In the context of a DDoS attack impacting Protected Health Information (“PHI”) shared among multiple custodians, while responsibility for data privacy is shared, it ultimately rests with the data owners and holders.
One approach to establishing accountability for privacy violations stemming from information flow during a DDoS attack - Boston Children’s Hospital (“BCH”) - calls for a nuanced application of Helen Nissenbaum’s Contextual Integrity framework. This involves carefully considering the complexity and variability of the contextual constraints that shape an individual’s expectations of privacy regarding how information should flow. For example, because BCH used the same Internet Service Provider (“ISP”) as seven other care institutions, the organized attack shad the potential to bring down multiple pieces of BCH’s critical infrastructure for healthcare. It is important to realize the fact that we have entered an era in which cyber-attacks are not just disruptive and expensive, but also potentially deadly.
When analyzing the DDoS attack on BCH through the lens of Contextual Integrity, it is essential to consider the key actors involved as interrelated power structures. These actors operate within behavior-guiding norms that define their roles, obligations, prerogatives, and privileges – ultimately upholding the integrity of the information-sharing context:
· Patients who share their PHI with healthcare providers in exchange for care inherently expose themselves to significant privacy and security risks.
· Data owners and custodians face the risk of disclosing PHI in ways that may be deemed inappropriate. Within the healthcare context, the appropriateness of information flow is grounded in the fundamental right to privacy - anchored in principles of patient confidentiality, data security, and ethical information governance.
· In the BCH’s case, the initial attack on March 20, 2014, was preceded by a message sent to hospital leadership demanding disciplinary action against specific clinicians and the return of the child to her parents, threatening retaliation if these demands were not met.
· The attackers publicly disclosed the personal information of several individuals involved in the case - including their home and work addresses, email addresses, and phone numbers.
While Contextual Integrity serves as a paradigm-shifting framework, it distinctly highlights the relationship between the appropriateness of information flow and the contextual constraints governing it - elements that stand as the framework’s most defining and insightful contributions:
· Patient Privacy and Confidentiality:
o Health Insurance Portability and Accountability Act (“HIPPA”)
o General Data Protection Regulation (“GDPR”)
o My Health My Data Act (“MHMDA”)
· Data Security
· Interoperability and Data Standards
· Data Governance
By upholding these principles, healthcare organizations can facilitate the secure and ethical flow of information - advancing patient care, enhancing operational efficiency, safeguarding data integrity, and, ultimately, contributing to the preservation of human life.
Despite the healthcare sector’s vulnerability to DDoS attacks—owing to their complexity, sophistication, and rapid execution—the incident at Boston Children’s Hospital underscored the profound impact such cyberattacks can have on patient care. One of the most critical takeaways is the sobering realization that no individual or institution is immune to becoming a target.