The post Charitable Giving Fraud and Other Online Dangers appeared first on Herrin Health Law, P.C..

The post Disrupting the Talk about Privacy and Security “Disruption” appeared first on Herrin Health Law, P.C..

The post Top 12 Information Security Recommendations for Businesses Operating in a Quarantined World appeared first on Herrin Health Law, P.C..

PHI can include physical records, electronic records or spoken information. Think medical bills, lab test results, health records and histories anything that includes a personal identifier. These types of data are highly sought after on the dark web, posing a critical need for strict policies and practices.

Staying vigilant applies to remote workers with company equipment as well as personal hardware. If you rely on third-party vendors to manage billing, medical records, precertification, quality reviews or the like, ask if measures are in place to combat hackers and breaches in this new environment.

In the meantime, here’s a customizable Remote Working Obligations template to help you think through safeguards. There is no such thing as too much cybersecurity.

Remote technology doesn’t have feel like we’re playing tin-can telephone (as nostalgic as that sounds). But we do need to play intelligently.

Our warmest wishes to all for staying healthy and safe.

Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta, Ga. Herrin offers more than 30 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology. Reach him at 404-459-2526 or barry.herrin@herrinhealthlaw.com. 

The post Teleworking due to COVID-19? Protect PHI from security threats, starting with this policy. appeared first on Herrin Health Law, P.C..

However, one place where this kind of list-building can really have an effect on your cybersecurity is to pay attention to the people that track commonly used — or, in many cases, stupidly used — passwords. There are many such lists, but TeamsID’s list[i] ranks the top 100 worst. In many cases, this list is similar to those published every year by the Wall Street Journal.[ii] Why is it similar? Because people can get lazy and systems haven’t been changed specifically to eliminate this behavior.

So, here’s a tip for all you system folk out there. Please, whatever you do, disable the following passwords in your systems:

• password
• Password
• passw0rd
• 123456
• 1234567
• 12345678
• qwerty
• princess
• 111111
• sunshine
• letmein
• admin
• iloveyou
• football
• All of the above variants with a ‘1’ or a “!” or both added at the end

Although everyone can’t agree on whether passwords are dead or dying, whether multi-factor authentication is the way to go, whether pass-phrases are better than passwords, and similar arguments, I hope everyone can agree that these password selection and retention behaviors are dangerous. Remember, the criminals read the same papers we do.

Happy New Year!

Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta, Ga. Herrin offers more than 30 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology. Reach him at 404-459-2526 or barry.herrin@herrinhealthlaw.com.

[i] https://www.teamsid.com/100-worst-passwords-top-50/

[ii] https://www.wsj.com/articles/2018-in-the-numbers-caffeine-fixes-asylum-seekers-and-bad-passwords-again-11545393601?mod=searchresults&page=1&pos=8

The post Automation as a cure for stupid? When it comes to passwords, yes. appeared first on Herrin Health Law, P.C..

Potential insureds cannot wait for the waters to calm, and must critically evaluate cybersecurity insurance prices and coverage options. The first and most important of these coverages should be the coverage of costs related to managing breaches, to include expenses related to the investigation, remediation efforts, and patient notification. Other costs that may also be incurred are credit monitoring services, damages associated with identity theft, damages associated with recovery of data, damages incurred due to having to reset EHR systems, and damages to reconstruct or recover websites and other Internet presences. Business continuity expenses (for workarounds or loss of revenue due to a cybersecurity incident) might also need coverage, especially as most standard commercial policies now exclude cyber-related risks from their covered losses. Finally, coverage for rogue employees and insider threats needs to be a part of the insurance discussion and any available coverage needs to be understood.

What coverage a healthcare enterprise can purchase and how much that coverage costs may also change based on how the enterprise addresses these critical aspects of compliance:

• The enterprise should be able to show that it is in compliance with HIPAA, including those provisions that require security and privacy risk assessments and proof of a plan of mitigation and remediation. Insurers likely will not cover losses resulting from a gap in HIPAA compliance, especially because there is a legal obligation on the enterprise to find out what those are.

• Insurers may impose requirements for technology controls (such as encryption, for example) beyond those mandated by HIPAA. Some coverages require more secure and more robust email systems that are more resistant to phishing and spoofing, and other coverages may even require intentional phishing attacks by the insured’s IT department or vendors to gauge compliance with training.

• The training requirements for new employee onboarding and access by non-employee contractors may need to meet certain criteria beyond HIPAA workforce awareness training.

• Insurers may require that contractors providing ‘business associate’ services be separately insured as a first layer of defense against cost, and that those business associate policies explicitly cover the covered entity for losses and damages caused by the business associate.

• The purchased coverage, as with certain types of malpractice insurance, should be based on the ‘date of detection’ as opposed to ‘date of intrusion.’ It is so difficult, even with the best system monitoring tools, to determine when a breach or incident actually first occurred, so the enterprise does not want to be locked into a technical dispute with the insurer about when the hack ‘should have been’ detected.

• The policy should explicitly address whether offshore operations will be covered. Significant risks are associated with outsourcing certain data manipulation and management functions to countries or regions that have stronger privacy and data security rules than the United States.

Finally, and regardless of what specific coverage requirements your policy contains, any policy’s limits need to avoid ‘cannibalizing’ limits, in which the costs of defense reduce the limits available to pay damages or judgments. As with professional malpractice and commercial general liability coverage, the best coverage separates costs of defense from claims expenses.

