A Case for Review of Your Network Privacy and Security Policies

Transcription

1 A Case for Review of Your Network Privacy and Security Policies Recent events have highlighted the vulnerability of almost all digital systems - not to mention paper and analogue systems in the health care industry. The cyber attacks on several popular retail and on line applications shed some light on the vulnerability of the systems as a whole but attacks or simple non-internet based privacy breaches in health care received very little attention until recently. Cyber breaches at Catholic Health Initiatives (where there were 2 in 2014), Community Health Systems (over 4 million patient records disclosed), LA County California and the Montana Health Department, and more recently the Anthem breach have served notice that health care is a prime target of hackers. Not only do many health care related companies and providers maintain detailed protected health information on hundreds to millions of patients/members (for which there is a growing black market), these entities and providers maintain detailed personal data, financial and other information of patients/members for which there is a market in fraud, theft and marketing. Unfortunately, many health care companies including hospitals and physician groups do not maintain up to date policies and procedures related to data and cyber security, or for more traditional forms of improper privacy disclosure. Privacy laws have been on the books in many states for decades and significant federal privacy laws related to health information have been around since However, the focus on digital and network security has been on banking and retail. As a result, the development and implementation of risk management strategies designed to prevent privacy breaches in health care is behind the curve. The evolution of business, insurance and health care technology, the push by the federal government to make all health care digital (record keeping, access, care management, billing and payment) and new federal and state statutes and regulations have complicated the effort to catch up. Although impossible in this format to provide a detailed strategy to address these issues, I can remind all in risk management of the need for a comprehensive strategy involving organizational leadership, legal, compliance, accounting and IT is required to achieve any success in reducing risk to the organization presented by data and record privacy and security. This is an enterprise obligation; all related and responsible segments of the business must be included to develop, implement, maintain and enforce a compliant response to these legislative initiatives to protect personal data from improper disclosure. Improper disclosure under these laws is, and can be almost any disclosure of protected information without the patient s consent. The zone of risk is far wider than many people realize. The Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH) and the Gramm-Leach Bliley Act (GLBA) are directed in whole or in part to the health care industry and the records, data and transactions created, maintained and transferred/transmitted by health care entities and providers. With the evolution of technology in business not only as a

2 matter of efficiency but as required by the Affordable Care Act, the necessity of detailed yet workable risk management strategy to prevent the improper disclosure of protected information is now urgently needed. The statutes extend liability for a breach to the actual owner of the records/data even if the breach was caused by, the fault of, or a cyber attack at a vendor. The United States Department of Health and Human Services (HHS) is primarily responsible for investigation and enforcement of these legislative schemes at the federal level. Interestingly, these laws do not entitle a person whose information is improperly disclosed by any means to sue for damages. The entity is obligated to disclose the breach, notify all possibly impacted and initiate corrective action. HHS does have the ability to fine an entity for improper disclosure but high profile fines are rare, most fines are under $100,000 and there have been very few that would cause financial hardship to any entity. However, the real cost of a breach is the cost of the investigation, corrective action, disclosure and notification, and the cost of civil litigation based on state laws. These federal laws require health care entities and providers to be proactive and to adopt security measures, policies and procedures (and maintain/enforce them) designed to ensure that the healthcare and personal information is not lost, stolen, "hacked", improperly accessed or used or otherwise inappropriately disclosed. The statutes and regulations promulgated under them recognize that some entities have a greater exposure and more resources to respond to the risk. Whether an entity has violated the requirements of the statutes depends, in part, on the size and resources of the entity and what the entity has done to comply. HIPAA and HITECH recognize that a "one size fits all" approach is unrealistic and unworkable, and allows the entity and its vendors flexibility in developing and implementing measures to maintain the privacy and security of health information. This is not a hall pass for a small entity for not adopting compliance measures simply because it has limited resources. These laws and regulations are intended to serve as a "floor or the minimum standard every entity and vendor is expected to meet to protect the privacy and security of individuals' healthcare and personal information. All entities are expected to meet the minimum standards. There have been approximately 110,000 breaches reported to and investigated by HHS since There were 3700 in That number was 13,000 in They are expected to top 20,000 per year by Many breaches, as one might imagine, go unreported. Not all breaches must be reported and voluntary reporting is not widespread. Reports are accepted from many sources including patients and whistleblowers. Breaches come in many sizes and occur under many circumstances, some of them are nefarious, some simply negligent or accidental. Although the large cyber attacks that make the news are known to the public, the majority are not at the hands of hackers. Theft of hardware at the hands of external and internal thieves is the primary source of most privacy breaches. The data and records (digital or hard copy) are simply content on the equipment or items that are stolen and is rarely used or even seen. Theft of data

