Hospital Impact—Cybersecurity breaches pose major legal threat to healthcare providers

Cybersecurity
Physicians may want consider adding cybersecurity vulnerabilities to the list of risks discussed with patients seeking treatment.
Trish Carreiro

Medical devices promise huge advantages, including improved patient care, cost savings and workforce productivity, but there are also significant dangers.

The healthcare sector is notorious for its underinvestment in cybersecurity; a reality made only more dire by the demands of the Obama administration’s electronic medical record mandate. The Department of Health and Human Services recently issued a report (PDF) stating that the healthcare sector’s cybersecurity is “in critical condition.”

Although one medical chart is worth 50 social security numbers, per (PDF) Symantec, healthcare generally invests only 4%-6% of its IT budget in cybersecurity, according to the SANS Institute. The financial sector, by comparison, spends 10%-12%.

Given the value of medical information and healthcare’s poor investment in securing that information, it’s no wonder criminal attacks, according to the Ponemon Institute, are the leading cause of healthcare data breaches. In 2016, the number of healthcare providers that experienced a hack grew 320%, causing a 181% increase in the number of records hacked in a single year, per a report from CynergisTek. Almost 78% of these hacks were of healthcare providers.

The consequences of this data theft go well beyond fraudulent purchases and spoiled credit, extending into areas like Medicare fraud and prescription drug abuse.

RELATED: 2016 a banner year for EHR security breaches

Beyond medical record theft, however, are even more nefarious breaches: ransomware. In a ransomware attack, the hacker holds information or a computer system hostage and threatens to delete it unless a ransom, usually in bitcoin, is paid within a certain time. Instances of this attack have repeatedly made headlines, including the attacks against Hollywood Presbyterian Medical Center, MedStar Health, Heritage Valley Health System and the U.K.’s National Health Service.

Roughly 4,000 ransomware attacks happened each day in 2016. In May 2016, WannaCry shut down 65 hospitals in the U.K., affecting not only computers but refrigerators and MRI machines as well. Ransomware has been growing in popularity, increasing 36% in 2016 alone, per (PDF) Symantec. Some of this increase is likely due to ransomware’s ease and difficulty to trace; there’s no need to find a buyer for the personally identifiable information, no need to use the information to commit a fraud, just straight cash.

The average ransom amount has also increased, jumping 266%, up to $1,077, in 2016, according to a report from Symantec. The Institute for Critical Infrastructure Technology said ransomware will “wreak havoc on America’s critical infrastructure community,” and the healthcare sector is no exception. Ransomware accounted for 72% of healthcare malware attacks in 2016, according to a report from Verizon.

RELATED: Should hospitals pay up following a ransomware attack? The answer is far from simple

The dangers to patient life from providers’ inability to access patient medical records, the broader computer network or related medical devices is obvious, as is the damage that could result. These risks include not knowing how much of what medication to give, not knowing about a drug allergy, not knowing a blood type, or even worse, a full system crash during a key moment in a surgery.

With an estimated 85% of healthcare organizations expected to use IoT medical devices by 2019, per Hewlett Packard, the threat is very real. As 64% of these medical devices are patient monitors, the threat for patients with insulin pumps, pacemakers and other devices with wireless, remote or near-field communication capabilities is particularly grave.

The threat is nothing new. In 2013, Vice President Dick Cheney had the wireless capability on his pacemaker turned off for that very reason. In 2016, Johnson & Johnson warned customers about the security of its insulin pumps. In late 2016 and early 2017, St. Jude spent months patching a vulnerability in its equipment, including defibrillators and pacemakers, and the FDA recently recalled 465,000 pacemakers for similar flaws.

Although no loss of life has yet been reported due to one of these device vulnerabilities or ransomware attacks, it is only a matter of time until medical device manufacturers, hospital administrators and healthcare providers are sued. While insurers may seek shelter in cyber policies’ personal injury exclusions, limits and sublimits, healthcare providers may find themselves facing a new kind of malpractice claim—one that may not be covered by their usual malpractice policy.

This threat is particularly dangerous for doctors who rely most on technology, and who therefore face rising medical malpractice premiums. For example, cardiologists implanting vulnerable pacemakers in their patients and interventional radiologists using robotics and constant imaging to navigate and perform surgery through patients’ veins may face an increase in malpractice claims arising from cybersecurity hacks.

Indeed, these physicians may already need to consider adding cybersecurity vulnerabilities to the list of risks discussed with patients seeking treatment. Even more, these doctors may have to ask themselves whether they can ethically treat their patients at hospitals that don’t properly invest in cybersecurity and related technology.

Doctors being sued for malpractice based on cybersecurity breaches will have many questions to answer: (1) Did you know, or should you have known, of the cyber vulnerabilities of that device—did you even look into it? (2) Did you know, or should you have known, that your computer system was vulnerable to hacking? (3) Why didn’t you download the update for a known problem? (4) Why didn’t you pay that ransom? Wasn’t a life worth more? (5) Why didn’t you warn me that your technology was so vulnerable?

The list goes on, but one thing is certain, a new type of virus—a computer virus—may be on physicians’ most feared list.

Trish Carreiro practices in Axinn’s Litigation Group and has experience in a broad range of civil litigation, including commercial and insurance disputes.