12 January 2019

Another fake doctor

Another bogus health practitioner, this time in the US, with reports that Oluwafemi Charles Igberase practised as Dr Charles Akoda before detection and conviction on a federal fraud charge, for which he served six months in prison. Over 200 former patients have now joined a class action against Dimensions Health Corporation, operator of the hospital where they were treated by Igberase posing as an obstetrician and gynaecologist. The litigants claim that the hospital was negligent in hiring and vetting 'Dr Akoda', with patients suffering “humiliation, shame, mortification and other injuries” under his care.

Readers may recall Australian fake practitioner instances, such as Raffaele Di Paolo, Sharobeem and Acharya (discussed in a recent Health Law Bulletin article by myself and Dr Wendy Bonython).

The US litigants claim that Igberase conducted unplanned emergency caesarean section surgeries that were “not medically necessary”, invaded their privacy and, given that patients did not know his real identity, that they were incapable of providing authorisation or consent for medical procedures. The pleading in Russell et al. v. Dimensions Health Corp. (case number 8:17-cv-03106, U.S. District Court for the District of Maryland) centres on the claim that over four years Igberase saw at least 1,000 patients and performed at least 500 caesareans. The plaintiffs allegedly suffered physical pain, emotional anguish, fear, anxiety, embarrassment and other emotional injuries, and plead intentional infliction of emotional distress, battery and negligent entrustment as a result of Dimensions' alleged violations of the standards of care. That is reflected in reference to negligent and grossly negligent hiring, retention, supervision, selection, qualification and credentialing.

The plaintiffs argue that Dimensions, as the entity responsible for patient safety, should have been able to identify and quickly address any misconduct among its doctors, and was negligent in vetting Igberase and letting him practise.
 Dimensions breached its common law duties and the applicable standards of medical practice on an ongoing basis by negligently failing to investigate, credential, qualify, select, monitor and supervise its medical personnel and to discover, stop and report Oluwafemi Charles Igberase, ... 
On information and belief, Oluwafemi Charles Igberase recommended and performed a statistically significant number of unplanned emergency cesarean section surgeries. Many of the unplanned emergency cesarean sections were not medically necessary.
The plaintiffs also argue that in March 2012 the federal government denied Igberase's application to enrol as a Medicare provider after determining that he had not provided an accurate Social Security number. Dimensions should have terminated Igberase at that time, rather than shortly after the commencement of criminal proceedings: "In 2012, Dimensions knew or should have known that the Social Security number provided to Dimensions by Igberase belonged to another person".

US court documents reportedly list 11 pseudonyms used by Igberase, who appears to have been born in Nigeria and entered the US in 1991 on a nonimmigrant visa. It is unclear whether he actually attended and graduated from a medical school before entering the US. During the following six years he apparently fraudulently obtained at least four Social Security numbers using different names and different permanent addresses, and used those fraudulent identities in seeking certification from the US Educational Commission for Foreign Medical Graduates (ECFMG), which certifies overseas medical school graduates before they can pursue graduate medical education in the United States. (Certification includes examinations, and applicants are not permitted to sit them repeatedly.)

Igberase failed the exams on several occasions but in 1993 and 1994 gained certification under different names. Two certifications were revoked after authorities noticed he had used different names and dates in his applications. However in 1998 he gained a separate certification, which he used for a hospital residency program in New Jersey. Officials subsequently suspended him after realising he had used a false Social Security number and birth date.

Using fake ID he then gained a residency in gynaecology and obstetrics at Howard University in Washington, completing his residency at Prince George’s Hospital Center and gaining a medical license from the Maryland Board of Physicians in September 2011.

In practice over several years - relying on a medical license not in his legal name - Igberase performed physical examinations, made formal diagnoses, read sonograms, made birth plans and performed caesareans. The hospital appears to have responded by stating that Igberase's conduct failed to meet its expectations regarding "sound moral character" but that his credentials and experience appeared valid, with "Several highly reliable agencies [having] validated his credentials including the states in which he held medical licenses". The hospital is "exploring many aspects of this case, researching records, and evaluating processes and procedures upon which we rely to validate information".

 The court in the 2016 federal fraud trial found that Igberase had forged or altered his medical diploma, medical transcripts and letters of recommendation in addition to use of a fake passport, visa, birth certificate and immigration documents. The Justice Department's November 2016 media release thus states
A search warrant executed at Igberase’s residence recovered a false social security card in the Akoda name, a false Nigerian passport for Akoda, a false U.S. visa in the Akoda name, and fraudulent or altered documents related to immigration, medical diplomas, medical transcripts, letters of recommendation and birth certificates.
In its 2017 motion to dismiss the class action Dimensions argued that the hospital owed the plaintiffs no legal duty to ensure Igberase was not using an assumed name or a fake Social Security number. Moreover, the plaintiffs had failed to show that a reasonable vetting would have provided a basis for rejecting his employment application. Any emotional harm allegedly experienced by the plaintiffs was not caused by learning that Igberase had used a fake name, and his conduct did not put patient safety at risk.
Whether Dr. Akoda practiced under his 'real' name of Igberase or whether he used a Social Security number that did or did not belong to him has nothing at all to do with patient safety ... [Use of false identifiers does not] transform routine prenatal, labor and delivery care into an invasion of the patient's privacy. 
As Shakespeare wrote over 400 years ago, 'What's in a name? That which we call a rose by any other word would smell as sweet.' Whether the patients knew him as 'Akoda' or 'Igberase,' both names denote the exact same person, and that person was a licensed physician, who was experienced and competent in the practice of obstetrics and gynecology.
The privacy claim states that Igberase
intruded upon the solitude, seclusion or private affairs and concerns of named plaintiffs and class members by viewing private areas of each patient's body performing medical procedures on each patient, inserting his extremities inside each patient, performing surgical procedures on patients and other boundary violations all without authorization or consent.

