Capsicum’s Leeza Garber, Esq. authored an article in The Legal Intelligencer entitled “Health Care: Cybersecurity in an Insecure World”. The original article is available here.
We are currently witnessing the most expansive digitization of health care in history (Professor Jonathan Weiner, Johns Hopkins School of Public Health, September 26, 2014; Graham, M.B., Thomas Jefferson School of Population Health Capstone Proposal, July 2016). The national push to digitize comes with new regulatory standards for securing data and increased enforcement of the standards. The federal government is the main enforcement body for data security standards in health care. But the one thing we learned in the last year is that no system is secure—even our federal government systems are vulnerable to attack. Besides the splashy hack of the Democratic National Convention servers in 2016, the U.S. military computer system was hacked in 2008 through an infected flash drive. Just last month, Oregon Sen. Ron Wyden issued an open letter stating that Senate email accounts lack the option to enable dual factor authentication—one of the most basic cybersecurity measures that exists. So how should a health care entity, operating in one of the most cyberattacked industries, approach compliance in this kind of environment?
In 1996, HIPAA standardized electronic transactions in the health care sector and regulated the use of health data. HIPAA regulated the privacy and security of health data that constituted protected health information (PHI). The privacy rule protects PHI from unauthorized disclosure, including oral, paper based and digital. The security rule, which only applies to electronic PHI, requires specific safeguards.
The HIPAA regulations were drafted with a certain flexibility. Generally, the security rule requires that data safeguards be reasonable and appropriate. The reasonableness factors include: the complexity and capabilities of the organization; technical infrastructure; costs and the probability and criticality of the potential risks. Specifically, the security rule has 42 standards to safeguard PHI, of which 22 are addressable. The addressable standards do not mandate specific technologies or uniform practices. The commentary to the rule makes clear that it was structured to be "reasonable and appropriate" due the "diversity of regulated entities and ... unique characteristics of their environments."
Beginning in 2009, Congress enacted legislation to expand the national health information infrastructure. The HITECH Act was passed to, among other things, improve health care through the adoption of electronic health records (EHR).
In 2010, HITECH authorized the payment of $25.9 billion in financial incentives through the meaningful use program to build infrastructure. The program provided funding to Medicare- and Medicaid-eligible providers to adopt EHRs. To quantify progress, the providers were required to meet data security standards.
HITECH also expanded the scope of entities regulated, and strengthened enforcement. Entities became subject to increased OCR civil money penalties, post hoc OCR breach investigations, ad hoc OCR compliance audits and Federal Trade Commission (FTC) enforcement for deceptive and unfair trade practices.
HHS and ONC continue to encourage the use of EHRs and enforcement of the security standards. In its 2017 strategic plan, HHS seeks to expand adoption of telemedicine technologies for remote care, increase health information exchange by providers across public and private systems and for notification and reporting between public health and clinical entities. At the same time, OIG's 2017 workplan states that OIG will use audits to recoup meaningful use funds from providers that do not meet the security standards.
Prior to HITECH, OCR enforced HIPAA through post-breach investigations in response to complaints and reports. After HITECH, the OCR enforcement process changed. First, HITECH mandated OCR to conduct random compliance audits in addition to targeted post breach investigations. Phase 2 of the HIPAA audit program, launched in 2016, is currently underway. The Phase 2 audit protocol focuses on areas of noncompliance identified during Phase 1. It is interesting to note that in November 2016, OCR issued an alert to HIPAA regulated entities of a phishing attack disguised as an OCR audit communication.
Secondly, OCR changed the scope of the post breach investigations. In 2015, an OIG report determined that OCR enforcement was reactive rather than proactive to breach investigations. In response, OCR updated its database tracking system to recurrent breach data and we are seeing more enforcement actions.
FTC is now getting in on the HIPAA enforcement game. Historically OCR enforced HIPAA pursuant to its statutory mandate, while FTC enforced non-HIPAA regulated data security standards pursuant to Section 5 of the FTC Act. But in recent years, FTC has begun enforcing consumer facing HIPAA regulated entities, claiming concurrent jurisdiction under the act.
