The Information Sharing and Analysis Organization-Standards Organization (ISAO-SO) was set up under the aegis of the Department of Homeland Security pursuant to a Presidential Executive Order intended to foster threat vector sharing among private entities and with the government. ISAOs are proliferating in many critical infrastructure fields, including health care, where cybersecurity and data privacy are particularly sensitive issues given HIPAA requirements and disproportionate industry human and systems vulnerabilities. Therefore, in advising their companies’ management, general counsel and others might benefit from reviewing the FAQ’s and answers contained in the draft document that can be accessed at the link below.

Announcing the April 20 – May 5, 2017 comment period, the Standards Organization has noted the following:

Broadening participation in voluntary information sharing is an important goal, the success of which will fuel the creation of an increasing number of Information Sharing and Analysis Organizations (ISAOs) across a wide range of corporate, institutional and governmental sectors. While information sharing had been occurring for many years, the Cybersecurity Act of 2015 (Pub. L. No. 114-113) (CISA) was intended to encourage participation by even more entities by adding certain express liability protections that apply in several certain circumstances. As such proliferation continues, it likely will be organizational general counsel who will be called upon to recommend to their superiors whether to participate in such an effort.

With the growth of the ISAO movement, it is possible that joint private-public information exchange as contemplated under CISA will result in expanded liability protection and government policy that favors cooperation over an enforcement mentality.

To aid in that decision making, we have set forth a compilation of frequently asked questions and related guidance that might shed light on evaluating the potential risks and rewards of information sharing and the development of policies and procedures to succeed in it. We do not pretend that the listing of either is exhaustive, and nothing contained therein should be considered to contain legal advice. That is the ultimate prerogative of the in-house and outside counsel of each organization. And while this memorandum is targeted at general counsels, we hope that it also might be useful to others who contribute to decisions about cyber-threat information sharing and participation in ISAOs.

The draft FAQ’s can be accessed here: https://www.isao.org/drafts/isao-sp-8000-frequently-asked-questions-for-isao-general-counsels-v0-01/

At the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C. on March 5th and March 6th, the Federal Trade Commission (“FTC”) was clear in its message that privacy was a top priority for the agency.  The FTC had a strong presence at the conference.  Three of the five Commissioners and the Director of the Bureau of Consumer Protection (Jessica Rich) all spoke at the conference and relayed a message of the importance of consumer privacy and security.  In that regard, the FTC speakers stressed the importance of:

  • informing consumers of the collection of consumer information;
  • informing consumers how such collected information will be used; and
  • providing strong safeguards for information collected.

The FTC speakers also announced that the FTC will be beginning a new security campaign to engage businesses of all sizes in understanding the importance of securing consumer information.  The FTC speakers also emphasized the FTC’s concern and focus on the collection of health information by organizations that are not covered under HIPAA (for example organizations developing wearable devices or other consumer driven apps).  Given the tenor of the discussions, there is no question that FTC will continue to make privacy enforcement a top priority.  As a result, device manufacturers, pharmaceutical manufacturers, and mobile health developers should remember to think beyond HIPAA when they think of U.S. privacy compliance.  For a listing of prior privacy enforcement actions by the FTC see, https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises.

superfishReports in the last week stated that the computer manufacturer Lenovo had preloaded software onto various lines of computers which critically compromised cybersecurity. The software in question is a product called Superfish Visual Discovery, a program generally designed to replace advertisements seen while browsing the Internet with ads provided by Superfish. However, the method of implementation opens up a universe of potential problems.

What Does Superfish Do?

Superfish is designed to replace Internet advertisements with advertisements provided by their sponsors. In order to do this, Superfish installs its own signed root certificate to the operating system. Furthermore, the Superfish certificate key being used is the same across all the affected systems.

What Does This Mean?