11 January 2019

Manipulation

'Online Manipulation: Hidden Influences in a Digital World' by Daniel Susser, Beate Roessler and Helen Nissenbaum comments
 Privacy and surveillance scholars increasingly worry that data collectors can use the information they gather about our behaviors, preferences, interests, incomes, and so on to manipulate us. Yet what it means, exactly, to manipulate someone, and how we might systematically distinguish cases of manipulation from other forms of influence — such as persuasion and coercion — has not been thoroughly enough explored in light of the unprecedented capacities that information technologies and digital media enable. In this paper, we develop a definition of manipulation that addresses these enhanced capacities, investigate how information technologies facilitate manipulative practices, and describe the harms — to individuals and to social institutions — that flow from such practices. 
We use the term “online manipulation” to highlight the particular class of manipulative practices enabled by a broad range of information technologies. We argue that at its core, manipulation is hidden influence — the covert subversion of another person’s decision-making power. We argue that information technology, for a number of reasons, makes engaging in manipulative practices significantly easier, and it makes the effects of such practices potentially more deeply debilitating. And we argue that by subverting another person’s decision-making power, manipulation undermines his or her autonomy. Given that respect for individual autonomy is a bedrock principle of liberal democracy, the threat of online manipulation is a cause for grave concern.

The Complementary Medicine Taskforce: A Homeopathic Consultation?

Homeopathic products purport to cure a range of general or specific ills through pills, potions, liniments and other 'medications' in which the claimed active ingredient is undetectable. The Commonwealth appears to have adopted a homeopathy model for consultation about labelling of complementary medicine products: the consultation is being done quickly and privately, without public engagement with consumers or independent health experts, and potentially without much benefit for consumers.

Last month the national Minister for Industry, Science and Technology, Karen Andrews, announced the Complementary Medicine Taskforce: a review of "the impact of recent consumer law changes on the complementary healthcare sector".

The announcement is pitched as helping to meet consumer demand for more information on where products are made, after changes to the Australian Consumer Law and Country of Origin Labelling requirements last year.

After controversy last year about adulteration and labelling of products such as honey ('Australian' honey apparently need not contain much material from Australian bees, or indeed much honey as distinct from beet or cane syrup) and fish oil, you might expect the review to be concerned with looking after consumers. Apparently not; it is concerned with exports (typically by overseas-owned groups).

The announcement states
 "The Morrison Government is committed to helping local industry tap into our export markets, and ensuring our business community has opportunities to sell more products overseas," Minister Andrews said. 
"We’re helping Australian businesses sell more of their high-quality products and services to overseas consumers, helping these businesses expand and employ more staff, driving economic growth." 
"The Morrison Government has heard the strong industry representations on this issue, and this Taskforce will assist our manufacturers by enabling further consideration and assessment of industry concerns." 
The law change has led to some complementary healthcare producers no longer being able to claim their product is made in Australia or carry the Australian Made, Australian Grown logo. This logo is widely recognised in export markets and promotes Australian high-quality products. 
Minister Andrews said it’s important for all industry stakeholders and consumer groups to understand "Made in Australia" and use of the logo. 
"The Taskforce will examine the impact of changes to Country of Origin Labelling laws on manufacturers of vitamins, minerals and supplements and their origin claims," Minister Andrews said. 
"The complementary healthcare sector in particular is an important and growing contributor to our economic prosperity. The industry employs around 29,000 people and estimates show that exports currently exceed $1.2 billion. "We are proud of the quality of Australian made products and want to ensure the regulatory environment facilitates these products being exported into global markets."
The industry is of course also a major donor to political parties and affiliates.

The announcement states that the taskforce is expected to report to government in early 2019.

The review's Terms of Reference apparently have not been released publicly.

