A WannaCry ransomware message appeared on medical devices and Health IT systems

Cybersecurity Expert Witness & WannaCry in Healthcare

Cybersecurity Expert Witness

When WannaCry ransomware harms the patients of health care providers or the members of a health plan, litigation raises questions. Were all measures taken to protect the plaintiff’s information? Either the plaintiff or the defendant may retain a cybersecurity expert witness.

WannaCry ransomware increased the focus on securing health data. By raising the visibility of the security issue, the WannaCry cyberattack caused the healthcare industry to concentrate on best practices, processes, and technologies.

WannaCry is a global development. It displays its ransom note in English, Chinese, and other languages. In the past, cybersecurity efforts focused on generic approaches. In healthcare, specific standards embody best practices to protect against ransomware.

A cybersecurity expert witness must know the principles, generally accepted standards, industry best practices, and guidelines.

Cybersecurity is “…the body of technologies, processes, practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access…” Cybersecurity is also referred to as “information technology security”.

The focus is therefore on protecting software, computers, and the networks that carry data between them.

In addition, protection from unauthorized access, change, or destruction is part of the best practices strategy. The field of cybersecurity also offers best practices for endpoint security, threat intelligence, and incident response.

Cybersecurity in Healthcare

A cybersecurity expert witness should understand and be able to communicate the key components of breach prevention. Breaches in healthcare cybersecurity are often HIPAA breaches, because healthcare information is protected under the Health Information Portability and Accountability Act (HIPAA) of 1996.

HIPAA has both a Privacy Rule and a Security Rule, each with specific mandates for the protection of health information. The American Recovery and Reinvestment Act (ARRA) of 2009 presented new mandates. These are found in Title XIII of ARRA (Pub.L. 111–5).

Furthermore, the Health Information Technology for Economic and Clinical Health Act, or HITECH Act, creates new responsibilities. Any HIPAA Covered Entity that received stimulus funds is also accountable to HITECH standards.

Eligible Hospitals (EHs) and Eligible Professionals (EPs) therefore receive both a carrot and a stick for moving from paper records to Electronic Health Records.

It is noteworthy that new regulations propose to end the Meaningful Use stimulus funds. The HIPAA Privacy Rule and HIPAA Security Rule continue, as do the HITECH Act information safeguards. At this time, there are proposed changes to Meaningful Use.

These changes do not offer any new provisions for cybersecurity, fending off hackers, or ransomware. Going forward, HIPAA Covered Entities, as well as their patients and insureds, need to take all reasonable steps to ensure the privacy and security of their information.

WannaCry and U.S. Health and Human Services

As the WannaCry attack spread, the Trump Administration’s Department of Health and Human Services (HHS) set up provider calls to help. Healthcare IT News reported that more than 2,500 people attended those HHS calls.

A Cybersecurity Expert Witness Must Understand WannaCry with Respect to HITECH and HIPAA

In our experience, even large Covered Entities don’t have all of the resources under one roof. Compliance and security threat management require outside expertise to complement an internal team.

Thus, a cybersecurity expert witness should understand that the HITECH Act and the HIPAA Privacy and Security Rules together combat ransomware attacks such as WannaCry.


Michael F. Arrigo

