The need to update and implement new processes for delivering healthcare in response to the COVID-19 pandemic has resulted in the adoption of more automation, remote access and monitoring technologies. It also has brought data analytics into treatment and the patient environment. Healthcare providers have shifted from traditional waiting rooms and in-person visits for routine needs to remote check-ins, check-ups and updates via personal health record applications.
Providers increasingly rely on smart grid technologies, cloud computing, medical devices and health monitors connected via the internet of things (IoT), bio-sensing wearables, touchless technology, telehealth, online scheduling applications, electronic health records, virtual and remote triages, AI-based predictive analytics and machine learning, and most recently, interactive floor-plan images used by regulatory inspectors.
These technologies and care-delivery approaches depend on seamless connected systems and instant access to data that create a recipe for cybervulnerability. Decades of HIPAA and extensive penalties for non-compliance ensure that healthcare organizations are cognizant of obligations to maintain the privacy of their patients’ personally identifiable information.
Cybercriminals and regulators are already aware of the security risks facing healthcare organizations because of the sensitive data they maintain. The Federal Bureau of Investigation (FBI) considers hospitals at high risk for ransomware attacks on their networks, noting that these types of attacks can delay or prevent a hospital from accessing lifesaving equipment. In October 2020, the U.S. Department of Health and Human Services, the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI issued a cybersecurity alert related to an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.
In addition to protecting electronic health record systems, healthcare organizations also need to prioritize cybersecurity with respect to facility design and construction and the implementation of integrated technological approaches to care delivery. Cybersecurity is crucial to guard against hijacking of digital monitoring and automatic adjustments of: indoor air and water quality; inventory management and replenishment continuity; and automatic doors to ensure they open when desired. This makes it imperative that healthcare organizations address security requirements in contracts with construction and design firms, as well as equipment and other electronic-product vendors – all traditionally small businesses.
Although major corporations, governments and critical infrastructure are now principal cyber-attack targets, 28 percent of data breaches in 2020 involved small businesses, according to Interpol. Small businesses as a whole are comparatively deficient in guarding against a cyber incident, providing an easily overlooked weak link within the data systems of a larger entity with deep pockets and crucial electronic data and digital operations. With design and construction teams sharing confidential data — including blueprints and product specifications — during integrated project delivery on tablets and smartphones that also connect with hospital information systems, those devices can provide an insecure entry point for cybercriminals. The strongest internal firewall structure might not be as important as vetting contractors and vendors providing equipment, project management software and updates, and ongoing digital service.
About 59 percent of organizations experienced a breach directly caused by one of their vendors within the prior 12 months, according to a 2018 study by the Ponemon Institute. Consider these examples:
• The 2013 theft of credit card data from 110 million Target holiday shoppers stemmed from a cyberattack on the retailer’s refrigeration and HVAC vendor.
• That same year, Chinese hackers accessed the computers of a prime contractor and stole floor plans, communications cable layouts, server locations and security system designs for the Australian Secret Intelligence Organization's new headquarters then under construction.
• In 2019, Airbus suffered a data breach when hackers seeking information about particular aircraft engines targeted its third-party suppliers.
• In 2020, the largest HIPAA data breach occurred after a third-party vendor was hacked with ransomware.
Even if a third party’s vulnerability does not result in a cyber incident, a cyber attack could slow down a construction project. In 2020, two U.K.-based construction companies experienced an attack while involved in building emergency coronavirus hospitals. One company had to shut down some of its computer systems, and the other company’s operational services remained affected several days after the initial discovery. Project managers cannot survey a project carrying portable building information modeling (BIM) designs on their mobile devices if they cannot access their employer’s digital database.
Compliance with HIPAA and related data privacy and security laws is a minimum legal obligation of healthcare organizations. While the pervasive enactment of breach-notification laws might be comforting, more should be expected from third parties. The request-for-information process offers an opportunity to vet contractors and vendors based on insurance coverage and cybersecurity protocols.
Facility managers can perform vendor security assessments by requiring disclosure of vendor security policies and third-party vendor security reports, such as an SOC 2 report. These inquiries focus on whether the vendor has a compliance program, a written information security program, security policies and procedures, third-party vetting, and standard safeguards — organizational and technical — to protect devices and information systems. While these practices are routine when evaluating HIPAA business associates, they are no less important when assessing construction and facility vendors.
Construction and vendor contracts also can be leveraged to require the implementation of certain protections. In addition to imposing specific incident-response commitments, negotiating the contract terms is an opportunity to be proactive and focus on people, processes and technology.
For instance, the contract can limit access to sensitive data to an identifiable, limited group of individuals under limited circumstances, and it might provide that such individuals receive regular training on employee security awareness with an emphasis on their obligation to safeguard mobile devices.
Health Share of Oregon, the state’s largest Medicaid coordinated care organization, suffered a significant data breach after a laptop — unencrypted and containing the personally identifiable information of more than 650,000 members — was stolen from its medical transportation vendor. CISA recommends encrypting files on mobile devices, although it cautions that users who do so must remember their log-in information or risk losing their data altogether.
Organizations should consider requiring vendors to have processes in place, such as multi-factor authentication, complex passwords, regular review of people with access, and a mechanism for blocking access for non-business purposes. Recently, an ADT security technician pleaded guilty to hacking home security footage. He routinely added his personal email address to customers’ ADT Pulse accounts contrary to company policy, giving himself real-time access to the video feeds from their homes. A procedure to track the use and collection of a company’s sensitive data might help prevent its transmission by rogue employees.
A contractor or vendor also might be required to maintain appropriate network security, including, for instance, the regular installation of software updates. In late 2019 and early 2020, a massive cyber attack temporarily halted access to New York state agency information systems. The agencies used software for which patches to fix a known security issue had been sent a year earlier but not installed. A belated software update also was the alleged cause of a break-in to a government contractor’s software that led to the theft of 30 GB of data.
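The contractual controls discussed above (a limited, approved group of individuals with access; no non-business addresses attached to accounts, as in the ADT case; multi-factor authentication; periodic access review; and timely software updates) can be checked mechanically against a vendor's account inventory. The following Python script is an added illustration, not code from the article or from any of the organizations it names; the account records, the vendor domain and the review and patch thresholds are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory of vendor staff accounts on a hospital-facing
# system (not real data). The domain, dates and thresholds are assumptions.
APPROVED_DOMAIN = "example-vendor.com"
TODAY = date(2021, 3, 1)
MAX_REVIEW_AGE_DAYS = 90   # access must be re-reviewed at least quarterly
MAX_PATCH_AGE_DAYS = 30    # device must have applied updates within a month

VENDOR_ACCOUNTS = [
    {"user": "j.doe", "emails": ["j.doe@example-vendor.com"], "mfa": True,
     "approved": True, "last_review": date(2021, 1, 15), "patch_date": date(2021, 2, 20)},
    # A personal address added alongside the business one, the ADT-style pattern.
    {"user": "tech42", "emails": ["tech42@example-vendor.com", "tech42@personalmail.example"],
     "mfa": True, "approved": True, "last_review": date(2021, 2, 1), "patch_date": date(2021, 2, 25)},
    {"user": "contractor7", "emails": ["c7@example-vendor.com"], "mfa": False,
     "approved": False, "last_review": date(2020, 6, 1), "patch_date": date(2020, 1, 10)},
]


def audit_account(acct, today=TODAY):
    """Return the list of contract-policy findings for one vendor account."""
    findings = []
    if not acct["approved"]:
        findings.append("not on the approved access list")
    for email in acct["emails"]:
        # Any address outside the vendor's own domain is a non-business address.
        if email.split("@")[-1].lower() != APPROVED_DOMAIN:
            findings.append(f"non-business address attached: {email}")
    if not acct["mfa"]:
        findings.append("multi-factor authentication disabled")
    if (today - acct["last_review"]).days > MAX_REVIEW_AGE_DAYS:
        findings.append(f"access not reviewed within {MAX_REVIEW_AGE_DAYS} days")
    if (today - acct["patch_date"]).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"device software updates older than {MAX_PATCH_AGE_DAYS} days")
    return findings


def audit_all(accounts, today=TODAY):
    """Map each account user name to its findings; an empty list means compliant."""
    return {a["user"]: audit_account(a, today) for a in accounts}


if __name__ == "__main__":
    for user, findings in audit_all(VENDOR_ACCOUNTS).items():
        print(user, "OK" if not findings else "; ".join(findings))
```

Run on the constructed inventory, the script clears `j.doe`, flags only the personal address on `tech42`, and reports four findings for `contractor7`.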
A careful healthcare provider must vet its third-party providers, asking any and all relevant questions. The security of the healthcare provider’s patients might depend on it.
Virginia K. Trunkes is counsel in Robinson+Cole’s construction law group. Conor O. Duffy is an associate in the firm’s health law group.