Barry Herrin (barry.herrin@herrinhealthlaw.com) is an attorney and Fellow of AHIMA. He is admitted to the bar in Florida, Georgia, North Carolina, and the District of Columbia and often speaks at the FHIMA Annual Meeting.

• “Putting It All Together,” The Economist (October 24, 2002)
• Koo, “More Incident Data Needed for Cybersecurity Insurance,” Bloomberg BNA (March 28, 2016)
• Even though there is almost a universal recognition in the law enforcement and security communities that these programs do no good at all, as the sophisticated hacker knows to wait out the 1 to 2 years of service before making use of the stolen data.

As published in the November 2018 FHIMA Monthly Newsletter. Reprinted with permission.

The post Cybersecurity insurance — the basics appeared first on Herrin Health Law, P.C..

In case you missed them, several federal agencies, including the Federal Trade Commission (FTC) and Federal Bureau of Investigation (FBI), publish safety advisories this time of year to help folks not get scammed or predated upon by cyberspace criminals. For purposes of this reminder, let’s analogize them to the ‘hide, lock, take’ signs you see at all shopping mall parking lots in America.

HIDE

• Buy online only from reputable sites that you have shopped with in the past. Beware of gift card offers or “too good to be true” pricing on sought-after gifts, especially from unknown sites.
• Don’t respond to ‘click here’ offers from merchants. Don’t respond to ads on social media sites. Don’t respond to surveys online or on social media asking for personal information. Don’t download apps or attachments from links in emails. Just don’t do it.
• If you’re one of those people who can’t resist posting pictures of everything you do, don’t post pictures of concert or sports tickets, because criminals will use the bar codes to create fake tickets and take your seat.
• If you get a phone call, text or email from someone purporting to be the fraud control agents of your bank or credit card company, don’t respond. Instead, call the number on the back of your card or on your bank statement and ask if there has been any unusual activity.

LOCK

• Use different passwords for different online shopping sites.
• Encrypt your computer.
• Use antivirus and other defensive software, and keep updates current.
• Don’t use truthful information in those “security questions” that you are asked to backstop your identity online. If I
  can get your mother’s maiden name, the street where you grew up, your first car, your high school mascot, and your best friend from your social media posts, so can the bad guys.
• Don’t give out your social security number unless it’s absolutely necessary. HINT: in most cases, it’s not absolutely necessary. And especially be wary of a person asking for your SSN AND your date of birth, as this is an invitation for financial identity theft.
• “Freeze” your credit report with the three main agencies (Equifax, Experian and TransUnion) so you control when to apply for new credit.

TAKE

• If you’re one who upgrades to the newest phone each year, be sure to scrub all data from those phones and remove any portable storage devices that live in them.
• Ditto for new computers. Once you transfer the data to the new box, destroy the data on the old box with a Department of Defense quality wiping/overwriting program. Or, simply take out  the drive and break it into tiny bits with a hammer.
• Make sure you maintain control of your credit cards and driver’s license.
• Limit what you carry when you shop. Leave all cards that aren’t for shopping at home, because their loss or theft could compromise your identity.
• If possible, shop online with only one card. It will make looking for and finding fraud easier. Use the same strategy for physical shopping as well. This may mean you lose some sales or point accumulation possibilities, but those aren’t worth the hassle of recovering from theft or impersonation. Or just get that gold card — you know, the one that advertises for extra points or extra cash; yeah, THAT one.
• Have the merchant email you a receipt instead of taking a physical receipt, if possible.

And let’s not forget to practice physical security and situational awareness while we are all out and about:

• Park in well-lit spaces.
• Don’t leave valuables visible in your car.
• Ask for a security escort to your car if you’re uneasy.
• And, even though the Boy Scout in me rebels at this notion, decline help from well-meaning people to load your car or hold your keys/purse/children while you fumble around. Get store staff or mall security to do this for you. Or, better yet, shop with other adult friends and family members who can help do this.

Finally, with all of the online shopping and delivery happening this time of year, remember:

• If someone isn’t going to be home to receive a delivery, have the packages delivered to another physical location. Both FedEx and UPS allow for delivery to one of their storefronts at no additional charge in most cases.
• Shred return labels and shipping documents you won’t use later. This prevents criminals from knowing where you shop and sending you a spoofed email from that merchant (which you should NOT click on). You should already have a shredder for those credit card offers, convenience checks, prescription documents that come with your pharmacy refills, and other sensitive papers. If not, tell Santa you need one.
• Break down shipping boxes and make sure they fit in the trash can. Piling lots of boxes at the curb is a ‘welcome mat’ for the home break-in teams that cruise about.

Data privacy is spotlighted during our frenzy of holiday shopping, but you need this to be a year-round way of life. Otherwise, your financial and personal data will be a gift that keeps on giving to the cybercriminal community even after you’ve taken down the tree and blown your New Year’s resolution to start exercising more.  Maybe if you had an app that Bluetooths to your scale so you can track your weight on your phone, and then send that personal data to a website that analyzes your BMI and diet. Oh, wait, that’s another blog.

Merry Christmas!

Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta, Ga. Herrin offers more than 30 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology. Reach him at 404-459-2526 or barry.herrin@herrinhealthlaw.com.

The post All I want for Christmas is … to keep my data private and secure appeared first on Herrin Health Law, P.C..

Abstract

The need for constant availability and integrity of patient data means that many organizations compromise on privacy and security, often to their detriment. This article discusses the current state of healthcare data privacy and security, examines the legal issues requiring attention, discusses risks of the growing use of remote technologies, health and wearable technology, and finally discusses cybersecurity insurance as a way to mitigate the financial costs of breach.

