Health Law Advisor

Healthcare organizations continue to be prime targets of cyberattacks. It is well-established that cyberattacks can lead to financial loss, reputational damage, and, in some cases, risks to patient care and safety. The recent and well-publicized cybersecurity incident affecting Change Healthcare further evidences these risks. As a result of the widespread and disruptive impact of this most recent cyberattack on the healthcare ecosystem, on March 5, 2024 the U.S. Department of Human Services (HHS) issued a public statement and has also announced that it opened an ...

Establishing and maintaining effective systems to protect sensitive personal data and confidential business information from outside interference while also assuring that privacy interests are protected is among an organization’s highest priorities. Our security and privacy team at Epstein Becker & Green has written extensively about the guidance and best practices issued by federal and state regulatory and enforcement agencies. Execution, monitoring and continually updating these preventive practices define an organization’s first line of defense. But what happens in the event that an organization actually suffers a breach? Is there guidance that might be available, particularly to healthcare organizations, to deal with continuity and disaster planning (BC/DR) directed towards assuring resilience and recovery in the event of a potentially-disastrous cyberattack?

The U.S. Cybersecurity and Infrastructure Agency (CISA) has urged a “Shields Up” defense in depth approach, as Russian use of wiper malware in the Ukrainian war escalates. The Russian malware “HermeticWiper” and “Whispergate” are destructive attacks that corrupt the infected computers’ master boot record rendering the device inoperable. The wipers effectuate a denial of service attack designed to render the device’s data permanently unavailable or destroyed. Although the malware to date appears to be manually targeted at selected Ukrainian systems, the risks now escalate of a spillover effect to Europe and the United States particularly as to: (i) targeted cyber attacks including on critical infrastructure and financial organizations; and (ii) use of a rapidly spreading indiscriminate wiper like the devastating “NotPetya” that quickly moves across trusted networks. Indeed, Talos researchers have found functional similarities between the current malware and “NotPetya” which was attributed to the Russian military to target Ukranian organizations in 2017, but then quickly spread around the world reportedly resulting in over $10 billion dollars in damage.[1] The researchers added that the current wiper has included even further components designed to inflict damage.

On Tuesday, August 24, 2021, California Attorney General Rob Bonta issued a guidance bulletin (the “Guidance”) to health care providers reminding them of their compliance obligations under California’s health data privacy laws, and urging providers to take proactive steps to protect against cybersecurity threats. This Guidance comes, in part, as a response to federal regulators sounding the alarm over an uptick in cybercrime against hospitals and other health providers. The Guidance follows an October 2020 Joint Cybersecurity Advisory issued by the Cybersecurity and ...