James Castro-Edwards, head of ProDPO, an outsourced data protection service at law firm Wedlake Bell, discusses the legal implications of healthcare related data falling victim to a cyber-attack.
The National Cyber Security Centre (NCSC), part of GCHQ, published its Fourth Annual Review on 3rd November. The Review reports that the NCSC handled 723 incidents, an increase compared to the preceding three years and that of those, around 200 incidents related to Coronavirus. In a year dominated by the pandemic, the NCSC provided particular support to the healthcare sector. They scanned more than one million NHS IP addresses for vulnerabilities, which revealed 51,000 indicators of compromise. To help combat criminals' continued attempts to exploit the pandemic, the NCSC and the City of London Police launched the Suspicious Email Reporting Service, which in four months received 2.3 million reports, that in turn lead to thousands of malicious websites being taken down.
The Review revealed a sharp increase in ransomware, with the NCSC handling more than three times as many ransomware attacks as in the previous year. The nature of ransomware attacks has also changed; historically, these typically involved denying victims access to their own data until a ransom was paid. However, the Review reveals an increasing trend in hackers threatening to leak sensitive information to the public. Clearly, this could be particularly concerning for medtech manufacturers that hold large volumes of sensitive data about patients' health. Perhaps more worrying is the risk that connected medical devices could be hacked, for instance by altering the flow of insulin from a connected insulin pump or disrupting the rhythm from a pacemaker. While to date no such attacks have been reported in the public domain, the risk was recognised as long ago as 2013 when former US Vice President Dick Cheney had the wireless function of his heart implant disabled due to fears that it might be hacked in an assassination attempt.
The Coronavirus pandemic has resulted in an increase in attacks generally, in part as a result of criminals exploiting the security vulnerabilities arising from homeworking. The disruption has also provided cyber attackers with a ready cover story for phishing attacks. For instance, a report on COVID-19 purportedly shared by the World Health Organisation (WHO), but which was in fact a phishing email, was shared so widely by email that the WHO issued a public warning on its website. Thousands of scams involving Personal Protective Equipment (PPE) have also been reported, where healthcare workers have been duped into paying for sub-standard or non-existent PPE.
Worryingly, earlier this year, the NCSC reported that Russian cyber-attackers were targeting organisations involved in Coronavirus vaccine development. The NCSC reported that hacking group APT29, also known as 'the Dukes' or 'Cozy Bear' almost certainly operates as part of Russian intelligence services. The NCSC specifically mentioned healthcare providers as being among APT29's targets, from which the group continues to attempt to steal valuable intellectual property.
As well as the obvious disruption, potential reputational damage and clear-up costs of an attack, medtech manufacturers may face regulatory action under applicable data protection law. For instance, the General Data Protection Regulation (GDPR) applies to businesses established in the European Union, as well as those established outside the EU, but which offer goods or services to citizens in Europe. Among other things, the GDPR requires organisations to implement appropriate technical and organisational security measures to ensure that personal data is protected. The GDPR treats health data as a 'special category' of personal data, that requires a higher standard of care, so businesses that handle information about individuals' health must apply more stringent measures to ensure that it is protected.
Following a cyber-attack, the application of the GDPR may appear counterintuitive; in 2014, the British Pregnancy Advisory Service (BPAS) was hacked by an anti-abortion campaigner, who accessed the personal data of almost 10,000 people. The Information Commissioner's Office (ICO) investigation found that BPAS had failed to implement adequate security measures and issued a fine of £200,000. The incident took place while the Data Protection Act 1998 was still in force, under which the maximum fine was £500,000, however the GDPR, which took effect in May 2018 enables the ICO to issue fines of up to 4% worldwide annual turnover, or €20,000,000, whichever is greater. The ICO has already exercised these powers, fining British Airways £20,000,000 earlier this year (a reduction from the initial proposed figure of £183,000,000) for security failings.
Medtech manufacturers that operate internationally should be aware that data protection law is not just confined to Europe; for instance, in the US, operators in the healthcare section may be subject to the Health Insurance Portability and Accountability Act of 1996 (commonly known as HIPAA). HIPPA includes privacy and security obligations, and heavy penalties for non-compliance. Many other jurisdictions outside the EU are adopting data protection laws, which frequently include security obligations. This means that global medtech operators may have to negotiate a patchwork of data protection legislation. In addition, in the UK, developments in the common law mean that individuals may claim compensation where their personal data has been misused in such a way that causes them damage or distress. This creates the possibility of a business being fined by the ICO for a breach of applicable data protection law and then pursued through the civil courts for damages by the affected individuals.
Faced with these risks, how should medtech manufacturers protect themselves from enforcement action and legal claims? Clearly a technical security review is not only essential, but a legal obligation. However, data protection law requires more than simply keeping information secure; individuals have a number of rights, in particular that the handling of their personal information is fair and transparent. As well as scrutinising their technical security measures, med-tech manufacturers must also review their data handling practices, to ensure that they comply with applicable law. This includes raising awareness amongst staff, providing training and ensuring ownership of the data protection function within the organisation. Finally, there is an adage amongst cybersecurity professionals that there are two sorts of organisation; those that have been hacked and those that just don't know it yet. With this in mind, medtech businesses must prepare an action plan for what they would do if and when the worst happens.