As cyber and data risks continue to grow, understanding the exposures and finding ways to put in place preventative measures and compliance programmes are key.
The recent NotPetya/ExPetr cyber-attack caused widespread damage to businesses around the globe. Following an initial 'watering hole' attack on a Ukraine based tax software vendor, M.E.Doc, NotPetya spread to Ukraine's electrical grid, airports and government offices. It reportedly infected a number of multinational companies including FedEx, Merck, Cadbury, Rosneft and AP Moller-Maersk.
NotPetya masquerades as ransomware (i.e. malicious software which blocks access to files temporarily until a ransom is paid). However, it is better categorised as a sabotage attack due to the fact that, as of today's date, there is no viable way to recover the encrypted files. It is unclear whether or not this was intentional or accidental as a result of a lack of sophistication on the part of the attackers.
NotPetya struck while many organisations were still recovering from the impact of the WannaCry virus, which infected the IT systems of over 200,000 businesses in more than 150 countries in April 2017 (see our May 2017 update). In both cases, the impact was particularly acute for organisations holding substantial amounts of information on individuals as the attacks put that data at risk of loss, destruction or theft.
Healthcare Sector Vulnerability
WannaCry brought the operations of 48 UK hospitals to a standstill and the NotPetya attack reportedly infected Heritage Valley Health System, a hospital and healthcare provider in the US.
Arguably, businesses operating in the healthcare sector are at a higher risk of being targeted by cyber criminals due to the fact that they hold high volumes of sensitive and valuable health data. This risk has increased in some jurisdictions because of factors such as public sector funding cuts and increased operating costs , which can mean that projects which require significant investment (such as an enterprise software or IT systems upgrade) are postponed or carried out incrementally to spread the cost.
Also, the sector is increasingly exploring options for more integrated healthcare with the establishment and maintenance of health information exchanges. While this can deliver better and more efficient care to patients, it can also create more vulnerability and risk through the number and types of connected stakeholders and devices.
Consequences of Cyber Breach
A cyber attack resulting in the loss or disclosure of personal data can have substantial consequences for the affected organisation. As well as financial liabilities and regulatory sanctions, the reputational damage can be significant. In addition, the organisation may face costs associated with engaging forensic IT consultants, legal and PR advisers, data reinstatement and potentially an IT security upgrade.
It is particularly important in the healthcare sector that patients and stakeholders feel safe, have trust and confidence in the system and are reassured not only in the current methods of healthcare delivery but also with regard to the new steps and developments that are to be introduced. The protection of personal information is a critical trust factor for patients.
Compliance Obligations in MENA
A number of countries have implemented laws to combat cybercrime. Typically, these criminalise hacking and denial of service attacks as criminal offences with severe penalties for those that infringe the law.
However, Qatar has gone much further in the fight against such crime and is the first GCC country to introduce a comprehensive national data protection law. The Personal Information Privacy Protection Law (PIPPL) came into force on 29 December 2016 and introduces a range of key requirements and measures that businesses must address to safeguard personal data. Organisations established or conducting business in Qatar should now be implementing compliance programmes so that systems and controls are put in place to meet the requirements of PIPPL.
The new Qatari law reflects a number of best international practices as well as supporting the country's intention to mitigate legal and reputational risk arising from data privacy breaches and cyber-attacks. Organisations that have not appropriately secured personal data could face a fine of up to QAR 5 million (USD 1.36 million). Any breach of the security measures in relation to health data is also likely to cause 'gross harm' to the patient concerned and therefore gives rise to an obligation to report the incident. The publicity flowing from a cyber breach will need to be carefully managed.
Similar data protection regimes are likely to be adopted across the GCC in the coming years, which means thinking about current processes now is vital.
Ensuring Compliance and Implementing Best Practice
In Qatar, a number of key principles reflecting standard organisational best practices have been codified by PIPPL:
- The entity which is ultimately in charge of collecting the data (and any service provider it engages) is bound to 'take necessary measures to protect personal data from loss, damage, alteration and disclosure from any accidental or unlawful access or use.'
- When determining what measures are appropriate, organisations are required to adopt measures that are 'consistent with the nature and significance of the personal data to be protected'.
- A recognition that sensitive personal data (including health information) may not be processed without specific authorisation and controls.
It is likely that the Qatari Ministry of Public Health (MoPH) will work closely with the Ministry of Transport and Communications (MoTC) to ensure appropriate safeguards and precautions in relation to healthcare data. The MoTC is the competent authority for the implementation and enforcement of PIPPL.
The MoPH has also published a National Health, EHealth and Data Management Strategy which provides for a comprehensive vision and plan for future e-health developments to improve healthcare delivery in Qatar. It includes a legal and regulatory framework for digitisation and standards for e-health data with robust privacy and security principles.
A six-month grace period was implemented to give organisations in Qatar more time to comply with the significant change programme for PIPPL compliance. This expired on 29 June 2017, which means businesses operating in the healthcare sector in Qatar must move swiftly to meet the significantly higher bar for compliance and to avoid falling victim to the significant regulatory fines in the event of a breach.
Organisations operating elsewhere in the MENA region should also be considering their data handling and breach management policies to mitigate the more general risks and to prepare for expected future legislation.