They appear to be as follows, noting rebadging of the review as the "Complementary Healthcare Sector Country of Origin Labelling (CoOL) Taskforce":
1. Background 
The purpose of the Complementary Healthcare Sector Country of Origin Labelling (CoOL) Taskforce (the Taskforce) is to examine concerns raised by the Complementary Healthcare Sector (the Sector) about changes to the use of the ‘Australian Made, Australian Grown’ (AMAG) logo, and investigate options that may address these concerns while maintaining consumer confidence in the authenticity of ‘Made in Australia’ claims. 
The Sector reports that a rapid increase in international sales of vitamins, minerals and supplements has led to greater domestic investment and job creation. The Sector has identified that claiming Australian origin and using the AMAG logo is a key marketing advantage when selling into both domestic and export markets. 
The overall sector revenue is reported by industry as $4.9 billion in 2017 across 82 Australian-based manufacturers. Industry representatives say that if a significant reduction in sales occurs in export markets, impacts could include reduced employment and growth in the sector. 
The AMAG logo is licensed to industry by Australian Made Campaign Limited (AMCL) in accordance with the Deed of Assignment between the Commonwealth of Australia and AMCL and the AMAG Logo Code of Practice (certified trade mark rules). The AMAG logo can only be licensed for products that are consistent with Australian Consumer Law (ACL) safe harbour defences. 
The February 2017 changes to the substantial transformation test under the ACL, meant for claims of ‘Made in Australia’ to qualify for the relevant ACL safe harbour defences, a new product with imported ingredients needs to be fundamentally different in identity, nature or essential character from the imported ingredients. 
The Australian Competition and Consumer Commission’s (ACCC) guide to the Sector in March 2018 outlined a number of production scenarios that the ACCC considers likely to either meet or not meet safe harbour defences. The Sector is concerned that many of its products will not meet the ACCC’s interpretation of substantial transformation and therefore will not be allowed to use the AMAG logo. 
2. Purpose 
The Taskforce will consider and assess reported impacts on the Sector of the changes to the substantial transformation test under the ACL. Both industry and consumer interests will be considered in this process. 
3. Scope 
The Taskforce shall:
1. Assess how the current CoOL policy framework, including ACCC guidance regarding the substantial transformation test, interacts with the complementary healthcare sector. This shall include reporting on industry concerns about how this policy and guidance may be impacting upon business decisions within both the Sector, and AMCL in licensing use of the AMAG logo. 
2. Assess the commercial impacts of the current substantial transformation test under the ACL on the complementary healthcare sector regarding products generally referred to as vitamins, minerals and supplements. 
3. Assess Australian consumer expectations relating to suggested changes by the Sector regarding rules governing the use of the AMAG logo. This will include consideration of impacts on consumer choices in purchasing products, and the need to protect and ensure the integrity of Australian made claims and the AMAG logo. 
4. Give consideration to broader market or industry impacts regarding CoOL and AMAG logo use beyond the complementary healthcare sector. 
5. Identify appropriate next steps for responding to the Sector’s concerns 
4. Membership 
The Taskforce will comprise representatives from the:
1. Department of Industry, Innovation and Science; 
2. Department of the Prime Minister and Cabinet; 
3. Treasury; 
4. Department of Foreign Affairs and Trade/ AusTrade; 
5. Department of Agriculture and Water Resources; 
6. Therapeutic Goods Administration; 
7. Department of Health; and 
8. Australian Competition and Consumer Commission. 
In conducting its activities the Taskforce will consult with:
- Relevant State Government agencies; 
- Complementary Medicines Australia; 
- manufacturers within the complementary healthcare sector; 
- other industry stakeholders with an interest in ‘Made in Australia’ claims 
- consumer organisations; 
- Australia Made Campaign Ltd; and 
- other agencies and/or stakeholders as required. 
5. Operations 
The Taskforce:
1. Will meet as required. If required, members can ask the chair to hold additional meetings, providing at least two weeks’ notice is given. 
2. Will meet via teleconference with the option to meet in person if appropriate. Members may (on agreement with the Chair) undertake work out-of-session to inform and support the deliberations of the Taskforce. 
The Department of Industry will provide the Chair and Secretariat for the Taskforce. 
Members will contribute professional knowledge and expertise to discussions of the Taskforce. 
Members may be requested to contribute data to establish an evidence base for the Taskforce to consider options. 
Some sales, employment or marketing data (or other commercial information) relevant to Taskforce deliberations may be commercial-in-confidence. The Taskforce will seek advice as appropriate to manage the confidentiality of data provided to the group. 
The Taskforce may draw upon the expertise of non-members to inform the discussions of the group on an ad-hoc basis. The Chair will consider and approve such requests. The Chair will consider for approval requests for the attendance of non-members (outside of the Secretariat) at Taskforce meetings. 
6. Deliverables 
The Taskforce shall provide Government with a report addressing each of the issues identified for examination within scope for the Taskforce. The Taskforce will provide advice to Government by the end February 2019. 
7. Review and reporting 
Members of the Taskforce will have scope to review and comment on the final report. The final report will be delivered to the Minister for the Department of Industry, Innovation and Science and the Assistant Treasurer.
What we have here is a review with no commitment to releasing a report on a timely basis, bearing in mind the Government's recalcitrance about releasing the report of the review of pharmaceuticals a few years ago. We might hope that the Government's stated commitment to 'Open Government' is given effect through early release of the report and of details of the concerns voiced by the sector.

It is a review that is weighted towards industry; consumer advocates and other health advocates appear as an afterthought, particularly given
  • the limited publicity about the review 
  • non-release of the Terms of Reference 
  • non-release of indications of how advocates can engage with the review. 
We might be asking a more challenging question: should governments be encouraging domestic and overseas consumption of products that are often expensive and therapeutically unnecessary but replete with the puffery that delights consumer law scholars and attracts attention from the ACCC? Some examples are here, here and here.

Among the literature see  'Commercialism, choice and consumer protection: regulation of complementary medicines in Australia' by Harvey, Korczak, Marron and Newgreen in (2008) 188(1) Medical Journal of Australia 21-25, Vitamania: Vitamins in American Culture (New Jersey: Rutgers University Press 1996) by Rima Apple, 'Dietary Supplements: Can the Law Control the Hype' by Iona Kaiser in (2000) 37 Houston Law Review 1249-1277, 'The effectiveness of popular, non-prescription weight loss supplements' by Egger, Cameron-Smith and Stanton in (1999) 171(11) Medical Journal of Australia 604-608 and 'Truth and Consequences: The Perils of Half-Truths and Unsubstantiated Health Claims for Dietary Supplements' by Vladeck in (2000) 19(1) Journal of Public Policy & Marketing 132-138.

Singapore Population-scale Data Breach

The Public Report of the Committee of Inquiry (COI) into the cyber attack on the Singapore Health Services Private Limited patient database considers the "events and contributing factors leading to the cyber attack on Singapore Health Services Private Limited patient database system". SingHealth suffered a population-scale health data breach spanning 2017 and 2018: initial compromise in August 2017, with patient records exfiltrated in June and July 2018.

The damning 454 page public report states 
Between 23 August 2017 and 20 July 2018, a cyber attack (the “Cyber Attack”) of unprecedented scale and sophistication was carried out on the patient database of Singapore Health Services Private Limited (“SingHealth”). The database was illegally accessed and the personal particulars of almost 1.5 million patients, including their names, NRIC numbers, addresses, genders, races, and dates of birth, were exfiltrated over the period of 27 June 2018 to 4 July 2018. Around 159,000 of these 1.5 million patients also had their outpatient dispensed medication records exfiltrated. The Prime Minister’s personal and outpatient medication data was specifically targeted and repeatedly accessed. 
The crown jewels of the SingHealth network are the patient electronic medical records contained in the SingHealth Sunrise Clinical Manager (“SCM”) database. The SCM is an electronic medical records software solution, which allows healthcare staff to access real-time patient data. The SCM system can be seen as comprising front-end workstations, Citrix servers, and the SCM database. Users would access the SCM database via Citrix servers, which operate as an intermediary between front-end workstations and the SCM database. The Citrix servers played a critical role in the Cyber Attack. 
At the time of the Cyber Attack, SingHealth was the owner of the SCM system. Integrated Health Information Systems Private Limited (“IHiS”) was responsible for administering and operating the system, including implementing cybersecurity measures. IHiS was also responsible for security incident response and reporting. 
The Committee’s Terms of Reference (“TORs”) include (i) establishing the events and contributing factors leading to the Cyber Attack and the exfiltration of patient data (“TOR #1”), and (ii) establishing how IHiS and SingHealth responded to the Cyber Attack (“TOR #2”). The Committee’s findings on these TORs are set out in Parts III-VI of the main report. 
In the present section, the Committee will first provide a summary of the key events of the Cyber Attack and the incident response by IHiS and SingHealth. The Committee will then present five Key Findings in respect of TORs #1 and #2. 
The attacker gained initial access to SingHealth’s IT network around 23 August 2017, infecting front-end workstations, most likely through phishing attacks. The attacker then lay dormant for several months, before commencing lateral movement in the network between December 2017 and June 2018, compromising a number of endpoints and servers, including the Citrix servers located in SGH, which were connected to the SCM database. Along the way, the attacker also compromised a large number of user and administrator accounts, including domain administrator accounts. 
Starting from May 2018, the attacker made use of compromised user workstations in the SingHealth IT network and suspected virtual machines to remotely connect to the SGH Citrix servers, and tried unsuccessfully to access the SCM database from the SGH Citrix servers.  
IHiS’ IT administrators first noticed unauthorised logins to the Citrix servers and failed attempts at accessing the SCM database on 11 June 2018. Similar malicious activities were detected on 12, 13, and 26 June 2018. Unknown to them, the attacker had obtained credentials to the SCM database on 26 June 2018. Starting from 27 June 2018, the attacker began querying the SCM database, stealing and exfiltrating patient records, and doing so undetected by IHiS. 
On 4 July 2018, an IHiS administrator for the SCM system noticed suspicious queries being made on the SCM database. Working with other IT administrators, ongoing suspicious queries were terminated, and measures were put in place to prevent further queries to the SCM database. These measures proved to be successful, and the attacker could not make any further successful queries to the database after 4 July 2018. 
Between 11 June and 9 July 2018, the persons who knew of and responded to the incident were limited to IHiS’ line-staff and middle management from various IT administration teams, and the security team. On 9 July 2018, IHiS senior management were finally informed of the matter. On 10 July 2018, the matter was escalated to the Cyber Security Agency of Singapore (“CSA”), SingHealth’s senior management, the Ministry of Health (“MOH”), and the Ministry of Health Holdings (“MOHH”). 
Starting from the night of 10 July 2018, IHiS and CSA carried out joint investigations and remediation. Several measures aimed at containing the existing threat, eliminating the attacker’s footholds, and preventing recurrence of the attack were implemented. In view of further malicious activities on 19 July 2018, internet surfing separation was implemented for SingHealth on 20 July 2018. No further suspicious activity was detected after 20 July 2018. 
After being notified of the Cyber Attack, SingHealth’s senior management, in consultation with MOH, IHiS, CSA, and the Ministry of Communications and Information, began making plans for a public announcement, and for patient outreach and communications. 
The public announcement was made on 20 July 2018, and patient outreach and communications commenced immediately thereafter. SMS messages were used as the primary mode of communication, in view of the need for quick dissemination of information on a large scale. Other modes of communication included letters, telephone hotlines, and various online channels. In total, SingHealth intended to contact 2.16 million patients. At the time of the Inquiry, 2.9% of the patients could not be contacted despite SingHealth’s efforts. 
The Committee has made numerous findings in respect of TORs #1 and #2. From these findings, the Committee has identified five Key Findings. 
Key Finding #1: IHiS staff did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack
  • A number of IHiS’ IT administrators are commended by the Committee for their vigilance in noticing suspicious activity, such as unauthorised logins to the Citrix servers, suspicious attempts at logging in to the SCM database, presence of unauthorised software, and suspicious queries being run on the SCM database. 
  • However, these same IT administrators could not fully appreciate the security implications of their findings, and were unable to co-relate these findings with the tactics, techniques, and procedures (“TTPs”) of an advanced cyber attacker. 
  • They were also not familiar with the relevant IT security policy documents and the need to escalate the matter to CSA. There was also no incident reporting framework in place for the IT administrators. 
  • Members of the Security Management Department, Computer Emergency Response Team, and senior members of IHiS’ management were similarly unable to fully appreciate the security implications of the findings. 
Key Finding #2: Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack
  • The Security Incident Response Manager (“SIRM”) and Cluster Information Security Officer (“Cluster ISO”) for SingHealth, who were responsible for incident response and reporting, held mistaken understandings of what constituted a ‘security incident’, and when a security incident should be reported. 