Secure browsing is based on a system of certificates. When you look up any website starting with https://, you are loading a secure website whose identity is verified using a certificate, usually validated by a third party. Normally, sites claiming to be secure that are not will trigger warnings from your browser. Superfish installs its own certificate and functions as a Man in the Middle, injecting its own content into the ostensibly secure connection between your computer and the secure website.

Because the certificate key used by Superfish is the same across all affected systems, it is easy to exploit that certificate to attack systems with the software installed. Reports indicate that people have been able to decrypt all data sent by HTTPS, including passwords, using this exploit.

Which Computers Are Affected?

Lenovo has published information containing a list of affected computers. The affected computers are laptops not in the ThinkPad series manufactured between September 2014 and February 2015. ThinkPad laptops, desktops, and smartphones are unaffected. Enterprise systems (e.g., servers and storage) are also safe.

Even if your organization has computers on the list of affected products, your organization may be safe. Generally, your IT department should be installing a clean version of Windows or an organizational system image on any new computer before it is brought into your network ecosystem. If your IT department does not do this, or your organization allows personal computers to perform work functions, you may be at risk.

Another potential issue is remote access. If anyone with remote access was using an affected computer, the user’s logon information potentially could have been compromised.

How Do We Remove Superfish from Affected Systems? 

The easiest and most secure way to ensure the removal of any issues is to install a clean copy of Windows on the affected computer. This should not be the backup copy provided by Lenovo, as that copy will still have Superfish. However, reinstalling Windows will cause you to lose any data on the computer. If you need to keep the data on the computer or otherwise cannot back up the data, a good guide on how to uninstall Superfish without reinstalling Windows can be found at ExtremeTech.

What Else Should We Do?

If your organization does not install a clean version of Windows or an organizational system image on new computers, you should put into place a procedure ensuring that all new computers get a fresh install of Windows or a fresh system image prior to introducing them to the network.

Because your employees may potentially have used an affected computer for remote access, you should identify any employees who have used Lenovo computers for remote access in the past six months. Those users should have their credentials changed as a precautionary measure.

On January 9, 2015, New Jersey Governor Chris Christie signed new legislation that will require health insurance carriers authorized to issue health benefits plans in the state—including insurance companies, health service corporations, hospital service corporations, medical service corporations, and health maintenance organizations—to encrypt personal information. Triggered by a series of data breaches involving the health information of almost a million residents, Senate Bill No. 562 (“SB 562”) was passed unanimously by both houses of the state legislature and will take effect on August 1, 2015.

Under SB 562, health insurance carriers will be prohibited from maintaining computerized records that contain personal information unless the information is “secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” The use of a password protection program that prevents general unauthorized access will not suffice to meet the encryption requirement. “Personal information” is defined as an individual’s first name or first initial and last name linked with at least one of the following: (1) Social Security number, (2) driver’s license number or state identification card number, (3) address, or (4) identifiable health information.

The law applies only to end user computer systems and computerized records transmitted across public networks. “End user computer systems” include desktop computers, laptop computers, tablets and other mobile devices, and removable media.

The requirement to encrypt makes the New Jersey law stricter in this regard than the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), under which encryption of electronic protected health information (“ePHI”) is an addressable specification. Nonetheless, given that encrypted ePHI is exempt from HIPAA’s breach notification requirements, it is considered a best practice to encrypt ePHI.

Violation of New Jersey’s encryption mandate will constitute a violation of the New Jersey Consumer Fraud Act, which imposes penalties of up to $10,000 for the first offense and up to $20,000 for any subsequent offense. The state Attorney General may also issue cease-and-desist orders to violators and award treble damages and costs to affected individuals. Given these potential penalties, health insurance carriers in New Jersey should carefully review their policies and procedures and ensure compliance with the new law.

On September 23 and 24, 2014, the National Institute of Standards and Technology (“NIST”) and the Department of Health and Human Services Office of Civil Rights (“HHS OCR”) hosted their annual HIPAA conference “Safeguarding Health Information: Building Assurance through HIPAA security.”

