By Keely E. Duke and Elizabeth D. Sonnichsen
The Wolf, a brilliant four-part advertising campaign by Hewlett-Packard, depicts Christian Slater hacking into a business by targeting an unsuspecting employee who is enticed to print a counterfeit spa gift card on her birthday.[i] This seemingly innocent act results in unfettered access to details of a major acquisition through an unsecured printer.
Once granted access to these documents, Slater looks deadpan at the camera and states: “First, I got control of their printers, then I got control of their network, then I got control of their data. And now, this. All the juicy details of a major acquisition. These guys are in for a really bad day.”
Instances of these “really bad days” are on the rise across the nation, with healthcare ranking as the most targeted industry in 2018, accounting for 25% of reported incidents.[ii] One area of particular concern is telehealth, a segment of the healthcare industry that uses technology to connect patients and providers remotely.
Telehealth is growing substantially, especially in rural areas, with the number of users increasing by as much as 643% nationally.[iii] It is a prime target for these attacks. To guard against them, it is important to understand why telehealth is a target for cyberattacks, how the Government is responding, what litigation is occurring in the telehealth realm, and what steps telehealth providers and healthcare litigators can take to protect patients’ information.
Telehealth: An Enticing Target
Cyberattacks are prevalent in telehealth because health information is often accessed via applications on smartphones and tablets, which are easily lost or stolen, making the data stored on the devices particularly susceptible to risk. Nationwide, more than 80% of physicians use mobile technology to provide patient care and more than 25% of commercially insured patients use mobile applications to manage their health.[iv] This mobility has many benefits, including increasing patient access to healthcare and specialists, timely communication of test results and care plans, and improving continuity of care.
This is particularly true in rural Idaho. Recognizing the many benefits of telehealth, the Idaho Telehealth Council developed and passed the Idaho Telehealth Access Act in 2015, which allows for patient-provider relationships to be established without an in-person visit using two-way audio and video communication and allows prescription drug orders to be issued using telehealth services.[v]
While such access has many positives, the risk that such communications and data exchanges will be compromised is substantial. In 2015 alone, 113 million healthcare records were maliciously accessed, either through a breach of hospital systems or through hacking into telemedicine systems.[vi] Idaho, with its growing population and large rural areas, is a target for such telehealth cyberattacks.
Hospital data security breaches can cost a single hospital as much as $7 million in fines, litigation, and damaged reputation.[vii] The healthcare industry lags behind other industries in securing data often because of the considerable capital necessary to protect hospital systems. Hospitals vary significantly in their prioritization of cybersecurity—70% of hospital boards include cybersecurity in their risk management oversight while only 37% of hospitals perform annual incident response exercises.[viii]
As such, cybercriminals are highly active in targeting healthcare organizations, especially when electronic records can be sold online for $10-$50 each—about 10 to 20 times the value of a U.S. credit card number—making them an easy and profitable target for hackers.[ix] Furthermore, by targeting telehealth as opposed to bank records or email, a cybercriminal’s use of healthcare records upends the feeling of safety that a user of telehealth may have.
Telehealth Cybersecurity Litigation
Not surprisingly, the case law related to cybersecurity and fraud connected to it is in its infancy. Across the nation, in cases examining situations where a party’s information is fraudulently obtained by a hacker, the evolving case law suggests that the party in the best position to avoid the fraud bears the loss.[x] That said, the causes of action related to a data breach have deep roots in state law – negligence and gross negligence, among others, and the potential for punitive damages if the telehealth provider or hospital willfully and recklessly failed to put certain safeguards into place.
When a telehealth provider acts reasonably using the suggested safeguards, a plaintiff may face a difficult hurdle in meeting her burden. In addition to the question of standing, she must also present facts that the telehealth provider’s actions were outside the standard of care—a constantly moving target.
In Attias v. CareFirst, Inc., the United States Supreme Court was presented with the opportunity to establish precedent regarding a plaintiff’s burden as to harm suffered from a data breach.[xi] Instead, the Court denied Maryland-based CareFirst Blue Cross Blue Shield’s request to review the D.C. Circuit’s ruling that, despite not having suffered any actual harm from the data breach, the affected customers could pursue a class action against the insurer based on the exposure of their personal information.
To date, there is no clear precedent as to whether an individual who pleads that her data was exposed in a breach may maintain a lawsuit against a company when there is no actual harm. In the absence of federal precedent, states must take the lead in applying cybersecurity laws as they relate to data security statutes, breach notification statutes, and related statutory developments.
