May 28, 2019
A recent report indicated that eighty-two percent (82%) of hospitals in the United States experienced a “significant [information] security incident” within the twelve months prior to the report. Another report indicated that the average cost of a data breach in the healthcare industry is over $400 per record, by far the highest across all industries.
Earlier this month, a health care provider (like a hospital, a “covered entity,” under HIPAA) paid $3 million to resolve an investigation by the U.S. Department of Health and Human Services Office of Civil Rights (“OCR”) in connection with an all-too-common form of health information security breach. Likewise, last month UCLA Health agreed to pay $7.5 million to settle a class-action lawsuit relating to a cyberattack that occurred in 2014 and affected 4.5 million patients.
Also earlier this month, Microsoft made available a software patch for certain legacy operating systems that it no longer supports (e.g., Windows 7 and Windows Server 2008) reportedly to help users stave off cyberattacks similar to the so-called WannaCry ransomware attacks that two years ago largely disabled the information systems of the National Health Service in the United Kingdom and thousands of other organizations around the world. Likewise, a hospital in the United States impacted by the so-called NotPetya cyberattack that also occurred in 2017, shortly after the outbreak of the WannaCry attacks, was forced to replace its entire network as result of the damage caused by the attack. Subsequently, experts have claimed that WannaCry and NotPetya were state-sponsored attacks (sponsored directly or indirectly by North Korea and Russia, respectively) and that similar attacks likely will proliferate in the future.
Other reports indicate that cyberattacks against individual hospitals and hospital systems typically number in the billions each year.
Perhaps most ominously, yet another report recently revealed that researchers in Israel may have developed malware that could exploit security vulnerabilities in commonly used CT and MRI scanners in order to insert images of fake cancerous nodules (and possibly to remove images of actual nodules), suggesting that cybercriminals might use similar tactics to trick physicians into misdiagnoses and to trigger other potentially catastrophic patient safety crises.
In summary, in addition to substantial legal exposure, cyberattacks and other cybersecurity incidents pose very substantial risks to hospital operations, finances and even patient safety. It is therefore imperative that hospitals stop treating cybersecurity as “an IT problem” and start treating it as what it is: an enterprise-wide risk management problem. That means engagement and leadership at the enterprise level: the board room and the c-suite.
1. Board engagement
In short, the hospital board of directors and senior management must take ownership of cybersecurity risk management. The board should solicit updates regarding cybersecurity incidents as well as ongoing security risk management programs and initiatives at its regular meetings and as necessary to stay up to date on critical security issues. At least one executive level officer or director should be responsible for oversight of cybersecurity matters. The board also must empower operational level personnel accountable to carry out their directives and hold them accountable for not following through.
2. Operational accountability
Conversely, it is critical that the hospital privacy officer, security officer and other responsible managers and initiatives act proactively to keep the board up-to-date; their objective should be to facilitate ongoing discussions with and among the board and senior management not only in regard to current security incidents and initiatives, but also in regard to security threats and vulnerabilities that may affect the hospital in the future. The board should also empower these individuals to act proactively to provide needed training, updates and information to the hospital’s employees and personnel in regard to present and future cybersecurity threats and to hold them accountable for conduct that jeopardizes information security.
3. Outside resources
Internal leadership and accountability, in itself, is not enough. Hospital leadership must seek out and engage with appropriate third party advisors, as needed, to better position the hospital to mitigate cybersecurity risks. Outside information technology experts can lend credibility and valuable advice and leadership to hospitals’ ongoing security risk analysis and risk management programs. Cyber (or other risk) insurance experts (e.g., cyber insurance broker or agent, or legal counsel for the insurer) can assist the hospital in developing insurance solutions that – in coordination with technology – appropriately address cybersecurity risks identified in the course of ongoing risk analysis and risk management and may also offer valuable security tools and services (e.g., risk analysis, incident response specialists) in connection with insurance coverage. Outside legal counsel can advise and assist the hospital in carrying out security risk analysis and risk management in compliance with applicable laws, implementing security safeguards in compliance with HIPAA and other regulatory requirements and in regard to litigation and other legal risks associated with cybersecurity matters. To maximize the value of these resources, however, it is critical that they work together, in synchronization. It is critical, therefore, that hospital boards and senior management not only engage with these resources, but also require and empower them to coordinate their efforts.
4. Key issues
Cybersecurity will always be a work in progress. Even the most expert, highly resourced hospitals and healthcare organizations must work every day to keep up with rapidly evolving cyber threats. Unfortunately, however, very often cyberattackers and other criminals are able to exploit human error and other “low hanging fruit.” While hospital boards and senior management may be limited in their ability to expedite technology solutions, they can and should act promptly to eliminate or substantially reduce risks associated with human error and low hanging fruit. These steps may include the following:
(a) Phishing. The great majority of ransomware and other cyberattacks involving hospitals and healthcare organizations originate from or involve a phishing scam, social engineering or similar tactics that prey on human error. Technology can prevent certain of these attacks, but not all of them. Consequently, it is essential that hospital boards and senior management ensure that the hospital diligently educates and updates its workforce and vigorously tests and polices compliance with hospital-established procedures to guard against phishing and similar attacks.