OCR officials and key industry leaders engaged in dialogue regarding developments and trends in data breach incidents with respect to health information as well as stakeholder responses and best practices to mitigate risk and respond to potential incidents.

VULNERABILITY AWARENESS: ASSESSING RISK

In her opening remarks, OCR Director Jocelyn Samuels highlighted the observation that information privacy compliance is poorly prioritized within organizations.  Specifically, Samuels identified the lack of widespread risk analysis and vulnerability assessment activities at the enterprise level as a key area meriting internal and agency prioritization.  Samuels reiterated that organizations dealing in protected health information (“PHI”) should, and in fact must, undertake to routinely assess and investigate vulnerability as part of an effective compliance program.

ENTERPRISE APPROACH

The aspiration of enterprise-wide security protocol for PHI, and adoption thereof, continues to be an ongoing work-in-progress.  This is especially true given the often divergent priorities within large provider systems and the endemic evolution of “local” IT systems that integrate with the sanctioned IT environment but often create network porosity and points of vulnerability.  Embracing comprehensive, end-to-end, privacy and security policies and procedures that serve the IT needs of the organization while operating within the security protocol established by the system is imperative to establish and maintain network integrity and compliance with the HIPAA Security Rule (“Security Rule”).

IF YOU LOOK FOR IT, YOU WILL FIND IT

OCR representative Linda Sanches proposed the thesis that “the question is not if you will have a breach, but more so when.”  To this end, the initial step to preparedness is the undertaking of a risk analysis as required by the Security Rule.  Stakeholders expressed frustration with the broadly stated requirements of the Security Rule that are non-specific as to what precise set of activities constitute compliance and how much is in fact enough.   This uncertainty adds to existing organizational tensions between resource allocations to business objectives versus compliance obligations with respect to the establishment and implementation of a reasonable compliance program.  Sanches indicated that a defensible and reasonable approach is what is required to establish compliance.

LESSONS FROM THE FIELD: REPORT FROM OCR

Iliana Peters, Senior Advisor for HIPAA Compliance and Enforcement at HHS OCR, reported on recent enforcement activities as well as OCR’s regulatory agenda.  With respect to reported incident activity, through August 31, 2014, theft and loss accounted for 51% and 9% of breach incidents, respectively followed by unauthorized access/disclosure at 18% among a total of 1176 reported breaches involving more than 500 people and in excess of 122,000 smaller breaches.

With respect to OCR’s regulatory agenda, Peters indicated that OCR is working on providing additional guidance and clarification to the Omnibus Final Rule including a breach safe harbor update, breach risk assessment tool, and clarification of the standards for minimum necessary. Peters also explained how the audit pilot program which is anticipated to go live in the near future will create a new enforcement channel for OCR outside of the breach response protocol.  She commented that although the audits will be mostly desk audits with shorter timelines than investigations, they will require covered entities and business associates to have their documents in order and respond quickly to requests.  Peters continued to state that “audits will be an enforcement tool which will result in compliance reviews and could result in enforcement actions up to and including civil monetary penalties. Peters stated “we may come to you because of an audit or a breach, but if we find gaps in the compliance program while there, we can’t walk away; it is our job to see it through”

RISK ELIMINATION: THE HOLY GRAIL

The global advice from OCR over the course of the conference was preparedness.  To that end, however, the best that healthcare stakeholders can aspire to is effective mitigation of risk.  OCR repeatedly stressed that “it is really important that covered entities and business associates prepare as much as possible” and take affirmative steps to protect their data.  A comprehensive and documented risk analysis is the key to identifying system vulnerabilities and stakeholders should undertake to conduct or update their risk analyses and work in concert with organizational management to prioritize security compliance.

On May 20, 2014, the Secretary of the Department of Health and Human Services (HHS) submitted the agency’s Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 (“Breach Report”). This report provides valuable insight for healthcare entities regarding their data security and enforcement priorities.

Section 13402(i) of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of Health and Human Services to prepare an annual report regarding the number and nature of breaches report to HHS, as well as the actions taken in response to those breaches.

