Whilst the concept of hacking and healthcare would, on the face of it, seem to be unrelated topics, in an increasingly digital world, healthcare institutions in South Africa find themselves grappling with the fast pace of advancement in the healthcare technology space. This has led to a new age of cyber vulnerabilities endangering the integrity of patient data and the overall safety of healthcare systems.

Whilst all industries can be affected by a cyber breach, the nature of healthcare poses a unique challenge, given that not only is there financial and organisational impact, but patients’ lives may also be at stake.

Data breaches is a prime example of how cyber-attacks impact on healthcare organisations. Storing a vast amount of sensitive patient data, a data breach can expose this personal information to unauthorised individuals, potentially exposing patients to identity theft, financial fraud and other crimes related to a cyberattack. A data breach can also have significant financial and reputational damage to a healthcare institution. In a local context, readers may recall that the Life Healthcare Group suffered such a breach in 2020.

Cyberattacks can cause disruptions in critical medical services, preventing healthcare professionals from accessing patient records, scheduling appointments, or even carrying out medical procedures. If patient care is compromised due to such disruptions, it can potentially lead to bodily injury due to delayed action and diagnosis.

In 2017, the UK’s National Health Service suffered a cyberattack perpetrated through the use of WannaCry ransomware. The attack disrupted health services in hospitals across Britain. The NHS cancelled approximately 19,000 appointments; radiology sessions, outpatient appointments, and elective admissions and emergency service runs had to be redirected to unaffected medical facilities. (The Impact of Cyberattacks on Healthcare | CurrentWare)’’

With the increasing use of interconnected medical devices, there is potential for cyber incidents to directly cause bodily harm to patients. If a cyberattack targets and manipulates these devices, it can endanger lives. In 2020, at the University Hospital Düsseldorf, a patient was set to receive emergency treatment – until a ransomware attack disabled the systems that supported their medical devices.  The hospital was forced to transfer the patient to another hospital approximately 30 kilometres away and the patient unfortunately died during the transfer (Cyber Attack Suspected in German Woman’s Death – The New York Times (nytimes.com)).

When a facility has been the target of a malicious attack the question then becomes where does the liability for injury or damage fall?

Determining this can be very complex and would depend on many different factors including the circumstances of the incident itself, the applicable jurisdictional laws, what contractual agreements are in place between the healthcare organisation and third parties, as well as the type of insurance purchased.

The regulatory landscape surrounding cybersecurity in South Africa is still evolving, however, legislation such as the Protection of Personal Information Act (POPIA) and the Health Professions Act provide a foundation for safeguarding patient data. Failure to comply with POPIA may lead to serious legal and financial consequences.

Liability could land at the feet of various players in a large-scale breach, for example:

  • The hospital or clinic could be liable if it is found to have failed to protect patient data. For example, if a hacker gains access to patient records of a big hospital group, (such as the aforementioned Life Healthcare incident) this may be the result of having inadequate security measures, poorly implemented cyber controls or inadequately trained staff.
  • Many establishments rely on third parties for various services such as data storage, cloud services or even IT support. If a breach occurred due to a third party’s negligence, then they may well share the liability with the organisation, depending on the terms of their contractual agreements.
  • If the employees of a facility are not adequately trained or made aware of the potential risks of cyber incidents, they may well fall for phishing scams or potentially inadvertently disclose pertinent information to malicious actors. They could also potentially sell private information for personal gain. If not acting criminally, then it is most likely that the facility would once again be liable, given the factors of vicarious liability.

Liability insurance plays a crucial role in protecting healthcare institutions from cyber breaches by providing financial support and assisting with risk mitigation. Healthcare institutions should ideally purchase both comprehensive cyber and medical malpractice insurance.

Traditional cyber policies would ordinarily respond to the scenarios listed above, in respect of covering the costs as a result of a cyber incident. However, cyber polices usually exclude bodily injury – and this is where medical malpractice insurance applies. Medical malpractice insurance cover normally limits cyber cover but some policies now include cyber extensions which cover elements of bodily injury as a result of a cyber incident.

Typically, insureds purchase individual policies for each risk class, however, this can result in gaps in cover. New virtual care insurance products are emerging to react to the expansion of digital health and wellness services and  package medical malpractice, products liability, cyber liability, and technology errors and omissions with bodily injury in one policy.

In an ideal world we would hold the hackers themselves responsible but they are often hard to identify given their remote and often anonymous nature. Given the increased risks, how does a facility then protect itself? In order to mitigate these threats, healthcare establishments need to prioritise their cybersecurity posture. This would include implementing robust security protocols, conducting regular security audits, ensuring comprehensive, regular employee awareness training, as well as regularly patching, and updates to their systems and networks. Investing in advanced threat detection and prevention technologies is also required.

The convergence of medical malpractice and cyber incidents presents a complex and ever-evolving challenge for the healthcare industry. In response to this critical issue, healthcare institutions must prioritize robust cybersecurity measures and the adoption of comprehensive risk management strategies. By embracing the intersection of medicine and cybersecurity, healthcare institutions can ensure the delivery of safe, high-quality care in the digital age, ultimately securing the well-being and trust of patients.