Dubai Tech News

Is Malware The New Frontier Of Medical Malpractice?

Greg Murphy, Forbes Councils Member, Forbes Technology Council. Council Post: expertise from Forbes Councils members, operated under license. Opinions expressed are those of the author. Jul 11, 2022, 08:45am EDT.

As President and CEO of Ordr, Greg is responsible for the overall vision and strategy of the enterprise IoT security company.

The stakes for poor cybersecurity readiness in healthcare are rising, and lawmakers are taking notice. Recent events may have put the healthcare industry on the threshold of a new era, one in which a failure to follow best practices and defend against known threats could make device manufacturers and healthcare delivery organizations (HDOs) liable not just for compromised data but for harm to patients. On July 16, 2019, Teiranni Kidd checked in to Springhill Medical Center in Mobile, Alabama, for a cesarean section.

The next day, her baby was delivered with its umbilical cord wrapped around its neck, resulting in severe brain trauma. The infant died the following April due to ongoing complications. Two months later, Kidd sued Springhill, stating she “was not told that the hospital’s computer systems had been hacked, that they were not operating as needed and that patient safety was implicated and could be compromised.”

Kidd alleges that the ransomware attack prevented medical professionals at Springhill from conducting tests that might have revealed the infant’s condition, possibly preventing the injury. Had she known, Kidd says she would have chosen to deliver her baby elsewhere. The case remains before the Circuit Court of Mobile County, Alabama, and its outcome could have major implications for how the courts view healthcare cybersecurity and its role in medical malpractice.

Even if Kidd does not prevail, similar lawsuits are likely to follow.

A Duty To Take Responsible Steps

In December 2021, concurrent with the ongoing litigation between Kidd and Springhill, a critical remote-code-execution vulnerability (CVE-2021-44228, nicknamed Log4Shell) was disclosed in Apache Log4j, an open-source Java logging library embedded in a vast number of commercial and in-house applications. Cybercriminals eagerly took advantage.

The fix itself was simple: the Apache Software Foundation published patched releases, and upgrading a known Log4j instance was a small change. The hard part was inventory. Log4j ships inside thousands of third-party products and appliances, so many organizations could not tell where it was running. Some patched quickly, but, as is often the case, others did not. And some device manufacturers and technology providers were slow to determine and disclose whether their products were affected, leaving their customers unable to assess, let alone mitigate, their own exposure.

As the problem persisted, the Federal Trade Commission (FTC) issued a stern warning in a January 4, 2022 memo. “When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm-Leach-Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

Citing its $700 million action against the consumer credit reporting agency Equifax for a failure to patch a known vulnerability, the Commission said, “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”

What Is Medical Malware Malpractice?

The position of the FTC and other regulatory agencies is that tech vendors and user organizations are responsible for protecting their products and infrastructures against well-known threats, and that a failure to mitigate those threats makes them liable for the outcome.

Given what is transpiring in Kidd v. Springhill, the healthcare industry should pay attention: these assertions, and any subsequent actions taken to prosecute organizations that fail to protect themselves from “known software vulnerabilities,” could implicate hospitals and HDOs hit by ransomware and other common attacks. Hospitals are frequent targets of threat actors.

According to industry reports, 679 hospitals were breached by cyberattacks in 2021, an all-time high for the industry, and the U.S. Department of Health and Human Services warns that those numbers could rise.

And while most malicious hackers do not set out to cause physical harm to patients, deploying ransomware to take control of medical devices and disrupt clinical operations has deadly potential. A cyberattack that succeeds through a known, preventable attack vector and hinders a hospital’s ability to provide sufficient care could make that hospital liable for any associated outcomes. In other words, poor cybersecurity practices could be tantamount to medical malpractice.

We know cyberattacks are coming. We know their potential to harm patients. Physicians have complained for decades about the rise in malpractice lawsuits, yet the standard those suits enforce is clear: follow established best practices to address the known risks of a procedure. Cybersecurity professionals in healthcare have a similar obligation.

“We didn’t know” is an unacceptable defense.

Policymakers Losing Patience

Recent research found that 53% of connected medical devices, known as the Internet of Medical Things (IoMT), contain vulnerabilities. The threat to hospitals and their patients prompted the FDA to issue draft guidance for improving IoMT security.

A bill known as the PATCH Act that would require stronger IoMT security is also before Congress and could give the FDA enforcement authority for noncompliance. While initial regulation has focused primarily on the obligations of vendors and device manufacturers, these developments suggest that tolerance for organizations that fall victim to cyberattacks is waning, especially among policymakers who want to hold critical infrastructure operators to a higher standard of readiness. Talking to MIT Technology Review, Senator Ron Wyden said, “There’s a tendency to hype the capabilities of the hackers responsible for major cybersecurity incidents, practically to the level of a natural disaster or other so-called acts of God. That conveniently absolves the hacked organizations, their leaders, and government agencies of any responsibility. But once the facts come out, the public has seen repeatedly that the hackers often get their initial foothold because the organization failed to keep up with patches or correctly configure their firewalls.”

Wyden is right.

While no organization can ever be immune from cyberattacks, organizations known to be under frequent assault from threat actors should invest in the tools and practices available to them: an accurate inventory of every connected device, timely patching of known vulnerabilities, network segmentation for devices that cannot be patched, and the ability to detect and respond quickly when an attack occurs. By better protecting themselves and their patients in this way, they fulfill their sacred obligation to “do no harm.”

Greg Murphy

From: forbes