3 by improper access primarily by employees or vendors is next. This includes employees not directly involved in patient care looking up information, vendors using records to which they have access for improper purposes, identity theft activities in house, or just blatant gossip and curiosity. Loss of hardware and digital storage devices is next. This includes the laptop, flash drive, PDA, smart phone or tablet left in the cab or on the train, simply lost or mistakenly sold with data still in the memory or taken or used by children of the owner. In many cases, the devises or hard copy records are never found and what happened to them remains unknown. However, as many personnel who work at hospitals or other medical facilities use their own devices and access the facilities data through it, safety is far more complicated than what might be first envisioned. Hacking is next and this can come at the hands of precocious teens and college students, groups like Anonymous, criminal enterprises or foreign governments. These cyber attacks are often through a backdoor created by malware installed on the system by attachment, a virus uploaded by a vendor, or through access to the system by personal devices. The Anthem and CHS hacks are both believed to have been by way of administrator user names and passwords that were acquired at a time other than at the time of the cyber attack. Improper disposal of data and records and improper disclosure are also breaches. There have been recent examples of prominent facilities cited for dumping records in the trash and entities that send bills or other mailings to patients with PHI visible through the envelope window pane. Many doctors offices and hospital admissions areas (especially in the ED) have had to significantly alter the way they admit patients for care because the open window and loud mouthed receptionist were violations of HIPAA. Gossip by employees in the cafeteria between those involved and those not involved in specific patient care can also be a breach. Despite the numbers and the ways a breach can occur, fewer than 1000 of these reported breaches has involved the records of more than 500 patients. As a result, they have been below the radar. HHS, in its investigations, has noted the primary reasons for the disclosures. These include failure to properly safeguard hardware, storage areas and storage devises; the failure to encrypt or employ other security measures, especially on personal mobile devices (including mobile medical devices); the improper use of personal devices; the failure to maintain updated policies related to network, storage and device security; the failure to properly train and discipline employees for violations; the failure to timely discover and disclose violations; and in last place the failure to utilize proper external network security or IT protocols. The offenders, by reported breach/violation, are not typically health plans or pharmacies. The majority of all breaches involve private physician offices, ancillary surgical centers, outpatient clinics and hospitals. Many of these breaches can be attributed to the lack of understanding, attention, resources devoted and the lack of proper policies and procedures to prevent them.

