The Best Lawyers in America 2018
- Mary Holloway Richard – Health Care Law
From NewsOK / by Paula Burkes
Published: April 12, 2017
Click to see full story – FBI warns against doctors, dentists using ‘anonymous mode’ computer servers
Q: What attention has the FBI recently given to protect Protected Health Information (“PHI”) from cyber criminals?
A: Under a “Private Industry Notification” dated March 22, the FBI’s Cyber Division has provided guidance that’s applicable specifically to medical and dental providers and focuses on protection of sensitive, identifiable health information.
Q: What does the notice specifically recommend?
A: The notification recommends these health care providers request that their IT services personnel take steps to further secure the information from cyber threats by checking networks for File Transfer Protocol (“FTP”) servers running in anonymous mode. FTPs routinely are used to transport information between network hosts. This is the case, for example, when a covered entity such as a hospital or group practice transfers information to a business associate, such as a billing company or a third-party payer, for the purpose of submitting claims for services provided.
Q: What does “anonymous mode” mean and what threat does it represent?
A: “Anonymous mode” refers to the situation where an FTP server can be structured to permit users who are anonymous, doesn’t require a password to enter, and accepts common user names such as “anonymous” or “FTP.” The danger is that, in such circumstances, sensitive patient information stored on a server could be accessed with little or no security.
Q: Why does the FBI guidance focus specifically on health care?
A: Research conducted at the University of Michigan in 2015 resulted in a finding that more than one million FTP servers would allow such access. According to the FBI, some computer security researchers seek servers in anonymous mode as part of legitimate research, but others make such connections to facilitate nefarious activities such as launching cyber attacks, hacking, blackmailing, harassing and intimidating business owners. It’s the FBI’s purpose issuing this new guidance to both make health care business aware of the risks represented in their IT systems and to shore up weaknesses that pose cyber security risks. In addition to the precautions urged in the notice, the FBI has previously urged companies to buy and implement ransomware.
Q: Should additional actions be taken by medical and dental health care entities to provide additional protections against cyber crime?
A: The FBI encourages medical and dental health care entities to report suspicious or criminal activity to the local FBI field office (locate via www.fbi.gov/contact-us/field) or the FBI’s 24/7 Cyber Watch, CyWatch 855-292-3937 or CyWatch@ic.fbi.gov. Submitted reports must include available information regarding the date, time, location, type of activity, number of people and type of equipment used for the activity, the name and contact person for the entity submitting the report. Victim complaints can be filed with the internet Crime Complaint Center at www.ic3.gov.
Mary Holloway Richard, leader of the Firm’s Health Care Practice, was quoted in a Journal Record article by Sarah Terry-Cobo regarding an attempted merger by OU Medical System and how best to financially achieve that mission.
Read Richard’s comments from the article below:
OKLAHOMA CITY – When it comes to complicated relationships, sometimes it just takes the right partner. After a failed hospital merger was announced Monday, OU Medical System could still find its better half.
But making that match probably won’t be easy, said industry observers. Health care attorney Mary Holloway Richard said a potential partner needs the business expertise as well as the financial backing to purchase a large teaching hospital.
Richard said teaching hospitals have historically had higher costs than non-academic hospitals.
A potential partner has to evaluate the economic feasibility, regardless of whether parties are considering an outright acquisition or a joint venture, she said.
“Will it fit in with your overall business model?” Richard said. “(A teaching hospital) is a complex system, so how you incorporate that complex system into an existing system requires mastery of both the business model and the financial feasibility, as well as recognition of the compliance issues at play.”
By Mary Holloway Richard
This column was originally published in The Journal Record on January 18, 2017.
Behavioral health is a unique subset of health care law. I long have been privileged to see firsthand the challenges in working as a therapist while successfully avoiding liability and regulatory land mines, and I am empathetic with patients and families.
I believe it is important to provide protection from liability for therapists and to eschew expansion to predicting dangerousness of patients as the standard of care to which they are held. Therapists must adhere to standards of care that, when breached, result in liability to a patient for harm caused by that breach. Forty years ago the therapist’s burden was expanded to encompass a duty to warn third parties under certain circumstances in Tarasoff v. Regents of Univ. of California.
Recently the Washington Supreme Court decided Volk v. DeMeerleer, expanding liability of mental health professionals to unidentified individuals. As in Tarasoff, reactions among states can range from adopting to rejecting the rule in response. Such decisions are framed in reliance on laws in other states, scholarly articles and treatises, such as the creation of post-Tarasoff California statutory immunity for the therapist’s duty to warn third parties.
The Washington Supreme Court ruled in Volk that a psychiatrist could be liable for homicides even though the victims were not identified as targets of violence. The decision expands the scope of liability beyond the professional’s traditional duty to create a duty to identified third parties and may also result in expanding the rule from mental health professionals to other providers.
It is true that the Volk case concerned the murders of a young mother and her son as well as the suicide of the patient who killed them, and we are all too familiar with the facts of Columbine and Newtown. And society must protect these individuals. We must balance the need to protect our communities from violence with the need to protect our providers from the reprehensible burden of liability for predicting violent propensities.
The Washington Supreme Court stated that whether the patient’s violent actions were foreseeable should have been resolved by a jury and created instability concerning professional liability. It remains to be seen if this holding reflects a national trend of expanding the scope of liability for mental health and other health care professionals.
Mary Richard is a health care attorney and a member of the Behavioral Health Task Force of the American Health Lawyers Association.
The Journal Record will honor Phillips Murrah directors Sally A. Hasenfratz, Dawn M. Rahme, and attorney Mary Holloway Richard as those named on the 2016 Fifty Making A Difference list.
Judge Jane P. Wiseman will be the keynote speaker at the 2016 Journal Record Woman of the Year gala set for Nov. 2 at the National Cowboy & Western Heritage Museum.
The Fifty Making A Difference list spotlights female business and community leaders, and honorees are chosen from nominations received across the state.