The Current State

Notwithstanding the imperative of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its Privacy and Security Rule,³ the era of interoperability has created a de-emphasis on the confidentiality of medical information while, at the same time, creating a tremendous emphasis on integrity and availability.

Findings from the Health Care Industry Cybersecurity Task Force in its final report of June 2, 2017⁴show that, of the three aims of cybersecurity confidentiality, integrity, availability), availability is the most important. You cannot take care of patients without having availability of information. Having high availability of patient information is especially important with hospitals that operate 24×7 and 365 days a year. Second to availability was integrity of data. The HCIC report specifically stated that integrity of data is important for protecting patient safety, which is directly implicated when it comes to connected medical devices and patients whose health can be directly impacted by the operation of the medical device. However, the report recognizes that the drive to interoperability has resulted in the confidentiality of medical information being de-prioritized and asserts that healthcare data confidentiality must remain top of mind.

A 2017 KLAS survey reports that 41 percent of respondents said their health systems dedicate less than three percent of the IT budget to cybersecurity, primarily because IT leadership has been focused on implementing electronic health record systems and dealing with interoperability challenges.⁵

Task Force Imperative four calls for an increase [in] healthcare industry readiness through improved cybersecurity awareness and education. However, the increase in readiness requires a holistic cybersecurity strategy. Organizations that do not adopt a holistic strategy not only put their data, organizations, and reputation at risk, but also – most importantly – the welfare and safety of their patients.

In the healthcare industry specifically, the financial impact of cybersecurity breaches is grim. One in three Americans were affected by healthcare breaches in 2015, according to a report from Bitglass.⁶ That’s more than 113 million individuals. Each lost or stolen medical record costs a healthcare organization $363 per record on average, per a Ponemon Institute report.⁷ The anecdotal record is not any more pleasant: Hollywood Presbyterian’s information systems were held hostage in Feb. 2016 for $3.6 million in Bitcoin,⁸ and more and more healthcare enterprises are creating reserves for data ransom. A 2016 IBM study quoted by SC Media UK showed that, in the United States, 70 percent of businesses receiving a ransomware demand paid to get their data back, with 50 percent of those paying more than $10,000 and a further 20 percent paying more than $40,000.⁹

No matter the technology used in the healthcare industry today – e-signature software, EHR platforms, wearable devices, smartphones, tablets, or other software or hardware – providers can either work to mitigate risk or watch the organization spiral into potentially uncontrollable vulnerability. Today’s electronic environment leaves little room for laissez-faire security efforts if a healthcare provider wants to remain safe from attack and protected from the financial consequences of the inevitable.

Why HIPAA Still Matters

HIPAA in general, and the Security Rule in particular, imposes specific compliance burdens on healthcare covered entities. Any use or disclosure of electronic protected health information (ePHI) not in compliance with the Privacy and Security Rules or more stringent state law constitutes a violation of HIPAA.¹⁰ The failure of a covered entity to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level is also a violation.¹¹ Likewise, a failure to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of its facility, and the movement of these items within its facility, are violations.¹² And, once a security incident occurs, the failure to timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome are all violations.¹³

At the time of writing, most of the Security Rule fines and penalties assessed by the US Department of Health and Human Services Office for Civil Rights (OCR) relate solely or primarily to either (1) theft of devices containing unsecured ePHI or (2) failure to conduct a security risk assessment that is discovered when another privacy or security breach is investigated. Examples of such traditional enforcement activity in recent times include the August 2015 announcement of a $750,000 settlement against Cancer Care Group, P.C. for the theft of an employee laptop containing ePHI on 55,000 individuals, the December 2013 announcement of a $150,000 settlement against Adult & Pediatric Dermatology, P.C. for the theft of a thumb drive containing ePHI on 2,200 patients, and the announcement of settlements by Idaho State University and University of Washington Medicine for failure to conduct privacy and security risk assessments and failure to adequately adopt security measures. Were this still the level of involvement by OCR in ePHI enforcement, a shrug of the CIO’s shoulders and a promise to encrypt all ePHI data at rest would be the universal response.

However, in recent times the enforcement focus has shifted to more core system security functions and away from the low hanging fruit of lost or stolen data-carrying devices. For example, a $850,000 settlement paid by Lahey Clinic Hospital in 2015 specifically references the failure to assign a unique user name for identifying and tracking user identity with respect to a particular workstation,¹⁴ failure to have a working audit trail capability with respect to workstation activity,¹⁵ and the failure to restrict physical access to workstations generally to authorized personnel. A similar enforcement activity against South Broward Hospital District in February 2017 resulted in a $5,500,00 settlement payment based on improper access to ePHI by over a dozen individuals exposing in excess of 80,000 patient records and the failure of the covered entity to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports¹⁶ and to implement policies and procedures that establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.¹⁷ Several enforcement activities also resulted in settlements for failure to have business associate agreements in place with third-party vendors responsible for storing ePHI.¹⁸ Just as the environment for bad cyber behavior has matured, so has the OCR’s level of understanding of system and enterprise failures of the healthcare community.

