As published in Health Law Developments, The Newsletter of the Health Law Section State Bar of Georgia
Winter 2018

Abstract

The need for constant availability and integrity of patient data means that many organizations compromise on privacy and security, often to their detriment. This article discusses the current state of healthcare data privacy and security, examines the legal issues requiring attention, discusses risks of the growing use of remote technologies, health and wearable technology, and finally discusses cybersecurity insurance as a way to mitigate the financial costs of breach.

The Current State

Notwithstanding the imperative of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its Privacy and Security Rule,the era of interoperability has created a de-emphasis on the confidentiality of medical information while, at the same time, creating a tremendous emphasis on integrity and availability.

Findings from the Health Care Industry Cybersecurity Task Force in its final report of June 2, 20174show that, “of the three aims of cybersecurity confidentiality, integrity, availability), availability is the most important. You cannot take care of patients without having availability of information. Having high availability of patient information is especially important with hospitals that operate 24×7 and 365 days a year.” Second to availability was integrity of data. The HCIC report specifically stated that “integrity of data is important for protecting patient safety,” which is “directly implicated when it comes to connected medical devices and patients whose health can be directly impacted by the operation of the medical device.” However, the report recognizes that the drive to interoperability has resulted in the confidentiality of medical information being de-prioritized and asserts that “healthcare data confidentiality must remain top of mind.”

A 2017 KLAS survey reports that 41 percent of respondents said their health systems dedicate less than three percent of the IT budget to cybersecurity, primarily because IT leadership has been focused on implementing electronic health record systems and dealing with interoperability challenges.5

Task Force Imperative four calls for an “increase [in] healthcare industry readiness through improved cybersecurity awareness and education.” However, the increase in readiness “requires a holistic cybersecurity strategy. Organizations that do not adopt a holistic strategy not only put their data, organizations, and reputation at risk, but also—most importantly—the welfare and safety of their patients.”

In the healthcare industry specifically, the financial impact of cybersecurity breaches is grim. One in three Americans were affected by healthcare breaches in 2015, according to a report from Bitglass.That’s more than 113 million individuals. Each lost or stolen medical record costs a healthcare organization $363 per record on average, per a Ponemon Institute report.The anecdotal record is not any more pleasant: Hollywood Presbyterian’s information systems were held hostage in Feb. 2016 for $3.6 million in Bitcoin,8 and more and more healthcare enterprises are creating reserves for data ransom. A 2016 IBM study quoted by SC Media UK showed that, in the United States, 70 percent of businesses receiving a ransomware demand paid to get their data back, with 50 percent of those paying more than $10,000 and a further 20 percent paying more than $40,000.9

No matter the technology used in the healthcare industry today—e-signature software, EHR platforms, wearable devices, smartphones, tablets, or other software or hardware—providers can either work to mitigate risk or watch the organization spiral into potentially uncontrollable vulnerability. Today’s electronic environment leaves little room for laissez-faire security efforts if a healthcare provider wants to remain safe from attack and protected from the financial consequences of the inevitable.

Why HIPAA Still Matters

HIPAA in general, and the Security Rule in particular, imposes specific compliance burdens on healthcare “covered entities.” Any use or disclosure of electronic protected health information (ePHI) not in compliance with the Privacy and Security Rules or more stringent state law constitutes a violation of HIPAA.10 The failure of a covered entity to implement sufficient security measures regarding the transmission of and storage of ePHI to “reduce risks and vulnerabilities to a reasonable and appropriate level” is also a violation.11 Likewise, a failure to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of its facility, and the movement of these items within its facility, are violations.12 And, once a security incident occurs, the failure to “timely identify and respond to a known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome” are all violations.13

At the time of writing, most of the Security Rule fines and penalties assessed by the US Department of Health and Human Services Office for Civil Rights (OCR) relate solely or primarily to either (1) theft of devices containing unsecured ePHI or (2) failure to conduct a security risk assessment that is discovered when another privacy or security breach is investigated. Examples of such “traditional” enforcement activity in recent times include the August 2015 announcement of a $750,000 settlement against Cancer Care Group, P.C. for the theft of an employee laptop containing ePHI on 55,000 individuals, the December 2013 announcement of a $150,000 settlement against Adult & Pediatric Dermatology, P.C. for the theft of a thumb drive containing ePHI on 2,200 patients, and the announcement of settlements by Idaho State University and University of Washington Medicine for failure to conduct privacy and security risk assessments and failure to adequately adopt security measures. Were this still the level of involvement by OCR in ePHI enforcement, a shrug of the CIO’s shoulders and a promise to encrypt all ePHI data at rest would be the universal response.

