Page 22 - Cyber Defense eMagazine June 2024
Spoiler alert: While both kids came into the world weighing less than two pounds apiece, following a
three-month stint in the NICU at Overland Park Regional Medical Center (HCA) (and six years later), we
have happy, rambunctious, and perfectly healthy kindergartners.
The relevance to this (cybersecurity) story stems from the fact that we chose, in large part, to forgo
using a well-known pediatric hospital in our city because of breach events that had occurred beginning
in 2016 and continuing through January 2018, resulting in the theft of approximately 70,000 patient
records.
Between our two kids, the NICU bills (covered by insurance) were nearly $3 million. Patient
identity and safety concerns aside, the decision we made as parents and consumers had a detrimental
monetary impact on the pediatric hospital in the form of a significant lost revenue opportunity. Amongst
others, that event, or I should say decision, poured gasoline on the vision I had in founding PatientLock,
and a few years later, JurisLock. That vision (turned Mission) was to make “enterprise grade”
cybersecurity available and affordable to any size of business using channels servicing the Defense
community.
Those in the healthcare and legal professions, specifically, are tasked with protecting and serving patients
and clients in some of their most vulnerable times. Their goal as professionals is to provide help during
some of the most stressful, life-threatening, or otherwise impactful times an individual may ever go
through. On the medical side, this could be delivering premature babies, assisting a patient through a
cancer diagnosis and treatment, or making the end-of-life process as comfortable and painless as
possible. On the legal side, this might be working with a client who has suffered a catastrophic injury. It
might be a divorce, a child custody case, working through criminal/civil litigation matters involving freedom
or one’s life savings, or helping a business make a strategic acquisition.
I would not imagine that during these interactions, cybersecurity is priority one (or two, or ten, or twenty).
However, because these professionals often meet and work with extremely sensitive information during
their work, this information must be properly safeguarded. Otherwise, there can be significant, negative
results. Cyber criminals could gain access to a provider’s network, compromising a surgery already in
process. Information in a patient’s electronic medical record could be deleted, or changed (think allergies,
dosing information, or other significant information like a patient’s blood type), or a physician office or
hospital could be locked out of its computers such that patient care is disrupted (also leading to significant
revenue loss). Worse yet, a double extortion tactic including data exfiltration and ransomware might be
used simultaneously. This occurs when a bad actor steals records to then sell on the Dark Web, while
also executing a ransomware attack and demanding payment.
Due to these factors, those practicing law and medicine have special and unique obligations to protect
the information of those they serve. Just to name a few:
• Doctor-patient privilege/attorney-client privilege
• Ethical obligations/ABA Rule 1.6
• HIPAA
• Special laws protecting substance abuse information
• State law requirements
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.