The Healthcare Internet of Things

The task of HIPAA compliance and compliance with cybersecurity best practices is being made harder with the proliferation of Internet-connected services in the healthcare industry. As recently as 2012, a Ponemon Institute survey reported that 69 percent of respondents did not even address the security of US Food and Drug Administration (FDA) approved medical devices in their IT security or data protection activities.¹⁹ Since that time, over five billion devices – not including smartphones – have connected to the Internet, and that number is expected to grow to between 25 billion and 50 billion by 2025.²⁰

The healthcare industry has particular patient safety risks associated with these devices, as revealed in a 2012 US Government Accountability Office report on the lack of action by the FDA to expand its consideration of information security for medical devices.²¹ A November 2015 Wired.com survey listed the seven healthcare device types most vulnerable to hacking or other violation which included drug infusion pumps, Bluetooth-enabled defibrillators, blood refrigeration units, and CT scanners – the failure of any of which would create tremendous patient risk. We have grown far beyond the fear of hacking the vice president’s pacemaker.²²

The fact that smartphones are not included in this total is worrisome, as the growth in potential cyber risk due to smartphone use is even more troubling. 84 percent of health applications for smartphones that were approved by the FDA were found to create HIPAA violations and were hackable.²³ Also worrisome is the continued increase in the use of smartphones to transmit and receive unsecured ePHI (primarily by text message) for patient treatment by healthcare professionals, in spite of HIPAA’s requirements and facility rules attempting to limit such activity.²⁴ Most health care enterprises gave up the fight over bring your own device, or BYOD, rules due to provider pressure a long time ago anyway. Although study results vary, as of 2014 upward of 90 percent of healthcare organizations permit employees and clinicians to use their own mobile devices to connect to a
provider’s network or enterprise systems.²⁵

One has to wonder what OCR’s response to all of this would be in light of the settlement agreements mentioned earlier: the decision not to impose device accountability for provider convenience may be fertile ground for future fines and penalties. And there is always the modern privacy paradox: health care consumers voluntarily share endless amounts of personal health information with applications on their smartphones, resulting in data being stored who knows where on the Internet without them thinking if it is convenient for them²⁶; however, these same consumers continue to resist the same sharing activities by their own healthcare providers, even if such activity would result in faster and better health care.²⁷

Cybersecurity Insurance

In October of 2002, The Economist magazine opined²⁸ that total security was impossible and that insurance would be the way that businesses mitigated the financial risk caused by this lack of security. Since that time, both security defenses and security attacks have proliferated, changed, and become more aggressive and complex. However, the cybersecurity insurance market, though maturing, is not developing at as rapid a pace. Some issues that remain to be explored are due to the relative newness of the coverage and the lack of good predictive actuarial models.²⁹

While the market matures, there are various factors that potential insureds should evaluate closely as they shop for and price out cybersecurity insurance. The first and most important of these coverages should be the coverage of costs related to managing breaches, to include expenses related to the investigation, remediation efforts, and patient notification. Other costs that may also be incurred are credit monitoring services,³⁰ damages associated with identity theft, damages associated with recovery of data, damages incurred due to having to reset EHR systems, and damages to reconstruct or recover websites and other Internet presences. Business continuity expenses related to workarounds or loss of revenue due to a cybersecurity incident might also need coverage, especially as most commercial policies of this type are figuring out how to exclude cyber-related risks from their covered losses. Finally, but not least importantly, coverage for rogue employees and insider threats needs to be a part of the insurance package.

The type of coverage a healthcare enterprise can obtain, and the premiums therefor, may be affected by certain underwriting considerations, all of which should inform the enterprise’s compliance efforts:

• The enterprise should be able to show that it is in compliance with HIPAA, including those provisions that require security and privacy risk assessments and proof of a plan of mitigation and remediation. Insurers likely will not cover losses resulting from a gap in HIPAA compliance, especially because there is a legal obligation on the enterprise to find out what those are.
• The potential insured needs to know what the insurer’s requirements are for encryption beyond those mandated by HIPAA. Some coverages require more secure and more robust email systems that are more resistant to phishing and spoofing, and even other coverages may require intentional phishing attacks by the insured’s IT department or vendors to gauge compliance with training.
• The training requirements for new employee onboarding and access by non-employee contractors may need to meet certain criteria beyond HIPAA workforce awareness training.
• Insurers may require that contractors providing business associate services be separately insured as a first layer of defense against cost.
• The potential purchaser needs to be on the lookout for what is referred to in the industry as cannibalizing coverage, in which the costs of defense reduce the limits available to pay damages or judgments. The best coverage separates costs of defense from claims expenses.
• The purchased coverage, as with certain types of malpractice insurance, should be based on the date of detection as opposed to date of intrusion. It is so difficult, even with the best system monitoring tools, to determine when a breach or incident actually first occurred, so the enterprise does not want to be locked into a technical dispute with the insurer about when the hack should have been detected.
• The prospective insured needs to know whether offshore operations will be covered. Significant risks are associated with outsourcing certain data manipulation and management functions to countries or regions that have stronger privacy and data security rules than the United States. In particular, the European Union takes a dim view of American-style discovery and most likely will not permit the compelled return of data from an EU vendor in litigation pending in United States courts.

Conclusions

The growth of connected devices, connected physicians, and connected patients will continue to push healthcare facilities to provide more interoperability for health data than ever before. These same technological pressures will make it easier for cybercriminals and disgruntled employees to compromise the data upon which everyone relies for reliable patient care, because an increase in interoperability in most cases creates an increase in gaps in security. Healthcare systems need to recognize this risk as a direct threat to patient care, and not just to its financial and technology resources. A holistic security approach, combining effective cybersecurity practices, HIPAA training and compliance, and appropriate insurance coverages will be the best way to address this growing area of opportunity and risk in the future.

Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta. Herrin offers more than 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology.

