
November 2018 Dallas Medical Journal 29
substances. The shutdown lasted more than a week and interrupted services to approximately 1,500 healthcare organizations. Hundreds of physicians and thousands of patients were affected.
Many of the affected practices were small physician groups that began using paper records and manual processes to avoid interrupting patient care. One Allscripts customer said, “We immediately converted to paper and kept moving forward. This time I created an appointment schedule on Excel and we manually put in several days of the schedule from the mobile app, and everyone has access to the Excel spreadsheet to see who is coming in and to add appointments.”[2]
Although this type of solution is not ideal, it is important for practices to consider creating an incident response plan that can be followed when business operations are interrupted.
Time down equals high loss
According to research from Accenture and the AMA, “Nearly two thirds (64 percent) of all physicians who experienced a cyberattack experienced up to four hours of downtime before they resumed operations, and approximately one third (29 percent) of physicians in medium-sized practices that experienced a cyberattack said they experienced nearly a full day of downtime.”[3]
How much a data breach can cost varies based on the size of the data loss and how quickly it is contained. A recent report from Ponemon Institute says that “response time means everything,” and that the time it takes to identify and remediate a data breach can determine the final costs to an organization.[4]
A hypothetical example of a breach scenario that involved a cloud solution provider (CSP) suggests the following:
• Malicious code makes its way into a CSP, infecting 25–50 percent of the system.
• It takes 24 hours for security experts to mobilize and identify the entry point of the malicious code.
• It takes 24 hours to develop patches for the found vulnerability and system crashes.
• It takes another 24 hours for the next tier of security providers to help investigate, secure and fix the problem.
• It takes 6 to 48 hours of ramp-up time for security.
• One to 12 hours of additional time is needed for affected companies to bring their systems online after the CSP has restored service.
Total outage time: 55 hours minimum.[5]
According to a report from NetDiligence, “Healthcare and professional services were the most breached sectors, each representing 18 percent of all breaches.” In addition, the “average cost of a breach was $394,000 — but in health care, the cost was much higher at $717,000.”[6]
After a breach, the medical practice may experience a reduction in revenue due to a drop-off in patient appointments. A practice’s failure to properly safeguard protected health information can lead to diminished patient trust.
Who is liable for lost or compromised data?
Many Service Level Agreements used by CSPs and EHR vendors include provisions that stipulate a shared responsibility with the customer for the security of the data being stored. Most CSPs will try to limit their liability for both service outages and breach incidents.
“Notably, the shared responsibility model leaves the cloud customer fully accountable for the data that is being stored outside the business, which, in the event of a breach, makes them most liable for any third-party damages or responsible for regulatory action.”[7]
Therefore, it is advisable that healthcare entities carefully review third-party service contracts with legal counsel to determine exactly what damages they may be liable for in the event of a breach. Make sure you understand any contractual obligations with regard to liability assumed under contract, particularly as it relates to the use, disclosure or safeguarding of your electronic protected health information (ePHI).
In a breach investigation, the US Department of Health and Human Services Office for Civil Rights would likely look first at the data owner’s cybersecurity management and obligations. Depending on the circumstances, some or all of the following issues would be addressed:
• Who owns the data?
• Who notifies the affected individuals, local media and regulatory authorities?
• Who pays for the notifications and press releases?
• Who pays for the forensics to determine the causation of the breach and whether personal data was stolen?
• Who pays for the credit monitoring and identity theft restoration services for the affected individuals?
• Do the contracting parties have cyber insurance that covers any liability assumed under contract?
Again, reviewing these contracts (including the above questions) with legal counsel and amending them where possible can help you minimize this liability and associated costs. Also, review your cyber liability insurance coverage to make sure it can fully protect you in case of a business interruption.
Risk management considerations
The costs associated with a breach — whether it is on site or in the cloud — can be devastating. Therefore, it is important to understand affiliated costs of a breach; minimize your liability by reviewing and amending third-party service agreements; assess