
What Happens When Hospital Data is Held Hostage?

By Leslie Berkoff, Moritt Hock & Hamroff LLP

Over the past six months, the number of cybersecurity attacks has increased around the globe, and many of them have specifically hit the healthcare industry.

In 2016, in the USA alone, 328 healthcare firms reported data breaches, up from 268 in the prior period, according to the 2017 Healthcare Breach Report released by data protection company Bitglass. Last May, during GGI's conference in Brussels, one of the largest ransomware attacks on record made world headlines when malicious software (named 'WannaCry', 'WCry' or 'Wanna Decryptor') spread around the world in a matter of hours. Contrary to early reports that it arrived by email, WannaCry was a self-propagating worm: once inside a network it scanned for other Windows machines exposing a vulnerable SMBv1 file-sharing service and infected them without any action by a user. Ransomware is malicious software that infects machines, encrypts their data and then extorts payment in exchange for the key needed to decrypt it.

During this attack, the malware encrypted the files on every machine it reached and demanded payment of USD 300 in the online currency Bitcoin per machine to unlock them, a sum that doubled after three days. Moreover, the malware did not distinguish between kinds of Windows machine: medical devices running embedded versions of Windows, such as imaging equipment, were hit alongside desktops and servers. Infected devices displayed the warning 'Ooops, your files have been encrypted!' together with a clock counting down to the deletion of the data unless payment was made within the stated time frame.

Some of the world's largest institutions and government agencies were affected, including Britain's National Health Service, where at least sixteen NHS organisations were hit within the first hours and ultimately dozens of hospital trusts in England, as well as hospitals in Scotland. The attack did not target the healthcare industry specifically: early counts put the number of affected countries at seventy-four, later revised to well over one hundred, and a wide variety of industries were impacted. Since many European hospital systems are centralised and share infrastructure, the results were crippling. US hospitals were not significantly impacted, largely because a security researcher registered the 'kill switch' domain that the malware checked before spreading, halting the worm before the US working day began; the less centralised structure of US hospital systems may also have played a part. Over the past year, however, multiple attacks have specifically targeted healthcare systems in the US.

The attack exploited a vulnerability in Windows file sharing (SMBv1) for which the US National Security Agency had developed an exploit, known as EternalBlue. The exploit was stolen from the agency and published on the Internet in April 2017 by a group calling itself the Shadow Brokers. Microsoft had released a patch for the vulnerability (security bulletin MS17-010) in March 2017, two months before the attack, but in many cases the patch had not been installed, or systems were running operating systems such as Windows XP that were no longer supported and for which no patch was initially available; Microsoft issued emergency patches for those systems only after the outbreak.

During the May attack, hospitals had no access to computers or phone systems. Wards and emergency rooms were closed and new patients were turned away, since no medical or financial records could be accessed to process insurance policies or payments. Moreover, hospitals postponed treatments to ensure that people did not receive improper, contradictory or fatal treatment, such as a prescription for a medication that is contraindicated by an allergy or by an adverse interaction with another medication recorded in the inaccessible file. Internal phone lines at hospitals became inoperable, so medical personnel could not consult with one another. Private doctors' practices and pharmacies could not access insurance systems and medical records, forcing them to turn away patients and prescription requests.

The cost to recover from an attack of this kind is substantial. At the National Health Service, teams worked around the clock to restore systems, rebuild infected machines and verify that no trace of the malware remained. Time and money that could have been spent on medical improvements were lost to repairs and data recovery.

Furthermore, the risks extend beyond the immediate impact. WannaCry itself encrypted data rather than copying it, but many healthcare breaches do steal records, and attackers can use or sell stolen information to fraudulently obtain medical procedures. Another risk is that individuals could be blackmailed over sensitive information contained in their health records. Unscrupulous third parties could also use healthcare information to falsify prescriptions and sell them on the black market or obtain them for personal use. Lastly, these attacks may give rise to lawsuits. People whose privacy has been breached, or whose personal data has been stolen, may have a basis to sue the medical facility for failing to take proper precautions. Healthcare systems have an obligation to take reasonable care to protect private patient information, and it is unclear whether the affected entities had cybersecurity policies designed to address these kinds of attacks. Such suits may further strain already financially stressed healthcare providers.

Therefore, health systems are gravely concerned about this attack and others like it. Last year, seventy-five percent of all major healthcare systems in the US alone experienced major malware infections. While the concern exists, the cybersecurity protections do not seem to be in place. Healthcare providers are switching over to electronic data almost universally, but the security of this information has not kept pace with its growth. Financial services firms devote in excess of 10% of their annual IT budgets to cybersecurity, while the healthcare industry devotes less than 5%. Moreover, the cost of mitigating the damage can be astronomical, never mind the potential health hazards that arise in the interim period following an attack.

Given that they often run outdated IT systems and hold a wealth of confidential patient data, hospitals remain a particularly tempting target. As healthcare budgets shrink, healthcare providers must focus on preparing for and protecting against further attacks. While it may not be possible to replace all outdated equipment, some steps can be taken. Consulting with a cybersecurity firm can be productive and could be arranged on a sliding economic scale. Raising awareness among staff and medical professionals of new threats, scams and emails that may carry malware is important. A good firewall and email screening process provide some measure of protection, but they would not have stopped WannaCry, which spread machine to machine without email: the single most effective defence was applying the Microsoft patch promptly, and, where a device cannot be patched, disabling the obsolete SMBv1 protocol and isolating the device on the network so that a worm cannot reach it. Finally, every hospital or healthcare agency should be backing up critical data to storage that an infected network cannot overwrite, testing that those backups can actually be restored, establishing a plan for an attack, and considering cyber insurance as a way to handle the next WannaCry.
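The following script is an added example, not code from the original article or from GGI, that turns the three technical recommendations above into a check an administrator can run on a Windows host: is the SMBv1 protocol WannaCry spread over still enabled, is inbound SMB (TCP port 445) reachable from outside the local subnet, and is the newest backup recent. It assumes Windows 8.1 / Server 2012 R2 or later in an elevated PowerShell session (the Smb* and NetFirewall cmdlets do not exist on Windows 7), and the backup path, rule name and age threshold are illustrative values to be adapted.

```powershell
<#
  Added example, not code from the original article or from GGI.
  Post-WannaCry hardening check for one Windows host. Run from an elevated
  PowerShell prompt on Windows 8.1 / Server 2012 R2 or later.
    - Reports whether SMBv1 (the protocol WannaCry spread over) is enabled
      and, with -Fix, disables it.
    - Reports whether inbound TCP/445 is blocked from non-local addresses
      and, with -Fix, adds a Windows Firewall rule.
    - Reports whether the newest file under an assumed backup folder is
      younger than a threshold, i.e. that backups are actually running.
  Without -Fix the script only reports; nothing is changed.
#>
param(
    [switch]$Fix,                          # actually change settings
    [string]$BackupPath = 'D:\Backups',    # assumption: adapt to your site
    [int]$MaxBackupAgeHours = 24           # assumption: adapt to your backup schedule
)

$findings = @()

# --- 1. SMBv1 on the file-server side ----------------------------------------
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is ENABLED'
    if ($Fix) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $findings += '  -> disabled SMBv1 server protocol'
    }
}

# --- 2. SMBv1 Windows feature (client and server binaries) -------------------
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol Windows feature is installed'
    if ($Fix) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $findings += '  -> removed SMB1Protocol feature (reboot required)'
    }
}

# --- 3. Inbound SMB from outside the local subnet ----------------------------
# 'Internet' is a built-in RemoteAddress keyword meaning addresses outside
# the local subnets; a worm on another site or a VPN segment cannot then reach 445.
$ruleName = 'Block inbound SMB from non-local networks'   # assumed rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $findings += 'No firewall rule blocks inbound TCP/445 from non-local addresses'
    if ($Fix) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        $findings += "  -> created rule '$ruleName'"
    }
}

# --- 4. Backup freshness -----------------------------------------------------
if (Test-Path $BackupPath) {
    $newest = Get-ChildItem -Path $BackupPath -File -Recurse |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) {
        $findings += "No backup files found under $BackupPath"
    } elseif ($newest.LastWriteTime -lt (Get-Date).AddHours(-$MaxBackupAgeHours)) {
        $findings += "Newest backup is older than $MaxBackupAgeHours h: $($newest.FullName) ($($newest.LastWriteTime))"
    }
} else {
    $findings += "Backup path $BackupPath does not exist"
}

if ($findings.Count -eq 0) { 'OK: no findings' } else { $findings }
```

Run it once without -Fix to see what would change, then with -Fix on a test host before rolling it out. The firewall rule is a stop-gap for devices that cannot be patched or upgraded; it does not replace installing the vendor patch, and a backup that is merely recent is not enough unless a restore from it has been rehearsed.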


Leslie A. Berkoff

Moritt Hock & Hamroff LLP, Garden City (NY), New York (NY), USA
T: +1 516 873 2000
W: www.moritthock.com


Published: September 2017 l Photo: Witthaya - Fotolia.com