The Government’s Response to “The Wolf”
In 2015, Congress enacted The Cybersecurity Act of 2015, which has three healthcare-specific provisions. These provisions include the development of (1) a plan within each division of the Department of Health and Human Services spelling out responsibilities for addressing cyberthreats in the healthcare sector; (2) a Health and Human Services industry task force to examine, among other things, the cyber challenges facing the healthcare sector, as well as lessons the sector can learn from other industries; and (3) a common set of voluntary consensus-based guidelines, best practices, and methodologies to help healthcare organizations better address cyberthreats.[xii]
In addition, developers and manufacturers of mobile health applications and devices that support telehealth services must comply with multiple privacy and security regulations promulgated by various federal agencies, which are as follows:
- The Food and Drug Administration has established regulations regarding the safety and effectiveness of hardware and software of telehealth devices and mobile medical applications.[xiii]
- The Federal Communications Commission is working to raise awareness about the value of broadband in healthcare sectors through its Connect2Health Task Force. The task force identifies regulatory barriers and incentives to build stronger partnerships with public and private stakeholders in the areas of telehealth, mobile applications, and telemedicine to accelerate the adoption of advanced healthcare technologies.[xiv] The task force promotes effective policy and regulatory solutions and works to strengthen the nation’s telehealth infrastructure through its Rural Health Care Program and other initiatives.
- The Federal Trade Commission has established regulations requiring disclosures about the collection and use of consumer data to avoid false, misleading, and deceptive trade practices, and has provided a privacy-by-design framework for protecting mobile privacy. The FTC is also examining healthcare competition, including regulatory barriers that prevent telehealth across state lines.[xv]
- The Office of National Coordinator for Health Information Technology established regulations to adopt standards and certification criteria for health information technology.[xvi]
While the Cybersecurity Act and these various regulations are a significant step in the right direction toward preventing and addressing cyberattacks in healthcare, the regulations often conflict with one another and fall short of bringing about actual change in procedural safeguards against such attacks. In addition, regardless of the regulations, cyberthreats are very difficult to prevent because telehealth applications remain capable of connecting to other medical devices, to the internet or other networks, or to portable media, all of which are exposed to cybersecurity threats. Cybersecurity breaches continue to rise, with the top five causes being phishing, network intrusion, inadvertent disclosure, stolen devices, and system misconfiguration, in that order.[xvii]
Defending Against “The Wolf”
From our clients’ perspective, the FDA recommends that telehealth application developers provide security controls to maintain the confidentiality, integrity, and availability of information stored in telehealth apps.[xviii] Telehealth providers should build an infrastructure that provides secure communications between providers and patients, allowing remote communication without reducing the level of security. HIPAA guidance on telemedicine suggests the following for securing telehealth on mobile devices that connect to a network:
- Performing regular risk assessments to ensure continued protection;
- Conducting regular staff training on data privacy, security, and the latest threats, to develop a “risk aware” culture;
- Tracking data to allow for a quick and easy forensic analysis after a cybersecurity attack;
- Permitting network access to only those devices certified as having appropriate security controls;
- Segregating personal and work data on bring your own devices, permitting the easy deletion of protected data without erasing personal files and contacts;
- Considering data encryption for all data stored on mobile devices;
- Disallowing the use of SMS messages to communicate Protected Health Information at work;
- Allowing remote data erasure from a centrally controlled system;
- Implementing and enforcing password policies on password length, composition, and validity period; and
- Regularly scanning device security before any device is allowed to connect to a healthcare data network.[xix]
Regardless of these measures, however, one of the biggest hurdles to protecting healthcare information from hackers is the patients themselves. While patients should know that certain standard practices—such as running antivirus protection, using secure passwords, not visiting unprotected websites, and not opening links from unknown or suspicious senders—are crucial to preventing illegal access to their information, many patients do not take these precautions, leaving their data vulnerable. A handout reminding patients of these basic safeguards may help insulate the healthcare provider from the patient’s failure to protect his or her own data.
As practitioners who represent patients, doctors, hospitals, or telehealth providers, we owe a duty not only to our clients but to all involved parties to ensure that when we receive records in litigation, we utilize the same safeguards we expect of our clients. The nature of our work allows us to accumulate highly sensitive information and, just like our clients, we are vulnerable to potential breaches. We should follow recommended practices when it comes to cloud computing and storage, email, WiFi, network security, physical security, mobile device management, and privacy notices and policies. These recommended practices include:
- Implementing the data storage guidelines drafted under the Health Information Technology for Economic and Clinical Health Act;[xx]
- Never clicking on unknown links in emails, even if the email is legitimate;
- Never opening attachments from an unknown third-party;
- Not giving out personal information over email unless it is completely secure;
- Setting secure passwords and avoiding use of common words, phrases, or personal information as part of the passwords;
- Updating passwords every 90 days (note that current NIST guidance, SP 800-63B, no longer recommends forced periodic rotation absent evidence that a password has been compromised);
- Using encrypted sites—never email—to transfer protected health information;
- Keeping your operating system, browser, anti-virus and other critical software up to date; and
- Turning off the option to automatically download attachments in email.[xxi]
As a final note, there are cyber insurance policies available for attorneys and law firms and now is the time to add that insurance to provide coverage if “The Wolf” strikes.