By way of background, HITECH requires that both covered entities and business associates (as defined under HIPAA) provide notifications after a breach of unsecured protected health information (PHI).  These required notifications include the affected individuals, HHS, and also media outlets in cases where the breach includes more than 500 residents of a state or jurisdiction.  However, HHS has issued guidance explaining that encryption and destruction make PHI “unusable, unreadable, or indecipherable to unauthorized persons” and, thus, loss of such secured PHI does not trigger the breach notification requirements.

Report Findings

                Healthcare providers accounted for the majority of breaches affecting 500 or more individuals in both 2011 and 2012 while business associates and health plans accounted for the remainder, as illustrated below.

Breaching Entity 2011 2012 Change
Providers 63% 68% 5%
Business Associates 27% 25% (2%)
Health Plans 10% 7% (3%)
Total 100% 100%

 

Theft of PHI was the leading cause of a breach in both 2011 and 2012 followed by loss of PHI and unauthorized access/disclosures.  In 2011, theft was the cause for 24% of the total number of individuals affected by a breach and loss accounted for 54% of individuals affected. This high affected rate due to loss was the result of single breach incident involving a business associate and loss of back-up tapes containing information on 4.9 million individuals. In 2012, the causes of breach returned to expected rates with 36% of individuals affected due to theft and 13% due to loss. The below tables outline the frequency of breach causes in 2011 and 2012 as well as the sources of the breached information in each year.

 

Causes of Data Breach 2011 2012
Theft 50% 52%
Loss of PHI 17% 12%
Unauthorized Access 19% 18%
Hacking/IT incident 8% 27%

 

Sources of Breach 2011 2012 Change
Laptop 20% 27% 7%
Paper 27% 23% (4%)
Server 9% 13% 4%
Desktop Computer 14% 12% (2%)
Other Portable Device 13% 9% (4%)
Email 1% 4% 3%
Electronic Medical Records 2% 2% 0
Other 14% 10% (4%)

 

Audit Information

                HITECH authorizes and requires HHS to conduct periodic audits of covered entities and business associates to ensure compliance with HIPAA rules. Unlike compliance reviews (which occur after a major breach) or compliance investigations, these audits are not triggered by an adverse event or incident.  Instead, they are “based on application of a set selection criteria.”

                The Office for Civil Rights (OCR) (the office within HHS that is responsible for administering the Breach Notification Rules) implemented a pilot program of the audit process to assess the privacy and security compliance which was described in the Breach Report. The audit revealed that 31 out of 101 audited entities had at least one negative audit finding related to the Breach Notification Rule.  Specifically, the audit examined the following four areas:  (1) notification to individuals, (2) timeliness of notification, (3) methods of individual notification, and (4) burden of proof.  All four areas had a similar number of deficiencies noted.

Implications and Recommendations for Healthcare Entities

                Breaches involving 500 or more individuals accounted for less than 1% of reports filed with HHS, yet represent almost 98% of the individuals affected by a PHI breach.  It is likely that OCR will continue investing significant resources into large scale PHI breaches due to the extensive impact of these breaches. Additionally, theft remains one of the top causes of PHI breaches and covered entities and business associates must take appropriate measures to ensure that any PHI stored or transported on portable electronic devices is properly safeguarded.  Chronic vulnerabilities include:

Encryption: Even if a device is stolen or misplaced, the Breach Notification Rule will not apply if the data is properly encrypted. Thus, it is imperative that covered entities and business associates encrypt portable electronic devices (such as laptops) and all CDs or USB thumb drives. 

Access Control: Healthcare entities must pay close attention to the physical access to and proper disposal of devices that contain PHI.  Server rooms should be locked with limited access, and the physical access to buildings, floors, and offices should be secured to prevent theft of desktop computers containing PHI. 

