Cyber Security

HIGHLIGHTS

Data Breaches at Hospitals Associated with Thousands of Additional Patient Deaths

CLOUD Act Could Ease Confusion Over International Data Storage Law

Zuckerberg Says Facebook Probe Into Apps Won't Uncover All Data Abuse

Google to Ask Publishers to Get Users' Data Consent in Europe

Editor’s News Picks: Germany wants Facebook answers., Israel wants answers, too., California aims to measure cyber risk.

Advertisement

Commentary & Analysis

Data Breaches at Hospitals Associated with Thousands of Additional Patient Deaths

By Adam Janofsky

Trends in the proportion of heart attack patients who die within 30 days of being admitted to a hospital, based on data from the Centers for Medicare and Medicaid Services. DR. SUNG CHOI

Security specialists have warned that lax cybersecurity at hospitals could lead to patient deaths. One researcher says that’s already happening.

More than 2,100 patient deaths per year are linked to data breaches at hospitals, according to Dr. Sung Choi, a researcher at Vanderbilt University’s Owen Graduate School of Management.

The findings, which were presented Thursday at a cyberrisk quantification conference hosted by Drexel University’s LeBow College of Business in Philadelphia, highlight the need for health-care organizations to invest in cybersecurity and improve their post-breach remediation efforts. They also illustrate how data breaches can compromise the performance of organizations, even if lives aren’t involved.

Data breaches create distractions for doctors that can last years, and these interruptions likely lead to an increase in patient mortality rates, said Dr. Choi.

“A breach triggers remediation activities, regulatory inquiries and litigation in the years following a breach… [these activities] disrupt and delay hospital services, and therefore leads to care quality problems,” said Dr. Choi.

Additionally, costs to fix damages from a data breach might divert resources away from patient care, Dr. Choi added.

The effect of these disruptions was apparent in May 2017, when WannaCry ransomware hit dozens of health-care organizations across England. Some hospitals had to record information using pen and paper and find manual workarounds for a variety of tasks, according to a report from the U.K.’s National Audit Office.

The research presented Thursday used data from the U.S. Department of Health and Human Services and the Centers for Medicare & Medicaid Services to compare patient-care metrics at hospitals that have and have not experienced a data breach. There were 305 hospital breaches that exposed 14 million records between 2012 and 2016, according to HHS data.

One of those care metrics was the proportion of heart attack patients who die within 30 days of being admitted to a hospital. This rate increased by 0.23% one year after a breach and by 0.36% two years after a breach, which represents 2,160 additional patient deaths annually, according to Dr. Choi.

“Before a breach, the control group and breached hospitals are similar, then after a breach there appears some change in trend that made the breach hospitals have worse quality,” said Dr. Choi.

Additionally, hospitals that experienced a breach took a significantly longer time to administer an electrocardiograph to newly admitted patients, which is a common way to measure patient care quality, said Dr. Choi.

Write to Adam Janofsky at adam.janofsky@wsj.com.

CLOUD Act Could Ease Confusion Over International Data Storage Law

By Jeff Stone

Congress this week passed a bill that could resolve some confusion over conflicting international data storage laws.

The Clarifying Lawful Overseas Use of Data Act on Friday passed Congress as part of the omnibus spending bill. The CLOUD Act would amend the Stored Communications Act to force firms to preserve, backup or disclose user communication data, regardless if was stored in or outside of the U.S. The bill next must be approved by the White House, which has supported the legislation.

The issue is at the heart of the legal dispute in Microsoft Corp. v. the Department of Justice, a case before the U.S. Supreme Court in which Microsoft argued U.S. warrants have no jurisdiction over data stored on servers located in Ireland. Both Microsoft and the Department of Justice have endorsed the CLOUD Act.

The bill would resolve confusion in the courts about law enforcement access to data stored in the cloud by removing judges from the process. The bill would authorize the U.S. to enter into direct partnerships with qualifying foreign governments. The agreements would allow the U.S. and its partner nation to obtain wiretaps and surveillance orders on citizens located within each partners’ borders.

The CLOUD Act would help resolve confusion about the application of the Stored Communication Act, and the Electronic Communications Privacy Act, which forbids U.S internet companies from providing user data directly to international governments without the U.S. government’s involvement, said Aaron Cooper, vice president, global policy at the Business Software Alliance, a trade group.

“Legislation like this will provide certainty about what companies are responsible for doing,” said Mr. Cooper. “The biggest problem here is the lack of a clear international framework, and the CLOUD Act is an important first step in achieving that.”

The Microsoft case is one of several that reflect unclear or conflicting international laws.

• A Pennsylvania court last year ordered Alphabet Inc.’s Google to comply with warrants issued under the Stored Communications Act, demanding emails that Google said were stored in “shards” of data in the U.S. and abroad. Google had cited the Microsoft case to argue the Stored Communications Act did not apply to data stored overseas. A Pennsylvania district court upheld the original magistrate judge’s ruling.

