Healthcare News first published this article “Infecting the Hippocratic Oath” on April 9, 2019.
–Carl Edward Sagan
Medicine Gets Sick
Somewhere deep within the labyrinth of regulations promulgated since Congress passed the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) in 2009 exists health care’s very own Kobayashi Maru. Mindful of the draconian consequences in deviating from the so-called HIPAA Privacy Rule, health care practitioners who follow these national standards to defend individual medical records and other protected health information (“PHI”) sometimes must stand down like a Star Fleet cadet forced to watch the entire crew and passengers of another vessel perish. On the other hand, those rogue clinicians who chose rescue over risk may face attack from federal and state authorities.
Governmental response to lapses in safeguarding PHI is due, in part, to algorithmic steps undertaken by malware, including exfiltration attempts between the malware and attackers’ command and control servers, not to mention the possibility of malware propagating to other systems, potentially affecting additional sources of electronic PHI (“ePHI”). While digitizing patient medical records remains a top national priority, fear of compromising confidentiality is still its greatest obstacle. To the unwitting health care provider, the choice between an investigation by the Office of Civil Rights (“OCR”) or a threat from ordinary malware may be just as devastating as an attack from a Klingon Negh ‘Var-class warship.
The Cost to Comply
Health care must finally surrender to systemic futility when providers wage war against disease with an arsenal that protects PHI first. Even under the guise of the Hippocratic Oath and its sacrosanct directive to help or at least do not harm the patient, the physician may not risk PHI exposure. Hippocrates’ lesser known principle included an obligation to keep the “holy things” of medicine confidential, and federal and state regulations remain vigilant as to both. Those responsible for drafting patient privacy laws, however, never imagined a malicious software from cryptovirology could make public PHI or perpetually block all access until a ransom is paid, or that it would occur 181.5 million times in the first six months of 2018 alone.
Nevertheless, in addition to the estimated business loss of $8,500 per hour due to ransomware-induced downtime, health care providers must also determine whether or not the presence of a virtual infection constitutes a breach under the HIPAA Privacy Rule, defined as “the acquisition, access, use, or disclosure of PHI in a manner not permitted . . . which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.6. When ransomware attacks encrypt ePHI, this may be a breach of the HIPAA Privacy Rule because the encrypted ePHI was “acquired” (unauthorized individuals have taken possession or control of the information).
Unless the covered entity or business associate can demonstrate a “low probability that the PHI has been compromised,” there is a presumption of breach and obligation to comply with notification provisions, including a report to the Secretary of Health and Human Services (“HHS”) and possibly even the media (for breaches affecting over 500 individuals). See 45 C.F.R. 164.400-414. Only a risk assessment considering specific, statutory factors can establish a low probability of compromised PHI. A provider may show mitigation following a successful ransomware attack through the implementation of a robust contingency plan, including disaster recovery and data backup protocol, all of which must be thorough, conducted in good faith, and reasonable.
Modern Day Rules of Engagement
Computer viruses, however, are a funny thing, especially when mixed with politics and high profile victims. In 2014 a devastating cyberattack on Sony Pictures established partisan lines on how to characterize such threats, ranging from President Barack Obama downplaying the hostility to rhetoric from the recently-deceased Senator John McCain vigilantly calling cyber-vandalism a new form of war. This distinction is hardly semantics, especially in assessing the appropriate role a health care provider must play when under cyberattack. Does a response fall within the bailiwick of the provider or the nation within which the provider conducts business? Moreover, why is the provider always to blame, even if a foreign nation launches the cyberattack?
Article I, Section 8, Clause 15 of the U.S. Constitution grants Congress the power “[t]o provide for calling forth the Militia to execute the Laws of the Union, suppress insurrections and repel invasions.” Clause 11 authorizes Congress to “declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water.” Such language supports the Constitution’s preamble, to “insure domestic Tranquility, provide for the common defense, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity.”
When the Japanese air force bombed Pearl Harbor on December 7, 1941, the federal government did not punish the citizens of the Hawaii Territory. Likewise, Wall Street did not endure regulatory penalties following the aerial attack on both towers once known as the World Trade Center. Even Dolly Madison escaped a fine when she gathered the Lansdowne portrait before British soldiers set fire to the White House in 1814. Instead, the federal government took charge each time, joining the allied forces in the Second World War, launching missiles into the bedrock of Afghanistan following the attacks on September 11, 2001, and eventually forcing the United Kingdom back across the Pond after signing the Treaty of Ghent. Indeed, a fundamental tenet of federalism, codified throughout the U.S. Constitution, is a national military relieving each state from the need to defend its own territory.
Beware of the Fail Whale
Those charged with protecting the nation one patient at a time, however, are mindful the federal government punishes victims of cyberterrorism, whether the attack comes from an antiquated virus or the latest and greatest in technology. In health care, modern day cyberwarfare focuses on PHI that is not secured through the use of a technology or methodology specified by the federal government. Only if a rogue third party encrypts ePHI in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals such that it is no longer “unsecured PHI,” then breach notification is not required. However, additional analysis must still ensure that the encryption solution, as implemented, rendered the affected PHI unreadable, unusable and indecipherable to unauthorized persons.
For example, if a laptop encrypted with a full disk encryption solution in a manner consistent with HHS guidance is properly shut down and powered off before lost or stolen, the data on the laptop would be unreadable, unusable and indecipherable to anyone other than the authenticated user. Because the PHI on the laptop is not “unsecured PHI”, a covered entity or business associate need not perform a risk assessment to determine a low probability of compromise or provide breach notification. However, if a third party traveling across the Internet stumbles upon a powered up laptop for an authenticated user who happens to click on a link to a malicious website that infects the laptop with ransomware, there could be a breach of PHI.
Whether attack comes from militia or malware, times of war can blur the lines between negligent and fortuitous. Somewhere between its July 2006 launch and 2013 initial public offering, the online news and social networking service known as Twitter struggled to maintain an infrastructure that by 2016 would support 319 million monthly active users. When Twitter servers tanked, the iconic Fail Whale appeared on screen to gently notify those in the midst of a Tweet about the Website’s overload, a kinder, gentler response than simply flashing user’s with “ERROR_DISK_FULL” or some functional equivalent. While the 140 or 280 characters used to create a Tweet rarely contain compromised PHI, there is a lesson learned when a company valued at $31 billion after its IPO relied almost exclusively in its early years on the image of a whale held up by birds and nets to notify users of a system-wide issue.
Health care’s room for Internet error is practically non-existent, which is problematic in an industry where profit margins can be anemic at best. A meaningful solution to meaningful use created a $24.9 billion industry in 2017, and that may exceed $33.3 billion by 2023. A seemingly prohibitive cost, tales of Anthem’s 2015 breach that resulted in a $16 million fine by the federal government and a $115 million class action settlement should provide incentive for providers to pay the price before, not after. In health care’s no-win situation, however, most providers recognize with even the strongest safeguards, there may still be a need to pay twice.