By: Capsicum Group LLC and Mark Mattioli, Greenberg Traurig
In late November of last year, an email on U.S. Department of Health and Human Services letterhead, which appeared to have been signed by the Office of Civil Rights (OCR) Director, circulated widely amongst HIPAA-Covered Entities. The email – which was fraudulent, a sophisticated phishing attack – led unsuspecting link-clickers to an unaffiliated site that was marketing cybersecurity services. The entire scam caused major headaches for the healthcare industry and related governmental entities, as it not only caused public relations issues, but also confused Covered Entities about the OCR audit program.
This incident serves as an important reminder: every industry, even the most strictly regulated and the most (typically) technologically and security-aware are susceptible to breaches and cyberattacks. Being proactive is not a choice anymore - it is a requirement. The healthcare sector has generally been required to stay at the cutting edge of cybersecurity because of the valuable and highly-regulated nature of personally identifiable and personal health information it safeguards. However, cybersecurity remains a moving target and requires constant proactive attention.
Data breaches, leaks and cyberattacks are different, and thus require different proactive measures. Threat vectors for both include internal employees, third-party vendors, competitors, organized crime or other malicious actors. Every industry can face problems from all of these vectors, but there are specific points of vulnerability that affect industries in unique ways. For example, as the recently released 2017 Verizon Data Breach Investigations Report (“Verizon Report”, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/) found, eighty-one percent (81%) of the retail sector’s threats are made up of denial of service attacks (which seek to make a network unavailable to intended users by disrupting service), web application attacks, and payment card skimmers. The retail industry is guided by data security standards set by the Payment Card Industry Data Security Standard (PCI-DSS), as well as other federal enforcement entities like the Federal Trade Commission (FTC).
The healthcare sector, however, finds itself with eighty-one percent (81%) of cybersecurity threats coming from insider and privilege misuse (including, but not limited to, unlimited privilege to digitized record databases, and wrongful access); accidents (i.e., poor record disposal and quality control related to publishing) and physical theft and loss (especially when devices are unencrypted – a problem that continues to rear its ugly head).
Healthcare regulation is expansive and complex in the United States, and the instruction surrounding privacy and security issues is no exception. HIPAA has established standards for protected heath data privacy and security, in addition to the data breach notification provisions set forth by the Health Information Technology for Economic and Clinical Health Act (HITECH). Without getting into too many acronyms, however, OCR recently launched what it is calling phase 2 of the HIPAA Audit Program – to assess HIPAA-covered entities’ compliance with health information privacy, security, and breach notification standards. More standardized and developed best practices are to follow suit, as OCR learns more about healthcare organizations’ compliance issues in this area. (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.) Examples of the basic standards many HIPAA-Covered Entities are held to include conducting a risk analysis to identify threats and vulnerabilities to digitized protected health information, also known as electronic protected health information (ePHI); create, implement and train employees regarding security procedures, especially related to malicious software protection and reporting incidents. (https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf).
The first issue a health care provider must address is whether the event is a breach under the HITECH Act. Under HITECH, a “breach” is defined as the “acquisition, access, use or disclosure of protected health information in a manner not permitted under [the privacy rules].” 45 C.F.R. § 164.404. If a breach occurs, the practice must conduct a risk analysis utilizing the factors set forth in the HITECH regulations.
Ransomware attacks present unique challenges as they are not a typical type of breach where the goal is to steal information. Rather, the usual goal of a ransomware attack is extortion. Nevertheless, OCR now presumes that a ransomware attack is a breach under the HITECH, 45 C.F.R. 164.402 et seq. because the program “accesses” the files in order to encrypt them and also renders the data inaccessible to the proper user. This presumption can be overcome if an appropriate risk assessment determines that the probability of compromise is “low”. OCR asks providers to utilize the traditional factors associated with any breach:
- The nature and extent of the PHI involved including the types of identifiers and likelihood of re-identification;
- The unauthorized person who accessed the PHI;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risks have been mitigated.
