Category — Information Management
Ransomware has become a major threat to electronic records systems worldwide. The US government reported recently that there have been 4,000 daily ransomware attacks so far in 2016! This represents a 300% increase over the number of attacks that occurred in 2015. Hospitals and other healthcare organizations have become popular targets for ransomware attackers. Nearly one half of all U.S. hospitals reported at least one ransomware attack during the past year. The healthcare industry is especially vulnerable because ransomware attacks can block access to Electronic Medical Records (EMR), which can result in patient care services being disrupted. Hospitals and other healthcare providers are updating their Continuity of Operations Plans to address prolonged loss of the EMR and rapid implementation of backup electronic or paper systems.
The rise in ransomware attacks in the healthcare industry has also led to many questions about HIPAA compliance before, during and after an attack. The U.S. Department of Health and Human Services Office of Civil Rights (OCR) issued guidance on July 11, 2016, to address some of these questions. OCR is responsible for HIPAA enforcement and responding to complaints alleging HIPAA violations. The way in which OCR views the interaction of HIPAA and ransomware is relevant for every healthcare organization and every HIPAA business associate. Here are some key take-aways from the OCR guidance:
- A ransomware attack constitutes a “security incident” under the HIPAA Security Rule, and once the ransomware is detected, the covered entity or business associate must implement its security incident response and reporting procedures. The high incidence of ransomware attacks on healthcare providers means that every provider should be conducting exercises to test its security incident and response procedures using ransomware-based scenarios.
- A ransomware attack will probably result in a reportable data breach as defined by HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act). Ransomware works by encrypting data within the EMR so that it cannot be accessed by users. The OCR guidance makes clear that when electronic Protected Health Information (ePHI) is encrypted as a result of a ransomware attack, a data breach has occurred. This is because the act of encryption means the ePHI was “acquired” by the attacker, which is an unauthorized disclosure of the ePHI under HIPAA. Unless the covered entity or business associate can prove that there is a “low probability that the ePHI has been compromised” under the Breach Notification Rule, the breach must be reported.
- Congress is calling for HHS to declare that every ransomware event is automatically a reportable breach, but the guidance does not go that far. The covered entity or business associate that is the victim of a ransomware attack can attempt to demonstrate that there is a low probability that ePHI has been compromised as a result of the attack so that no breach notification is required. The burden of proof is squarely on the covered entity or business associate to prove this. The documentation supporting this determination must be rock-solid, since it could be challenged later. The guidance requires the covered entity or business associate to act in good faith in making this determination and to retain the documentation supporting its determination.
- Even if the ePHI is encrypted within the EMR, the guidance makes clear that a ransomware attack might still be a reportable breach. There must be a fact-specific investigation about how the ePHI was being used at the moment of the ransomware attack in order to determine whether a reportable breach has occurred.
The threat of ransomware is not going away. New viruses are being developed and deployed every single day. Every healthcare organization must assume that it will be attacked by ransomware in the near future and prepare accordingly. This means updating your security incident response plan, educating employees about the ransomware threat, conducting realistic exercises simulating a ransomware attack to identify gaps in your organization’s response, and addressing those gaps quickly.
For additional information, please contact Troutman Sanders Partner and Healthcare Practice Leader, Steve Gravely, at firstname.lastname@example.org and Troutman Sanders Partner, Erin Whaley, at email@example.com.
July 14, 2016
Lately there’s been a flurry of activity related to health IT in the 114th Congress. At the end of March, the House passed the SGR bill, or “Doc Fix,” by an overwhelming vote of 392-37. If there are no hang-ups, the Senate is expected to pass it Tuesday night.
The SGR bill repeals the old formula to pay doctors and creates a new formula for a value-based Medicare payment system. The bill also includes a few key HIT measures: it requires HHS to create metrics to determine if EHRs are interoperable by July 2016, it defines interoperability as the ability of two health systems to exchange clinical data, and it includes language requiring providers to show they are not blocking information – just to name a few provisions.