However, in recent times the enforcement focus has shifted to more “core” system security functions and away from the “low hanging fruit” of lost or stolen data-carrying devices. For example, a $850,000 settlement paid by Lahey Clinic Hospital in 2015 specifically references the failure “to assign a unique user name for identifying and tracking user identity” with respect to a particular workstation,14 failure to have a working audit trail capability with respect to workstation activity,15 and the failure to restrict physical access to workstations generally to authorized personnel. A similar enforcement activity against South Broward Hospital District in February 2017 resulted in a $5,500,00 settlement payment based on improper access to ePHI by over a dozen individuals exposing in excess of 80,000 patient records and the failure of the covered entity to “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports”16 and “to implement policies and procedures that establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.”17 Several enforcement activities also resulted in settlements for failure to have business associate agreements in place with third-party vendors responsible for storing ePHI.18 Just as the environment for bad cyber behavior has matured, so has the OCR’s level of understanding of system and enterprise failures of the healthcare community.

The Healthcare Internet of Things

The task of HIPAA compliance and compliance with cybersecurity “best practices” is being made harder with the proliferation of Internet-connected sevices in the healthcare industry. As recently as 2012, a Ponemon Institute survey reported that 69 percent of respondents did not even address the security of US Food and Drug Administration (FDA) approved medical devices in their IT security or data protection activities.19 Since that time, over five billion devices—not including smartphones—have connected to the Internet, and that number is expected to grow to between 25 billion and 50 billion by 2025.20

The healthcare industry has particular patient safety risks associated with these devices, as revealed in a 2012 US Government Accountability Office report on the lack of action by the FDA to expand its consideration of information security for medical devices.21 A November 2015 Wired.com survey listed the seven healthcare device types most vulnerable to hacking or other violation which included drug infusion pumps, Bluetooth-enabled defibrillators, blood refrigeration units, and CT scanners—the failure of any of which would create tremendous patient risk. We have grown far beyond the fear of hacking the vice president’s pacemaker.22

The fact that smartphones are not included in this total is worrisome, as the growth in potential cyber risk due to smartphone use is even more troubling. 84 percent of health applications for smartphones that were approved by the FDA were found to create HIPAA violations and were “hackable.”23 Also worrisome is the continued increase in the use of smartphones to transmit and receive unsecured ePHI (primarily by text message) for patient treatment by healthcare professionals, in spite of HIPAA’s requirements and facility rules attempting to limit such activity.24 Most health care enterprises gave up the fight over “bring your own device,” or BYOD, rules due to provider pressure a long time ago anyway. Although study results vary, as of 2014 “upward of 90 percent of healthcare organizations permit employees and clinicians to use their own mobile devices to connect to a
provider’s network or enterprise systems.”25

One has to wonder what OCR’s response to all of this would be in light of the settlement agreements mentioned earlier: the decision not to impose device accountability for provider convenience may be fertile ground for future fines and penalties. And there is always the modern privacy paradox: health care consumers voluntarily share endless amounts of personal health information with applications on their smartphones, resulting in data being stored who knows where on the Internet without them thinking if it is convenient for them26; however, these same consumers continue to resist the same sharing activities by their own healthcare providers, even if such activity would result in faster and better health care.27

Cybersecurity Insurance

In October of 2002, The Economist magazine opined28 that “total security was impossible” and that insurance would be the way that businesses mitigated the financial risk caused by this lack of security. Since that time, both security defenses and security attacks have proliferated, changed, and become more aggressive and complex. However, the cybersecurity insurance market, though maturing, is not developing at as rapid a pace. Some issues that remain to be explored are due to the relative newness of the coverage and the lack of good predictive actuarial models.29

While the market matures, there are various factors that potential insureds should evaluate closely as they shop for and price out cybersecurity insurance. The first and most important of these coverages should be the coverage of costs related to managing breaches, to include expenses related to the investigation, remediation efforts, and patient notification. Other costs that may also be incurred are credit monitoring services,30 damages associated with identity theft, damages associated with recovery of data, damages incurred due to having to reset EHR systems, and damages to reconstruct or recover websites and other Internet presences. Business continuity expenses related to workarounds or loss of revenue due to a cybersecurity incident might also need coverage, especially as most commercial policies of this type are figuring out how to exclude cyber-related risks from their covered losses. Finally, but not least importantly, coverage for rogue employees and insider threats needs to be a part of the insurance package.

