
Managing Cyber Risks in Medical Practices

By Kevin Quinley
July 02, 2017

In an ad for a major commercial insurer, a gloved figure in a hooded sweatshirt sits before an office computer keyboard, mask pulled over his face. The photo caption reads, “When a cyber attack puts your name in the headlines, the last thing you should be worrying about is whether your insurer has less than stellar coverage.”

We often associate cyber-risks with financial institutions, like banks, insurance companies and credit card firms, but while the financial sector certainly does deal with cyber-risks, it is by no means the only industry facing such woes. Health care providers are also vulnerable to cyber-liability risks. In fact, according to Tom Kellerman, chief executive of Strategy Cyber Ventures, “The most exploitable industry in the world is the health care sector,” and it doesn't help, he says, that the health care industry is chronically hobbled by regulation and by inadequate investment in computer security. Washington Post, 5/13/17, “Ransomware Attacks Cripple Tens of Thousands of Systems,” p. A11.

Health care professionals' cyber-risks are not just hypothetical. Witness the May 12, 2017, ransomware attacks that crippled thousands of computer systems, many in the health care sector. In the United Kingdom, hospitals were forced to cancel medical procedures and reduce emergency room services. Patients scheduled for surgery were told that procedures were canceled due to a cyber attack. Physicians used pen and paper as Britain's National Health Service worked to get computers back online. And the May 12 incident is not a one-off: Among other incidents, in 2016, Los Angeles' Hollywood Presbyterian Medical Center was forced to pay $17,000 to unlock files after hackers disabled part of its computer systems.

Many Sources of Concern

Medical practices, physicians and hospitals harbor vast chunks of personal and medical data, including information on doctors who use and prescribe medication, patients who receive medical products, and clinical trial subjects. Health care professionals must use this data responsibly, and preserve and protect it so that it does not fall into the hands of unauthorized parties. To do this, they must comply with increasingly stringent privacy laws.

“Cyber-risk” can be defined as a range of computer-related problems and tech vulnerabilities inherent in information technology and systems. These include:

  1. Hacker attacks;
  2. Phishing — trying to defraud an online account holder by sending an email and posing as a legitimate business;
  3. Viruses — a type of (usually) malicious software that inserts copies of itself into other computer programs, and typically performs some type of harmful activity on infected computers, including stealing private information, corrupting data or logging keystrokes;
  4. Worms — standalone computer malware programs that need not attach themselves to an existing computer program, but often harm computer networks or cause other ill effects to a company's information technology infrastructure;
  5. Spybots — a/k/a spyware, an application that collects computer information and Internet use data without the knowledge of the computer user; and
  6. Inadvertent disclosure of private or proprietary information due to intentional sabotage.

I attended a risk management conference in Charlotte, NC, featuring a talk given by a cyber-risk expert. He cited the case of a medical device manufacturer that was implementing layoffs. A “surviving” employee, upset about the reductions in force, took a company laptop computer to a McDonald's, ordered coffee, and then remotely shut down the company's manufacturing processes. He did this in retaliation for what he felt were unfair layoffs. The FBI investigated, traced the laptop's IP address to a specific McDonald's, and culled store purchase records to find debit card receipts linked to a specific company employee. FBI representatives questioned the worker, who confessed, but not before the company suffered substantial business interruption, losing a week's worth of manufacturing.

While this vignette spotlights the woes of a medical technology company, it is a cautionary tale for any business, including those of health care professionals and providers. Disgruntled staff or ex-employees can cause cyber losses, but so can intrusions due to too-casual oversight, preoccupation with other risks, or the inertia of lax data security procedures. Then, there are the various motivations that drive deliberate cyber attacks, such as gathering patient information, harming a patient's health, ego gratification or holding medical data ransom for financial gain.

The FDA Enters the Picture

Now, let's add to the above concerns the problems that may accompany the advent of implantable mechanical devices, some of which can be manipulated remotely. According to Adam Gollner in his recent work, The Book of Immortality: “Every technological appliance … has glitches. They don't always work properly … Do we really want tiny robots malfunctioning in our bodies? Computers are fragile, not foolproof. Imagine having to fix an intracellular motherboard crash. What about computer viruses infiltrating our bloodstream? They can already be programmed to contaminate chips and pacemakers, defibrillators and cochlear implants.” The Book of Immortality, Adam Leith Gollner, Scribner, 2013, p. 272.

As medical treatment and protocols become more complex, complications and risks are accentuated. The FDA addressed some of these concerns when, in June 2013, it issued a safety communication on cyber security for medical devices and hospital networks. The FDA places the onus on manufacturers to identify and mitigate cyber security risks. When medical devices interface with hospital IT systems, data breaches and unauthorized disclosure of patient information can result. This can significantly harm a hospital's or medical practice's financial health. If an attacker penetrates a hospital's network via unpatched or unprotected medical devices, concerns about patient safety and privacy breaches are compounded.

Health care providers should ensure that their computer systems run on up-to-date software, that the software is encrypted, and that devices relying on software have antivirus protection. Further, hospitals and medical practices must promptly apply patches or fixes to software with known security vulnerabilities.

Next month, we will look at some risk-management and loss-control strategies, and we will discuss cyber-insurance options.

*****
Kevin Quinley, CPCU, a member of the Medical Malpractice Law & Strategy Board of Editors, is Principal of Quinley Risk Associates, a risk-management consulting firm in the Richmond, VA, area. He is the author of Bulletproofing Your Medical Practice: Risk Management Strategies That Work. Reach him at http://www.kevinquinley.com or at [email protected].