(b) Insider threats. Cyber criminals are not the only bad actors hospitals should be wary of, however. A significant number of hospital data breaches involve theft of patient information by members of the hospital’s workforce or hospital contractors. This is not surprising, since criminals typically value stolen medical information much more than other personal information, even credit card and social security numbers. Besides theft, incidents of hospital personnel “snooping” and “peeping” at patients’ information still occur with alarming frequency. To address these risks, in addition to equipping personnel to avoid phishing attacks and similar threats, hospital boards and management must ensure that the hospital has in place adequate screening procedures to keep criminals out of the workforce and adequate sanctions policies to deter hospital personnel from inappropriately accessing, using or disclosing patients’ information.
(c) Access controls. Cyberattacks and related crimes are increasingly focused on stealing and exploiting user login credentials. Likewise, hospitals too often do not appropriately limit users’ access – i.e. to the information the user needs to do his/her job. To make matters worse, hospitals are often dependent on running manual login audits that may be done irregularly and may not be executed properly due to lack of human expertise, diligence, etc. As a result of these and similar problems, criminals are not only able to gain access to a hospital’s network, they may be able to “hide out” and move freely within the network, undetected, for long periods of time, thereby exacerbating the potential damage to the hospital. Hospital boards and senior management must prioritize implementing appropriate access controls, such as two factor authentication and regular (ideally automated) network monitoring, to mitigate these risks.
(d) Software updates. Notwithstanding the technical issues involved, the WannaCry and NotPetya attacks were successful largely due to human error. Both attacks exploited legacy Microsoft systems that had not been properly patched – notwithstanding that Microsoft made the required patch available months prior to the attacks. A similar failure resulted in a breach of 143 million individuals’ credit information maintained by Equifax. As these and many similar cases illustrate, it is crucial that hospital boards and senior management ensure the hospital has systems in place to timely patch and update legacy software.
(e) Connected devices. Any “smart” (i.e., internet connected) device connected to a hospital’s network is a potential point of entry for a cybercriminal. Until recently, device manufacturers have not been legally obligated to address security in product development. Even with proper security safeguards in place, however, devices must be properly configured to protect patient information. Moreover, implementing security enhancements, at least until technology further evolves, may come at the expense of slowing down or impeding care delivery, a reality that potentially implicates patient safety – and likely breeds tension with clinicians, in any case. Likewise, hospitals may not be able to appropriately secure certain devices, either because the hospital cannot afford to take them offline (e.g., life-sustaining devices), because the device includes legacy software no longer supported by the manufacturer or for which there is no patch or update or because the hospital cannot afford to updated or replace the technology. So, in addition to ensuring the hospital takes appropriate steps to update and properly configure connected devices, hospital boards and senior management must ensure that risks associated with legacy devices that cannot be updated are appropriately accounted for in risk analysis and that adequate safeguards (e.g., insurance coverage) are in place to address such risks.
(f) Third-party risk management. Hospital devices are not the only devices connected to the hospital’s network, of course. More and more vendors require network access to provide critical services to hospitals. Additional connectivity adds risk and security issues for the hospital. Indeed, significant portions of data breaches reported to OCR, and class action lawsuits and other security-related litigation, involve an error or misconduct by a hospital vendor (i.e., a HIPAA business associate). Hospitals must assess security risks associated with providing network access to vendors and take appropriate steps to mitigate such risks. Hospitals must also ensure that any vendor or contractor that will have create, receive, transmit or maintain protected health information (as defined under HIPAA) pertaining to hospital patients enters into a HIPAA-compliant business associate agreement and that the business associate agreement, as well as the underlying service contract(s), allocate security risks appropriately between the vendor and the hospital (i.e., in accordance with the hospital’s risk assessment). Hospital boards and senior management must take the lead in implementing appropriate safeguards to address and mitigate third-party security risks and must be prepared to deal appropriately with vendors whose security practices jeopardize the security of patients’ information.
(g) Medical staff accountability. Physicians and other healthcare providers may need access to a hospital’s electronic medical record to facilitate treatment of patients at the hospital. Medical staff physicians (i.e., who are not employed by the hospital) may also own or manage a physician practice entity that employs or contracts with other clinical and administrative staff who need access. In other words, medical staff physicians may pose security risks similar (or greater) than those posed by third-party vendors. Consequently, hospital boards should consider whether the hospital should enter into confidentiality or similar agreements with these practice entities and the individual physicians and staff that require them to take appropriate steps to safeguard information pertaining to hospital patients and provide appropriate remedies to protect the hospital in the event a physician or his/her staff fail to comply. Hospital boards also must ensure the medical staff bylaws, hospital rules and regulations and other governing documents, and/or the documentation utilized in connection with medical staff credentialing (including renewals), include robust safeguards the hospital may invoke to hold medical physicians (whether or not employed) accountable in the event their conduct (e.g., emailing or texting patient information from an unsecure device, sharing login information with his/her employees or others) jeopardizes patient privacy or information security. Bottom line, hospital boards and senior management must take concrete, affirmative steps to hold their medical staff accountable for protecting the information security of hospital patients, and they must be prepared to stand behind and enforce them in respect to any physician whose conduct poses impermissible risks to patient privacy or information security.
