What Are the Bad Guys Up to Now? Hacking Health-Care Records, Apparently

As if it were not bad enough that hackers are attacking retail businesses like Target and Neiman Marcus to obtain consumer credit card information, it turns out that the bad guys are also targeting health-care records. According to sources cited in a February 18, 2014 Wall Street Journal report entitled “Nursing Homes Are Exposed to Hacker Attacks” (here), investigators have uncovered an Internet file-sharing site where hackers have posted critical information about health-care organizations' network systems that could allow others to access electronic medical records and payment information from health-care providers.

According to sources cited in the Journal article, the networks of about 375 U.S.-based health-related institutions, including hospitals, physicians’ offices, pharmaceutical companies, and health-plan managers, were compromised by hackers in September and October 2013. Some of the information accessed by these intrusions has wound up on a file-sharing site, where hackers dump data. The information on the site details the type of equipment used in computer networks, the internal addresses for computers and other devices, and the passwords to network firewalls run by health-care providers.

Information available on the file-sharing site drawn from three specific nursing homes identified in the article apparently was obtained by access to the software of a specific medical software vendor that the three institutions used. The article also states that health-care organizations increasingly are having trouble protecting data because medical equipment such as dialysis and imaging machines can be accessed through the Internet. (The machines are attached to the Internet so that the machines’ software can be administered or updated remotely.) There are, the article notes, an increasing number of entry points hackers can use to access health-care facilities to try to access electronic medical records or billing systems containing credit card information.

The incentives for the hackers are significant. According to the article, medical records sell for about $60 each on the black market, while credit-card information typically goes for about $20. For that reason, “the bad guys in the cyberuniverse definitely have set their sights on health-care records,” according to one commentator quoted in the article. However, according to a report cited in the article, security practices at health-care providers generally are not keeping pace with the high volume of attacks.

The findings in the article have a number of important implications for health-care providers and their service providers, particularly the importance of assessing network security vulnerabilities and addressing concerns. However, as the sequence of events following the disclosure of the Target breach shows, another concern for these companies is their potential litigation exposure. Target has been hit with a wave of consumer class actions following news of the breach in its systems, as were other retailers whose networks were recently hacked. The hackers’ focus on health-care records underscores the fact that health-care organizations may face the same litigation exposures as the retailers. This exposure is not limited just to hospitals and other patient care facilities (such as nursing homes and diagnostic testing centers), but also includes health care service and equipment providers, including potentially even software firms and medical equipment manufacturers.

These litigation risk exposures, as well as the need for companies hit with a breach to try to deal with notification requirements and remediation issues, highlight the need for companies in these industries to ensure that their insurance program includes a robust program of privacy liability and network security insurance. Nor are these concerns limited just to firms in these health-care related industries – there is not a day that goes by that there is not a report of another company experiencing a breach. Today, it was Kickstarter, the Internet funding portal (about which refer here). Tomorrow it will be another company in another industry.

The point is that we have long since reached the point where privacy liability and network security insurance is an indispensable part of every organization’s insurance program.

It is also important to keep in mind that the litigation exposure associated with a network security breach is not limited to just the possibility of consumer actions. As was evidenced in connection with the Target breach, a significant network security breach can also lead to D&O lawsuits as well (as discussed here). I suspect that we will find in the months ahead that these kinds of lawsuits may become increasingly common. As I have noted previously, the risks of D&O litigation arising from the possibility of a cyber breach include the prospect of shareholder litigation arising from disclosures regarding the company’s privacy and network security practices.

We are already to the point where companies need to take these litigation possibilities into account when considering such basic issues as how much D&O insurance to purchase.

What “Transactional” Skills Should Lawyers in Training Be Taught?: The American Bar Association and a number of other bar groups are exploring the possibility of establishing minimum requirements within accredited law schools related to building practical skills and competencies. The issue these initiatives present is the question of what topics constitute “skills and competencies,” particularly for transactional attorneys.

To address this issue, the Berkeley Center for Law, Business and the Economy at Boalt Hall Law School, UC Berkeley, has developed an on-line survey to try to establish what competencies professionals in transactional practices consider important. The survey’s authors hope the survey results will help both practitioners and legal educators assess and, if appropriate, work to amend the current proposed guidelines. Though the survey is directed to practicing attorneys, it is also open to others who work with transactional attorneys (such as bankers, accountants, etc.).

The survey’s authors are hoping to get as broad a response as possible. The authors are asking everyone to complete the survey and to ask colleagues and contacts to complete the survey as well. The survey can be found here. When the survey is complete, the results will be available on the Center’s website, here.

Can You Please Do That Somewhere Else?: I frequently think newspaper editors don’t read their own headlines. The latest example of this appeared in the February 18, 2014 issue of USA Today, which carried an article headed “Monster Asteroid Whizzes by Earth.”

 Read other items of interest from the world of directors & officers liability, with occasional commentary, at the D&O Diary, a blog by Kevin LaCroix.

Comments

Alice
  • 11-29-2014

It is unique content and I like this version. It is one of the best articles to read; knowledge will increase. Your approach to this post is unique and appreciated. www.assignmentmarket.co.uk

Micheal Elijah
  • 03-03-2015

The article also states that health-care organization more and more are have problem defensive data because health check tackle such as dialysis and imaging equipment can be access throughout the Internet. See at more: http://www.aonepapers.com

RichardSpencer
  • 03-30-2015

You done certain good points there. I did a search on the subject and found nearly all persons will agree with your blog.

Stefany
  • 06-18-2015

I really can't express to you how much I appreciate your post!

Stefany
  • 06-18-2015

Don't feel stressed during your studying in college or university with http://ukessaywriter.co.uk

Ivy Ball
  • 08-11-2015

Thanks for telling me about this brand new things I just love this all totally a nice and the best one.

www.assignmentarena.co.uk

Nikkimaria
  • 08-28-2015

Medical identity theft is often not immediately identified by patients or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected. www.assignmentcafe.co.uk/assignment-writing-service-uk

Ashley
  • 09-17-2015

This is truly a great acknowledgement such as  imaging equipment can be access throughout the Internet.

www.peakdissertation.co.uk

Mace
  • 10-04-2015

That makes therapeutic information more important than Mastercards, which have a tendency to be immediately wiped out by  once extortion is identified.  http://essayleaks.com/

Earnest
  • 10-05-2015

The fact of the matter is that we have since a long time ago came to the point where protection obligation and system security protection is a crucial piece of each association's protection program. http://www.aciano.net/

Anna
  • 10-29-2015

As contrasted with the numerous articles I have already browsed on the material, the one is replete with original concepts. This site permanently delivers dozens of fascinating materials on the popular problems.

Holly Murray
  • 01-30-2016

A report cited in the article, security practices at health-care providers generally are not keeping pace with the high volume of attacks. Your reputation is our aim and cheap http://customessayonline.com/ service helps you to fulfill your needs of writing.