Endnotes

1. Originally published in the September 2017 ISSA Journal, the monthly publication of the Information Systems Security  Association (ISSA)  Developing and Connecting Cybersecurity Leaders Globally  www.issa.org/?page=ISSAJournal. Reprinted with permission.
2. Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law P.C. in Atlanta, Georgia. Herrin has over 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is both a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association and holds a Certificate in Cyber Security from the Georgia Institute of Technology. He may be reached at https://barry.herrin@herrinhealthlaw.com.
3. 45 CFR Parts 160 and 164; the enabling legislation is found at 42 U.S.C. Section 1320a-7c.
4. Report on Improving Cybersecurity in the Health Care Industry, Health Care Industry Cybersecurity Task Force (June 2017)  https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf.
5. Center for Connected Medicine report, The Internet of Medical Things: Harnessing IoMT for Value-Based Care, July 2017  https://www.connectedmed.com/files/assets/common/downloads/publication.pdf.
6. Bitglass. Bitglass Healthcare Breach Report 2016, Bitglass  https://pages.bitglass.com/BR-Healthcare-Breach-Report-2016_PDF.html.
7. Larry Ponemon, Cost of Data Breaches Rising Globally, Says ‘2015 Cost of a Data Breach Study: Global Analysis,’  Security Intelligence, May 27, 2015  https://securityintelligence.com/costof-a-data-breach-2015.
8. Vincent Lanaria, Hackers Hold Hollywood Hospital’s Computer System Hostage, Demand $3.6 Million As Patients Transferred, Tech Times, 16 February 2016  http://www.techtimes.com/articles/133874/20160216/hackers-hold-hollywood-hospitals-computer-system-hostage-demand-3-6-million-as-patientstransferred.htm. The hospital eventually paid $17,000 in Bitcoin.
9. Max Metzger, Your Money or Your Files: Why Do Ransomware Victims Pay Up? SC Magazine UK, May 25, 2017  https://www.scmagazineuk.com/your-money-or-your-files-why-do-ransomwarevictims-pay-up/article/664211/.
10. 45 C.F.R. §§ 160.103 and 164.502 (a). NOTE: CFR 45, Parts 160 and 164 can be found at US Electronic Code of Federal Regulations: Title 45 Public Welfare, Subchapter C Administrative Data Standards and Related Requirements: 160-164  https://www.ecfr.gov/cgi-bin/text-idx?SID=fbc57ba7be313c69e19aa1e78ac97adf&mc=true&tpl=/ecfrbrowse/Title45/45CsubchapC.tpl
11. 45 C.F.R. §164.308(a)(1)(ii)(B)
12. 45 C.F.R. § 164.310(d)(1)
13. 45 C.F.R. § 164.308(a)(6)(ii)
14. 45 C.F.R. § 164.312(a)(2)(i)
15. 45 C.F.R. § 164.312(b)
16. 45 C.F.R. §164.308(a)(l)(ii)(D)
17. 45 C.F.R. § 164.308(a)(4)(ii)(C)
18. As examples, see the July 18, 2016 Resolution Agreement with Oregon Health & Science University in which $2,7 million was paid and the September 23, 2016 Resolution Agreement with Care New England Health System in which $400,000 was paid.
19. John Glaser, The Risky Business of Information Security: With Growing Threats to Patient Privacy and Increasing Sanctions by Regulators, Make Data Security Central to Your Business, Hospitals & Health Networks, August 12, 2014  http://www.hhnmag.com/articles/4064-the-risky-business-of-informationsecurity.
20. The Florida Bar, 8th Annual FUNdamentals: The Legal Implications of the ‘Internet of Things’, Course 2232R (September 16, 2016)
21. GAO, Report to Congressional Requesters: Medical Devices: FDA Should Expand Its Consideration of Information Security for Certain Types of Devices, United States Government Accountability Office, August 2012  http://www.gao.gov/assets/650/647767.pdf.
22. Lisa Vaas, Doctors Disabled Wireless in Dick Cheney’s Pacemaker to Thwart Hacking, Naked Security, Sophos, 22 Oct 2013 https://nakedsecurity.sophos.com/2013/10/22/doctors-disabled-wireless-indick-cheneys-pacemaker-to-thwart-hacking/.
23. Ibid.
24. Ibid. (citing a 2015 University of Chicago survey finding that over 70 percent of its medical residents improperly sent ePHI by text messages).
25. John Glaser, The Risky Business of Information Security: With Growing Threats to Patient Privacy and Increasing Sanctions by Regulators, Make Data Security Central to Your Business, Hospitals & Health Networks, August 12, 2014  http://www.hhnmag.com/articles/4064-the-risky-business-of-informationsecurity.
26. Shannon Barnet, Millennials and Healthcare: 25 Things to Know, Becker’s Hospital Review, August 04, 2015  http://www.beckershospitalreview.com/hospital-management-administration/millennials-and-healthcare-25-things-to-know.html. 71 percent of Millennials surveyed by Harris would use a mobile app to share health care data with providers. See also Mintel, Sixty Percent of Millennials Willing to Share Personal Info with Brands, Mintel, March 7, 2014  http://www.mintel.com/press-centre/social-andlifestyle/millennials-share-personal-info, in which the study reports that 60% of Millennials would be willing to provide details about their personal preferences and habits to marketers, and, of those that would not initially provide such information, 30% would do so after receiving an incentive offer such as a discount off future purchases.
27. Denver Nicks, Survey: Millennials Care about Privacy (But Not So Much in Japan), Time, Nov. 07, 2013  http://techland.time.com/2013/11/07/survey-millennials-care-about-privacy-but-not-somuch-in-japan/. Only 4% of respondents would be comfortable with data being used for a purpose outside of its original context. The study also says that these preferences vary by economic status, with high-income worried more about data privacy than low-income people.
28. Putting It All Together, The Economist (October 24, 2002)
29. Koo, More Incident Data Needed for Cybersecurity Insurance, Bloomberg BNA (March 28, 2016)
30. Even though there is almost a universal recognition in the law enforcement and security communities that these programs do no good at all, as the sophisticated hacker knows to wait out the 1-2 years of service before making use of the stolen data.

