 |
| Amy Ruhland |
 |
| Ashley Carr |
Unfortunately, it is in these times of dogged, urgent focus on patient care that health care organizations may be most vulnerable to another invisible danger: cybercrimes targeting the very hospitals tasked with protecting us.
A recent report estimates that, in 2019 alone, cybercriminals compromised over 41 million patient records, costing the health care industry billions of dollars.[1] We also know that health data breaches have increased steadily year over year, and can be expected to increase sharply in times of political or social turmoil.
In short, the global health crisis creates an opportunity for cybercriminals, and health care organizations and hospitals should consider taking steps now to minimize the risk to their systems, their data and, most importantly, their patients.
Hospitals as Targets
The health care industry is a favorite target of cybercriminals, and hospitals are particularly vulnerable. There are numerous reasons for this.
Owing to their commendable focus on patient care, many health care organizations have invested less in technology and cybersecurity than other major industries. Recent digitization of patient health records has left many hospitals without robust security infrastructure vulnerable.
In addition, hospitals increasingly are using interconnected medical devices that sometimes have limited security protection. In 2013, these security considerations led doctors for former Vice President Dick Cheney to disable the wireless feature in his pacemaker, for fear that hackers could otherwise access the device.[2]
Further, doctors and nurses on the front lines of patient care sometimes do not receive robust training on cybersecurity measures. Compounding the threat is the enormous value of electronic health records on the black market: Stolen records reportedly can fetch prices of up to $1,000 each.[3]
In short, hospitals and health care organizations are particularly exposed, even in the best of times.
Crisis Creates Opportunity
In more challenging times, the picture is darker. In the few short weeks since the World Health Organization declared COVID-19 a global pandemic, cybercriminals already have sought to capitalize on the crisis.
The Wall Street Journal recently reported that hackers targeted two hospital systems, one in the U.S. and another in the Czech Republic — the latter attack compromising the country's second largest hospital for almost two weeks.[4]
Although cybercriminals have a number of tools at their disposal, ransomware attacks are perhaps the most concerning in the current climate because they have the potential to lock hospital administrators and staff out of their own systems for lengthy periods of time, compromising patient health. Late last year, for example, a ransomware attack on a cancer center disabled its systems and forced it to halt radiation treatment for cancer patients.[5] Hospitals often are asked to pay attackers hefty ransoms to resolve such attacks.
The rapidly evolving global health crisis caused by the spread of COVID-19 is also creating new windows of opportunity for cybercrime. The increase in telemedicine and makeshift hospital facilities, in addition to overcrowded conditions in hospitals and emergency rooms across the country, mean that hospital IT systems are at maximum capacity.
Under the circumstances, just one click on an email or attachment by an unsuspecting and exhausted hospital worker could unleash malware that compromises an entire hospital's financial and clinical information systems, as well as its interconnected medical devices. The global pandemic is a crisis — but without functioning hospital systems and critical care, it could become a disaster.
Litigation Risks Abound
Adding to the burdens already faced by health care organizations, cybercrime victimizes health care targets on several fronts, and could lead not only to substantial business costs, but also to potential third-party claims from affected patients.
In one example, a ransomware attack on a Wyoming-based health care company disabled hospital systems, resulting in service disruptions to the organization's outpatient lab, respiratory therapy and radiological exams. Surgeries were canceled, new patients were turned away, and emergency room patients were transferred to other hospitals.[6] Plaintiffs lawyers began advertising a potential class action shortly thereafter.
Such lawsuits have become increasingly common in the aftermath of health-care-related cyberattacks.[7] Moreover, as cybercriminals become more sophisticated, and the internet of things is extended to include interconnected medical devices, a new wave of product liability lawsuits stemming from malware attacks that compromise patient-worn medical devices or wired devices used for patient care may be on the horizon.
Hospitals and health care organizations are urged think now about how to mitigate the consequences of such attacks, if not prevent them altogether.
Critical Care Requires Cybersecurity
The health care industry will require long-term investment, regulatory compliance, and cybersecurity prophylaxis to slow the tide of cyberattacks. But there are several short-term steps all health care organizations can take to protect themselves in this time of crisis.
First, health care companies should consider dusting off their cybersecurity contingency plans and, if necessary, hire outside professionals to update and implement those plans across facilities that are on the front lines of fighting the pandemic.
Second, hospitals should, where possible, provide updated training to emergency personnel on handling electronic health records. This is especially true where patients are being treated remotely or in temporary hospital facilities, where access to core IT systems may not be available.
Third, medical device manufacturers should be mindful of guidance from the U.S. Food and Drug Administration on the post-market cybersecurity in medical devices, particularly as regards updates and patches, and continuously work to improve device security as new technology becomes available.[8]
Further, medical device manufacturers and hospitals alike can revisit indemnity provisions in any agreements providing for the sale and distribution of wired medical devices. This will ensure that all parties know who is responsible in the event of a cyberattack affecting those devices.
Finally, all companies operating in the health care space should consider comprehensive cyber-liability insurance. The policies available are not one-size-fits-all, and can be negotiated to include both direct expenses resulting from a cyberattack (e.g., expenses associated with a malware infection, ransomware or business email compromise) as well as expenses resulting from third-party claims (e.g., litigation involving privacy breaches and product liability).
The bottom line is that consistent, reliable patient care requires secure health care systems. Hospitals and health care organizations can take precautions now to prevent cyberattacks from disabling critical systems and compromising patient care as the global health care crisis evolves.
Amy L. Ruhland is a partner and Ashley A. Carr is an associate at DLA Piper.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] Protenus Inc. & DataBreaches.net, 2020 Breach Barometer (2020); HIPAA Journal, Healthcare Data Breaches Predicted to Cost Industry $4 Billion in 2019 (Nov. 7, 2019).
[2] Dana Ford, Cheney's defibrillator was modified to prevent hacking, CNN.com (Oct. 24, 2013).
[3] Mariya Yao, Your Electronic Medical Records Could Be Worth $1000 To Hackers, Forbes (April 14, 2017).
[4] Wall Street Journal, Cybercriminals Sweep In to Take Advantage of Coronavirus (March 24, 2020).
[5] Jessica Davis, Ransomware Attacks Disrupts Patient Care at Hawaii, NJ Hospitals, HealthITSecurity.com (Dec. 16, 2019).
[6] Jessica Davis, Campbell County Health Ransomware Attack Disrupting Patient Care, HealthITSecurity.com (Sept. 23, 2019).
[7] See, e.g., Aranowitz v. Hackensack Meridian Health Inc., 2:20-CV-01409 (D.N.J. Feb. 10, 2020); Quintero v. Metro Santuce Inc., Case No. 20-1075 (D. Puerto Rico, Feb. 11, 2020); Edwards v. Univ. of Washington, Case No. 19-2-12285-4 (Wash. Super. Ct., Oct. 21, 2019).
[8] See FDA, Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff (Dec. 2016), available at https://fda.gov/media/95862/download.
For a reprint of this article, please contact reprints@law360.com.