The Global Cyber Attack on Healthcare
September 28, 2017 at 04:50 PM
The original version of this story was published on Law.com
As of late, ransomware attacks are inspiring a reassessment of cybersecurity in the healthcare industry. Cyberattacks in the healthcare industry are spreading like wildfire across the globe, affecting thousands of individuals and healthcare companies. So, what should the response be to these threats?
David P. Saunders, partner at Jenner & Block, sat down with Inside Counsel to discuss steps for companies to take to better defend against the next cyberattack. As evidenced by many recent attacks, it is likely that the volume of cyber incidents will increase before it decreases, according to Saunders.
“Going for medical treatment is typically a scary enough experience, which puts everyone on edge. Now imagine a world in which patients are told by their doctors, hospitals, and other healthcare providers that they must wait, go to another facility, or worse yet, have their treatment postponed because the healthcare provider cannot access necessary records or machinery,” he explained. “Such is the age we live in.”
For several years, IT and cybersecurity consultants have been warning that hospitals and healthcare providers that have historically used outdated operating systems, software, or technology were prime targets for ransomware or other cyberattacks. Yet cybersecurity is expensive, and in the healthcare space it has received lower priority than upgrades to the equipment needed to perform services, such as new MRI tubes, or better physical spaces. With the recent surge of cyberattacks, the business people who drive healthcare spending are finally reprioritizing that spending to fund cybersecurity.
When WannaCry effectively shut down medical treatment in the United Kingdom, and then weeks later, another attack hit the medical and healthcare providers in the Ukraine, the healthcare industry was served a wakeup call that few outside the IT and cybersecurity world could have imagined. In June 2017, just a few weeks after WannaCry swept the globe, the Health Care Industry Cybersecurity Task Force issued a report on improving cybersecurity in the healthcare industry. While the Task Force's report spanned many issues related to healthcare, there was one theme: the need to improve awareness of cybersecurity threats from the doctors to the board room.
According to Saunders, the recent cyberattacks have demonstrated to everyone that the risk of lax cybersecurity measures is real and costly. While upgrading and enhancing electronic systems to be more secure is expensive, that cost pales in comparison to the cost of breach penalties and fines; defending litigation arising out of cyberattacks; and the brand damage that occurs to major hospitals that are struck by an attack. Over the past several years, healthcare providers, electronic health records companies and insurance providers have been the targets of cyberattacks. A big reason for hackers' increased attention to healthcare services is that the industry has a lot of sensitive information, like Social Security numbers, insurance IDs, and bank account or credit card information.
“The seriousness of WannaCry, Petya, and subsequent attacks has caused those in the healthcare space to reassess how to prepare for a cyberattack, and identify and mitigate cybersecurity risks,” he said. “We are seeing increased spending on cybersecurity, increased attention being paid to it in the board room, increased training and awareness efforts, and industry-wide efforts to share information to combat attacks as they happen.”
The key steps for companies to take to better defend against the next cyberattack, according to Saunders, include the following:
Update Operating Systems and Retire Legacy Systems: Most cybersecurity threats focus on low-hanging fruit: companies, tools, and applications that rely on operating systems that are no longer supported by their designers. These older systems leave exposed security flaws and gaps that hackers and others can readily exploit.
Test, Test, Test: Test infrastructure and employees. Make sure that the systems are responding the way they should to pings and other attempted penetrations. For your employees, send fake phishing emails and see if people take the bait. If they do, direct them to a training page, where they can learn the risks of their actions. Make sure that your infrastructure and your people know how to identify and appropriately respond to potential attacks.
Plan: What happens when you detect an attack? This question should be clearly answered in an internal document that is distributed to the appropriate personnel at the company.
“The wealth of information that can be obtained or the value of preventing access to the information is immense,” he explained. “Therefore, the smart money is on an increased volume of cyber incidents until the healthcare services industry proves that it is no longer low-hanging fruit. Only when a hack becomes easier somewhere else, or when the healthcare services industry has fortified its defenses to deter attacks, will the amount of incidents decrease in the healthcare arena.”