What Happens When Hospital Data is Held Hostage?

By Leslie Berkoff, Moritt Hock & Hamroff LLP

Over the past six months, the number of cybersecurity attacks has increased around the globe, and many of them have specifically hit the healthcare industry.

In 2016, in the USA alone, 328 healthcare firms reported data breaches, up from 268 in the prior period, according to the 2017 Healthcare Breach Report released by data protection company Bitglass. Last May, during GGI's conference in Brussels, one of the largest ransomware attacks on record made world headlines when malicious software (aptly named 'WannaCry', also reported as 'WCry' or 'Wanna Decryptor') spread from one vulnerable Windows computer to the next over the network. It did not rely on email or on anyone opening an attachment: it exploited a flaw in the Windows file-sharing service (SMBv1) and needed no action from the user at all, which is why it moved so quickly through large internal networks. Ransomware is malicious software that infects machines, encrypts their data and then extorts money to let the users back into their own files.

During this attack, the malware encrypted the files on each infected computer and demanded payment of USD 300 in the online currency Bitcoin per machine (rising to USD 600 after three days) to unlock them. It did not distinguish between kinds of Windows machines: desktops, servers and medical devices running embedded versions of Windows, such as imaging equipment, were all at risk if unpatched. Infected devices displayed the warning 'Ooops, your files have been encrypted!' together with a clock counting down to the deletion of the data unless payment was made within the delineated time frame. Paying was no guarantee of recovery: the malware had no reliable way to match a payment to a particular machine, so victims who paid could not count on receiving a decryption key.

Some of the world's largest institutions and government agencies were affected, including Britain's National Health Service, where first reports counted sixteen hospital organisations in England as well as hospitals in Scotland. The attack was not aimed at the healthcare industry in particular: all told, it reached at least seventy-four countries and a wide variety of industries. Because many European hospital systems are centralised and share networks, the effect was crippling. US hospitals were not significantly affected, perhaps partly because their systems are less centralised, and partly because a security researcher registered the 'kill switch' domain that the malware checked before spreading, which halted new infections before the worm had spread widely in the US. US healthcare systems have nonetheless been specifically targeted by a series of other attacks over the past year.

The attack exploited a Windows vulnerability for which the US National Security Agency had reportedly developed an exploit for its own use; that exploit was stolen and then published on the Internet in April 2017 by a group calling itself the Shadow Brokers. Microsoft had already released a patch (MS17-010) in March 2017 that closed the hole, but in many organisations the patch had not been installed, or the machines ran outdated operating systems such as Windows XP that no longer received security updates and were therefore still vulnerable. Microsoft took the unusual step of issuing an emergency patch for those unsupported systems after the attack began. The uncomfortable lesson is that the fix existed for two months before the outbreak; the organisations that were hit were the ones that had not applied it.

During the May attack, affected hospitals had no access to their computers and, in some cases, their phone systems. Wards and emergency rooms were closed and new patients were turned away, since no medical or financial records could be accessed to process insurance policies or payments. Treatments were postponed to ensure that nobody received improper, contradictory or fatal treatment, for instance a prescription for a medication that is contraindicated by the patient's other medications or allergies. Internal phone lines became inoperable, so medical personnel could not consult one another. Private doctors' practices and pharmacies could not reach insurance systems or medical records, forcing them to turn away patients and prescription requests.

The cost of recovering from such an attack can be substantial. At the National Health Service, teams had to work around the clock to restore information and scrub the malware from affected systems. Time and money that could have been spent on medical improvements were lost to repairs and data recovery.

Furthermore, the risks extend beyond the immediate disruption. WannaCry itself encrypted data rather than stealing it, but many attacks on healthcare providers do copy records out, and attackers can then use or sell that information to obtain medical procedures fraudulently. Individuals could be blackmailed over sensitive information contained in their health records. Unscrupulous third parties could use healthcare information to falsify prescriptions and sell them on the black market, or obtain them for personal use. Lastly, these attacks may give rise to lawsuits. People whose privacy has been breached, or whose personal data has been stolen, may have a basis to sue the medical facility for failing to take proper precautions, since healthcare providers have an obligation to take reasonable care to protect private patient information. It is unclear whether the affected entities had specific cybersecurity policies designed to address these kinds of attacks. Such suits may further strain already financially stressed healthcare providers.

Health systems are therefore gravely concerned about this attack and others like it. Last year, seventy-five percent of all major healthcare systems in the US alone reported major malware incidents. While the concern exists, the protections do not seem to be in place: healthcare providers are switching almost universally to electronic records, but the security of that information has not kept pace with its growth. Financial services firms devote in excess of 10% of their annual IT budgets to cybersecurity, while the healthcare industry spends less than 5%. Moreover, the cost of mitigating the damage can be astronomical, quite apart from the health hazards that arise in the period immediately following an attack.

Given that they often run outdated IT systems and hold a wealth of confidential patient data, hospitals remain a particularly tempting target. As healthcare budgets shrink, providers must focus on preparing for and protecting against further attacks. While it may not be possible to replace all outdated equipment, some steps can be taken. Installing security patches promptly, and isolating the legacy systems that cannot be patched from the rest of the network, would have stopped WannaCry. Consulting a cybersecurity firm can be productive and can be arranged on a sliding economic scale. Raising awareness among staff and medical professionals of new threats, scams and emails that may carry malware is important. A well-configured firewall (in particular one that blocks Windows file-sharing traffic, SMB on port 445, from the Internet and between departments that have no need to exchange it) and an email screening process provide some measure of protection. Finally, every hospital or healthcare agency should be backing up files and critical data, keeping copies offline where ransomware cannot reach them and testing that those copies can actually be restored, establishing a plan for responding to an attack, and considering cybersecurity insurance as a way to handle the next WannaCry.
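As an added illustration of two points in this article, the encrypt-and-rename behaviour described earlier and the advice just given to keep and verify backups, the following Python script is example code written for this editorial pass; it is not tooling from the author, the NHS or any firm named here. It records a hash manifest of a folder while the folder is known to be clean (the state an offline backup must be able to reproduce), then scans the same folder for the footprint of an encrypting attack: files rewritten with near-random content or carrying WannaCry's .WNCRY extension, the @Please_Read_Me@.txt ransom note, and files from the manifest that have disappeared and therefore need restoring. The WannaCry file names are the documented ones; the entropy threshold, the size floor, the folder layout and the patient records are constructed for the demonstration.

```python
"""Ransomware triage over a shared folder: a 'known good' hash manifest plus
a scan for the signature of a file-encrypting attack.

Added example for this article (not the author's or the NHS's own tooling).
The WannaCry indicators (.WNCRY extension, @Please_Read_Me@.txt note) are
the documented ones; the entropy threshold, minimum size, folder layout and
sample records below are constructed for the demonstration.
"""
import hashlib
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Extensions WannaCry appended to the files it encrypted.
RANSOM_EXTENSIONS = {".wncry", ".wncryt", ".wcry"}
# Ransom note it dropped alongside encrypted files (compared case-insensitively).
RANSOM_NOTES = {"@please_read_me@.txt"}
# Plain text and office documents sit around 4-6 bits per byte; ciphertext and
# compressed data approach 8. Threshold and size floor are assumptions.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE_FOR_ENTROPY = 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for an empty buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by relative POSIX path.
    Store this with the offline backup: it is what a restore must reproduce."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def scan(root: Path, manifest: dict) -> dict:
    """Classify the current state of root against the clean manifest."""
    findings = {"encrypted": [], "ransom_notes": [], "modified": [], "missing": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if p.name.lower() in RANSOM_NOTES:
            findings["ransom_notes"].append(rel)
            continue
        data = p.read_bytes()
        looks_encrypted = p.suffix.lower() in RANSOM_EXTENSIONS or (
            len(data) >= MIN_SIZE_FOR_ENTROPY and shannon_entropy(data) > ENTROPY_THRESHOLD
        )
        if looks_encrypted:
            findings["encrypted"].append(rel)
        elif rel in manifest and hashlib.sha256(data).hexdigest() != manifest[rel]:
            findings["modified"].append(rel)  # legitimate edit since the snapshot
    # Manifest entries that no longer exist are what the backup must restore.
    findings["missing"] = sorted(set(manifest) - seen)
    return findings


def fake_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


def demo() -> dict:
    """Build a small constructed 'hospital share', snapshot it, simulate an
    infection, and scan. Returns the findings so they can be checked."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "records").mkdir()
        (root / "records" / "patients.csv").write_text(
            "mrn,name,allergy\n1001,A. Smith,penicillin\n" * 40)
        (root / "records" / "schedule.txt").write_text("ward 3: rounds 08:00\n" * 20)
        (root / "readme.txt").write_text("Internal share. Do not store credentials here.\n")
        manifest = build_manifest(root)

        # Simulated attack: one record file is overwritten with ciphertext and
        # renamed, a note is dropped, and one ordinary edit happens in between.
        victim = root / "records" / "patients.csv"
        victim.with_name(victim.name + ".WNCRY").write_bytes(fake_ciphertext(4096))
        victim.unlink()
        (root / "records" / "@Please_Read_Me@.txt").write_text(
            "Ooops, your files have been encrypted!\n")
        (root / "readme.txt").write_text("Internal share. Updated by the ward clerk.\n")
        return scan(root, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

Run it directly to see the four categories printed. For an incident responder the useful distinction is between 'missing' (records that must come back from the offline backup) and 'modified' (ordinary edits made since the snapshot, which a blanket restore would silently undo); the entropy check catches encrypted files even when an attacker chooses an extension that is not on the known list.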


Leslie A. Berkoff

Moritt Hock & Hamroff LLP, Garden City (NY), New York (NY), USA
T: +1 516 873 2000
W: www.moritthock.com

Moritt Hock & Hamroff is a full-service commercial law firm providing a wide range of legal services to businesses, corporations and individuals worldwide. The firm has 19 practice areas and offices in Garden City, NY, and New York City, NY, USA.

Leslie A. Berkoff is a Partner with the firm and chair of its Bankruptcy practice group. She concentrates her practice in the area of bankruptcy representing a variety of corporate debtors, trustees, creditors and creditors’ committees, both nationally and locally.
 


Published: September 2017 | Photo: Witthaya - Fotolia.com

GGI Geneva Group
International AG

Schaffhauserstrasse 550
P.O. Box 286
8052 Zurich
Switzerland

Contact

T: +41 44 2561818
F: +41 44 2561811
www.ggi.com