The post Cybersecurity Risk in Health Care appeared first on Herrin Health Law, P.C..

By Mike Miliard | March 30, 2018 | 09:49 AM
As published in Healthcare IT News.  

Enterprise risk management is a tall order, as healthcare organizations strive in earnest to mitigate their exposure to a wide array of threats and uncertainties. But what if there was a roadmap already written that could help guide the way?

There is, says healthcare attorney Barry Herrin, founder of Herrin Health Law. It’s just too often seen as something to be filed away with health systems’ cybersecurity plans.

The NIST Cybersecurity Framework will be familiar to many hospital IT and security personnel as they grapple with this frightening new era of weaponized malware, insider threats and nation-state hacking, of course.

[Also: Hackers are prepping for future attacks. Are you?]

But it also contains some key provisions that could be very useful to healthcare organizations as they try to get their arms around myriad other risks and vulnerabilities, said Herrin – particularly with regard to access control.

It can help inform approaches to people, process and technology (in that order) for mitigation of risks across the healthcare enterprise, he said.

“I’ve been trying to evangelize it,” said Herrin of the idea that the cyber risk management framework can be expanded “to set expectations about how we’re going to use it to manage enterprise security – not just data security, but all kinds of security.”

“Most people believe that access control relates to passwords – how you get into the dataset. It can mean how you physically gain access to the data room, says Barry Herrin of Herrin Health Law.

It’s especially pressing these days, as the industry pursues interoperability in earnest, he said, which many seem to think should be defined as ubiquitous access to data, all the time.

“We make our systems porous on purpose so as many people as possible can access the data for patient care,” said Herrin. “When we do that, we create massive gaps in confidentiality, privacy and security.”

So how to patch those gaps? Technology isn’t enough. Since the FBI tells us that 80 percent of the threats to data come from people who’ve already been given access to it on purpose, “building the Great Firewall around your enterprise is not going to work.”

That means organizations have to refocus their thinking, concentrating on efforts beyond technology and casting a wider view of their workforce and the access employees are given to data. Sure, there’s tech that can help with that. “But we have to look at the controls inside the risk management framework in ways other than technology,” said Herrin.

The cyber framework’s first two steps are 1) to categorize your information systems’ security controls, taking stock of the management, operational and technical safeguards available to protect against risk, and 2) to select an initial set of security controls, tailoring and supplementing as needed.

The third step is to implement those controls. But Herrin points out that the language used tends to focus on words such as “purchase,” “install,” “configure” and “test.”

That’s where too many healthcare organizations stop thinking about the people and the people and processes involved in risk management and begin to think of it only in terms of technology.

“You’ve already given the game up if that’s the talk you talk because you just assume that the control is something you buy,” he explained.

“Here’s the example I always use: Access control,” said Herrin. “Most people believe that access control relates to passwords – how you get into the dataset.”

But “access control” also can mean other things.

“It can mean how you physically gain access to the data room, or how to get access to the level of the data you’re supposed to get based on your job description,” he said. “It can mean an assessment of you as a threat vector rather than a vulnerability. It can mean lots of things: ‘Why would I let you have access to this, under these circumstances.'”

For example, the guidelines for the control set for access control say organizations should revalidate employees’ credentials whenever their access level is increased inside the data structure.

“If you’re going to have access to more stuff, we need to re-vet you to make sure that it is consistent with your job description and that you don’t pose an insider threat,” said Herrin

During a presentation on this topic at HIMSS18, he asked the audience whose organization does that, and “no one’s hand went up,” he said. “Nobody does that. They just respond to the email from the IT department that says, ‘Give so and so access.'”

If employees had to “sign a piece of paper and sit down in front of an IT manager” to get expanded access to a hospitals data, that could lead to substantial decrease in insider threat risks.

“It costs you nothing but time,” said Herrin. “And it eliminates tons of vulnerabilities. There’s no FBI agent on the cyber squad, anywhere in the country, that would disagree with that statement. I’ve asked them myself.”

So what about expanding on the access control guidance of the cyber risk framework, and applying it other circumstances in other parts of the enterprise?

“Who gets access to the premises? How do we do badging? How do we verify identity? What’s our policy on looking to see whether people have badges? That’s all part of access control. You have to scope people’s access based on their job description, and in healthcare that’s absolutely mission critical.”

But telescoping HIPAA’s Minimum Necessary Requirement out to other parts of the enterprise is just one aspect where a more creative reading of the cybersecurity framework could lead to more robust processes and protections, said Herrin.

“There are tons of things you can do easily that someone has already given you guidance for if you just open the box up and look and see what’s inside,” he said. “But you have to reorient your thinking about the cybersecurity risk management framework. It cannot be about buying toys and tools. It has to be about implementing controls.”

For many organizations, however, the fact that it’s “not about buying something, it’s about doing something” is exactly the reason that creative thinking doesn’t take hold more often. Technology is easy; people and process are harder.

To that, Herrin has a simple answer: “HIPAA is out there as the hammer,” he said. “You need to pay attention to this stuff. What we know, based on what OCR is doing, that they’re looking at whether you audit people’s access to systems where you’ve not configured limitations on control. They’re spending their time right in that wheelhouse.

