Beruflich Dokumente
Kultur Dokumente
What threats does the health care is “a type of malicious software designed
industry face? to block access to a computer system
The health care industry today faces a new until a sum of money is paid.”¹ While data
threat in the form of cyber-attacks, from breaches can have long-term negative
both internal and external actors. This effects on a huge number of patients, ran-
threat is exacerbated by a lack of institut- somware has the potential to shut down a
ional support from the government. Thus, health care institution, leaving its patients
the burden is now on health care provi- in dire need of medical aid, without any
ders to secure their own data and protect chance of getting the care they need.
their clients. Unfortunately, health care
institutions are uniquely vulnerable, not A cyber-attack can happen in the blink of
only to data breaches, where customer an eye, or more aptly the click of a mouse.
data is com-promised, but also to A mid-level patient records administrator
ransomware, which receives an email inquiring about an
(Continued on page 4)
Three recent health care antitrust cases The Advocate Health and Hershey an extremely adversarial situation where
illustrate the point: FTC v. Advocate cases are just at the beginning of their time was of the essence, only to be
Health Care, et al.; FTC, et al. v. Penn saga: The FTC’s motions for preliminary followed, as ProMedica illustrates, by
State Hershey Medical Center, et al.; injunctions were denied and are on years of litigation and uncertainty.
and ProMedica Health System, Inc. v. expedited appeal, with the prospect
FTC. These cases arose out of chal- of the FTC administrative hearings still Is there a more effective, studied and
lenges by the FTC to hospital mergers ahead. ProMedica is an example of cost-efficient approach to weighing
in the metropolitan Chicago; Hershey, what may lay ahead: The FTC just these interests and resolving the dispute
Pennsylvania; and Lucas County, Ohio, approved ProMedica’s divestiture of to protect the public’s interest in both
areas, respectively. In each case, the nearby St. Luke’s Hospital, finally ending competition and affordable, quality
merging hospitals asserted that the six years of litigation and uncertainty, health care?
merger would produce economic and following an FTC determination (and
health care benefits. In Advocate Health federal court decisions affirming the Courts have recognized that the ap-
Care, the hospitals promised that the FTC) concluding that the transaction pointment of a knowledgeable, neutral
merger would create a new low-cost, violated the antitrust laws. third-party, or a special master, can
high performing network throughout streamline discovery, focus the parties on
the Chicago area, bringing benefits to These cases involve complex issues and key evidence, settle discovery disputes
consumers. In the Hershey case, the interests, in the framework of an evolv- and explore the pros and cons of settle-
hospitals argued that their merger was ing and developing health care system. ment alternatives while keeping an eye
in furtherance of finding innovative Predicting the potential outcomes of a on the various interests. Special masters,
ways to best serve patients and the merger is such a difficult task that it is as discovery masters and settlement
community by providing the “high- unrealistic to expect a judge to under- masters, serve as a knowledgeable
est-quality and most cost-effective care stand all the criticisms of an economet- neutral between the parties and a helpful
possible.” ProMedica did not advance ric study and all the nuances of provid- buffer between the parties and court to
precompetitive benefits as a justification er-payor contracts and then assess what manage discovery plans and assist in
for its merger, but rather the absence is likely to happen in the years following reaching a resolution.
of anticompetitive impact. The FTC’s the merger. Yet in these examples, the
complaints, on the other hand, alleged cases were put before judges with little Special masters are relatively common-
that the mergers would create dominant or no antitrust experience or health care place in many cases in 2016, including
providers of general acute care inpatient expertise, presented by expert teams government environmental cases,
hospital services in the relevant markets of advocates and teams of experts, in desegregation cases, water disputes
and would likely lead to increased health
care costs and reduced quality of care.
employment opportunity. Although sible to back up data in more secure hacked. It is an unfortunate inevitability
he is not expecting any applications, ways and in doing so render most that with the prevalence of cyber-threats,
and he is not a point of contact for cyber-threats harmless, but it is not an any given health care provider will be
employment inquiries, the administrator easy project to undertake. The legal, forced to deal with a cyber-attack. Even
opens the resume anyway. While he is risk, and compliance teams need to the above steps, if performed perfectly,
reviewing the applicant’s credentials, work collaboratively with the IT and in- only mitigate the risk of a cyber-attack.
a cyber-criminal’s malware is delivered formation security groups to understand Thus, health care providers should take
to the hospital’s network. The malware the nuances of the company’s systems steps to prepare themselves for the fall-
quickly captures the administrator’s and develop plans that ensure critical out from a cyber-attack. While incident
login credentials, and because he has data, such as patient records, is both response is critical, as discussed above,
broad administrative rights to company secure and somewhat readily accessible your cyber-insurance provider may be
systems, the malware quickly spreads in the event of a cyber-attack. able assist in developing an incident
across the hospital’s network and response plan. One step that can be
encrypts patient data. In a matter of Cyber-insurance: Even with the two taken to help mitigate legal costs asso-
minutes to hours, patient records are above steps, it is impossible for a health ciated with a cyber-breach is to employ
not available, and health care providers care provider to eliminate the risk of arbitration as a mechanism for dispute
are unable to treat the patients they a cyber-attack, which means provid- resolution.