• A Brazilian court in February ordered Yahoo Inc. to produce for a criminal court customer emails that were stored outside the country. Yahoo’s Brazilian unit had refused to do so because the emails in question were stored in the U.S.

• Brazilian police in 2016 arrested a Facebook Inc. executive after the company refused to provide data from Facebook’s WhatsApp messaging service to law enforcement. Complying with the order might have put the executive in violation of the Electronic Communication Privacy Act, according former acting undersecretary of commerce Justin Antonipillai.

“It’s literally not possible to comply with all the rules around the world because they are so inconsistent with each other,” said Victoria Espinel, president and chief executive of the Business Software Alliance. “Anyone can appreciate that for companies to take a gamble when complying with one country’s laws versus another can have all sorts of negative impacts.”

The CLOUD Act also would take precedence over the Mutual Legal Assistance Tracking process. Now, foreign law enforcement agencies seeking data from a U.S. company need to file a request with the U.S. Department of Justice, which seeks a warrant and then approaches the company in question, according to Mr. Antonipillai, now CEO of WireWheel, which provides data privacy services.

“It’s a pain, to say the least,” he said. “There is a reason every major tech company is supporting the CLOUD Act.”

Write to Jeff Stone at Jeff.Stone@WSJ.com

Advertisement

More From Dow Jones

Zuckerberg Says Facebook Probe Into Apps Won’t Uncover All Data Abuse

By Deepa Seetharaman

Facebook Chief Executive Mark Zuckerberg said the investigation would cost ‘many millions of dollars.’ JOSH EDELSON/AGENCE FRANCE-PRESSE/GETTY IMAGES

Facebook Inc.’s investigation into outsiders’ handling of its users’ information will help identify and deter bad actors but won’t be able to uncover where all the data ended up and how it is being deployed, Chief Executive Mark Zuckerberg said Thursday.

Facebook will examine tens of thousands of apps that collected large amounts of user data, an effort that may cost “many millions of dollars,” Mr. Zuckerberg said in an interview.

Facebook will dispatch auditors to analyze the servers of developers who scooped up a suspicious amount of data, and interrogate them about their business practices. It isn’t clear how many apps will need audits—which Facebook expects will be most expensive part of the process—and Facebook still doesn’t know whether its investigation will take a matter of months or longer to complete, Mr. Zuckerberg said.

“Like any security precaution, it’s not that this is a bulletproof solve,” Mr. Zuckerberg said. “It’s not that any process by itself is ever going to find every single thing,” but it will be a strong deterrent to stop developers who are “doing bad things” and help Facebook track down what users’ data was mishandled, he added.

“The real point of what we’re trying to do is to make it a lot harder for anybody to misuse the data,” he said.

The comments underscore the challenge confronting Facebook as it seeks to quell a controversy that has knocked its stock price lower and triggered renewed calls for governments to better regulate technology businesses that hold mountains of information about their users. It is notoriously difficult to track down and secure personal information once it has been unleashed online, experts and former Facebook employees say.

Mr. Zuckerberg reiterated his openness to regulation requiring more disclosure about online advertising—an area Facebook is already working on.

“There’s no reason why the internet advertising industry should have a lower transparency standard than print or TV ads,” he said. But he didn’t say other specific areas where Facebook would be open to more regulation.

Over the past 18 months, Facebook has promised to hire more content moderators and security experts to help the company handle its various challenges. Mr. Zuckerberg said the company’s artificial intelligence tools will help Facebook bolster its human-review process.

“Because of the tools that we have...we can get leverage and we hire 20,000, 30,000, 40,000 people and that is a reasonable amount,” he said.

Facebook’s current crisis began last Friday, when it said it was looking into reports that data-analytics firm Cambridge Analytica, which worked with the Trump campaign in 2016, retained Facebook user data obtained by Aleksandr Kogan, a psychology professor at the University of Cambridge, years after the parties certified to Facebook that the records had been expunged.

Mr. Kogan collected the data by creating a personality-quiz app in 2013 that plugged directly into Facebook’s platform.

At the time, the social-media company’s platform allowed outsiders access to extensive data about its users as well as their Facebook connections. By 2015, Facebook had severely restricted the amount of data available to outsiders, but by then app developers like Mr. Kogan already had data about Facebook users in hand.

It isn’t clear how many other developers might have done the same.

Many of the offending apps may no longer exist and it is hard to pin down how much of the data they collected was copied or distributed or where those copies might exist.

Mr. Zuckerberg said, internally, company officials discussed whether “there are enough trained audit teams in the world to go audit the number of apps that were using our platform.”

Write to Deepa Seetharaman at Deepa.Seetharaman@wsj.com

Google Wants Publishers to Get Users’ Consent on Its Behalf to Comply With EU Privacy Law

By Lara O’Reilly

Google is expected to announce steps toward compliance with a new EU data-privacy law as early as this week. Above, a Google Popup Digital Workplace in Amsterdam. BART MAAT/EPA/SHUTTERSTOCK

Alphabet Inc.’s Google will ask web publishers to obtain consent on its behalf to gather personal information on European users and target ads at them using Google’s systems, according to people familiar with the matter, part of a plan to keep up with data-privacy rules in Europe.