In the case of a malware attack, these factors mostly do not squarely apply. Perhaps recognizing this, OCR also recommends that the covered entity review the following:
Although entities are required to consider the four factors listed above in conducting their risk assessments to determine whether there is a low probability of compromise of the ePHI, entities are encouraged to consider additional factors, as needed, to appropriately evaluate the risk that the PHI has been compromised. If, for example, there is high risk of unavailability of the data, or high risk to the integrity of the data, such additional factors may indicate compromise. In those cases, entities must provide notification to individuals without unreasonable delay, particularly given that any delay may impact healthcare service and patient safety. (https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf).
OCR has commented that it believes that most ransomware attacks will require notification. Often, a malware attack that requires notification is due to a security vulnerability which could give rise to a violation of the Security Rules. Key issues here are the failure to have an adequate disaster recovery plan and failing to conduct periodic testing. Indeed the latter is a concern with OCR. A HIPAA risk assessment is not a “one and done” activity. The Security Rules provide:
(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. 45 C.F.R. § 164.308.
From our experience in this area, a Covered Entity should look at the following regulatory issues:
- Review your contingency plan to make sure it accounts for the latest threats;
- Test your backup procedures and plans. For example, do you know that your backup systems actually work and do you keep off-line backups in case of a malware attack? The time to find out is not after a malware attack;
- Review your security policies and privacy policies on an annual basis and make sure you understand what is required by the policies;
- Review vendor agreements, especially those with EHR and IT firms to ensure that they are complying with all HIPAA security regulations;
- Have a breach security checklist available to all employees outlining the steps to be followed in the event of an incident;
- Develop policies regarding the use of personal electronic devices from home to prevent spread of malware to systems containing PHI.
From a technical perspective, there are many significant practices and policies that should be part of a proactive approach for healthcare entities. Based on HIPAA, HITECH, and OCR, we have gathered six (6) significant tech tips:
- Inventorying Data & Mapping Data Flow – Understanding what exists and where it exists is the most important first step for healthcare entities. Determining the collection, use, storage, protection, and disposal of ePHI remains the foundation for solid security protocols. This also includes the maintenance of the principle of least privilege - meaning, the least amount of people necessary having access to the least amount of data for the least amount of time necessary. This should be a guiding principle for healthcare organizations.
- Consistent Security Assessments – Penetration testing and vulnerability audits allow for a better understanding of what the real and potential threat vectors are – and how to remediate them. While cybersecurity is always a moving target, and new types of malware are created every hour, these types of assessments can guide organizations as to vulnerabilities in the network as well as human errors (when was the last time IT pushed out device and antivirus patches?).
- Creation & Testing of an Incident Response Plan – This plan must be customized, detailed, and comprehensive to be useful in the healthcare field. There are multiple steps in an Incident Response Plan, following the lifecycle of a security Incident – the Plan must be useful for responding to a stolen, unencrypted laptop containing patient records, or a ransomware attack on a major network. It is best to have individuals from legal, IT, PR, privacy, and any necessary outside vendors (i.e., digital forensics professionals) chosen and on hand to review and test the Plan periodically.
- Auditing Vendor Security – You are only as strong as your weakest link. Choosing vendors and partners, be it for cloud-based data storage or customer service hotlines, should include a process to audit cybersecurity processes and review any relevant certifications.
- Encryption – Encoding ePHI, and more generally, mobile devices including laptops and cellphones, is a key proactive measure in the healthcare industry. This type of security mechanism is effective and essential – especially in a field where advances in telecommunication (telemedicine) require the use of mobile devices, thereby expanding a new set of vulnerabilities.
- Training - Knowledge is a powerful tool – and employees need to understand what threats exist, what a phishing email looks like, what to do in the event of a data breach, and how to maintain good cyber hygiene.
An ounce of prevention is worth a pound of cure – both for patients, and healthcare entities themselves in the sphere of cybersecurity. For the multitude of reasons provided herein, and for the many newspaper headlines that continue to appear related to the latest data breach, covered healthcare entities must be proactive about cybersecurity.