Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), the agency enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, obtained two large breach-related settlements: one from a HIPAA Covered Entity and one from a HIPAA Business Associate. These enforcement actions signal that despite COVID-19 related challenges, organizations continue to face rampant data breaches and ensuing HIPAA enforcement.
On September 25, 2020, OCR settled an investigation into a breach suffered by a large health insurer by obtaining the second-largest resolution payment in HIPAA enforcement history ($6.85 million). This enforcement action resolved an investigation concerning potential violations of the HIPAA Privacy and Security Rules related to a breach affecting the electronic protected health information (ePHI) of more than 10.4 million people. The breach resulted from a phishing attack that introduced malware into the insurer’s IT systems and allowed unauthorized actors to gain access and remain undetected for nearly nine months. Similarly, on September 23, 2020, a business associate providing IT and health information management services to hospitals and physician clinics entered into a settlement ($2.3 million) with OCR for potential violations of the HIPAA Privacy and Security Rules related to a breach affecting over 6 million people. Essentially, these cyberattacks were advanced persistent threats that compromised the privacy and security of ePHI and PHI and revealed longstanding gaps in the companies’ cybersecurity controls.
Lessons Learned
The parties in both of these cases entered into comprehensive Resolution Agreements and Corrective Action Plans. These settlement documents provide an informative checklist of considerations for similar entities to implement as both proactive and reactive measures. In particular, these Corrective Action Plans stressed the importance of implementing proactive policies, procedures and training around access controls. OCR also required augmenting reactive policies and procedures relating to auditing and monitoring system activity. Moreover, the incidents serve as a reminder for all organizations of the importance of conducting an enterprise-wide risk analysis around cybersecurity and implementing risk management and control measures. In fact, these Corrective Action Plans included requirements to conduct such risk analyses and implement risk management plans accordingly.
Big Picture View on Best Practices
Although OCR’s enforcement authority is limited to HIPAA, it is critical to note that enterprise-wide risk analyses should account not only for PHI, but also for other personally identifiable information (PII). Nearly every organization will possess PII, and nearly every healthcare entity will possess PHI and PII, with each bearing privacy and security obligations under a variety of federal laws and regulations (beyond HIPAA) specifically addressing cybersecurity practices (such as the Gramm-Leach-Bliley Act of 1999, the Federal Trade Commission Act of 1914 and SEC Regulation S-P). Organizations must also be mindful of state and local requirements concerning cybersecurity, such as the NY SHIELD Act or the California Consumer Privacy Act (CCPA), as well as possible international considerations (e.g., GDPR). Further, these requirements will continue to evolve as additional laws are passed or amended. For example, California voters will vote in November on Proposition 24, which would further amend the CCPA and, among other things, establish an enforcement arm, the California Privacy Protection Agency, to defend consumer rights and extend enforcement, including imposing penalties for negligence resulting in theft of consumers’ emails and passwords.
In light of ever-present cyber risk and aggressive regulatory enforcement on many fronts, organizations should consider addressing the following in order to develop or update their existing policies and procedures around cybersecurity and data breach response:
- Assemble the Right Team. There is no one-size-fits-all approach to cybersecurity management. Depending on the size of your organization, data security may reside solely within the confines of the IT department’s scope of responsibility or may extend upward all the way to executive leadership and the Board. Regardless of organizational size, given the severity of potential risks and penalties associated with a cyber-breach, best practices involve establishing a dedicated team to develop cybersecurity policies and data breach response protocols. This team may be multi-disciplinary and include members from such areas as IT, risk management, legal, compliance and human resources. The organization should commit to investing in robust data security software and hardware, and retain (where appropriate) outside service providers to assist with data protection efforts and incident response.
- Prepare, Prepare, Prepare. Cybersecurity programs are often only as strong as the workforce interacting with your organization’s network. As such, it is imperative to implement robust cybersecurity training requirements for employees as well as security event notification processes related to phishing, ransomware, and other cyber threats. Yet even with the most robust training, given enough time, a data breach becomes an inevitability. Thus, it is important for organizations to know who to contact in the event of a breach, when to bring in law enforcement agencies, and when to notify the organization’s governing body and government agencies. Likewise, it is critical to designate “on-call” members of the team to support in the context of a security event. This should include coverage schedules for off-hours and specific holidays to ensure that a member of the team is available to lead a response in the event of a cyber-breach. The team should also conduct tabletop testing exercises to prepare response coordination. By preparing to respond to a breach, organizations can ensure that damage will be contained as efficiently and effectively as possible. These “people and process” exercises should be done in tandem with robust “technology” testing such as penetration testing, vulnerability scanning, and other contingency planning.
- Conduct a Risk Assessment. A risk assessment is the first critical step in a cybersecurity compliance plan to identify the vulnerabilities in the organization’s systems. The HIPAA Security Rule specifically requires conducting one. Further, the National Institute of Standards and Technology (NIST) has placed great emphasis on conducting a risk assessment as the foundation for data security. As part of this assessment, an organization should also be able to identify the types of data that it collects, stores, and transmits in order to properly secure it and address data retention policies in accordance with applicable laws. For guidance on how to conduct these exercises, see NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments.
- Implement and Update Audit Controls. Audit controls give an organization visibility into its systems, allowing it to recognize suspicious activity early in order to limit exposure and ultimately prevent a full-blown data breach. HIPAA requires audit controls to ensure entities have sufficient awareness of system activity (and specifically malicious activity). Further, HIPAA requires organizations to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. NIST audit control standards provide more granular guidance on conducting proactive system monitoring and activity logging. If reasonable and appropriate controls are put in place relative to these safeguards, companies can prevent hackers from gaining unauthorized access to ePHI.
- Implement and Update Cybersecurity Policies. As the cyber threat landscape continues to evolve, and novel federal and state requirements come online, it is prudent to ensure that your organization’s policies and procedures are reasonable and appropriate and comport with best practices. Your organization should also ensure vendor cyber risk is managed through due diligence and robust contractual obligations such as data privacy and protection agreements. To the extent your organization collects data that is subject to the GDPR, a Data Protection Impact Assessment ought to be performed relating to personal data collection, maintenance and processing activities. Finally, your organization should also review its cyber liability insurance policies to ensure you have adequate “rainy day” coverage and funds in case a data breach, or the resulting regulatory obligations or enforcement, requires significant capital outlays.
The time is now for all organizations to ensure that the proper cybersecurity policies and procedures and data breach response plans are in place and implemented enterprise-wide. Many of these activities require significant time and resource investments coupled with expert guidance from cybersecurity professionals. Further, many of these activities (particularly risk analyses and tabletop exercises) surface compliance gaps and carry compliance implications. As such, it is prudent to conduct such activities under attorney-client privilege to ensure the right compliance documentation is generated, while the “bad paper” identifying negative findings is protected from discovery.