Disposal: Electronic devices need to be purged and the data securely erased (also known as “scrubbed”) prior to the device being discarded, recycled, sold, or transferred to a third party, such as a leasing company.  Such devices include computers, external storage media, and photocopiers.

Lastly, as explained in the Breach Report discussion of OCR’s audit pilot program, covered entities most often explain noncompliance with the various aspects of the Breach Notification Rule by pleading unawareness of the requirements of the Rules. Covered entities and business associates should ensure that comprehensive privacy and security policies and procedures are developed and implemented to mitigate the risks of a breach and to effectively respond to a breach should one occur.

By Marshall Jackson and Alaap Shah

If you have tuned into the news over the last few months, you are likely aware that several major corporations—including one of the nation’s largest retail chains—have suffered data breaches. These breaches have affected hundreds of millions of consumers, and in some cases exposed sensitive financial data such as credit card information, as well as personal information including names, mailing addresses, phone numbers, email addresses, usernames and passwords.

There is no doubt that a primary concern raised by these data breaches is risk to consumers’ financial wellbeing. Chiefly, hackers that seek out personal information tend to sell or use the data to commit identity theft and credit card fraud. Yet, an often overlooked concern involves risk to the medical wellbeing of individuals. It is commonplace for retail chains to operate pharmacies within their facilities where electronic protected health information (“e-PHI”) is received, used, stored and transmitted. Although current information regarding known breaches does not indicate that pharmacy files were accessed, the vulnerability of e-PHI stored by these entities is a serious concern in the field of health care privacy. To manage these risks, entities should take heed of the privacy and security concerns raised in the most recent data breaches, and proactively craft comprehensive and sophisticated approaches to data security.

Historically, data security is reactive in nature: corporations store data on their systems; hackers break into the systems (or the systems of their business partners); companies, if aware of the breach, modify their security to prevent a similar data breach; hackers find a different weakness and again breach the system. This cycle continues ad infinitum.

While there is definitely value in defensive security, as cybersecurity risks grow and lead to increasing volume of data breach, healthcare entities may want to consider strategies to remain on the offensive when it comes to data security of e-PHI. The laws applicable to the security of e-PHI provide a flexible framework to address these risks, but most entities have not designed effect risk management programs to address risk proactively. Nevertheless, the HIPAA Security Rule requires entities to implement a number of technical safeguards which can be used proactively. For example, HIPAA requires audit controls to ensure entities have sufficient awareness about system activity (and specifically malicious activity). If reasonable and appropriate controls are put in place relative to these safeguards, companies can thwart hackers from gaining unauthorized access to e-PHI.

Offensive security requires a proactive mindset and approach to protecting computer systems, networks, and protected information from attack. While proactive security can take several forms, some liken the proactive approach to purchasing insurance. Assets are invested and measures are taken to protect against the risk that something will occur resulting in liability or loss. In the modern digital world it is often not a question of “if” but rather “when” a company will experience a data breach. According to a 2012 independent study by the Ponemon Institute, a staggering 94 percent of health care organizations have had at least one data breach in the last two years alone. The same study estimated that overall economic impact of a breach has risen six-fold over the last few years and now costs millions. With this in mind, here are just a few reasons why proactive data security should be a priority for health care entities:

1) Rapid & Continuous Evolution of Cyber Security Threats. Hackers are not only more sophisticated, they are more prevalent; threats to cyber security do not remain static in nature or volume. This unrelenting growth may be a result of the success rate of the illicit activity. Merely reacting to hackers’ successful attempts puts the industry at a major disadvantage because hackers are incentivized to evolve.

2) Ignorance. It is a common misconception that data security breaches are rare—more often data breaches go undetected or unreported. The simple truth is that no organization is immune, and may be an unwitting victim of a breach at any moment.

3) Monetary & Reputational Damage. Data breaches have a reverberating effect on a company. Damages are not limited to fines or sanctions, and they exceed the cost of mitigating the breach for consumers. Frequently, the greatest damage done is that to the company’s reputation. Consumers may second-guess their choice of providers based on an organization’s perceived failures, and the company’s reputation across the industry may diminish their competitive advantage for years to follow.