  • The SIRM delayed reporting because he felt that additional pressure would be put on him and his team once the situation became known to management. 
  • The evidence also suggests that the reluctance to escalate the matter may have come from a belief that it would not reflect well in the eyes of the organisation if the matter turned out to be a false alarm. 
  • The Cluster ISO did not understand the significance of the information provided to him, and did not take any steps to better understand the information. Instead, he effectively abdicated to the SIRM the responsibility of deciding whether to escalate the incident. 
Key Finding #3: There were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and SCM system that contributed to the attacker’s success in obtaining and exfiltrating the data, many of which could have been remedied before the attack
  • A significant vulnerability was the network connectivity (referred to in these proceedings as an “open network connection”) between the SGH Citrix servers and the SCM database, which the attacker exploited to make queries to the database. The network connectivity was maintained for the use of administrative tools and custom applications, but there was no necessity to do so. 
  • The SGH Citrix servers were not adequately secured against unauthorised access. Notably, the process requiring 2-factor authentication (“2FA”) for administrator access was not enforced as the exclusive means of logging in as an administrator. This allowed the attacker to access the server through other routes that did not require 2FA. 
  • There was a coding vulnerability in the SCM application which was likely exploited by the attacker to obtain credentials for accessing the SCM database. 
  • There were a number of other vulnerabilities in the network which were identified in a penetration test in early 2017, and which may have been exploited by the attacker. These included weak administrator account passwords and the need to improve network segregation for administrative access to critical servers such as the domain controller and the Citrix servers. Unfortunately, the remediation process undertaken by IHiS was mismanaged and inadequate, and a number of vulnerabilities remained at the time of the Cyber Attack. 
Key Finding #4: The attacker was a skilled and sophisticated actor bearing the characteristics of an Advanced Persistent Threat group
  • The attacker had a clear goal in mind, namely the personal and outpatient medication data of the Prime Minister in the main, and also that of other patients. 
  • The attacker employed advanced TTPs, as seen from the suite of advanced, customised, and stealthy malware used, generally stealthy movements, and its ability to find and exploit various vulnerabilities in SingHealth’s IT network and the SCM application. 
  • The attacker was persistent, having established multiple footholds and backdoors, carried out its attack over a period of over 10 months, and made multiple attempts at accessing the SCM database using various methods. 
  • The attacker was a well-resourced group, having an extensive command and control network, the capability to develop numerous customised tools, and a wide range of technical expertise. 
Key Finding #5: While our cyber defences will never be impregnable, and it may be difficult to prevent an Advanced Persistent Threat from breaching the perimeter of the network, the success of the attacker in obtaining and exfiltrating the data was not inevitable
  • A number of vulnerabilities, weaknesses, and misconfigurations could have been remedied before the attack. Doing so would have made it more difficult for the attacker to achieve its objectives. 
  • The attacker was stealthy but not silent, and signs of the attack were observed by IHiS’ staff. Had IHiS’ staff been able to recognise that an attack was ongoing and take appropriate action, the attacker could have been stopped before it achieved its objectives.
The Committee’s recommendations are prefaced with the comment that
The Committee’s TORs also include recommending measures to (i) enhance the incident response plans for similar incidents (“TOR #3”); (ii) better protect SingHealth’s patient database system against similar cyber attacks (“TOR #4”); and (iii) reduce the risk of such cyber attacks on public sector IT systems which contain large databases of personal data, including in the other public healthcare clusters (“TOR #5”). The Committee’s recommendations on these TORs are set out in Part VII of the main report. 
The Committee makes sixteen recommendations, comprising seven Priority Recommendations and nine Additional Recommendations, all of which have been explored and examined in great detail. 
The seven Priority Recommendations include strategic and operational measures to uplift the cybersecurity posture of SingHealth and IHiS, and steps must be taken to implement these Priority Recommendations immediately. The nine Additional Recommendations relate to other specific concerns raised in the course of this Inquiry, including technical, organisational, training, and process-related issues. The measures, which are similarly aimed at uplifting the cybersecurity posture of SingHealth and IHiS, must be implemented or seriously considered. 
All sixteen recommendations are made in respect of TORs #3 and #4, and apply equally to TOR #5. They range from basic cyber hygiene measures to more advanced measures which may be more relevant after a certain level of cybersecurity maturity has been attained by the organisation. 
While some measures may seem axiomatic, the Cyber Attack has shown that these were not implemented effectively by IHiS at the time of the attack. For IHiS, SingHealth, and other organisations responsible for large databases of personal data, getting the fundamentals right is a necessary and vital step in building cybersecurity competencies and the ability to counter the real, present, and constantly evolving cybersecurity threats.
The Priority Recommendations are -
Recommendation #1: An enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions
  • Cybersecurity must be viewed as a risk management issue, and not merely a technical issue. Decisions should be deliberated at the appropriate management level, to balance the trade-offs between security, operational requirements, and cost. 
  • IHiS must adopt a “defence-in-depth” approach. Gaps between policy and practice must be addressed. 
Recommendation #2: The cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats
  • Identify gaps in the cyber stack by mapping layers of the IT stack against existing security technologies. 
  • Gaps in response technologies must be filled by acquiring endpoint and network forensics capabilities. 
  • The effectiveness of current endpoint security measures must be reviewed to fill the gaps exploited by the attacker. 
  • Network security must be enhanced to disrupt the ‘Command and Control’ and ‘Actions on Objective’ phases of the Cyber Kill Chain. 
  • Application security for email must be heightened. 
Recommendation #3: Staff awareness on cybersecurity must be improved, to enhance capacity to prevent, detect, and respond to security incidents