In the LabMD case, FTC commenced enforcement against a clinical laboratory, regulated by HIPAA as a business associate, after the company experienced a data breach. FTC claimed that LabMD's lack of basic security measures for its medical data was an unfair and deceptive trade practice in violation of Section 5 of the FTC Act. LabMD challenged the enforcement action arguing that FTC lacked authority to enforce HIPAA. The case is currently pending in the U.S. Court of Appeals for the 11th Circuit. As FTC has not promulgated any of its own data security standards this raises many questions. Among them, do the HIPAA reasonable and necessary factors promulgated by HHS apply to FTC enforcement of data security standards?
Health care falls prey to cybersecurity threats for, arguably, three main reasons. First, records remain consistently valuable to criminals: any random "health care record" could contain a smattering of personal information, including Social Security numbers, driver's license numbers, and marital status alongside PHI. Access to this information combination could allow malicious actors to undertake a variety of transactions and create many types of fraudulent accounts from, potentially, a single stolen record. It is important to note, however, that these records' actual monetary value on the dark net can be as low as one cent, depending on what the record contains.
Second, health care records exist in multiple forms depending on the entity. Digital records can be housed on networks and devices, and paper records are still common in many facilities.
Third, access control is a balancing act. As this type of information must be accessible quickly if necessary, it is difficult to add on security procedures as an afterthought if they have not been baked in beforehand. Verizon's 2017 Data Breach Investigations Report points out that the health care industry is the only industry studied where "employees are the predominant threat actors in breaches." Employees want the data for a variety of reasons, including to sell it/snoop/and commit identity theft. And unfortunately, this type of "insider misuse" is easily accomplished without a protocol for the principle of least privilege, meaning, the least amount of people necessary have access to the data for the least amount of time necessary. Other buzzy headline cybersecurity threats pop up in health care as well, but generally, the health care industry still suffers from more old-fashioned issues, like lost laptops, incorrect disposal of records, and misdelivery.
This is not to say that ransomware, one of the buzziest of cyberthreats of late, isn't on the rise in the health care field as well. Ransomware, a method by which criminals lock victims out of their data until a ransom is paid (unless, the criminals simply keep the money and forgo delivery of the promised encryption passcode), accounts for 72 percent of malware incidents in health care. The health care industry is certainly a ransomware target, be it the boutique cardiologist's office or the major city hospital. The Verizon 2017 DBIR doesn't count ransomware attacks as breaches because "we cannot confirm that data confidentiality was violated," but: HHS "has given guidance that ransomware incidents should be treated as a breach for reporting purposes"—meaning, a digital forensic expert will need to review and analyze the affected system. Which provides a perfect point of transition to best practices, or put another way, how to play offense against a constantly moving, adapting, and changing target.
It is normal for health care entities to feel overwhelmed in an environment where they are high value targets for cybercrime. But compliance should be guided by the reasonable and necessary factors. The key to balancing these factors is to foster an internal culture of compliance and leverage external resources.
For the multitude of reasons provided herein, covered healthcare entities must be proactive about cybersecurity, and once a breach happens (because it will), must be able to react quickly and effectively. Having legal and digital forensics teams ready and waiting—who already possess a thorough knowledge of the entity's technological system architecture, data flow, employees and compliance issues, is key. Simple tips like utilizing encryption for mobile devices, activation of dual factor authentication, and standing up policies and procedures addressing data privacy, malware, phishing and passwords are important. But also—understanding when to call in the attorneys (i.e., is the employee clicking on a phishing link an HR issue, or a potential breach?) and when to call in the forensic experts (i.e., that ransomware email is not an IT problem—but a forensic call to arms to analyze what the malware touched and potentially leaked) is equally significant. Assembling the right legal and digital forensic teams is a necessity for operators in the health care space. •