What Your Company Can Do

The prevalence of data breaches has led many to ask the question “Is proactive data security the solution?” There are many proactive measures that healthcare entities can implement to combat data breaches, the following summarizes just a few.

Risk Assessment

A risk assessment is the first critical step a health care entity should take when implementing a proactive data security plan. The HIPAA Security rule requires conducting risk assessments. Further, The National Institute of Standards and Technology (NIST) have placed great emphasis on conducting risk assessments as the foundation for data security. Risk assessments systematically identify vulnerabilities that even the most sophisticated organizations may not have anticipated. Identification of vulnerabilities can help a company stay ahead of hackers by knowing where to utilize security resources.

Invest in Data Security

Depending on the size of the company, data security may be a dual function for the company’s IT Department. Based on the severity of the potential risk, security should not be just one of many tasks for the IT department. According to a 2013 Ponemon Study, the average cost of a data breach exceeds $5 million without even considering reputational harm. Studies show that each year U.S. hospitals alone incur costs of an estimated $1.6 billion each year for security incidences. Although certain actions might initially seem redundant, measures such as establishing a dedicated data security team or department, appointing specific data-security personnel within an IT department, or investing in robust data security software and hardware, are all worthwhile investments which will likely prove less costly than a data breach.

Improve Audit Controls

HIPAA requires organizations to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use e-PHI. Audit controls must be sufficient to examine system activity comprehensively. NIST audit control standards provide substantial guidance on conducting proactive system monitoring and activity logging. Audit controls give a company visibility into their own system, allowing them to recognize suspicious activity early in order to limit exposure and ultimately prevent full-blown data breach.

Conduct Breach Drills

Preparation is the key to mitigating damage that cannot be prevented. Similar to a fire drill, companies should maintain a plan for implementation in case of a data breach, and that plan should be put to practice regularly. HHS has teamed with HITRUST to launch CyberRx, an industry-wide effort to simulate cyberattacks. Twelve organizations will participate in these simulated cyber-attacks. The goal of CyberRx is to help industry participants identify ways to better prepare for, and respond to cyber-attacks. This is an exercise of great value and can be done independent of HHS. By preparing to respond to a breach, companies can ensure that damage will be contained as efficiently and effectively as possible when one occurs.

 

For updates on Health Privacy and Security follow Marshall Jackson on Twitter: @MJacksonJr_ESQ

Follow Alaap Shah on Twitter: @HealthITLawyers

   By:  Alaap Shah and Ali Lakhani

Why is data breach such a rampant problem within the health care industry?

As health care rapidly digitizes through adoption of electronic health records, mobile applications and the like, the risk of data breach is rising exponentially.  To effectively manage this risk, health care companies and their business associates must be vigilant by implementing and evaluating security controls in the form of administrative, physical and technical safeguards.  Health care companies also have resources to assist them with managing this risk.  Specifically, the Federal agency for oversight of the Health Insurance Portability and Accountability Act (“HIPAA”), the Department of Health and Human Services, Office for Civil Rights (“OCR”) is tasked with providing technical assistance to guide companies to achieve compliance with the HIPAA security rules.  Further, when companies fail to comply, OCR has enforcement authority to “obtain” compliance.

The responsibility for the oversight and enforcement of the Security Rule was delegated to OCR by DHHS in 2009 under the Health Information Technology for Economic and Clinical (“HITECH”) Act.  Nonetheless, anyone that reads the news is aware that data breaches within the health care sector are commonplace.  As such, it is becoming increasingly clear that health care companies systemically lack adequate security safeguards.  Additionally, it raises a concern regarding the effectiveness of OCR’s efforts to ensure compliance.