  • The level of cyber hygiene among users must continue to be improved. 
  • A Security Awareness Programme should be implemented to reduce organisational risk. 
  • IT staff must be equipped with sufficient knowledge to recognise the signs of a security incident in a real-world context. 
Recommendation #4: Enhanced security checks must be performed, especially on CII systems
  • Assessments must be conducted regularly. 
  • Safety reviews, evaluation, and certification of vendor products must be carried out where feasible. 
  • Penetration testing must be conducted regularly. 
  • Red teaming should be carried out periodically. 
  • Threat hunting must be considered. 
Recommendation #5: Privileged administrator accounts must be subject to tighter control and greater monitoring
  • An inventory of administrative accounts should be created to facilitate rationalisation of such accounts. 
  • All administrators must use two-factor authentication when performing administrative tasks. 
  • Use of passphrases instead of passwords should be considered to reduce the risk of accounts being compromised. 
  • Password policies must be implemented and enforced across both domain and local accounts. 
  • Server local administrator accounts must be centrally managed across the IT network. 
  • Service accounts with high privileges must be managed and controlled. 
Recommendation #6: Incident response processes must be improved for more effective response to cyber attacks
  • To ensure that response plans are effective, they must be tested with regular frequency. 
  • Pre-defined modes of communication must be used during incident response. 
  • The correct balance must be struck between containment, remediation, and eradication, and the need to monitor an attacker and preserve critical evidence. 
  • Information and data necessary to investigate an incident must be readily available. 
  • An Advanced Security Operation Centre or Cyber Defence Centre should be established to improve the ability to detect and respond to intrusions. 
Recommendation #7: Partnerships between industry and government to achieve a higher level of collective security
  • Threat intelligence sharing should be enhanced. 
  • Partnerships with Internet Service Providers should be strengthened. 
  • Defence beyond borders – cross-border and cross-sector partnerships should be strengthened. 
  • Using a network to defend a network – applying behavioural analytics for collective defence.
Additional recommendations are
Recommendation #8: IT security risk assessments and audit processes must be treated seriously and carried out regularly
  • IT security risk assessments and audits are important for ascertaining gaps in an organisation’s policies, processes, and procedures. 
  • IT security risk assessments must be conducted on CII and mission-critical systems annually and upon specified events. 
  • Audit action items must be remediated. 
Recommendation #9: Enhanced safeguards must be put in place to protect electronic medical records
  • A clear policy on measures to secure the confidentiality, integrity, and accountability of electronic medical records must be formulated. 
  • Databases containing patient data must be monitored in real-time for suspicious activity. 
  • End-user access to the electronic health records should be made more secure. 
  • Measures should be considered to secure data-at-rest. 
  • Controls must be put in place to better protect against the risk of data exfiltration. 
  • Access to sensitive data must be restricted at both the front-end and at the database-level. 
Recommendation #10: Domain controllers must be better secured against attack
  • The operating system for domain controllers must be more regularly updated to harden these servers against the risk of cyber attack. 
  • The attack surface for domain controllers should be reduced by limiting login access. 
  • Administrative access to domain controllers must require two-factor authentication. 
Recommendation #11: A robust patch management process must be implemented to address security vulnerabilities
  • A clear policy on patch management must be formulated and implemented. 
  • The patch management process must provide for oversight with the reporting of appropriate metrics. 
Recommendation #12: A software upgrade policy with focus on security must be implemented to increase cyber resilience
  • A detailed policy on software upgrading must be formulated and implemented. 
  • An appropriate governance structure must be put in place to ensure that the software upgrade policy is adhered to. 
Recommendation #13: An internet access strategy that minimises exposure to external threats should be implemented
  • The internet access strategy should be considered afresh, in the light of the Cyber Attack. 
  • In formulating its strategy, the healthcare sector should take into account the benefits and drawbacks of internet surfing separation and internet isolation technology, and put in place mitigating controls to address the residual risks. 
Recommendation #14: Incident response plans must more clearly state when and how a security incident is to be reported
  • An incident response plan for IHiS staff must be formulated for security incidents relating to Cluster systems and assets. 
  • The incident response plan must clearly state that an attempt to compromise a system is a reportable security incident. 
  • The incident response plan must include wide-ranging examples of security incidents, and the corresponding indicators of attack. 
Recommendation #15: Competence of computer security incident response personnel must be significantly improved
  • The Computer Emergency Response Team must be well trained to more effectively respond to security incidents. 
  • The Computer Emergency Response Team must be better equipped with the necessary hardware and software. 
  • A competent and qualified Security Incident Response Manager who understands and can execute the required roles and responsibilities must be appointed. 
Recommendation #16: A post-breach independent forensic review of the network, all endpoints, and the SCM system should be considered
  • IHiS should consider working with experts to ensure that no traces of the attacker are left behind.
In relation to the implementation of its recommendations the Committee states
IHiS and SingHealth should give priority to implementing the recommendations. Adequate resources and attention must be devoted to their implementation, and there must be appropriate oversight and verification of their implementation. Most importantly, implementation of the recommendations requires effective and agile leadership from senior management, and necessary adjustments to organisational culture, mindset, and structure. 
These imperatives apply equally to all organisations responsible for large databases of personal data. We must recognise that cybersecurity threats are here to stay, and will increase in sophistication, intensity, and scale. Collectively, these organisations must do their part in protecting Singapore’s cyberspace, and must be resolute in implementing these recommendations.