The type of coverage a healthcare enterprise can obtain, and the premiums therefor, may be affected by certain underwriting considerations, all of which should inform the enterprise’s compliance efforts:

  • The enterprise should be able to show that it is in compliance with HIPAA, including those provisions that require security and privacy risk assessments and proof of a plan of mitigation and remediation. Insurers likely will not cover losses resulting from a gap in HIPAA compliance, especially because there is a legal obligation on the enterprise to find out what those are.
  • The potential insured needs to know what the insurer’s requirements are for encryption beyond those mandated by HIPAA. Some coverages require more secure and more robust email systems that are more resistant to phishing and spoofing, and even other coverages may require intentional phishing attacks by the insured’s IT department or vendors to gauge compliance with training.
  • The training requirements for new employee onboarding and access by non-employee contractors may need to meet certain criteria beyond HIPAA workforce awareness training.
  • Insurers may require that contractors providing “business associate” services be separately insured as a first layer of defense against cost.
  • The potential purchaser needs to be on the lookout for what is referred to in the industry as “cannibalizing” coverage, in which the costs of defense reduce the limits available to pay damages or judgments. The best coverage separates costs of defense from claims expenses.
  • The purchased coverage, as with certain types of malpractice insurance, should be based on the “date of detection” as opposed to “date of intrusion.” It is so difficult, even with the best system monitoring tools, to determine when a breach or incident actually first occurred, so the enterprise does not want to be locked into a technical dispute with the insurer about when the hack “should have been” detected.
  • The prospective insured needs to know whether offshore operations will be covered. Significant risks are associated with outsourcing certain data manipulation and management functions to countries or regions that have stronger privacy and data security rules than the United States. In particular, the European Union takes a dim view of American-style discovery and most likely will not permit the compelled return of data from an EU vendor in litigation pending in United States courts.

Conclusions

The growth of connected devices, connected physicians, and connected patients will continue to push healthcare facilities to provide more interoperability for health data than ever before. These same technological pressures will make it easier for cybercriminals and disgruntled employees to compromise the data upon which everyone relies for reliable patient care, because an increase in interoperability in most cases creates an increase in gaps in security. Healthcare systems need to recognize this risk as a direct threat to patient care, and not just to its financial and technology resources. A holistic security approach, combining effective cybersecurity practices, HIPAA training and compliance, and appropriate insurance coverages will be the best way to address this growing area of opportunity—and risk—in the future.

Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law, P.C., in Atlanta. Herrin offers more than 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology.