Lack of Insight into Industry Security Compliance

According to a recently released report by the Department of Health and Human Services (“DHHS”) Office of Inspector General (“OIG”), OCR’s compliance efforts reveal significant gaps in their oversight activities between 2009 and 2011.  Specifically, the report states that OCR “hasn’t performed required audits of how corporations handle patient information and failed to guarantee the security of its own records.”  As a result, OIG indicated that OCR’s periodic Security Rule compliance audits, which were made mandatory by HITECH, remain an outstanding objective.

OCR responded to the OIG’s report explaining their performance citing that “no funds [have] been appropriated . . . to maintain a permanent audit program.”  Going forward, however, Rodriguez said he expects that OCR “will leverage more civil penalties” and that OCR will be permitted to use collected penalties to fund enforcement actions and “to maximize funding [for] our auditing and breach analysis” activities.  OCR has already committed $4.5 million from monies it collected from prior enforcement actions.

Interestingly, this is not to suggest OCR has not been active in promoting security compliance.  For example, OIG indicated that OCR has provided guidance to covered entities to promote compliance and has established an investigation process for responding to reported violations.    Yet, OCR’s report card, although somewhat changed, is not materially improved since OIG’s 2011 report wherein a “need for greater OCR oversight and enforcement” was recommended.  In light of these findings, it is likely that OCR will turn its focus to increasing its oversight activities in an effort to gain further insight into security rule compliance.

OCR is Transforming into OIG

As early as May 2012, the Director of OCR, Leon Rodriquez, indicated that the agency is headed toward the Office of Inspector General enforcement model.  OCR director Leon Rodriguez has warned that “the same level of vigilance that providers have used to steer clear of OIG’s fraud enforcement now needs to be applied in the HIPAA environment.”  Coupling these comments with the findings of the recent OIG report suggest that OCR will be taking its oversight and enforcement activities even seriously moving forward.

Based on reinvigoration of the HIPAA Audit Program and signals from OCR, it appears that 2014 will be the year of heightened OCR enforcement.  According to federal regulators, the permanent HIPAA Audit program is planned to begin early in the new-year and that covered entities should identify and mitigate outstanding non-compliance.  Although Rodriguez has conceded that “the audits under this permanent program will be narrower in scope in comparison [to those] conducted during the pilot program,” the number of organizations that will be audited is expected to increase.

In short, the health care industry should expect even more audits and enforcements in the future.

Follow Alaap Shah on Twitter: @HealthITLawyers

By: Alaap Shah and Marshall Jackson

Data is going digital, devices are going mobile, and technology is revolutionizing how care is delivered.  It seems to be business as usual, as your health care organization continues to digitize its operations.  You have even taken measures to help guard against the “typical” risks such as lost laptops, thumb drives and other electronic devices.  However, unbeknownst to you, hackers sit in front of their computers looking for ways into your network so that they may surreptitiously peruse through confidential financial records and sensitive patient information.

Unfortunately, this scenario is commonplace, and brings with it hefty costs.  To the extent electronic protected health information (“e-PHI”) is compromised in a cyber security breach, health care entities can expect to spend on average $233 per record to clean up the problem.  As health care operations digitize, organizations should be cognizant of the cyber security risks impacting the data that flows through their systems.  Further, health care entities need to understand how to assess and manage these risks to meet Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act (“HITECH”) requirements.

 

The facts of “cyber” life…

Although health care organizations have not always been a primary target for a cyber-attack, hackers are recognizing the value of data held by health care companies.  Research indicates that electronic data in the health care sector is among the most vulnerable. Additionally, health care entities account for the highest percentage of incidents, more than one-third of all data breaches in the country.  In one report 94% of health care entities have experienced security breaches impacting their data.  Moreover, patients have experienced over a 19% increase in medical identity theft due to cyber security breaches over the last year.

Even given what we know, much of cyber security related breaches remains uncertain.  There are namely two reasons for this uncertainty:

  1. Most cyber security breaches go undetected; and
  2. Many cyber security breaches go unreported.

Across all industries, one report asserted that approximately 69% of cyber security breaches go undetected.  Of those breaches that are detected, 94% are unreported until months or longer until finally being discovered.  Yet, there is one certainty in this climate—There are only two types of organizations:  those that have already been hacked and those that will be at some point . . . .