10 January 2019

Liability for injury to prisoners

Australian states have come to acknowledge some responsibility for injury to inmates in correctional institutions. In R v Fern (1989) 51 SASR 273, an appeal against the sentence for a sexual assault on a fellow prisoner, King CJ noted that prisoners are not outside the law and commented that the Court
has a very serious responsibility to extend what protection it can to persons who are incarcerated by force of law in penal institutions. Those people have no choice about being there; they are sent there by the courts as punishment for their crimes. They are entitled to serve their punishment free of abuse and indignity and interference with their basic rights as human beings. 
In Hartwick v State of Victoria [2018] VCC 2187, currently attracting some attention from the mass media, the Supreme Court has awarded damages to a prisoner injured by a peer while on remand in Victoria's Metropolitan Assessment Prison. The state government had admitted liability.

The judgment states
On 12 January 2015 the plaintiff, Dylan Hartwick, was arrested in relation to assault related offences and was held in custody. On 16 January 2015 he was transferred to the Metropolitan Assessment Prison (“MAP”). 
On 17 January 2015, whilst still in custody at MAP, Mr Hartwick was allocated to a three bed shared cell. 
On 19 January 2015 another prisoner with a known history of mental instability and a potential for erratic and aggressive behaviour (“the assailant”) was placed in the cell with Mr Hartwick and another prisoner. 
In the early hours of 20 January 2015 Mr Hartwick was assaulted by the assailant. The nature of the assault involved the assailant stabbing the plaintiff multiple times in the face, head and arm with a metal butter knife, causing bleeding and requiring medical treatment. 
Mr Hartwick claims that the assault occasioned upon him and his injuries were a result of negligence on behalf of the State of Victoria, the named defendant. 
The defendant has admitted negligence and the matter before me proceeded as an assessment of damages. The parties have agreed that the assessment would be specifically limited to general damages only. There was little dispute between the parties as to the nature of the initial physical injuries sustained by the plaintiff. 
Mr Hartwick additionally claims damages in relation to the non-organic consequences flowing from the assault. The extent of these consequences and the question of causation was largely the area of dispute.
Further
Mr Hartwick gave evidence concerning his assault while in the prison. He described being in a three person cell, initially with an older man who was transferred before the assault occurred. On the afternoon prior to his assault two other prisoners were transferred into his cell, including the assailant who eventually attacked him. 
Mr Hartwick described the behaviour of his assailant after lock-down on the evening before the assault:
... initially when we got locked down he was pacing, talking about satellites and bombs and terrorists and young girls in wheelchairs. Me and the other fellow were having a bit of a chat and trying to watch the TV show. So we asked him politely if he could settle down a bit and if he wanted to watch the show. He then sat on his bed with his head facing the wall, headbutting the wall continuously ...
Mr Hartwick described being woken by an intercom in the cell the following morning at what he believed to be about 7.30. He then stated:
So I dozed off back to sleep and then I woke up to a huge scream, like a shriek, and I looked up and he was stabbing me in the eyes... . I heard this huge scream, it was like a shriek, I looked up, he was stabbing me in the eyes with the butter knife. I managed to get up out of the bed and put my right arm above my head. ... my vision in my right eye was gone because when he stabbed me the right eye was fully closed, and the left eye, he had already got me above in eye on the eyelid and below the eye, so I had the right arm up. He did get me with the knife a couple of times on the arm. As I got up there was some scratch marks. ... So I had the right arm up and then I could wipe my left eye and probably get about two or three seconds vision before the blood would run back into it. I think it was at that time that he got me somehow in the side of the head, there were two in the side, two at the back and a big one on the top. (Mr Hartwick indicated the left side of his head). 
Mr Hartwick described being assisted by the third prisoner in the cell before prisoner officers arrived and subdued his assailant. He was taken to a reception part of the prison and then by ambulance to Royal Melbourne Hospital. He believed he remained there for two or three nights. He recalls having stitches in both eyelids and staples on the top and back of his scalp. 
After being discharged from hospital, Mr Hartwick remained in prison for approximately another eight days before he was granted bail. During that time he initially shared a cell with another prisoner, who he described as “a really nice guy.”
As one student commented, you don't go to prison to get 'done over with a butter knife' and headlines such as that in The Age ("Man who assaulted ex-wife wins $125,000 payout after prison stabbing") are problematical.

Hartwick argued the state of Victoria was negligent in its duty of care to him by placing him in a cell with a man who was “mentally unstable, acutely disturbed, behaving erratically and posed a foreseeable risk of harm”.

