Cybercriminals are audacious. Michael Daugherty, the founder of LabMD, has lived through their daring, and it has been epic. Worth a docuseries. His riveting 60-minute headliner at the inaugural Smart Health Summit, held at The Houghton in Johannesburg, delivered substantive lessons that went beyond cybersecurity in the healthcare industry.
Daugherty’s story begins with the creation of LabMD, situated in Atlanta, Georgia. He designed it to provide medical testing services to patients. His company did pretty well for itself, quickly gaining recognition for its dedication to accurate and efficient testing procedures.
They were, he notes, one of the “two best pathologists in the world at reading tissue.” Then Daugherty got hit with a security breach, and LabMD’s success would soon be overshadowed by a legal battle that would almost unhinge Daugherty, testing his resolve and changing him irrevocably. It would put him in the crosshairs of the Federal Trade Commission (FTC) in the US in 2013, following accusations that the company had failed to adequately protect patient data. The FTC claimed LabMD’s alleged negligence had led to a data breach.
His staunch resistance is captured in his book, The Devil Inside the Beltway: The Shocking Exposé of the U.S. Government’s Surveillance and Overreach into Cybersecurity, Medicine, and Small Business. In it are gripping details of his battle with the FTC and what he still believes to have been a study in government overreach and regulatory excess. The Devil Inside the Beltway highlighted challenges faced by small businesses in complying with complex data protection regulations and the consequences they face when accused of inadequate data security measures.
Daugherty maintained that LabMD had implemented robust data security practices, and that the alleged data breach had been blown out of proportion for his 9,000 clients. The legal battle shed light on the balance between regulatory enforcement and the ability of businesses to operate effectively. The case was embedded with highly complex legal arguments that spanned several years. Daugherty, a sought-after speaker, added to the case’s visibility. His engagements at conferences and events provided platforms for him to share his insights and experiences. All these factors contributed towards extensive media coverage, generating a great deal of public interest.
Advocating not just for LabMD, Daugherty understood his need to fight for other businesses navigating the complex landscape of data protection regulations. He understood, too, that the fight would have far-reaching consequences for the future of data security, despite the toll it took on him. “The real game here is just to exhaust you till you get to run out of resources,” he says. Though he found pro bono representation, the bill effectively landed at $16 million. He won the case, and the FTC awarded him $800,000 in what might have felt like a Pyrrhic victory save for the part where he cleared his reputation. “People don’t run to help you when they (FTC) accuse you. People will stand down. That’s not good when you’re in healthcare.”
Today, LabMD exists with a transformed focus as a legal entity suing guilty parties for what occurred. While Daugherty’s legal battle may have taken its toll, his commitment to data security remains unwavering. The lessons he learned from his experiences have empowered him to educate others and promote best practices in data protection. The LabMD case came to a close in 2018. Daugherty contended that “90 per cent of people aren’t corrupt, but 90 per cent of people look the other way because they want to save their careers.”
Why do his protracted legal battle and terrifying narrative matter here, at this Summit? “We are all in this stew together. Your data in South Africa is everywhere. Everyone’s data is everywhere… It’s a terrible story. And it’s a clarion call. It’s what can happen if you’re inside cybersecurity, and these people who are supposed to save it, have no clue. I am the story that is supposed to make you afraid.”
CISOs, he points out, “have moved from tech advisers to boardroom level. They are supposed to protect the company, but what happens is they get blamed not for their failure to protect the organisation, but for not protecting the board, hence their high turnover and the high pay of CISOs.” He has other takeaways. Organisations need to know that they are no longer black swans. “Prepare for it (a cyber breach) by knowing your organisation’s primary essential services. Why do you exist? What makes you successful? What could disrupt or kill your business?” he says, adding, “Make sure you take care of your basic hygiene. Use the many tools that will take care of that now. Do not take risks with cybersecurity because crazy town can happen.” His pointers: