Chicago Lawyer - www.ChicagoLawyerMagazine.com

The new security reality: Health data fetches high prices on the black market

May 01, 2017
By Chicago Lawyer
Neville M. Bilimoria is a partner in the health law practice group, in the Chicago office of Duane Morris.

NMBilimoria@duanemorris.com

As cyberterrorists grow more sophisticated, our world seems to get scarier each year. In the health-care sector, we have seen breaches under the Health Insurance Portability and Accountability Act, or HIPAA, result in fines of more than $23.5 million in 2016, up from $7 million or $8 million per year in years past. Certainly much of the recent uptick in HIPAA fines and penalties comes from cyberattacks and/or protected health information stolen at the hands of cybercriminals or outright thieves.

Not many people understand or even believe it when I tell them that stolen health information is worth 10 to 20 times more on the black market than your stolen credit card information. That is because the theft of health information takes, on average, far longer to detect than a banking or credit card breach: a card can be cancelled in days, while a medical identity may be misused for months. That extra time gives hackers more valuable use of protected health information for stolen identities and other cybercrimes. Plus, health-care providers don’t have the sophisticated security in place that banks have had for many years running.

Recent stories in the press and media reveal cyberattacks on hospital electronic medical records, or EMR, through ransomware: holding the EMR system hostage by encrypting it so that it is unreadable until the hospital pays a ransom to “release” it. Of course, there is the Anthem breach in 2015, which resulted from a few phishing e-mails sent to five employees that allowed the hacker to break into Anthem’s system, allegedly resulting in 78 million patient records being compromised.

Perhaps the scariest and most sophisticated cyberattack is called “social engineering.” In these attacks, a cybercriminal poses as someone you know and sends you an e-mail asking you to do something. These are not the old Nigerian prince e-mail scams we’ve seen before. Now these attackers are more sophisticated, posing as your fellow workers with nothing that outwardly marks them as an imposter, in an attempt to get you to respond or even send money in the guise of valid business operations.
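The impersonation described above usually leaves traces in the mail headers: the display name is a real colleague’s, but the address is not that colleague’s mailbox, the sending domain is one character off from the organization’s own, or a Reply-To quietly redirects the conversation elsewhere. The following is an added example (not code from the author or from this column) of an inbound-mail check for those three signs. The organization domain example-health.org, the two-entry employee directory and the three sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
import unicodedata

# Assumed organisation domain and a constructed employee directory (hypothetical).
ORG_DOMAIN = "example-health.org"
DIRECTORY = {
    "jane doe": "jane.doe@example-health.org",
    "raj patel": "raj.patel@example-health.org",
}

# Digits attackers commonly substitute for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def canonical_domain(domain: str) -> str:
    """Lower-case, Unicode-fold and de-confuse a domain, for comparison only."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return folded.translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: str) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. Display name belongs to an employee, but the address is not theirs.
    key = " ".join(name.split()).lower()
    expected = DIRECTORY.get(key)
    if expected and addr != expected:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")

    # 2. Sending domain is a near-match of ours (e.g. examp1e-health.org).
    if domain and domain != ORG_DOMAIN and \
            edit_distance(canonical_domain(domain), ORG_DOMAIN) <= 1:
        findings.append(f"lookalike domain: {domain}")

    # 3. Replies are silently redirected to a different mailbox.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"reply-to mismatch: {reply_to.lower()}")
    return findings


# Constructed sample messages (not real mail).
LEGIT = """From: Jane Doe <jane.doe@example-health.org>
To: raj.patel@example-health.org
Subject: Q2 budget

Attached as discussed.
"""

IMPERSONATION = """From: "Jane Doe" <jane.doe.exec@mailhost.example.net>
Reply-To: jd.urgent@mailhost.example.net
To: raj.patel@example-health.org
Subject: Urgent wire transfer

Raj, I need you to process a vendor payment before noon. I am in meetings all day.
"""

LOOKALIKE = """From: Jane Doe <jane.doe@examp1e-health.org>
To: raj.patel@example-health.org
Subject: Updated W-2 request

Please send me the staff W-2 forms for the audit.
"""

if __name__ == "__main__":
    for label, sample in [("legit", LEGIT), ("bec", IMPERSONATION), ("lookalike", LOOKALIKE)]:
        print(label, analyse(sample) or "no findings")
```

The legitimate message produces no findings; the wire-transfer message is flagged for both the foreign address behind a known display name and the mismatched Reply-To; the W-2 request is flagged for the display name and for the digit-for-letter domain. A check like this belongs at the mail gateway as a warning banner or quarantine rule, not as a substitute for the out-of-band verification of any payment request.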

Amid this milieu of cyberterror and the ever-increasing sophistication of cyberattacks, I’ve come to realize that cybersecurity breaches for health-care providers are going to happen. Why? Because we are all human. We all want to communicate and respond to e-mails. This is what cyberterrorists feed on. We all make mistakes in choosing passwords or in sending, storing or disclosing information. The question is, will that health-care provider be prepared, and have a defensible position in the face of a cybersecurity breach, to minimize its liability?

A look at the most substantial penalties imposed by the Office for Civil Rights for HIPAA violations reveals that almost all of the recent HIPAA breaches were the result of either 1) a third-party cybercriminal attack or 2) simple human error.

Defending against crimes to reduce health-care provider liability is difficult. Crime will be crime. It is hard for health-care providers to “stop” criminals from hacking into systems or stealing information. However, health-care providers can, and must, now more than ever, be prepared for a cyberbreach with proper policies, procedures and security systems in place to mitigate the damage.

I’m reminded of a situation where a nurse left medical records in her vehicle; the vehicle was stolen, resulting in a HIPAA breach. Even third-party criminal acts can result in fines and penalties under HIPAA for failure to have proper procedures in place to prevent or mitigate such criminal activity. Inevitably, the Office for Civil Rights will claim that the health-care provider should have better secured those records, using the powerful tool of 20/20 hindsight.

Undoubtedly, human error can be reduced through proper HIPAA training in cybersecurity policies; however, humans will be humans, I have found. Even the most carefully constructed HIPAA defense and compliance team, no matter how much money is poured into a HIPAA compliance program, can still suffer a breach through a simple human error.

These days, a mistyped character in an e-mail address, or a missed digit on a fax number, can send protected health information to the wrong recipient and result in a breach. Plus, all the HIPAA training in the world will not prevent us humans from taking that next photo or posting something on Facebook that inadvertently involves protected health information.

For example, a simple Snapchat post showing a nursing home resident recently resulted in a breach of privacy, not to mention felony charges against the certified nursing assistant who posted it.

Don’t get me wrong: as health lawyers, we must counsel our clients to take privacy and security seriously and to comply with the proper physical, technical and administrative safeguards that protect health information. Having a compliance program in place, despite the inevitable, is the best legal advice to avoid a breach, and to lessen fines, penalties and damages after a breach.

We can’t always control our employees, and we have even less control over cybercriminals and their recent uptick in sophistication. But one thing is sure: Cyberattacks are on the rise, they will continue and we have to keep fighting the fight.

The best we can hope for in health care is robust cyberliability insurance and a HIPAA compliance plan that will kick into gear and avoid costlier penalties and fines.

© 2017 Law Bulletin Publishing Company
