For most everyday citizens, robocalls are an unwelcome annoyance. For hospitals, the stakes are much higher.
Robocallers have clogged hospital phone lines reserved for patients, wasted staff time, preyed on unsuspecting patients by imitating hospital phone numbers, impersonated law enforcement to threaten doctors and disturbed sick patients in their hospital beds. Congress heard hospitals' complaints, and the U.S. House of Representatives is set to vote Wednesday on first steps to protect medical centers from robocalls.
Dave Summitt, chief information security officer at the Moffitt Cancer Center & Research Institute in Tampa, Fla., has led the charge for legislative relief. In a 90-day period the center received 6,600 calls from scammers posing as Moffitt internal phone numbers, he testified during a House Energy and Commerce Committee hearing. The calls consumed 65 hours of employee response time. Moffitt was also the target of robocallers posing as U.S. Justice Department employees who claimed that they had to speak to doctors about urgent issues regarding their medical licenses.
The calls have calmed down somewhat since that hearing, but Summitt worries it could be the calm before another storm.
"That's the dangerous sign of this. I don't know why it's calmed down and why they have backed off. They could be waiting for a time when it is off everyone's radar to pick back up. If we don't move forward, I think it's going to return," he said.
Congress responded by including a provision specifically intended to protect hospitals from robocalls in the Telephone Robocall Abuse Criminal Enforcement and Deterrence, or Traced, Act. The provision protecting hospitals was not in the version of the Traced Act the Senate passed in May, but it will likely make its way to the president's desk because Senate leaders including Majority Whip John Thune (R-S.D.), who co-sponsored the bill with House Energy and Commerce Committee Chair Frank Pallone (D-N.J.), have preemptively agreed to the version the House will consider.
"Illegal robocalls perpetuate fraud, threaten personal privacy and undermine our healthcare system. Specifically designed to shield the critical infrastructure of our healthcare system, this bill helps combat unlawful robocalls made to hospitals and helps hospitals protect themselves from malicious scammers," said House Energy and Commerce ranking Republican Greg Walden of Oregon, another co-sponsor of the Traced Act.
USTelecom, the major telecommunications lobbying association, AT&T, Verizon and Comcast did not respond to requests for comment about their stances on the new version of the legislation.
The Traced Act would give the Federal Communications Commission more legal authority to combat robocalls generally and create a working group of stakeholders that would within a year of the bill's passage develop best practices for hospitals and service providers. The FCC would then assess the extent to which the best practices could be implemented voluntarily.
"The Hospital Robocall Protection Group will help shield hospitals and patients from these scammers, and I'm proud it's included in our bill," Pallone said.
Peter Rucys, chief information security officer at Tampa General Hospital, said he is skeptical of the voluntary application of best practices. Robocalls have interrupted patient care at Tampa General because hospital staff in emergency settings use wireless phones to communicate patient updates. Rucys said lawmakers might feel a greater sense of urgency to address the problem if they had personal experience with it.
"It would take one of the lawmakers' loved ones to be in an institution overnight with staff attending them getting plagued by robocalls that caused a missed medication drop or a missed vital count," Rucys said.
Summitt told the Energy and Commerce Committee that he had three items on his wish list for legislation addressing robocalls: provisions for accurate caller identification, some responsibility for telecom carriers and requirements for carriers to work with businesses to shut down malicious activity.
The bill checks some of the items but not others. It includes provisions to require accurate caller identifications and gives some responsibility to telecom carriers to implement anti-robocall technology. But Summitt pointed out that hospitals would still have the burden of upgrading their telecom systems. The bill does not require telecom carriers to work with hospitals to investigate malicious robocalls.
However, Summitt said the legislation could still do good by expanding the FCC's legal authority to go after robocallers.
"The more the FCC has to go on from a legislative standpoint, the more of a stick they can wield," Summitt said.
Robocallers have deployed a wide variety of tactics to leverage hospitals' credibility to exploit people. Steve Stallard, chief privacy officer at Orlando Health, said robocallers have imitated Orlando Health's phone number to call members of the public and then hung up after one ring. Concerned citizens then called the hospital en masse to ensure they were not missing calls about their healthcare. If the incident were widespread enough, Stallard said it could impact patients' access to care.
He voiced concern that some robocall issues may persist even after congressional action.
"I have faith this will help, but I'm not putting all my faith into it. The bad guys always seem to find a way to leverage it. It's amazing that where there's a will, there's a way," Stallard said.
Tampa General was able to update its internal communications systems to mitigate robocalls, but Rucys said he is powerless to block robocalls on wireless devices.
"It's like a mosquito bite. Once one goes away, another one appears," Rucys said.
The update to a more secure internal communications system cost Tampa General $7.5 million, and Rucys said hospitals may not necessarily have the cash on hand to invest in expensive security products.
Rucys warned that hospitals need to be aware that the scourge of robocalls is only going to get worse, and advised that hospitals should evaluate their strategies to combat robocalls and ensure best practices are in place.
"What I would relay is that if it hasn't happened in a massive amount yet, it will," Rucys said.