With hackers quickly gaining greater access to sensitive health and insurance data, a March 29 conference offered lawyers strategies to help clients understand, prevent and respond to cyberattacks.
The conference, held at the Kline Institute of Trial Advocacy, was organized by Professor Paul Flanagan, director of the Compliance program, Professor Barry Furrow, director of the Health Law program, adjunct Professor Sara Goldstein, ’11, an associate at Baker Hostetler, and practice Professor David Hoffman, the founder of Hoffman & Associates PC.
Over the next three years, industries will incur damages of $6 trillion due to cyberattacks, said Barbara Holland, mid-Atlantic regional manager of the U.S. Department of Health and Human Services’ Office of Civil Rights, citing a Cybersecurity Business Report released by Cybersecurity Ventures.
“This is the greatest transfer of economic wealth in history,” said Holland, whose office enforces laws designed to protect patients’ rights, including privacy.
While all industries are vulnerable, health care incurs the most frequent cyberattacks, Holland said, adding that the pace of occurrences is expected to quadruple by 2020.
Health care is an easy target, both because the industry has been slow to update its cybersecurity practices and because data involving personal health records has significant value, said Sarah Wolfe, an assistant U.S. Attorney in the Eastern District of Pennsylvania who focuses on cybercrime and national security.
Hackers have expanded their capacity to steal, alter and sell patient records, encrypt data, extort ransom payments and bring down entire data networks, Wolfe said.
The number of ransomware attacks rose 89 percent in 2017, Wolfe said, adding that the six largest events were in the health sector. Attackers were able to shut down the entire health care system in the United Kingdom for more than a week, and they made inroads closer to home, accessing 300,000 records from the Pennsylvania-based Women’s Health Care Group.
Since December 2017, organizations victimized by ransomware have paid nearly $1 million, a practice that law enforcement officials discourage, Wolfe said.
It’s wise to involve law enforcement, Wolfe added, since investigators have a unique perspective and, through undercover operations in criminal markets, can bring insights into specific attacks.
Brian Karcher, an FBI cyberagent based in Philadelphia, agreed.
“We don’t recommend paying,” Karcher said, acknowledging that health care organizations need immediate access to sensitive patient information. “It’s a life or death situation.”
Numerous nation-states have built massive government apparatuses that carry out cyberattacks, while criminal groups are pursuing them separately, Karcher said.
“There’s an explosion of activity,” he said, adding that health care organizations are also at risk of insiders cooperating with attackers, due to high staff turnover and a workforce that includes low-paid employees.
Once hacked, health care organizations face a gauntlet of procedures and uncertainty, said Pablo Molina, the chief information security officer for Drexel University.
When law enforcement gets involved, Molina said, there are roadblocks to disclosing information quickly.
“They tell you not to disclose technical details surrounding the breach,” Molina said. “You’ll compromise the investigation and alert other bad guys to your vulnerabilities.”
It’s critical for in-house attorneys to help assemble a response team that has all of the knowledgeable parties at the table, said Sharon Sorokin, senior counsel for Main Line Health, where the records of 11,000 employees were compromised through a phishing attack.
In addition to bringing in outside counsel, the FBI and the IRS to address a range of issues the attack caused, Sorokin said, the organization redoubled efforts to keep employees informed and well trained.
Tech companies have begun advising companies about steps they should take, but they lack the expertise on compliance issues that attorneys can provide, said Rebecca Rakoski, managing partner of XPAN Law Group, a boutique firm that handles cybersecurity issues.
Much of XPAN’s practice involves working with clients to promote a culture of security and awareness of how their data is handled, Rakoski said.
Health care organizations should be careful about contracting with vendors who lack a sophisticated understanding of cybersecurity issues, since connections to a vendor’s systems can expose the organization’s own networks and servers to attack, she said.
Baker Hostetler handled more than 570 incidents involving data breaches in 2017, more than a third of which involved health care providers, Goldstein said.
When contacted by a provider or a cyber liability insurance carrier, the firm assesses the scope of the issue and the degree to which federal and state laws come into play, Goldstein said.
After a forensic review is completed and a determination is made where affected patients live, Goldstein said, the firm pinpoints steps that need to be taken, based on laws that may apply in those states.
State attorney general offices have begun to step up enforcement efforts significantly, Goldstein said.
Leonard Deutchman, the vice president of KLDiscovery, said clients should be encouraged to back up their data frequently.
An archive that includes numerous pre-breach as well as post-breach backups may permit forensic analysts to find important evidence, Deutchman said.
“Before you might recognize the problem, evidence of the problem may be building,” he said.