
Cybersecurity Expert Witness & WannaCry in Healthcare

Cybersecurity Expert Witness

When WannaCry ransomware harms the patients of health care providers or the members of a health plan, litigation raises questions. Were all reasonable measures taken to protect the plaintiff's information? Either the plaintiff or the defendant may retain a cybersecurity expert witness.

First of all, WannaCry ransomware increased the focus on securing health data. By raising the visibility of the security issue, the WannaCry cyberattack pushed the healthcare industry to concentrate on best practices, processes, and technologies.

WannaCry is a global development. It displays its ransom note in English, Chinese, and other languages. In the past, cybersecurity efforts focused on generic approaches. In healthcare, specific standards embody the best practices for protecting against ransomware.

A cybersecurity expert witness must know the principles, generally accepted standards, industry best practices, and guidelines.

Cybersecurity is "...the body of technologies, processes, practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access..." Cybersecurity is also referred to as "information technology security".

As a result, the focus should be on protecting software, computers, and the networks that carry data between them.

In addition, protection from unauthorized access, change, or destruction is part of the best practices strategy. The field of cybersecurity also offers best practices for endpoint security, threat intelligence, and incident response.

Cybersecurity in Healthcare

A cybersecurity expert witness should understand and be able to communicate the key components of preventing a breach. Breaches in healthcare cybersecurity are often HIPAA breaches. This is because healthcare information is protected under the Health Information Portability and Accountability Act (HIPAA) of 1996.

HIPAA has both a Privacy Rule and a Security Rule. These rules carry specific mandates for the protection of health information. The American Recovery and Reinvestment Act (ARRA) of 2009 presented new mandates. These are found in Title XIII of ARRA (Pub.L. 111-5).

Furthermore, the Health Information Technology for Economic and Clinical Health Act, or HITECH Act, creates new responsibilities. Any HIPAA Covered Entity that received stimulus funds is also accountable to HITECH standards.

Eligible Hospitals (EHs) and Eligible Professionals (EPs) therefore receive both a carrot and a stick for moving from paper to Electronic Health Records.

It is noteworthy that new regulations propose to end the Meaningful Use stimulus funds. The HIPAA Privacy Rule and HIPAA Security Rule continue, and so do the HITECH Act information safeguards. At this time, there are proposed changes to Meaningful Use.

These changes do not offer any new provisions for cybersecurity, fending off hackers, or ransomware. Going forward, HIPAA Covered Entities, as well as their patients and insureds, need to take all reasonable steps to ensure the privacy and security of their information.

WannaCry and U.S. Health and Human Services

As the WannaCry attack spread, the Trump Administration's Department of Health and Human Services set up provider calls to help. HealthcareIT News reported that HHS held calls that more than 2,500 people attended.

Cybersecurity Expert Witness Must Understand WannaCry with respect to HITECH and HIPAA

Most of all, in our experience, even large Covered Entities do not have all of the needed resources under one roof. Compliance and security threat management require outside expertise to complement an internal team.

Thus, a cybersecurity expert witness should understand that the HITECH Act and the HIPAA Privacy and Security Rules together combat ransomware attacks such as WannaCry.


Michael F. Arrigo

Michael Arrigo brings four decades of experience in the software, financial services, and healthcare industries. In 2000, Mr. Arrigo founded No World Borders, a healthcare data, regulations, and economics firm with clients in the pharmaceutical, medical device, hospital, surgical center, physician group, diagnostic imaging, genetic testing, health IT, and health insurance markets. His expertise spans the federal health programs Medicare and Medicaid and private insurance. He advises Medicare Advantage Organizations who provide health insurance under Part C of the Medicare Act. Mr. Arrigo serves as an expert witness regarding medical coding and medical billing, fraud damages, as well as electronic health record software for the U.S. Department of Justice. He has valued well over $1 billion in medical billings in personal injury liens, medical malpractice, insurance fraud cases. The U.S. Court of Appeals considered Mr. Arrigo's opinion regarding loss amounts, vacating, and remanding sentencing in a fraud case. Mr. Arrigo provides expertise in the Medicare Secondary Payer Act, Medicare LCDs, anti-trust litigation, medical intellectual property and trade secrets, HIPAA privacy, health care electronic claim data Standards, physician compensation, Anti-Kickback Statute, Stark law, the Affordable Care Act, False Claims Act, and the ARRA HITECH Act. Arrigo advises investors on merger and acquisition (M&A) diligence in the healthcare industry on transactions cumulatively valued at over $1 billion. Mr. Arrigo spent over ten years in Silicon Valley software firms in roles from Product Manager to CEO. 
He was product manager for a leading-edge database technology joint venture that became commercialized as Microsoft SQL Server, Vice President of Marketing for a software company when it grew from under $2 million in revenue to a $50 million acquisition by a company now merged into Cincom Systems, hired by private equity investors to serve as Vice President of Marketing for a secure email software company until its acquisition and multi-million dollar investor exit by a company now merged into Axway Software SA (Euronext: AXW.PA), and CEO of one of the first cloud-based billing software companies, licensing its technology to Citrix Systems (NASDAQ: CTXS). Later, before entering the healthcare industry, he joined Fortune 500 company Fidelity National Financial (NYSE: FNF) as a Vice President, overseeing eCommerce solutions for the mortgage banking industry. While serving as a Vice President at Fortune 500 company First American Financial (NYSE: FAF), he oversaw eCommerce and regulatory compliance technology initiatives for top ten mortgage banks and led the Sarbanes Oxley Act Section 302 internal controls IT audit for the company, supporting Section 404 of the Sarbanes Oxley Act. Mr. Arrigo earned his Bachelor of Science in Business Administration from the University of Southern California. Before that, he studied computer science, statistics, and economics at the University of California, Irvine. His post-graduate studies include biomedical ethics at Harvard Medical School, biomedical informatics at Stanford Medical School, blockchain and crypto economics at the Massachusetts Institute of Technology, and training as a Certified Professional Medical Auditor (CPMA). Mr. Arrigo is qualified to serve as a director due to his experience in healthcare data, regulations, and economics, his leadership roles in software and financial services public companies, and his healthcare M&A diligence and public company regulatory experience.
Mr. Arrigo is quoted in The Wall Street Journal, Fortune Magazine, Kaiser Health News, Consumer Affairs, National Public Radio (NPR), NBC News Houston, USA Today / Milwaukee Journal Sentinel, Medical Economics, Capitol Forum, The Daily Beast, the Lund Report, Inside Higher Ed, New England Psychologist, and other press and media outlets. He authored a peer-reviewed article regarding clinical documentation quality to support accurate medical coding, billing, and good patient care, published by the Healthcare Financial Management Association (HFMA), and is published in Healthcare IT News.