08 January 2019

Competition

'Online Digital Services And Competition Law: Why Competition Authorities Should be More Concerned About Portability Rather than About Privacy' by Stefano Lucchini, Jacques Moscianese, Irene de Angelis and Fabrizio Di Benedetto in (2018) 9(9) Journal of European Competition Law and Practice 563–568 comments
In her highly quoted dissenting opinion in the Google/DoubleClick case in 2007, Commissioner Jones Harbour of the Federal Trade Commission (FTC) – citing Professor Swire’s testimony – included privacy as a non-price dimension of competition, assuming that (in the field of search engines) undertakings compete (also) on ‘privacy protections or related non-price dimensions’.
As Professor Swire argued two years later, non-price (or qualitative) dimensions of competition would have been important for online markets in the coming years, including privacy, considering that already in 2009, some online companies had competing announcements for why each of their services was better in terms of privacy protection.
However, since 2009, there has been an expansion of online markets and, especially, of ‘zero price’ services offered through the web and digital technologies. In particular, we have all perceived our inclination to accept to share personal data in order to obtain a ‘zero price’ service that we deem beneficial for us. It could be said that, provided that the service at stake is for free, we are willing to share any kind of personal data, ours or even those regarding other people.
This is not a provocation, but the result of a study conducted in June 2017 by some researchers of the National Bureau of Economic Research (NBER) regarding the behaviour of a group of students of the MIT in Boston. In the context of a wider project aiming at establishing a cryptocurrency (Bitcoin) community within the University, students were asked to make at least three digital privacy choices: ‘whether they wanted to disclose the contact details of their closest friends; whether they wanted to maximise the privacy of their transactions from the public, a commercial intermediary or the government; and whether they subsequently wanted to take additional actions to protect their transaction privacy when using Bitcoin’. Afterwards, researchers gave an incentive to a sub-group of these students, i.e., a pizza that participants could share with their closest friends in exchange for more data on such friends. Results show that, notwithstanding the importance that students recognised to their privacy, a little incentive (like a pizza) can have an important effect on the behaviour of people in terms of availability to share personal data.
Beyond the details of this interesting research, NBER’s researchers traced back the difference between what students said regarding the importance of their privacy, on the one hand, and what students did in presence of a little incentive, on the other, to the concept of ‘digital privacy paradox’. Therefore, to properly assess whether privacy (and its protection) could be considered as a non-price element of competition in the digital online environment, it would be necessary to consider the paradox highlighted by the just mentioned research. Indeed, it suggests that customers do not really take into consideration their privacy when they act in the online market and, specifically, when the only money they spend to buy an online digital service is represented by their own data. In other words, a ‘zero price’ service seems to be a sufficient incentive for people to superficially share their personal information. Once companies are able to provide efficient ‘zero price’ services, customers do not really care about their personal data and, consequently, their privacy is not perceived as a decisive element for their choices on the market.
From the above considerations, it should follow that privacy can be hardly considered as a qualitative dimension of competition in the digital world (platforms, social networks, apps, etc.). Thus, in online digital services, it would be unlikely that undertakings engaged into anticompetitive agreements to collude on the terms of their privacy policies, provided that such a cartel should not be able to modify the normal conditions of competition within the market and, thus, should not ensure any concrete advantage to the cartelists involved. Similarly, it appears that no abuse of dominant position could be found in the collection of large amounts of data (so-called big data) by companies through their customers’ use of ‘zero price’ services, although this could be realised by undertakings with large market shares. Indeed, once established that the collection of great amounts of data is a common practice in markets characterised by ‘zero price’ services, rather than an unfair business term that a dominant firm imposes on its customers due to its market power, any competition abuse would be hard to identify. In fact, as the NBER’s research suggests, the inclination of customers to provide data in presence of little incentives (such as ‘zero price’ services) is a natural response, and it does not need to be forced by, for example, exploitative conducts. Obviously, that would be without prejudice to possible privacy law violations committed by the undertaking concerned, whether dominant or not, which would be in any case investigated by the relevant authorities.
As convincingly stated by the then FTC Commissioner Ohlhausen (now FTC’s Chair) in 2015, ‘[a]ttempting to unify the competition and consumer protection laws [including privacy protection] creates needless risks for the Internet economy and could destabilise the modern consensus on antitrust analysis, again pulling it away from rigorous, scientific methods developed in the last few decades and reverting back to the influence of subjective noncompetition factors. Indeed, trying to expand competition law as some have proposed better reflects legal thinking in 1915, not 2015’.
The authors conclude
The ‘dynamic duo’ composed by data portability under the GDPR and data portability forced through the antitrust enforcement against abuses of dominance seems to be able to introduce a wide concept of portability that has much to do with the concept of interoperability. Its relevance for antitrust purposes demonstrates how much the interconnection between companies is vital to guarantee competition.
In this regard, competition authorities should be more concerned about portability rather than privacy. Indeed, given the opportunity provided by both the internet and the expansion of (ever cheaper) digital technologies, the success of companies does not depend only on the production capacity of their material assets and people, but it also (and even more) relies on an immaterial asset which is represented by data produced by their customers, who have become ‘prosumer’ of data.
A highly digitalised society, where a large share of people lives their life online, can become a deposit of information, which is useful for any undertaking and especially for those who provide online services. The consumer leaves behind him traces of himself and of his preferences surfing online, often giving a careless consent to the use of his own personal data in exchange for online digital services (especially if ‘zero price’, as we saw above).
However, as it happens for all the deposits of resources, an undertaking who wishes to exploit it to obtain an economic value must equip itself with the proper technologies to transform large amounts of data into an information that can be useful for business and commercial purposes. In this regard, as oil can be extracted only by drills over oil wells, also this new kind of ‘digital oil’ that is represented by big data needs its drills, i.e., artificial intelligence composed by algorithms, software and hardware with a very high computational capacity that are more and more able to efficiently exploit data, extracting their real value for an undertaking. Indeed, as it has been recently argued: ‘data is like crude oil with potential value but is of limited economic value in its raw form. Data is refined with analytics that has more potential value in the form of customer, product and operational insights. However the kinetic value of data is not realised until the analytics are ‘put into motion’ to optimise key business processes, uncover new monetisation opportunities or create a more compelling customer engagement’.
Competition in the digital economy, thus, it’s all about the ability to analyse and properly use data. And companies spend a lot of money in these processes. Where such an exploitation of data by undertakings amounts to an anticompetitive behaviour, such as abusive conducts, competition authorities should force the transmission of data (i.e., the portability) to actual and potential competitors of dominant companies, where portability right under the GDPR does not apply. Along with data, also their potential value will be transferred to their competitors, reinforcing competition among undertakings and benefitting consumers. In this regard, it cannot be denied that the real ‘sanction’ for an undertaking who infringes competition law is represented by the obligation to share its data and their value with competitors, rather than by the obligation to reinforce its privacy policy.