April 15, 2015
Everyone by now has heard the rhetoric, foreign policy debate and Hollywood gossip surrounding the massive data breach at Sony Pictures Entertainment, reportedly engineered by the government of North Korea. While its immediate impact affects popular culture — withdrawal of the film The Interview from its U.S. premiere and theatrical exhibition — far less discussed have been the likely effects of the high-profile intrusion and theft on cybersecurity issues at the corporate officer and Board of Directors level.
For five reasons, this episode may well (and to this author, should) turn out to be a tipping point in the adoption by corporate boards and officers of strong cyber threat prevention, detection and remediation practices.
- Corporate IP and Trade Secrets Are Valuable. In addition to the internal and embarrassing hacked emails, the Sony Pictures cyber intruders also absconded with the script of a forthcoming, new James Bond film along with internal Sony P&Ls, and actual expense compilations, for movie productions. These are intellectual property (IP) and very sensitive trade secrets, different and far more valuable corporate assets than routine customer social security or credit card information; they represent the results of R&D, thus directly undercutting profitability, and reflect non-public business information subject to extremely limited distribution. Per-picture budgets and profitability, for instance, have been a huge Hollywood issue for decades, with writers, stars and directors all jockeying for a share of profits but largely lacking documentation of actual profit margins. That’s bad enough, but imagine (as a hypothetical) that hackers manage to steal the digital plans for Boeing’s next commercial aircraft, the source code for Microsoft’s next release of Windows, or the even more secret formula for Coca-Cola. Those jewels of corporate intellectual property could be the Chernobyl of cyber breaches if hacked by competitors, extortionists or both.
- Plaintiffs Have Standing to Sue. The federal courts to date have largely been unresponsive to consumer class actions arising from merchant and retailer data breaches, on the theory that until stolen data is actually used against a victim, he or she has not been directly injured and thus lacks standing to sue. That is not the case where it is corporate IP that is hacked, because (a) the stock market quickly adjusts share prices downwards for the costs of legal defense and likely loss of sales revenue, and (b) stockholders by definition have standing to sue where share prices fall, which is classic financial “injury.” This means that claims under the federal securities laws for misleading statements or lack of disclosure related to cybersecurity incidents, as well as so-called derivative actions against directors and officers for negligence or breach of fiduciary duty, are far more likely to be filed and make it to the merits, that is trial. The 100+ lawsuits against Target for its late-2013 consumer breach could understate the claims potentially leveled against Sony management and directors by an order of magnitude.
- Insurance May Not Cover the Losses. Many corporate boards are indemnified by the company, for all but malfeasance or gross negligence, which increases the costs of corporate legal claims arising from cyber breaches. Yet those costs may or may not be covered by ordinary liability and “errors or omissions” insurance policies. The coverage question is complicated, and beyond the scope of this blog, but it’s a fervent area of insurance law with lots of room for missteps, on both sides. Without insurance coverage, management and corporate boards will be forced to take significant charges or reserves against earnings to cover those potentially huge expenses, which only reinforces the financial and likely stock price impacts of hacking.
- State-Sponsored Corporate Hacking is Warfare. The major cybersecurity public policy issue in 2014 was whether threat information should be shared between the private sector and government. Legislation (the Cybersecurity Information Sharing Act or “CISA”) to jump-start threat sharing, by creating public records release and antitrust exemptions, failed in the U.S. Senate. Now it seems that the most immediate result of the Sony Pictures breach will be a non-partisan push for enactment of that bill ASAP, with expansion to include the Department of Defense as well as DHS being rumored. The Washington Post has already reported that “As the fallout from the cyberattack against Sony Pictures grows amid reports that the hack may be linked to the North Korean government, lawmakers and the Obama administration are calling on Congress to focus heavily on cybersecurity legislation after the holiday recess.” Where the cyber threat is from a foreign state, in other words, even the robust capabilities available in private sector data protection are likely insufficient to robustly guard a company’s IP. State-sponsored hacking is corporate espionage on steroids.