Under the European Union’s coming General Data Protection Regulation, global companies will be required in many cases to get user consent to gather personal information, and generally the consent will have to be more explicit. Companies will also be required to be more transparent about the data they collect and how it is used.

Companies found in violation of the sweeping regulation—known as GDPR and set to go into effect May 25—will face fines of up to 4% of their annual global revenue. Google could announce its steps toward compliance for its ad-technology platforms as early as this week, the people familiar with the matter said.

The company will be gathering consent directly from users for data usage on its own properties such as Google.com, Gmail and YouTube. But for third-party websites and apps that use Google’s ad technology to sell ads, the tech giant wants those publishers to be responsible for obtaining consent.

Publishers will be able to use their own permission forms and wording, but Google is asking them to keep consent records and offer users clear instructions for revoking their permission.

Google’s new policy could complicate a compliance process that publishers already find confusing. There is debate in the industry about which types of companies will be required to obtain consent directly from consumers, and what will count as “unambiguous” consent under the new regulations.

Google also plans to offer publishers a way to serve nonpersonalized ads to users who don’t consent to their data being used for ad-targeting, a person familiar with the matter said.

In a statement, Carlo D’Asaro Biondo, president of partnerships at Google for Europe, the Middle East and Africa, said the company already requires publishers and advertisers employing its advertising services to get consent from users to use its services, as stipulated under existing EU law. The GDPR will “further refine those requirements,” he said in a statement.

“We don’t want to stand between publishers and their users. That’s why we are asking our partners to get consent for the way they use our services on their sites,” he said.

Google’s plans come amid heightened sensitivity about the way technology platforms handle consumer data. Revelations that Cambridge Analytica, a data firm with ties to the Trump presidential campaign, improperly accessed and retained data on up to 50 million Facebook users, has put the social-media giant on the defensive, sparking a U.S. regulatory inquiry and an outcry from lawmakers in several countries.

That puts added pressure on Google to get its GDPR strategy right. In January, Deutsche Bank analyst Lloyd Walmsley wrote in a research note that the new European privacy rules could trim Google’s global revenue by 2 percentage points if 30% of European users were to opt out of some data sharing.

“GDPR is on the minds of most of us in the industry,” Sridhar Ramaswamy, Google’s senior vice president of ads and commerce, said Wednesday on stage at an ad-industry conference in London.

Google hasn’t yet briefed many publishers on its new tack. But people with some knowledge of Google’s plans said publishers might be concerned that they will end up having to deal with different procedures among their ad-tech partners.

Under GDPR rules, a “controller” is the company that determines the purposes and means for processing of personal data. A “processor” is a third-party vendor that digests data on behalf of the controller and keeps records of personal data and processing activities. The controller must ensure its processors’ contracts are in compliance.

Google is asking publishers to let it be the “co-controller” of their users’ data, the people familiar with the matter say.

Meanwhile, publishers have been working for months on creating their own systems and policies to comply with GDPR.

Earlier this month, the Interactive Advertising Bureau Europe—a trade association that counts Google among its members—released a GDPR framework for standardizing how publishers gain consent on behalf of all their ad-tech vendors to process user data.

Mr. Ramaswamy said users already have the option in their account settings to disable personalized ads. Google plans to unify the branding from its “My Account” section across its various apps to make it easier for users to access their settings from any webpage or app, he said.

Benjamin Mullin contributed to this article.

Write to Lara O’Reilly at lara.o'reilly@wsj.com

Advertisement

Editor's News Picks

Germany wants Facebook answers. Katarina Barley, Germany’s justice minister, on Thursday called for a meeting with Facebook executives to determine if personal data on any of the country’s 30 million users was accessed by Cambridge Analytica, the London-based consultancy that allegedly tapped the social media giant’s user info to create profiles of American voters in the 2016 federal election, Reuters reports. Ms. Barely said she wanted to know “what Facebook plans to do to prevent this from happening again.” Germany last year passed a law aimed at curbing online hate speech and has launched an anti-trust inquiry into Facebook’s use of personal data.

Israel wants answers, too. Israel is looking into whether Cambridge Analytica’s use of Facebook data infringed upon its citizens’ privacy. The Justice Ministry said Thursday that the probe will determine “whether personal data of Israeli citizens was illegally used in a way that infringes upon their right to privacy and the provisions of the Israeli Privacy Law.” It said that personal data can be used only for the purpose which it was provided and with the consent of the individual.

California aims to measure cyber risk. The California Department of Technology this week announced the release of metrics to provide an apples-to-apples comparison of cybersecurity risk across state agencies, StateScoop reports. The metrics include measurements of risk, threat, impact and maturity, rated on a scale from 0 to 4 based on existing data from audits, anecdotal reports and existing measurement policies. The data will be bundled and passed through an algorithm that allows the state to compare risk levels across agencies, State CIO Peter Liebert said.

Cyber Security