have and are forced to turn new patients ers should look to cyber-insurance to
away. Law enforcement is called, but mitigate and control its risk exposure. Health care providers can include arbi-
there is no solution. The hospital ends Cyber-insurance is a developing product tration clauses related to cyber-claims in
up on the front page of the next day’s in the insurance marketplace, and due patient agreements, which will allow any
New York Times, and it eventually elects to the complexities of cyberspace, there potential litigants to select an arbitrator
to pay the ransom. is little agreement as to what the product with significant technical experience,
is and what it should cover. Each insur- who will be able to expedite the reso-
How should the health care ance company builds its own product, lution of claims by utilizing his or her
industry respond to these threats? which has led to a largely heterogeneous expertise to cut away many of the pro-
marketplace and makes it nearly im- cedural and technical hurdles that may
Training: The goal of implementing a possible for a non-specialist to make an be present in educating a fact-finder
training program is to change the culture educated comparison of insurance pol- without technical expertise. Arbitration
within a company so that every employ- icies. A lawyer experienced in cyber-in- is not a magic bullet for dealing with cy-
ee believes that information security is surance can be invaluable in assessing ber-attacks, but it is certainly a tool that
their personal responsibility, not just the the coverage of a particular policy and can be utilized to help mitigate time and
responsibility of behind-the-scenes IT matching it to the requirements of the cost, as well as allow the health care
and information security personnel. With company; additionally, certain brokers provider to get back to the valuable work
proper training, the situation described specialize in cyber-insurance. Between of saving people’s lives. •
above never would have occurred. The these two specialists, a health care
employee would have understood that provider will be able to properly control ¹ Malware and Ransomware, Montana Tech,
http://www.mtech.edu/cts/security/malware.
he received a suspicious email, and he and mitigate its risk exposure. Further, it htm.
would have forwarded it to the individu- is important to note that many insurers
als responsible for information security, provide services along with the insur-
who would promptly detect the threat. ance when an incident occurs.
Daniel B. Garrie, Esq.
Backing up and securing data: This What should you do if your is an arbitrator, forensic
sounds simple, but the sophistication of security is breached? neutral and technical
special master at JAMS,
modern attacks threatens the security To paraphrase FBI Director James available in Los Angeles,
of traditional data backups. Even when Comey, there are two kinds of compa- New York and Seattle.
He can be reached at
backing up into the cloud, company nies: those who’ve been hacked and
dgarrie@jamsadr.com.
data still faces some risks. It is pos- those who don’t know they’ve been
Among the most difficult disputes health law practice after years of prac- recovered more than $2.5 billion in
facing participants in the health care tice in white collar criminal prosecution 2010 and $4.6 billion since January
industry are False Claims Act (FCA) and defense work with little 2009 in health care fraud cases.
cases brought by federal or state ADR experience. Several reported recoveries against
agencies (often initiated by relators) pharmaceutical and device companies
for alleged fraud in connection with Some private lawyers in fraud cases have exceeded $100 million. According
payments under government health are skeptical about whether government to the DOJ, “Fighting fraud committed
care programs, including Medicare agencies are genuinely interested in me- against public health care programs
and Medicaid. The high stakes involved diating fraud cases, although anecdotal is a top priority for the Obama Admin-
in these cases is one important reason interviews with both private and govern- istration.” Recent legislative changes
why parties should carefully consider ment lawyers, as well as our experience have enhanced the ability of the federal
attempting settlement through with these cases at JAMS, reflect both government and FCA qui tam relators to
mediation. genuine interest and successful experi- pursue claims:
ences regarding both federal and state
Despite the fact that at least three governments in mediating appropriate • The Affordable Care Act (ACA)
organizations (JAMS, American Arbitra- health fraud cases. § 6402 amended the federal
tion Association and American Health Anti-Kickback Statute to make
Lawyers Association) offer panels of The stakes are high in federal FCA clear that violations of that statute
mediators and arbitrators specializing cases, which can result in civil penalties, can be brought under the FCA.
in health care, there has historically corporate and individual criminal liability
been resistance to mediating health and exclusion from government health • The Fraud Enforcement and
care disputes. One possible explanation care programs. Most states provide for Recovery Act imposed FCA
is that health care lawyers, especially similar liabilities. The U.S. Department liability for overpayments,
in the health fraud bar, have come to of Justice (DOJ) has reported that it expanded the DOJ’s power to