- Even Embarrassing Stuff Has Big Legal Consequences. State law has established a number of torts related to the publication of true but embarrassing, or private, information on people, often compiled into a catch-all “invasion of privacy” moniker. Ordinarily it is the publisher or speaker who is liable and the target of litigation claims. But those same torts apply to anyone with a duty of care to the plaintiff, and it is difficult to see how a company does not have a duty to keep private and potentially embarrassing email discussions reasonably safe from theft by outsiders. The legal framework is complicated by more archaic doctrines of ownership of corporate email content, but the risk is extremely large where the industry is a lucrative one. Silicon Valley executives make as much, if not more via stock and options, than their Hollywood counterparts. So the consequence is that more of the privacy tort claims already filed against Sony will become commonplace if internal corporate communications become — as the publicity surrounding Sony Pictures executives’ racially insensitive jokes suggests clearly — a target of hackers looking for blackmail evidence.
Like all prognostications, these are predictions, not guarantees. But the one certain thing is that after the Sony Pictures breach, corporate boards and management will be paying much closer attention to cybersecurity, at the very least because it is now hitting them where it hurts the most: in the pocketbook and bank account.
For more information, please contact Glenn Manishin.
December 19, 2014
If you have a union in your workplace, or if unions have tried to organize workers in your workplace, you know that unions need ways to communicate with your employees. Before the current digital age, unions relied primarily on communicating through informational picketing and leafleting, posters and mailings, and individual and group meetings to encourage unionization or to communicate with members and represented employees. Today, with the modern workplace and internet-connected workers, communications can be conducted far more quickly, efficiently, cheaply and often more effectively through electronic means, such as email. But historically, unions have not been permitted access to company email systems. The current rule is that “employees have no statutory right to use the[ir] Employer’s e-mail system” for non-work-related purposes. If unions and the current Presidential administration get their way, that all might change.
July 22, 2014
Twice previously this year, we posted about the potential consequences to cloud-based media from the legal dispute between streaming video service Aereo and the television broadcast industry. Last week, the Supreme Court, in a 6-3 opinion, resolved much of the uncertainty detailed in those earlier posts. While the Court ruled against Aereo – holding that its transmission of the broadcasters’ content amounted to a public performance and thus violated the networks’ copyright – the majority’s decision took pains to limit its decision to the facts at issue. Justice Breyer, delivering the opinion of the Court, noted that “we have not considered whether the public performance right is infringed when the user of a service pays primarily for something other than the transmission of copyrighted works, such as the remote storage of content.”
June 30, 2014
It should no longer be news that, for parties to most lawsuits, responding to discovery entails searching, reviewing, and producing electronically stored information. Also widely recognized is the fact that electronic discovery can be a costly, time-consuming burden. This burden is magnified for a nonparty subject to a request for ESI who likely won’t see any corresponding upside – that is, no need to use the documents produced to support a claim or defense of their own and no need to receive documents from others for the same purposes. Fortunately, therefore, there are some protections built into the Federal Rules that may minimize the burden to a nonparty on the receiving end of a subpoena. But given the relative scarcity of legal authority on the topic, the varying approaches at the state level, and specific facts of any particular case, nonparties facing discovery demands should try to negotiate a response plan that reduces legal risks and costs. A reasonable plan may even include cost shifting.
June 23, 2014
Over the past few years, both the Equal Employment Opportunity Commission and the Federal Trade Commission have been closely scrutinizing the time-honored practice of employee background checks. We’ve posted about background checks before – particularly the risky business of relying on online information brokers instead of, or in addition to, a bona fide credit reporting agency. But the EEOC and FTC recently took the very unusual step of jointly issuing two guides on employment background checks, so we thought it might be helpful to give our readers a refresher.
May 1, 2014
Recently the United States federal antitrust enforcement agencies — the Federal Trade Commission and the Justice Department’s Antitrust Division — issued a joint policy statement designed to “make it clear that they do not believe that antitrust is, or should be, a roadblock to legitimate cybersecurity information sharing.” The release made headlines globally, but the real story is that the risk of antitrust exposure for exchange of cyber risk information, even among direct competitors, was and remains almost non-existent.
