From hacking to health care: McCarter & English attorney says advancing tech paints cybercrime bull’s-eye on industry

By Brett Johnson
New Jersey | Feb 15, 2019 at 7:05 am
Focus On ...

Scott Christie led the computer hacking division for the U.S. Department of Justice’s Newark office, where he went after big-time cybercrime intrusions.

It has a surprising overlap with his current gig — representing health care clients.

Christie is an attorney that assists these clients with data privacy matters and cybersecurity issues. And this industry is one of the top targets for cyberattacks, with various sources putting the dollar figure in terms of damages within the ballpark of an annual $5 billion, or sometimes more.

The longtime expert on hacks said that picture is only getting more complicated. The same technologies in the health care industry that sound most exciting also bring the potential of opening up new vulnerabilities to hackers and making for a murky legal landscape.

“All of the technology that is revolutionizing medical care carries with it concerns that may not be fully addressed — some might not have even been considered,” Christie said. “The proliferation of technology as well as health care data ups the consequences.”

The health care industry is perhaps better than most industries at thwarting these threats, but with the pace of medical technology being also more rapid than most, the assurances are few.

Christie, who practices at McCarter & English LLP, said health care innovations in some cases might be trading security for greater flexibility. Telemedicine might be one of the most broadly adopted of recent health care technologies — and it’s certainly not immune.

“As we sit here today, telemedicine is becoming a much more common and accepted practice with new advances in technology,” Christie said. “Platforms such as Skype or Facetime are becoming more popular for this real-time interactivity. And videoconferencing tools have ratcheted telemedicine up a level.”

From a legal perspective, there are clear benefits — doctors have an objective record of what is said to a patient if there were to be a claim that led to a malpractice lawsuit. Patients profit from that session being preserved because they have something to refer back to when part of the conversation was missed.

But, with any sensitive information transmitted electronically — particularly when it’s potentially being stored — there’s a target for hackers. Christie said those concerns are intensified by the fact that the content might be a patient in some state of undress, as might be required to diagnose a condition.

Besides privacy matters, there are other legal challenges that come up, including the uncertainty regarding where a patient is located and how that interacts with a physician’s licensing.

“So, you run the risk if you’re dealing in a telemedical manner with people as a New Jersey doctor, that you’re unwittingly treating a patient in Hawaii or some other state in which the doctor is not licensed to practice,” Christie said, adding that third-party services were cropping up now to validate the state of residence of patients that contract with doctors permitted to practice there.

Patients should expect the same level of care and professionalism during a telemedicine visit as with an in-office visit. That means the medical staff follows all HIPAA laws and information is secure.”— James C. Wittig, chairman, orthopedic surgery, Morristown Medical Center

Telemedicine has many local pioneers; Atlantic Health System is definitely one. Among the many new ways it is used by the organization is to connect neurologists with patients who are having strokes, beginning an assessment of the time-sensitive condition during the ambulance trip to the hospital. That’s starting to be introduced as well for cardiac patients and those suspected to have sepsis.

James C. Wittig, chairman in the orthopedic surgery arm of Atlantic’s Morristown Medical Center, said that, last year, the system also began offering around-the-clock access to physicians with “virtual visits.” The remote appointment is sometimes done on a live video conference.

Wittig, who also serves as a medical director for orthopedic surgery, orthopedic oncology and sarcoma surgery, said the service is conducted using a platform called MDLive. It’s a secure tool, he said, designed specifically for the purpose of these virtual doctor visits.

“Atlantic Health System has produced a series of standards, guidelines and best practices for providers to ensure that they are using these online platforms responsibly,” he said. “Patients should expect the same level of care and professionalism during a telemedicine visit as with an in-office visit. That means the medical staff follows all HIPAA laws and information is secure.”

While local health care providers are finding the right protective mechanisms for current telemedicine uses, an attorney such as Christie sees potential pitfalls in the way these technologies may start to be utilized as it becomes even more widespread.

Also on Christie’s radar are some next-gen medical innovations that might be extraordinarily difficult to totally secure. 

For example, radio-frequency identification — or RFID — is a technology that’s starting to gain more relevance in the health care setting. This technology is starting to be more widely adopted for keeping track of scalpels and other instruments in the surgical theater, to make sure everything is located where it should be.

“But, very quickly, this technology is not used for things as narrow as tracking surgical instruments but also to help identify the location of patients in a hospital,” he said. “These RFID tags on a bracelet can store data, much more than you could print on those bracelets. … Attendant to that are privacy issues, because this sensitive data — unless you could encrypt the radio-frequency content — could be intercepted in transmission. That’s a problem.”

Even further on the horizon, Christie expects virtual reality to introduce additional privacy problems, particularly once it begins to realize its potential to be used for treatment of dementia or other mental illnesses.

If Christie seems to see the potential for a hacker disruption anywhere, it’s because time dealing with them has taught him this: When it comes to new technology, he said, “It’s only a matter of time before a hack occurs.”

Conversation Starter

Reach Scott Christie of McCarter & English LLP at: schristie@mccarter.com, or 973-848-5388.