“If you’re interested in not paying a fine with two commas in it, you should at least look in the mirror and say, ‘What can I do to limit access to this data set,'” he said. “You have to stop looking at technology as the sole solution to system security problems. It’s going to require cultural change.”

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

The post Beyond passwords: How NIST cybersecurity framework gives risk management a boost appeared first on Herrin Health Law, P.C..

As published in the ISSA Journal February 2018. ISSA is the Information Systems Security Association International 

Executive Summary: Federal and state laws governing notification of breach of patient medical information vary, and some of those variations are material. It is important for health care providers to understand the differences between these regulatory schemes and to comply with each. Providers located in one state and treating patients from another state may also have a regulatory burden of which they are unaware. The assistance of experienced privacy and data breach counsel should be sought when examining these issues.

Introduction

The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), enacted by Congress as a part of the American Recovery and Reinvestment Act of 2009, places a duty on covered entities to notify patients, the Secretary of the Federal Department of Health and Human Services through its Office for Civil Rights (“OCR”) and, in some cases, the media, of any breach of unsecured protected health information (“PHI”).¹  Because of this obligation, it is important that health care providers develop internal systems for investigating security incidents involving unsecured PHI. Critically, although every breach of unsecured PHI is an impermissible disclosure under HIPAA, not every impermissible disclosure under HIPAA is a breach. Being able to tell the difference between the two will help covered entities avoid unnecessary, embarrassing, and potentially costly notification requirements and penalties.

Adding to this regulatory burden are the requirements of the several states governing patient information and its privacy. Although many states default to the federal HIPAA standard, many do not. In these states, covered entities may have different reporting requirements, definitions of data that are covered by the protections of state law, and differing penalties. Providers need to be aware of both and not make the mistake that HIPAA pre-empts all state privacy rules. Remember: only those state regulations that provide less protection for patients are replaced by HIPAA – in all other circumstances, the state scheme survives.²

The Federal Framework

For federal purposes, “unsecured PHI” is defined as PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption technologies or methods of physical destruction approved by OCR.³ Currently approved encryption technologies and destruction methodologies are outlined in the National Institute of Standards and Technology (“NIST”) Special Publications 800-111, 800-52, 800-77, 800-113, and 800-88.⁴ The definition should remind us that the federal HITECH breach and notification requirements cover both paper and electronic records: this is not just an expansion of the HIPAA Security Rule covering only electronic PHI.

A breach of unsecured PHI under the federal regulations occurs where (1) the PHI is acquired, accessed, used, or disclosed in a manner not permitted under the HIPAA Privacy Rule;⁵ and (2) that compromises the security or privacy of the protected health information. The security or privacy of the information is presumed compromised for the purpose of this analysis UNLESS an exception applies (described below) OR the covered entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

Even if the breach does not pass the above analysis, it is still not a breach requiring notice and disclosure under the federal scheme if the information meets any one of the following three (3) criteria:

(a) It is individually identifiable health information held by the covered entity or business associate in its capacity as an employer. For example, workers’ compensation information on a hospital’s employee would contain health information, but it would not be subject to these provisions.

(b) It is PHI that does not include one of the sixteen (16) identifiers listed at 45 C.F.R. § 164.514(e)(2) or the patient’s date of birth or the patient’s zip code.

(c) It is information that has been “de-identified” in accordance with the HIPAA Privacy Rule.⁶

A Smattering of State Schemes

As one might expect, state legislators and regulators take very different approaches to privacy of their citizens’ personal health information and when notification of a security incident is required. A brief examination of three such regulatory schemes will illustrate the problem for health care businesses with a presence in more than one state.

California

Section 1280.15 of the California Health & Safety Code requires certain medical providers to report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the [California Department of Public Health] no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected by the provider, and to make the same report to the affected patient or the patient’s representative.⁷

Medical information means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. Individually identifiable means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.⁸ A breach in this context means any unlawful or unauthorized access to, [or] use [or] disclosure of medical information.⁹ Unauthorized in this context means access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act or any other statute or regulation governing the lawful access, use, or disclosure of medical information.¹⁰

One can see immediately that the California statute is remarkably similar to the current HIPAA/HITECH statute in both the breadth of information covered and the circumstances under which that information is compromised. And both the California statute and HIPAA/HITECH exempt from the breach notification requirements incidents involving any information that is encrypted. However, the California statute does not contain any exemption from breach notification if there is a low probability that the [PHI] has been compromised as the federal scheme does: any breach meeting the California definition (and therefore, arguably, the HIPAA/HITECH definition) would require patient notification.¹¹

But, and importantly for our comparison, California does provide a safe harbor for health care entities involved in a breach that would qualify under both California law and HIPAA. Entities that are covered entities under HIPAA need only comply with the patient notification requirements articulated in HITECH in order to comply with the patient notice provisions of California law; however, those entities will still have to notify the California attorney general if required to do so.