“The Wolf” will always be after our clients’ data, but if our clients and our firms continue to take steps to improve security practices, we can keep him at bay. The opportunities that telehealth provides for members of our communities, as well as for our clients, are incentive enough to work through the regulations and the potential threats of litigation. These efforts will limit the “really bad days” and promote important access to healthcare across all of Idaho.
Keely E. Duke is an attorney and managing member of Duke Scanlan Hall PLLC in Boise. She has dedicated her career to defending companies, employers, and individuals in complex litigation. She received her J.D. from Willamette University College of Law and was admitted to the Idaho State Bar in 1999.
Elizabeth D. Sonnichsen is an associate attorney with Duke Scanlan Hall PLLC in Boise. She worked as a civil litigation attorney in California prior to joining Duke Scanlan Hall. She received her law degree from the University of Idaho College of Law and was admitted to the Idaho State Bar in 2014.
[i] Acord, Lance. “The Wolf.” https://vimeo.com/223119985
[ii] Hoffman, Craig, Managing Enterprise Risks in a Digital World, Privacy, Cybersecurity, and Compliance Collide, BakerHostetler 2019 Data Security Incident Report
[iii] Kent, Jessica, Research Shows Telehealth Service Use, Availability on the Rise, mHealth Intelligence, (Mar. 26, 2018), https://mhealthintelligence.com/news/research-shows-telehealth-service-use-availability-on-the-rise
[iv] Press Release, Healthcare Info. & Mgmt. Sys. Soc’y Analytics, HIMSS Analytics 2013 Mobile Technology Survey Examines mHealth Landscape (Feb. 26, 2014), http://bit.ly/1uBlbFa; Matt Mattox, 10 Key Statistics about mHealth (Jan. 15, 2013), http://bit.ly/1lwaaFr.
[v] I.C. § 54-5700, et seq.
[vi] HIPAA Journal, OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule, http://www.hipaajournal.com/ocr-issues-crosswalk-between-nist-cybersecurity-framework-and-hipaa-security-rule-832
[vii] Berg, Nate, Hackers Have Figured Out How Easy it is to Take Down a Hospital, Splinter (Mar. 10, 2016), http://splinternews.com/hackers-have-figured-out-how-easy-it-is-to-take-down-a-1793855277
[viii] Jalali, Mohammad S., PhD, and Jessica P. Kaiser, Cybersecurity in Hospitals: A Systematic, Organizational Perspective, Journal of Medical Internet Research, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5996174/
[ix] Humer, C. & Finkle, J. Your Medical Record is Worth More to Hackers (Sept. 24, 2014) http://www.reuters.com/article/us-cybersecurty-hospitals-idUSKCN-0HJ2I20140924
[x] See, e.g., Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc., 8:14-CV-2052-T-30-TGW, 2015 WL 4936272 at *3 (M.D. Fla. Aug. 18, 2015); Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 17-4177, 2018 WL 6181643 at *5 (6th Cir. Nov. 28, 2018); Bile v. RREMC, LLC, 3:15CV051, 2016 WL 4487864 at *10 (E.D. Va. Aug. 24, 2016).
[xi] Attias v. Carefirst, Inc., 865 F.3d 620, 623, 431 U.S.App.D.C. 273, 276 (C.A.D.C., 2017).
[xii] Kolbasuk McGee, Marianne, Analysis: Cybersecurity Law’s Impact on Healthcare: HIMSS Legislative Expert Outlines Key Provisions and Their Implications, GovInfoSecurity (Dec. 22, 2015), http://www.govinfosecurity.com/interviews/analysis-cybersecurity-laws-impact-on-healthcare-i-3027.
[xiv] Telehealth, Telemedicine and Telecare: What’s What?, Connect2Health FCC Consumer Tips https://transition.fcc.gov/cgb/c2health/c2h-telemedicine-telehealth-telecare-tipsheet.pdf
[xv] Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policy Makers, FTC Report, March 2012, https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf
[xvi] 81 FR 72404
[xvii] Hoffman, Craig, Managing Enterprise Risks in a Digital World, Privacy, Cybersecurity, and Compliance Collide, (Apr. 5, 2019), https://www.lexology.com/library/detail.aspx?g=5d04c72c-0e7a-479e-9db4-861840c6a224
[xviii] Klein, Sharon, Esq. and Jee-Young Kim, Esq. Telemedicine and Mobile Health Innovations Amid Increasing Regulatory Oversight, https://www.aamc.org/system/files/c/2/386042-telemedicineandmobilehealthinnovationsamidincreasingregulatoryi.pdf
[xix] HIPAA Guidelines on Telemedicine, HIPAA Journal, https://www.hipaajournal.com/hipaa-guidelines-on-telemedicine/
[xx] 45 CFR Part 160; HIPAA Administrative Simplification: Enforcement
[xxi] Department of Homeland Security, Protect Myself from Cyber Attacks, (Sept. 20, 2019) https://www.dhs.gov/how-do-i/protect-myself-cyber-attacks