Cybersecurity Expert Witness
WannaCry ransomware attaches in May 2017 increased the focus on securing health data. Cybersecurity expert witness work in the health care industry requires knowledge of special federal and state statutes, principles, generally accepted standards, industry best practices and guidelines. The Wannacry ransomware cyberattack raises the visibility of the issue and has focused more health care industry security professionals on best practices, processes and technologies. When there are breaches that impact patients of health care providers or members of a health plan, litigation that alleges harm to patients raises questions as to whether all that could be done was done to protect the plaintiff’s information.
Cybersecurity healthcare context
Cybersecurity in a general sense is described as , “…the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access…” Cyber security, also referred to as information technology security, focuses on protecting software, computers, networks that carry data between software and computers, and protect them from unintended or unauthorized access, change, or destruction. There are also best practices for endpoint security, threat intelligence, and incident responses.
A cybersecurity expert witness must be able to articulate key components of the cause or efforts to prevent the cause of a cybersecurity breach. Cybersecurity breaches in healthcare are often called HIPAA breaches, because information is protected in healthcare under the Health Information Portability and Accountability Act (HIPAA) of 1996. Within HIPAA there are both HIPAA Privacy Rule and HIPAA Security Rule statutes that contain specific mandates for the protection of health information. The American Recovery and Reinvestment Act (ARRA) instantiated new statutes under Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub.L. 111–5). The Health Information Technology for Economic and Clinical Health Act, abbreviated HITECH Act, sometimes referred to as the ARRA HITECH Act or simply the HITECH Act adds additional responsibilities for HIPAA Covered Entities. In some respects, HITECH is quid pro quo for the stimulus funds that Covered Entities who are Eligible Hospitals (EHs) or Eligible Professionals (EPs) could receive for moving their paper based information to Electronic Health Records (EHRs).
New regulations propose to end the Meaningful Use stimulus funds paid out to EHs and EPs, but continue to maintain HIPAA Privacy Rule and HIPAA Security Rule as well as HITECH Act information safeguards. The proposal does not focus on any new provisions in the regarding threats posed by cybersecurity vulnerabilities or fend off hackers and ransomware. HIPAA Covered Entities as well as their patients and insureds need to take all reasonable steps to ensure the privacy and security of their information.
WannaCry Guidance from U.S. Health and Human Services
As the WannaCry attack spread, the Trump Administration’s U.S. Department of Health and Human Services set provider calls to help them understand facilities the government’s response to WannaCry. According to HealthcareIT News, the [WannaCry HHS Call] had more than 2,500 participants, most of them from the healthcare community.
In our experience even large Covered Entities never have all of the resources under one roof for compliance and security threat management. Make sure to get outside expertise to complement your internal team.