Ethics and Data: What are we missing?

Lynette Hornung

ISU INFAS (Cybersecurity) and Political Science Alum


We have already seen how some of the recent large data breaches have resulted in very significant compromises of citizens' personal data.  What is even more troubling is that certain individuals have been persistently targeted and attacked through these breaches.  If we combine the sensitive data in the United States Office of Personnel Management (OPM) data breach with the Anthem Blue Cross Blue Shield, Equifax, Marriott, Quest Diagnostics, and LabCorp data breaches, then we see a pattern emerging of attacks on security clearance, financial, and health data.  This gets more complicated and even more disconcerting when we add the compromise of social media accounts of those impacted by the OPM data breach as well as the selling of account holder information of those using Trend Micro Anti-virus.  The Trend Micro breach was caused by an insider threat, and the data of English-speaking account holders was sold.  We know that some of these targeted attacks are sponsored by nations that are hostile to the US, but there are also rogue cybercriminals and consortiums of cybercriminals that work together to steal data and sell it on the dark web or use it for other nefarious purposes.


When we analyze and deconstruct the aforementioned data breaches, important questions need to be asked, such as whether any early warning signs were missed; what additional security and technical measures are needed; what additional training, tools, and budgetary allocation are needed; and whether we are appropriately analyzing the ethical responsibility on the part of the entity breached.  How are we fully measuring the impact of the data breach on the individuals affected by it?  Do legal remedies need to be adjusted to include individuals whose specific forms of sensitive data, including personally identifiable information (PII), sensitive financial information, and protected health information, were repeatedly breached?  Will the statute of limitations need to be adjusted in dealing with long-term effects of various drug treatments and other procedures in the field of medicine?


The recent LabCorp data breach not only compromised protected health information, but it also included payment information and other personally identifiable information.  It is another example of cancer data being gathered by unauthorized sources and, once again, cancer patients had their protected health information and sensitive financial information breached along with PII.  How can we truly measure the multiple levels of damage to individuals who have had multiple types of sensitive data compromised?  This is an area where more creative solutions and approaches are needed to bridge the gap by assisting the legal world in truly understanding the damages involved and by helping the medical community understand the true impact of financial and other long-term consequences for the medical patient.


Cancer research is constantly under attack by state-sponsored actors as well as other threat actors because there is financial gain in introducing cancer drugs that are less expensive into the market.  As with many other forms of valuable data, such as intellectual property, military information, and other sensitive information held by corporate, government, and research entities, threat actors are constantly looking for ways to gain this information.  However, there is another important level of analysis with cancer research, which is based upon principles of transparency, traceability of technical dependencies and data flows, and accountability of medical professionals.  The recent class action lawsuits with Taxotere and Herceptin revealed some very troubling actions on the part of the drug manufacturers responsible for these drugs as well as the medical professionals who failed to inform patients of the side effects of these drugs.  In terms of ethics, this situation raises many questions, including why breast cancer patients were not informed of the very real risk of potentially permanent hair loss with Taxotere and why the same group of cancer patients was not informed of the significant risk posed to heart health by Herceptin.  Do we truly understand the full health impact beyond these noted areas of risk?  Have we truly captured all the residual risk?  Will more negative health consequences continue to reveal themselves over time, and does the legal world need to adjust the statute of limitations for lawsuits in this area and other areas of medicine?  What exactly is the ethical responsibility of the doctor to the patient in terms of full disclosure of side effects with chemotherapy drugs, radiation, and other drugs used with cancer treatment?  What are the legal remedies not only if there is a failure of full disclosure and transparency, but also if the surgeon fails to follow the patient’s request to not install metal surgical clips, for example?
Technological advancements in the era of privacy and security by design have changed the way companies and governments do business, and they have raised the bar for full disclosure and informed consent in the field of medicine.


As we search for better approaches and formulas to measure the full impact of data compromise, and along with it the ethical responsibilities on the part of the entities that use, store, and transmit sensitive data, perhaps we should consider applying the risk management framework from IT security and data protection to the fields of medicine and law.  Not only are patients much more informed on the very real risks posed to their overall health by traditional cancer treatments, but there is also more visibility into the data used in research.  Technology has provided patients with the ability to share experiences, both good and bad, which can increase the accountability and ethical responsibility of the medical community.  As we continue to struggle to understand the ethical implications of the technology that we create, such as with data analytics, artificial intelligence, facial recognition, and Internet of Things (IoT) devices that may measure biometric information, we also need to analyze the ethical responsibility of various data stewards such as doctors and other management stakeholders who use, store, and share sensitive medic