Why cyber security is important now more than ever…

Recently, there has been increased scrutiny given the increased risk of data breaches.  The Health and Human Services, Office of Civil Rights (“OCR”) has responded to data breaches by aggressively enforcing HIPAA, which reinforces that compliance with HIPAA requirements is a top priority.  Chiefly, the HIPAA breach notification rule was amended to lower the reporting threshold from a “risk of harm” standard to a “probability of compromise” standard.  As a result, the health care industry will see increased breach reporting, which will likely result in increased enforcement for noncompliance.  This is bad news for health care companies because penalties for noncompliance with HIPAA have also been ramped up under the HIPAA Final Rule promulgated under HITECH.

With an increased focus on data breaches under HIPAA and HITECH, health care organizations don’t want to be the last to know how their e-PHI is being compromised.  Not understanding the organizations cyber security threats can be:

  • Bad for patients because it can lead to identity theft;
  • Bad for the organization because regulators may use that as evidence of noncompliant security practices; and
  • Lead to noncompliance with reporting obligations under HIPAA and HITECH.

In addition to increased enforcement on the part of OCR, the FBI has joined the effort to investigate cyber security breaches.  For example, in October 2013, the FBI opened an investigation of a cyber security breach affecting a network of hospitals and clinics, in which someone gained unauthorized access to the medical records of up to 1,800 patients.

The FBI also recognized that collaborative efforts are needed to solve the cyber security problem.  These include investigating insider threats, detecting external threats, and informing the health care industry of cyber security threats.  However, even with these collaborative efforts, health care organizations must be cognizant that assistance from the FBI could lead to increased scrutiny about the organization’s security practices.  As such, proactive cyber security risk management is the best approach to ensure compliance with HIPAA and HITECH.

 

What can you do…

The stakes are getting higher regarding cyber security and HIPAA compliance.  However, there are several steps health care organizations can take to protect against cyber security data breaches.  Further, taking these steps can protect health care companies in the context of increasing investigatory activity on the part of OCR and other agencies, such as the FBI.

First, organizations should conduct periodic risk analyses to determine cyber security related risks.  The risk analysis can help organizations to:

  • Identify key systems and locations;
  • Determine where e-PHI is located;
  • Identify vulnerabilities and threats;
  • Evaluate security safeguards; and
  • Evaluate risk to e-PHI.

Second, health care organizations should evaluate whether the draft cyber security framework established by the National Institute of Standards and Technology (“NIST”) can improve the organization’s risk management process. The NIST cyber security framework contains five core elements, which help an organization:

  1. Identify critical infrastructure,
  2. Protect the organization’s critical infrastructure using appropriate safeguards,
  3. Detect cyber security events,
  4. Respond to cyber security events using pre-defined and prioritized activities, and
  5. Recover from cyber security events  to restore critical infrastructure.

The framework’s core elements then further subdivide into categories and subcategories and provide cross-references to a number of different standards from industry and government that address each subcategory within those functions.  Health care organizations can review these references and select the standard that best addresses the organization’s particular needs.  Note that the cyber security framework is currently open for discussion, which means the components may change when the framework is finalized.

Ultimately, as the health care industry continues to digitize, organizations must be cognizant of the cyber security risks affecting their networks, systems and data.  Further, as the number of cyber security related breaches increases, health care companies must prepare to identify and report such breaches as required by HIPAA and HITECH.  Yet, to avoid the pain and cost of recovering from a breach and also paying hefty fines for noncompliance with HIPAA, health care companies should proactively leverage HIPAA risk analyses (potentially incorporating the NIST cyber security framework) to identify, prioritize, mitigation and monitor risk affecting ePHI.

 

Follow Alaap Shah on Twitter: @HealthITLawyers