Identifying The Potential Foreseeable Risks

02 Nov 2017

Introduction

Security legislation may be:

Sector and/or data specific

Pro companies/shareholders, employees, or customers

Pro government. [1] 

The spreading of obligations across various pieces of legislation [2] increases the risk that requirements will be ‘ignored,’ simply because of the number of clauses. [3] In the end, security is a relative concept, [4] because legislation states only that measures need to be ‘appropriate or necessary to protect….’ Yet the notions of ‘reasonable security’ and ‘foreseeability of the risk’ are becoming a ‘norm,’ to the extent that courts [5] assess the type of security and the manner of its application in liability actions.

The organization chosen is a healthcare facility. It may be run privately or publicly, and may be affiliated with or funded by insurers, pharmaceutical companies, and/or charitable institutions.

Data security is imperative, both to protect against outsiders and insiders, especially (but not necessarily) in cases involving:

- Insurers, e.g. because there may be a temptation to profile individuals (and indirectly their families) vis-à-vis insurance claims or premiums;

- Pharmaceutical companies, e.g. data espionage by competitors to obtain advance information about formulas and results. Moreover, the pharmaceutical company with which the hospital is associated may itself wish to view or edit data before an FDA report is issued.

Health data security must be BOTH ‘reasonable and appropriate.’ Moreover, EU law covers not only services but also equipment used by EU companies or based in the EU.

This requires a protocol run by highly trained staff, together with tailor-made programs. Any alteration of the protocols must balance society’s medical needs against the patients’ rights, without hindering the medical team’s ability to provide proper care.

Medical facilities also deal with financial and insurance transactions. Once a transaction is made, e.g. with an insurer, security must be provided so that patients are not discriminated against.

Requirements

These are ‘security, availability and access, authenticity, integrity and confidentiality’ and may be found under:

1. Privacy legislation;

2. E-transaction laws;

3. Corporate governance laws;

4. Unfair trade practice laws;

5. Sector-specific laws.

A health facility needs to:

1. Identify security risks

2. Monitor the system and perform routine checks/dry runs

3. Be security selective

4. Continually upgrade

5. Assess outsourced providers

6. Ensure that employees receive proper education in security.

This leads us to the issues of Common Law and Contractual Obligations.

Common Law Obligations – this obligation may be translated into a tortious liability against the collector and extended to hackers.

Contractual obligations

In order to protect themselves from security issues, legal entities may enter into standard contractual agreements. They demand the consent of the customer to allow third parties to use their data. Usually the ‘excuse’ to justify this demand is that the company outsources contracts, so that the data collected can be accessed by a third party. This should be discouraged in health facilities.

As Smedinghoff rightly states in his article, ‘both the EU Data Privacy Law and U.S. GLB Safeguard Rules mandate that the customer impose appropriate security obligations on the outsource provider.’ However, I tend to disagree with the ratio behind this statement. The mere fact that there is a law to ‘protect’ the consumer when giving consent is superfluous, since the wording tends to override the consumer’s consent anyway. Once the consumer consents to a standard contract, he has no more legal protection. Perhaps the UFCT Act might apply in the UK, but not all jurisdictions have the UFCT Act. Moreover, once data is hacked, it is out there (in cyberspace) forever.

Ancillary obligations arising from express and implied duties

Healthcare facilities may bind themselves to provide, or give assurance of, a certain security standard through advertisements or agreements in order to attract customers. However, if those standards are not met, the company exposes itself to liability for fraud or misleading practices.

Identifying the potential foreseeable risks and their source of origin:

1. Human accidental or intentional security breach

2. Technological:

(i) Program flaws that go unnoticed for lack of checking, whether by sporadic or routine monitoring;

(ii) Wireless medical devices are especially vulnerable to hacking. The aim is fast inter- and intra-hospital communication between medical staff within and outside the hospital.

Once these threats are identified, one has to assess the impact v. the cost.

Availability of personal data

The quality and quantity of data collected includes:

- The authenticity and integrity of data, during the collection, access and storage.

- Patients’ details, family history, condition(s), suggested analyses and treatments, results from screenings and tests, progress.

- Informed consent is imperative (unless the law does not require it). The patient consents to the collection, storage, access and sharing of data. Data sharing may be imposed by law (e.g. public health) or optional (e.g. surveys).

Monitoring

1. Primary data-collector/users are clinicians and paramedics;

2. Ancillary collectors/users: all non-primary users.

Primary users should have access to medical data, while ancillary users should only access the patient’s details.

Access

Patient health records belong to the health facility. However, the patient has a right to information. Parents may view their children’s health records, unless there is a court order or emancipation. Adolescents may decide to limit parental access.

Authorization for access should be monitored with respect to:

1. sensitivity

2. access by data-collector/user

3. reason

4. patient’s request/reasons

5. whether the material requested is analysed on its own or combined with the patient’s details e.g. blind trial.

Security should be proportionate with the classification of data:

• Not accessible

• Privileged

• Non-sensitive

Monitoring/traceability

This may be done by using ‘e-signatures, PIN, passwords, I.D. numbers; biometrics, encryption, and trail audit.’ The tools to secure data should be proportionate with the sensitivity, risks and costs.

Separate access

Certain conditions (e.g. STDs, cancer, social cases) may compromise confidentiality. For example, an orthopedic surgeon need not access the substance abuse dossier.

Hospitals should be insured against such breaches. In cases of employee disclosure, the hospital should investigate and prosecute proportionately.

Accuracy/integrity

Data should be comprehensive. Errors or revised statements and previous annotations should not be deleted. They should be recorded in the system, including date, time and access code.
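The rules set out under Monitoring, Access, Separate access and Accuracy/integrity can be expressed as a small access-control model. The following Python program is an added example and is not part of the essay or of any real hospital system; the record sections, the classification assigned to each, the specialties allowed to open a compartmented dossier, and the access codes are all constructed assumptions. It grants or refuses access by classification, role, stated reason and specialty, logs every decision with date, time and access code, and keeps corrections as new entries pointing at the entry they revise rather than deleting it.

```python
"""Role- and classification-based access to a patient record, with an
append-only correction history and an audit trail.  Added illustration:
sections, roles, specialties and users below are constructed, not a real system."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional, Tuple


class Classification(Enum):
    NON_SENSITIVE = "non-sensitive"
    PRIVILEGED = "privileged"
    NOT_ACCESSIBLE = "not accessible"


class Role(Enum):
    PRIMARY = "primary"      # clinicians and paramedics
    ANCILLARY = "ancillary"  # every non-primary user (admissions, billing, ...)


# Record sections and their classification (constructed sample).
SECTION_CLASS = {
    "details": Classification.NON_SENSITIVE,           # patient details only
    "clinical": Classification.PRIVILEGED,             # history, results, treatment
    "substance_abuse": Classification.NOT_ACCESSIBLE,  # compartmented dossier
}

# Assumption: a 'not accessible' dossier opens only to the specialties treating it.
COMPARTMENT_SPECIALTIES = {"substance_abuse": {"addiction_medicine", "psychiatry"}}


@dataclass(frozen=True)
class User:
    access_code: str   # identifier written to the audit trail
    role: Role
    specialty: str = ""


@dataclass
class Entry:
    section: str
    text: str
    author: str
    timestamp: str
    supersedes: Optional[int] = None  # index of the entry this one corrects


@dataclass
class HealthRecord:
    patient_id: str
    entries: List[Entry] = field(default_factory=list)  # append-only, never deleted
    audit: List[dict] = field(default_factory=list)     # every decision, granted or refused

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def decide(self, user: User, section: str, reason: str,
               action: str = "read") -> Tuple[bool, str]:
        """Apply the classification rules and log the outcome with date, time and access code."""
        cls = SECTION_CLASS.get(section)
        if cls is None:
            allowed, why = False, "unknown section"
        elif cls is Classification.NON_SENSITIVE:
            allowed, why = True, "non-sensitive: open to primary and ancillary users"
        elif user.role is not Role.PRIMARY:
            allowed, why = False, "ancillary users see patient details only"
        elif not reason:
            allowed, why = False, "a reason must be recorded for privileged data"
        elif (cls is Classification.NOT_ACCESSIBLE
              and user.specialty not in COMPARTMENT_SPECIALTIES.get(section, set())):
            allowed, why = False, "dossier is closed to this specialty"
        else:
            allowed, why = True, cls.value
        self.audit.append({"time": self._now(), "access_code": user.access_code,
                           "action": action, "section": section, "reason": reason,
                           "allowed": allowed, "why": why})
        return allowed, why

    def read(self, user: User, section: str, reason: str = "") -> List[str]:
        """Current content of a section: entries not superseded by a later correction."""
        allowed, why = self.decide(user, section, reason, "read")
        if not allowed:
            raise PermissionError(why)
        superseded = {e.supersedes for e in self.entries if e.supersedes is not None}
        return [e.text for i, e in enumerate(self.entries)
                if e.section == section and i not in superseded]

    def annotate(self, user: User, section: str, text: str,
                 reason: str = "", corrects: Optional[int] = None) -> int:
        """Append an entry; a correction references the entry it revises instead of deleting it."""
        allowed, why = self.decide(user, section, reason, "write")
        if not allowed:
            raise PermissionError(why)
        if corrects is not None and self.entries[corrects].section != section:
            raise ValueError("a correction must stay within the same section")
        self.entries.append(Entry(section, text, user.access_code, self._now(), corrects))
        return len(self.entries) - 1


if __name__ == "__main__":
    rec = HealthRecord("P-0001")
    surgeon = User("C-42", Role.PRIMARY, "orthopaedics")
    first = rec.annotate(surgeon, "clinical", "left tibia fracture", "admission")
    rec.annotate(surgeon, "clinical", "right tibia fracture", "correction", corrects=first)
    print(rec.read(surgeon, "clinical", "ward round"))           # ['right tibia fracture']
    print(rec.decide(surgeon, "substance_abuse", "ward round"))  # (False, 'dossier is closed to this specialty')
    for line in rec.audit:
        print(line)
```

Refused requests are logged as well as granted ones, which is what makes the trail useful for detecting probing of records a user has no business with. The `supersedes` pointer is the mechanism behind "errors should not be deleted": a reader sees the corrected statement, but the original text, its author and its timestamp remain in `entries`.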

Data sharing

Access should be limited to doctors and consultants. Moreover, data transferred should be encrypted, and a receipt should be requested from the end user. From that point on, the end user is responsible for any breach.

Patient data shared with government agencies should be deleted afterwards to avoid the creation of a data bank.
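The transfer-with-receipt step described above, as an added Python example that is not part of the essay: the encryption itself is assumed to have happened before `make_transfer` is called (only the receipt handshake is shown), and the per-recipient HMAC key, party names and ciphertext bytes are constructed sample values. The hospital only records that responsibility has passed to the end user once it holds a receipt that is genuinely the recipient's and that acknowledges exactly the payload that was sent.

```python
"""Signed receipt for an encrypted record sent to an outside end user.
Added illustration: encryption is assumed to happen elsewhere, and the
ciphertext and per-recipient key below are constructed sample values."""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _mac(key: bytes, fields: dict) -> str:
    # Canonical JSON so both sides authenticate the same bytes.
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_transfer(sender: str, recipient: str, ciphertext: bytes) -> dict:
    """Hospital side: manifest that travels with the encrypted payload and asks for a receipt."""
    return {"sender": sender, "recipient": recipient,
            "digest": _digest(ciphertext), "sent_at": _now(), "receipt_required": True}


def sign_receipt(transfer: dict, received: bytes, recipient_key: bytes) -> dict:
    """End-user side: acknowledge exactly the bytes received, signed with the recipient's key."""
    fields = {"sender": transfer["sender"], "recipient": transfer["recipient"],
              "digest": _digest(received), "received_at": _now()}
    return {**fields, "mac": _mac(recipient_key, fields)}


def accept_receipt(transfer: dict, receipt: dict, recipient_key: bytes) -> bool:
    """Hospital side: the transfer is complete, and responsibility passes to the end user,
    only if the receipt is genuinely theirs and acknowledges the payload that was sent."""
    fields = {k: v for k, v in receipt.items() if k != "mac"}
    genuine = hmac.compare_digest(_mac(recipient_key, fields), receipt.get("mac", ""))
    matches = (receipt.get("digest") == transfer["digest"]
               and receipt.get("recipient") == transfer["recipient"])
    return genuine and matches


if __name__ == "__main__":
    key = b"constructed-per-recipient-key"            # shared with the consultant out of band
    payload = b"\x8f\x1a\x42 constructed ciphertext"  # stands in for the encrypted record
    transfer = make_transfer("hospital", "consultant-07", payload)
    receipt = sign_receipt(transfer, payload, key)
    print(accept_receipt(transfer, receipt, key))                                      # True
    print(accept_receipt(transfer, sign_receipt(transfer, payload + b"x", key), key))  # False
```

The receipt commits to a digest of the received bytes, so a truncated or altered delivery produces a receipt the hospital will not accept, and the HMAC ties the acknowledgement to a key only that recipient holds. A real deployment would use the recipient's signing key rather than a shared secret, but the point of the handshake, that responsibility shifts only on a verified acknowledgement, is the same.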

Conclusion

Present legislation directs its attention to ‘specific sectors,’ when in reality it should be ‘security specific.’ The present position is that hospitals/companies are not obliged to incorporate specific security measures, but to deal with ‘a reasonable foreseeable risk.’ Moreover, governments should advocate education, so that security becomes a culture.
