislation at least.
(Which isn't to say that they'd purposefully choose two different implementations. Rather, just that if I'm using poor-person doctors, I'm unsure they'd rise to the new "standard" of security practices.)