Class action complaint filed as St. Jude’s Medical responds to cybersecurity allegations

Following a report by Muddy Waters Capital LLC stating that St. Jude’s Medical (SJM) pacemakers, implantable cardioverter defibrillators (ICDs), cardiac resynchronization therapy (CRT) devices, and other implantable cardiac devices should be recalled due to the risk of cyberattack, attorneys for a patient with such a device filed a class-action complaint in the Central District of California alleging that the patient would not have undergone surgery to be implanted with the device if he had been aware of the “severe security vulnerabilities” alleged in the report. SJM responded to the Muddy Waters report in a press release, stating that the claims were misleading and unfounded.

Cyberattacks against devices

Muddy Waters claimed it has seen demonstrations of two types of cyberattacks against SJM implantable cardiac devices: (1) a “crash” attack causing the device to malfunction, for example, by pacing at a potentially dangerous rate, and (2) a battery drain attack that could be potentially harmful to device-dependent users. Muddy Waters stated that it finds these vulnerabilities to be more worrying than other medical device hacks publicly discussed in the past, as they take less skill and can be directed randomly at any device within a roughly 50-foot radius.

SJM criticizes basis of report

In response, SJM said that the report’s claims of remote battery depletion are misleading, as the wireless communication of the devices is limited to approximately seven feet. “This brings into question the entire testing methodology that has been used as the basis for the [report].” Additionally, a large-scale cyberattack like the one described by Muddy Waters would require “hundreds of hours of continuous and sustained ‘pings’ within the [seven-foot] distance,” according to SJM. SJM also highlighted inconsistencies in the simulated attacks posed by Muddy Waters, noting one particular screenshot purportedly showing an impaired system when it actually shows a device that is functioning normally.

Complaint

In the California-based class action complaint, a patient with an implantable cardiac device alleges that he would not have had the device implanted if he had known about the vulnerabilities involved. The complaint lists 30 different devices that allegedly have serious security flaws, creating hundreds of thousands of potential claims from other patients against SJM for fraud and negligence.

HHS says sharing is preparing for cybersecurity threats

Cyber threat information sharing can help efforts to prevent, detect, and respond to cyber-attacks, according to the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Assistant Secretary for Preparedness and Response (ASPR). Premised on the belief that health system preparedness requires knowledge of up-to-date threat information, the ONC and ASPR issued two funding opportunities to develop an Information Sharing and Analysis Organization (ISAO) for the health care sector.

Cyber Threats

As the health system becomes digital and health information takes on an increasingly electronic format, cyber threats have become a regular burden for health systems. Despite the growing threat, many components of the health care system lack the technological abilities to identify and protect themselves from cyber threats. Under the Cybersecurity Information Sharing Act (CISA), agencies like HHS were directed to develop tools that can help with the sharing of cybersecurity threat risks. Prior to the CISA, Executive Order 13691, signed on February 13, 2015, encouraged information sharing related to cyber threats between the government and the private sector.

Recent Threats

Although some governmental efforts have focused on preparedness, data breaches continue to be a burden for the health care industry. This summer, Banner Health reported a cyberattack potentially affecting the protected health information (PHI) and payment card data of 3.7 million patients. The breach resulted from a hack of Banner’s point-of-sale systems, which may have been connected to its clinical systems. Such a lack of segmentation may have contributed to the breach. Segmentation is the segregation of a network into areas that limit access to only those people, servers, and applications that need it, as a method of preventing hackers who enter part of a system from gaining complete control. However, the threat of cyber-attack reaches far beyond Banner Health. The scope of cyber threats is readily apparent from HHS’ “wall of shame,” which lists all of the breaches affecting 500 or more people that have been reported to the Office for Civil Rights (OCR).
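As an added illustration of the segmentation point above (example code written for this page, not anything from Banner Health, HHS, or the article), the following script classifies hosts into network zones by address range and checks observed flows against an allowlist of permitted zone-to-zone connections. A point-of-sale zone reaching clinical systems is the kind of cross-zone traffic that segmentation is meant to prevent, and that a defender would want to detect. The zone ranges, the allowlist, the flow-record format and the log lines are all constructed for the example.

```python
"""Network segmentation policy check over constructed flow records.

Added example, not from the article: maps source and destination IPs to
zones by CIDR, then flags every observed flow that the zone allowlist does
not permit (for instance, a point-of-sale host talking to a clinical
system). All address ranges, ports and log lines below are constructed.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed zone map: hypothetical address ranges for a hospital network.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "pos": ipaddress.ip_network("10.10.0.0/16"),         # point-of-sale terminals
    "clinical": ipaddress.ip_network("10.20.0.0/16"),    # EHR, imaging, device servers
    "payment_gw": ipaddress.ip_network("10.30.0.0/24"),  # card-processing gateway
    "mgmt": ipaddress.ip_network("10.40.0.0/24"),        # IT management hosts
}

# Allowlist of (source zone, destination zone, destination port).
# Any flow not matching an entry is a segmentation violation.
ALLOWED: Set[Tuple[str, str, int]] = {
    ("pos", "payment_gw", 443),    # terminals may only reach the payment gateway
    ("mgmt", "pos", 22),           # admins may manage terminals
    ("mgmt", "clinical", 22),      # admins may manage clinical servers
    ("clinical", "clinical", 443), # clinical systems may talk among themselves
}

# Constructed flow log: "<src_ip> <dst_ip> <dst_port> <action>" per line.
FLOW_LOG = """\
10.10.4.12 10.30.0.5 443 ACCEPT
10.40.0.2 10.10.4.12 22 ACCEPT
10.10.4.12 10.20.7.30 445 ACCEPT
10.10.4.12 10.20.7.30 3389 ACCEPT
10.20.7.30 10.20.9.1 443 ACCEPT
192.0.2.9 10.10.4.12 443 ACCEPT
"""


def zone_of(ip: str) -> str:
    """Return the zone name whose range contains ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Tuple[str, str, int]:
    """Parse one constructed flow record; raises ValueError if malformed."""
    src, dst, port, _action = line.split()
    return src, dst, int(port)


def find_violations(log_text: str) -> List[dict]:
    """Return every flow whose (src_zone, dst_zone, port) is not allowlisted."""
    violations: List[dict] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            src, dst, port = parse_flow(line)
        except ValueError:
            continue  # malformed record: skip it rather than abort the whole check
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if (src_zone, dst_zone, port) not in ALLOWED:
            violations.append({
                "src": src, "dst": dst, "port": port,
                "src_zone": src_zone, "dst_zone": dst_zone,
            })
    return violations


def summarize(violations: List[dict]) -> Dict[Tuple[str, str], int]:
    """Count violations per (src_zone, dst_zone) pair for a quick triage view."""
    return dict(Counter((v["src_zone"], v["dst_zone"]) for v in violations))


if __name__ == "__main__":
    found = find_violations(FLOW_LOG)
    for v in found:
        print(f"VIOLATION {v['src_zone']} -> {v['dst_zone']} "
              f"{v['src']} -> {v['dst']}:{v['port']}")
    print("by zone pair:", summarize(found))
```

On the constructed log this flags the two point-of-sale to clinical flows (SMB and RDP ports) and one flow from an address outside every defined zone; the allowlist approach deliberately treats anything unknown as a violation rather than silently permitting it.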

ISAO

The idea behind the ISAO is to allow organizations with greater cyber threat knowledge to share their understanding with less-equipped organizations. For example, with greater information sharing regarding the risks of inadequate segmentation, perhaps the scope of the Banner breach could have been mitigated. HHS hopes that by sharing information between itself and the health care and public health sector, the capacity to better prevent, detect, and respond to cyber-attacks will improve. The funding directs an ISAO to:

  • provide cybersecurity information and education on cyber threats affecting the healthcare and public health sector,
  • expand outreach and education activities to assure that information about cybersecurity awareness is available to the entire healthcare and public health sector,
  • equip stakeholders to take action in response to cyber threat information, and
  • facilitate information sharing widely within the healthcare and public health sector regardless of the size of the organization.

HHS hopes its combined funding opportunities—$250,000 that can be renewed for up to five years—will help spread cyber threat information among industry stakeholders and federal partners.


Criminal attacks cause most breach incidents, report says

For the second year in a row, more health care organizations reported that criminal attacks are the leading cause of data breaches than any other threat, with 50 percent of covered entities (CEs) attributing data breaches that occurred in their organizations within the last two years to criminal attacks, compared to 41 percent claiming that they were caused by a “third-party snafu.” According to a Ponemon Institute report sponsored by ID Experts, 89 percent of CEs had a data breach in the past two years, and 45 percent experienced more than five breaches in the same time period. Regardless of the type of attack, however, employee negligence was a larger concern among health care organizations and their business associates (BAs) than cyberattackers themselves. The results indicated that organizations may need to reallocate their resources but confirmed that security incidents are now part of the normal course of business.

Breach causes

In addition to reporting that breaches resulted from criminal actions and third-party snafus, CEs reported that only 36 percent of breaches resulted from unintentional employee actions and 8 percent resulted from intentional, but non-malicious, employee actions. Stolen computing devices (39 percent), technical systems glitches (29 percent), and malicious insiders (13 percent) also played a role.

Despite these figures, 69 percent of CEs reported that employee negligence was among their three top concerns related to the security of sensitive and confidential information, compared to only 45 percent who worried about cyberattackers. In an interview with Wolters Kluwer, however, Mac McMillan, FHIMSS, CISM, CEO of CynergisTek, Inc., stated, “I believe the stats are clear hacking accounted for well over 90 percent of the records lost last year with all other categories combined contributed to less than 10 percent of that number . . . It’s the impact of the incident that matters and clearly hacking is having a larger negative impact.”

Rick Kam, President and Co-founder of ID Experts, told Wolters Kluwer, “In health care, there are many ‘data touches’ including multiple employees who can be careless and third parties handling patient data,” including third-party snafus, stolen computing devices, and unintentional employee actions. Unlike CEs, BAs cited unintentional employee actions as the biggest driver of breaches, at 55 percent, with third-party snafus accounting for 52 percent and criminal attacks accounting for 41 percent. Interestingly, only 53 percent of BAs reported employee negligence as a top concern.

Types of attacks

In the realm of cyberattacks, CEs and BAs were both most concerned about denial of service (DoS) attacks, in which attackers make a machine or network resource unavailable to its intended users, for example, by temporarily suspending services of a host connected to the internet. This concern was followed by the threat of ransomware, in which attackers infect systems with malware, which is hostile or intrusive software, and effectively hold system access hostage until the victim agrees to pay a ransom; and malware, in general. Although McMillan acknowledged these threats, he expressed concern that “many health care executives do not fully appreciate the cyber threat they face today.”

Among CEs, medical files far and away contained the data most commonly lost, accessed without authorization, or stolen, with 64 percent of CEs mentioning them, compared to 45 percent reporting billing and insurance records. Among BAs, however, 56 percent reported that billing and insurance records were the data affected, followed by 45 percent reporting payment details.

Patient impact

Covered entities recognized the impact that data breaches can have on patients. Seventy-nine percent stated there is a risk that personal health facts will be disclosed, 66 percent believed patients are subject to an increased risk of medical identity theft, and 61 percent believed they are subject to an increased risk of financial identity theft. Thirty-eight percent of CEs were aware of medical identity theft affecting customers within the past two years, although 48 percent of those instances were attributed to unintentional employee action, compared to 9 percent attributed to criminal attacks. Perhaps those attribution percentages are the reason that only 56 percent of CEs believed that they should provide data breach victims with credit monitoring or medical identity theft protection. McMillan noted a “glaring disconnect” between the figures, but suggested that it may result because “very few ever use the credit protection provided so it becomes a huge expense for nothing.” Kam opined, “organizations are becoming more knowledgeable about what consumer remedies to offer based on the risk presented by the types of information lost or stolen in a data breach.”

Budgets

Health care CEs and BAs believe they are more vulnerable to data breaches than other industries. Fifty-six percent of CEs that have instituted an incident response plan say that more funding and resources are necessary to make the plans effective. However, 52 percent of CEs reported that their security budgets remained the same over the past two years. Only 30 percent reported budget increases, while 10 percent reported decreases. The report suggested that breaches could be costing the health care industry $6.2 billion.

Report

The report is Ponemon’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. It is the second report to include BAs among its surveyed entities, reflecting responses from 91 CEs and 84 BAs. (For the 2015 report, see This time it’s crime: the lawlessness of health care data breaches, Health Law Daily, May 8, 2015). Fifty percent of responding CEs were private health care providers; thirty-two percent of BAs were part of the pharmaceutical industry, compared to only 24 percent in the information technology (IT) services/cloud services industries.