Florida

The Florida Information Protection Act of 2014 (FIPA)¹² requires covered entities¹³ to notify persons if a breach of security occurs with respect to a person’s personal information. FIPA defines personal information as either one of two types of information: (1) an individual’s first name or first initial and last name in combination with at least one of (a) a social security number; (b) a driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity; (c) a financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account; (d) any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or (e) an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual OR (2) a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.¹⁴ A breach of security occurs when there is unauthorized access of data in electronic form containing personal information.¹⁵ However, a breach is not a breach requiring notice if after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.¹⁶

Several things are apparent when comparing FIPA with HIPAA. First, there are fewer exceptions to the notification standard if a breach has occurred in FIPA; however, the risk protected against in FIPA (identity theft and financial harm) is arguably more narrow than the risk framework contemplated by HIPAA, which would include reputational and other non-financial risks, and could therefore more easily result in a no notice breach. Second, the exception available under FIPA requires active collaboration with law enforcement, whereas there is no such requirement in HIPAA. Third, although HIPAA could consider a breach to occur when any of the information listed in FIPA is used, accessed, acquired, or disclosed, FIPA requires those data elements to be accessed in combination with the patient’s name; thus, a release of just a patient’s name would not cause a breach under FIPA when it would under HIPAA. Fourth, FIPA requires the release of both the person’s email account AND password or access credential, whereas HIPAA requires only one of the two to be involved in a breach. Finally, and most importantly, FIPA only covers electronic information, whereas HIPAA applies to all PHI, regardless of the format in which it is maintained.

North Carolina

The Identity Theft Protection Act of 2005¹⁷ requires businesses¹⁸ and state and local government to notify people when there is a security breach involving their personal information.¹⁹ For the purposes of this statute, a security breach is an incident of unauthorized access to and acquisition of unencrypted²⁰ and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer.²¹

In the healthcare context, the North Carolina act may have limited application, as the types of data generally are only those relating to financial resources. However, a patient’s name, Social Security number, email addresses, biometric identifiers, fingerprints, and any other numbers or information that can be used to access a person’s financial resources,²² which could include health plan beneficiary numbers and account numbers,²³ are protected under the North Carolina act and under HIPAA as well.

Without even considering the definition of personal information, note the important distinctions between the federal HIPAA framework and the North Carolina act. First, the data must be illegally accessed and acquired for the North Carolina act to apply, whereas HIPAA requires only one or the other. Second, and similar to the rule in Florida, whereas encryption of the data provides a complete exception to the breach and notice framework under HIPAA, the acquisition of the data along with the key to the encryption still constitutes a breach requiring notice in North Carolina. Third, unless criminal activity is involved, a security breach is not presumed under the North Carolina act; an analysis still must be conducted to determine whether there is a material risk of harm, which is the approach to the HIPAA breach notification scheme before its most recent amendment.

Conclusion

States take a varied approach to the regulation of losses of patient health information. Some regulate only electronic information (such as Florida), others only apply regulatory scrutiny if it can be shown that the information has been both accessed and acquired by an unauthorized person (such as North Carolina), and some, such as California, provide even broader protections than those found in HIPAA/HITECH. Providers operating in states with such statutes and regulations must be mindful of the differences between the federal and the operative state schemes. In addition, some states, of which North Carolina is one, would purport to regulate providers outside of the state who have protected information on its own citizens, a situation which could prove harmful to providers holding licenses in that state even though they may not have a physical presence in that state. Careful review of all of the statutes, rules, and regulations applicable to patient data safety and release is ever more critical. Providers would be well advised to seek knowledgeable counsel to guide them through these requirements.

Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta. Herrin offers more than 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology.

Citations

1. The combined regulations can be accessed at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
2. 45 C.F.R. Section 160.202.
3. 45 C.F.R. Section 164.402
4. 45 C.F.R. Section 164.310 requires covered entities to address the “final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored” and to implement procedures for “removal of electronic protected health information from electronic media before the media are made available for re-use.” The NIST criteria for electronic data destruction are available at http://csrc.nist.gov/.
5. 45 C.F.R. § 164.500, et seq.
6. 45 C.F.R. Section 164.502(d) permits a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications in §164.514(a)-(b).
7. Section 1280.15(b) of the California Health & Safety Code.
8. Section 56.05(j) of the California Civil Code.
9. Section 1280.15(a) of the California Health & Safety Code.
10. Id. The Confidentiality of Medical Information Act is found at Section 56 of the California Civil Code.
11. Section 1280.15(b) of the California Health & Safety Code.
12. Fla. Stat. Section 501.171.
13. The definition includes arguably only commercial entities and all units of state and local government that maintain, store, or use personal information. Fla. Stat. Section 501.171(1)(b).
14. Fla. Stat. 501.171(1)(g)(1).
15. Fla. Stat. Section 501.171(1)(a).
16. Fla. Stat. Section 501.171(4)(c).
17. N.C.G.S. Chapter 75-60 et seq.
18. The business must either be located in North Carolina or the data must be that of North Carolina residents.
19. N.C.G.S. Section 75-65(a). The term personal information: includes the information governed by N.C.G.S. Section 14-113.20(b) regarding identity theft, and includes the following pieces of information in combination with a person’s first name or first initial and last name: (1) Social Security or employer taxpayer identification numbers; (2) driver’s license, State identification card, or passport numbers; (3) checking account numbers; (4) savings account numbers; (5) credit card numbers; (6) debit card numbers; (7) Personal Identification (PIN) Code;(8) electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names; (9) digital signatures; (10) any other numbers or information that can be used to access a person’s financial resources; (11) biometric data; (12) fingerprints; (13) passwords; and (14) parent’s legal surname prior to marriage.
20. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall [also] constitute a security breach. N.C.G.S. Section 75-61(14)
21. N.C.G.S. Section 75-65(a).
22. N.C.G.S. Section 14-113.20(b)((10).
23. 45 C.F.R. Section 164-512(b)(2)(i)(H), (I), (P).

The post Security Incidents and Breaches in the Healthcare Industry (Case Study) appeared first on Herrin Health Law, P.C..