That is because the U.S. antitrust laws (principally Section 1 of the Sherman Act) prohibit horizontal conspiracies and agreements among rivals, like price fixing, that harm competition. In some areas, information exchange can be competitively problematic, for instance where firms share non-public bidding or price data, or M&A transactions where the deal parties “gun jump” by acting as if they were already merged instead of continuing to compete independently. Yet as the policy statement confirmed, “cyber threat information typically is very technical in nature and very different from the sharing of competitively sensitive information such as current or future prices and output or business plans” and is thus “highly unlikely to lead to a reduction in competition.”
That’s hardly new. More than a decade ago DOJ said exactly the same thing in approving a proposal for cybersecurity information sharing in the electric industry, and Antitrust Division chief Bill Baer called the 2014 reaffirmation “an antitrust non-brainer.” But perceptions can have consequences, and some had voiced the fear that the exchange of IT security information among competitors could present a slippery slope, a forum for the kind of hard-core anticompetitive agreements the government loves to prosecute. At least that is what the White House, which called antitrust law “long a perceived barrier to effective cybersecurity,” reasoned in encouraging the FTC-DOJ clarification. So clearing away the underbrush of misinformation should help reassure business executives that companies which share technical cybersecurity information such as indicators, threat signatures and security practices, and avoid exchanging competitively sensitive information like business plans or prices, will simply not run afoul of the antitrust laws.
April 25, 2014
It has now been a few months since AB 370, California’s new “Do-Not-Track” law, went into effect on January 1, 2014. So, now seems like a good time to ask: are you in compliance with AB 370’s mandates? AB 370 requires that operators of websites and other online services and mobile applications, to the extent they collect personally identifiable information through the Internet, must either: (1) disclose how they respond to do-not-track signals from Internet browsers; or (2) provide a clear and conspicuous hyperlink to an online location containing a description of a consumer choice privacy program the operator follows and explain the effects of that program. The law also requires these operators to disclose the type and nature of any third-party tracking occurring on their sites, services, or applications. Technically, AB 370 is limited to online services directed to California, but if your online service is NOT directed at more than 12% of the country’s population, you may need to revisit your online marketing strategy. Regardless, it’s the first do-not-track law in the country and, as such, merits attention.
April 1, 2014
From the Internet’s first commercial availability, porn reigned supreme when it came to Internet usage, and, if we’re honest, innovation. In fact, much of the early Internet innovation we now all take for granted happened first through the Internet porn industry, including such things as credit card payment systems, streaming content and live chat. But for a couple of years now, it’s been widely reported that social media has overtaken porn as the most popular activity on the Internet. Social media’s Internet dominance has even changed the Internet porn industry, with YouTube-like copycat sites devoted to porn.
But in an ironic twist, the two most popular Internet pastimes have come together in a peculiarly sinister way that neither the social media gurus nor the porn pros ever intended – the unfortunate, disturbing and growing Internet phenomenon known as “Revenge Porn.” You’ve probably heard or read something about it by now. But in case the phrase is completely new to you, Wiktionary defines Revenge Porn as “sexually explicit media of a person, such as a former partner, that is distributed online in order to humiliate them as revenge.” So, in perhaps its most “innocent” form, two young love birds caught up in the bliss of a new, mobile-technology-age romance share some nude selfies of each other via text. All is well until the romance fades and ends. Then the guy posts the nude photos of the former apple of his eye online, out of spite. Seriously . . . this actually happens. Don’t people have anything better to do? Clearly, some folks don’t have much of a life.
As distorted as this behavior probably seems to you, however, you most likely read this blog because you have some business or legal interest that involves “the intersection” of the topics we cover here. You’re not likely to take nude selfies, much less share them with anyone. And absent the sickening possibility that some day one of your children might be victimized by this unsavory conduct, why should you even care about Revenge Porn?
March 28, 2014