Endnotes

  1. Originally published in the September 2017 ISSA Journal, the monthly publication of the Information Systems Security  Association (ISSA) – Developing and Connecting Cybersecurity Leaders Globally – www.issa.org/?page=ISSAJournal. Reprinted with permission.
  2. Barry S. Herrin, JD, FAHIMA, FACHE, is the founder of Herrin Health Law P.C. in Atlanta, Georgia. Herrin has over 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is both a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association and holds a Certificate in Cyber Security from the Georgia Institute of Technology. He may be reached at https://barry.herrin@herrinhealthlaw.com.
  3. 45 CFR Parts 160 and 164; the enabling legislation is found at 42 U.S.C. Section 1320a-7c.
  4. “Report on Improving Cybersecurity in the Health Care Industry,” Health Care Industry Cybersecurity Task Force (June 2017) – https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf.
  5. Center for Connected Medicine report, “The Internet of Medical Things: Harnessing IoMT for Value-Based Care,” July 2017 – https://www.connectedmed.com/files/assets/common/downloads/publication.pdf.
  6. Bitglass. “Bitglass Healthcare Breach Report 2016,” Bitglass – https://pages.bitglass.com/BR-Healthcare-Breach-Report-2016_PDF.html.
  7. Larry Ponemon, “Cost of Data Breaches Rising Globally, Says ‘2015 Cost of a Data Breach Study: Global Analysis,’ ” Security Intelligence, May 27, 2015 – https://securityintelligence.com/costof-a-data-breach-2015.
  8. Vincent Lanaria, “Hackers Hold Hollywood Hospital’s Computer System Hostage, Demand $3.6 Million As Patients Transferred,” Tech Times, 16 February 2016 – http://www.techtimes.com/articles/133874/20160216/hackers-hold-hollywood-hospitals-computer-system-hostage-demand-3-6-million-as-patientstransferred.htm. The hospital eventually paid $17,000 in Bitcoin.
  9. Max Metzger, “Your Money or Your Files: Why Do Ransomware Victims Pay Up?” SC Magazine UK, May 25, 2017 – https://www.scmagazineuk.com/your-money-or-your-files-why-do-ransomwarevictims-pay-up/article/664211/.
  10. 45 C.F.R. §§ 160.103 and 164.502 (a). NOTE: CFR 45, Parts 160 and 164 can be found at US Electronic Code of Federal Regulations: Title 45—Public Welfare, Subchapter C— Administrative Data Standards and Related Requirements: 160-164 – https://www.ecfr.gov/cgi-bin/text-idx?SID=fbc57ba7be313c69e19aa1e78ac97adf&mc=true&tpl=/ecfrbrowse/Title45/45CsubchapC.tpl
  11. 45 C.F.R. §164.308(a)(1)(ii)(B)
  12. 45 C.F.R. § 164.310(d)(1)
  13. 45 C.F.R. § 164.308(a)(6)(ii)
  14. 45 C.F.R. § 164.312(a)(2)(i)
  15. 45 C.F.R. § 164.312(b)
  16. 45 C.F.R. §164.308(a)(l)(ii)(D)
  17. 45 C.F.R. § 164.308(a)(4)(ii)(C)
  18. As examples, see the July 18, 2016 Resolution Agreement with Oregon Health & Science University in which $2,7 million was paid and the September 23, 2016 Resolution Agreement with Care New England Health System in which $400,000 was paid.
  19. John Glaser, “The Risky Business of Information Security: With Growing Threats to Patient Privacy and Increasing Sanctions by Regulators, Make Data Security Central to Your Business,” Hospitals & Health Networks, August 12, 2014 – http://www.hhnmag.com/articles/4064-the-risky-business-of-informationsecurity.
  20. The Florida Bar, “8th Annual FUNdamentals: The Legal Implications of the ‘Internet of Things’,” Course 2232R (September 16, 2016)
  21. GAO, “Report to Congressional Requesters: Medical Devices: FDA Should Expand Its Consideration of Information Security for Certain Types of Devices,” United States Government Accountability Office, August 2012 – http://www.gao.gov/assets/650/647767.pdf.
  22. Lisa Vaas, “Doctors Disabled Wireless in Dick Cheney’s Pacemaker to Thwart Hacking,” Naked Security, Sophos, 22 Oct 2013 https://nakedsecurity.sophos.com/2013/10/22/doctors-disabled-wireless-indick-cheneys-pacemaker-to-thwart-hacking/.
  23. Ibid.
  24. Ibid. (citing a 2015 University of Chicago survey finding that over 70 percent of its medical residents improperly sent ePHI by text messages).
  25. John Glaser, “The Risky Business of Information Security: With Growing Threats to Patient Privacy and Increasing Sanctions by Regulators, Make Data Security Central to Your Business,” Hospitals & Health Networks, August 12, 2014 – http://www.hhnmag.com/articles/4064-the-risky-business-of-informationsecurity.
  26. Shannon Barnet, “Millennials and Healthcare: 25 Things to Know,” Becker’s Hospital Review, August 04, 2015 – http://www.beckershospitalreview.com/hospital-management-administration/millennials-and-healthcare-25-things-to-know.html. 71 percent of Millenials surveyed by Harris would use a mobile app to share health care data with providers. See also Mintel, “Sixty Percent of Millennials Willing to Share Personal Info with Brands,” Mintel, March 7, 2014 – http://www.mintel.com/press-centre/social-andlifestyle/millennials-share-personal-info, in which the study reports that 60% of Millennials would be willing to provide details about their personal preferences and habits to marketers, and, of those that would not initially provide such information, 30% would do so after receiving an incentive offer such as a discount off future purchases.
  27. Denver Nicks, ”Survey: Millennials Care about Privacy (But Not So Much in Japan), Time, Nov. 07, 2013 – http://techland.time.com/2013/11/07/survey-millennials-care-about-privacy-but-not-somuch-in-japan/. Only 4% of respondents would be comfortable with data being used for a purpose outside of its original context. The study also says that these preferences vary by economic status, with high-income worried more about data privacy than low-income people.
  28. “Putting It All Together,” The Economist (October 24, 2002)
  29. Koo, “More Incident Data Needed for Cybersecurity Insurance,” Bloomberg BNA (March 28, 2016)
  30. Even though there is almost a universal recognition in the law enforcement and security communities that these programs do no good at all, as the sophisticated hacker knows to wait out the 1-2 years of service before making use of the stolen data.