(h) Incident response. In the event of a cybersecurity incident, a hospital may need to take a number of critical steps in short order to avoid or mitigate harm to the hospital and affected patients and to comply with applicable laws. Therefore, it is critical that hospital boards ensure the hospital has a capable incident response team and effective incident response procedures in place at all times – that is, before an attack occurs. Among other things, robust data backup and recovery procedures are needed to avoid or mitigate potential damages caused by a ransomware or other cyberattack. In addition, it is critical that the hospital engage appropriate counsel to understand and be in position to comply with complex, time-sensitive federal (i.e., HIPAA) and State requirements that may apply (e.g., in the event of a breach of unsecured protected health information, as defined by HIPAA). Similarly, it is essential that the hospital regularly test its incident detection and response procedures (e.g., by means of regular penetration testing and vulnerability scans and/or tabletop exercises) to ensure the procedures function effectively and efficiently.
This Client Alert only provides an overview of a sampling of cybersecurity issues pertinent to hospital boards of directors and senior management. If you have specific questions or concerns regarding cybersecurity matters at your hospital, please contact our firm or other appropriate legal counsel.
PLEASE BE ADVISED: This Memorandum is intended only to provide an overview of the matters addressed herein and does not constitute legal advice. If you have questions regarding a specific arrangement with a physician or other health care provider, please seek appropriate legal counsel.
 See Mackenzie Garrity, Becker’s Hospital Review, “5% of hospital IT budgets go to cybersecurity despite 82% of hospitals reporting breaches” (March 12, 2019), available at https://www.beckershospitalreview.com/cybersecurity/5-of-hospital-it-budgets-go-to-cybersecurity-despite-82-of-hospitals-reporting-breaches.html (last accessed May 28, 2019).
 See Ponemon Institute, 2018 Cost of a Data Breach Study: Global Overview (July 2018), at page 4. Available at https://public.dhe.ibm.com/common/ssi/ecm/55/en/55017055usen/2018-global-codb-report_06271811_55017055USEN.pdf (last accessed May 28, 2019).
 US Department of Health and Human Services Office of Civil Rights, “Tennessee diagnostic medical imaging services company pays $3,000,000 to settle breach exposing over 300,000 patients’ protected health information” (May 6, 2019), available at https://www.hhs.gov/about/news/2019/05/06/tennessee-diagnostic-medical-imaging-services-company-pays-3000000-settle-breach.html (last accessed May 28, 2019).
 See UCLA Health, HIPAA Journal (March 22, 2019), available at https://www.hipaajournal.com/ucla-health-settles-class-action-data-breach-lawsuit-for-7-5-million/ (last accessed May 28, 2019).
 See Jessica Davis, Health IT Security, “Microsoft Issues Rare Legacy OS Patch to Prevent Another Wannacry” (May 15, 2019), available at https://healthitsecurity.com/news/microsoft-issues-rare-legacy-os-patch-to-prevent-another-wannacry (last accessed May 28, 2019).
 See Melanie Evans, Cyberattack Forces West Virginia Hospital to Scrap Computers, Wall Street Journal (June 29, 2017), available at https://www.wsj.com/articles/cyberattack-forces-west-virginia-hospital-to-scrap-its-computer-systems-1498769889 (last accessed May 28, 2019).
 See Fred Donovan, Europol Warns Nation-States Behind More Ransomware Attacks, HealthITSecurity (September 19, 2018)(citing Europol Internet Organised Crime Threat Assessment 2018), available at https://healthitsecurity.com/news/europol-warns-nation-states-behind-more-ransomware-attacks (last accessed May 28, 2019).
 See Nicole Westman, Health Care’s Huge Cybersecurity Problem, The Verge (April 4, 2019), available able at https://www.theverge.com/2019/4/4/18293817/cybersecurity-hospitals-health-care-scan-simulation (last accessed May 28, 2019).
 See Kim Zetter, Hospital viruses: Fake cancerous nodes in CT scans, created by malware, trick radiologists, Washington Post (April 3, 2019), available at https://www.washingtonpost.com/technology/2019/04/03/hospital-viruses-fake-cancerous-nodes-ct-scans-created-by-malware-trick-radiologists/?utm_term=.5629ba8c4e7b (last accessed May 28, 2019).
 See Josh Fruhlinger, What is WannaCry ransomware, how does it infect, and who was responsible?, CSO (August 30, 2018), available at https://www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html (last accessed May 28, 2019).
Lily Hay Newman, Equifax Officially Has No Excuse, Wired (September 14, 2017), available at https://www.wired.com/story/equifax-breach-no-excuse/ (last accessed May 28, 2019).