4 In addition to the noted federal laws, most states, including Florida, have a web of state based data/privacy protections, many of which carry separate fines and allow civil litigation against the entity involved. Forty-seven states and four territories have such laws. Florida has its own health care information privacy protection legislation including the new Florida Information Protection Act (FIPA). FIPA, which became effective July 1, 2014, expanded the requirements on covered entities that acquire, maintain, store or use personal information of Floridians. The law repealed Florida s prior data breach notification statue, Fl. Stat , and replaced it with Fla. Stat FIPA covers all personal identity information including electronic addresses and passwords, financial information, health records and insurance information. Personal information excludes information already made public or information that is encrypted in some fashion. By definition, all health care providers, facilities and insurance companies would be covered entities. This extends to any entity that is outside Florida that does business in Florida. Under FIPA the time period to report a breach is 30 days from the time the breach is discovered. If the breach affects 500 or more persons, FIPA requires that notice also be provided to the Florida Department of Legal Affairs. A covered entity subject to federal regulation still may defer to those applicable notice requirements if it provides the requisite notice to the Florida Department of Legal Affairs. If the breach affects 1,000 or more persons, additional notice must be given to all nationwide consumer credit reporting agencies. A significant difference between the federal laws and FIPA is that no notice is required to affected individuals under FIPA if, after an investigation by the entity and consultation with a law enforcement agency, the entity reasonably determines that no one has or is likely to suffer identity theft or any other financial harm. The basis for such a determination is vague, exactly how that is to be determined is unknown and the statute is ripe for litigation. Further, those breaches which require disclosure under HIPAA/HITECH would require compliance with federal, not state law. Any entity which, in reliance on the statute, decides not to advise those whose information has been improperly disclosed is walking on thin ice. Vendors and third-party agents that maintain a security system for covered entities and that suffer a data breach have only 10 days under FIPA to report a breach to the impacted entity. That notice then becomes the discovery date for the entity to comply with its obligations. It is still the obligation of the owner of the data/records to comply. FIPA requires the entities to use all reasonable measures to ensure proper disposal of records and data. This extends to the hard drives on office machines, the information contained on mobile medical devices and, where used for business purposes, the information stored on personal devices. FIPA unlike many state statutes related to privacy and security of health related information, does not create a private cause of action. FIPA authorizes the state to bring an enforcement action and to fine the offending entity up to $500,000. This does NOT mean that those adversely impacted by an improper disclosure cannot sue under other provisions of Florida law. FIPA does not usurp, but is in addition to the federal laws discussed above. Where those federal laws

5 are more comprehensive or establish greater obligations, the federal law will pre-empt FIPA. Although far more detailed for a discussion here, there are a number of steps risk managers can take to help ensure compliance with these legislative schemes, to reduce the risk associated with an improper disclosure and to lessen the financial impact of a breach. First, the risk management department (RMD) must work with the C-Suite, legal department, compliance, medical, billing and acquisitions/contracting departments to develop a workable plan. Security of this type is a weakest link in the chain process. If the entity takes all necessary steps, then contracts with a vendor which is not as vigilant or doesn t carry proper insurance for a breach, the devised system is worthless. If all hardware and personal devices are secured, and a staff doctor accesses the system though an infected personal device, the system is worthless. If an employee takes home data to work on reports in an insecure format and the laptop or flash drive is lost or stolen, the system is worthless. All moving parts must be involved. Second, finance, the RMD, CFO or others associated with risk transfer need to investigate advanced and cost efficient methods of risk financing through insurance or other vehicles to assist with the financial impact of data protection and network privacy and security. There are a number of insurance products available in the market from stand alone cyber policies to limited protections inside professional liability, errors and omissions or general liability policies which can address the impact of disclosure, notification, civil liability and investigative expenses. What is best for any given office or entity is a matter of analytics, risk tolerance, assets/resources, policy language, etc. Third, acquisitions/contracting and the legal department (if one external counsel if not), must build into vendor contracts indemnification, insurance and compliance criteria to help protect the entity from the failures of any vendor. This, given the service being acquired, is a scaled requirement. Allowing vendors whose actions can create huge risk for the entity to work with the entity without the necessary protections is an unnecessary risk. Contract language requiring the vendors to meet certain minimum security standards before being awarded the contract, having them maintain that level of security, carry necessary amounts of specific insurance coverage with a highly rated carrier and include the entity as an other named insured should all be evaluated. Indemnification clauses are a necessity but they are no substitute for high industry standards and proper insurance. For leasing contracts (office, phone/tablet and medical equipment) this must include either destroying or cleaning all hard drives before the equipment is replaced or returned. Business Associate agreements should be updated to meet the requirements of the entity and the latest revisions and regulations under all applicable federal and state legislation. Fourth, the entity must develop strict hardware and software security protocols that cannot be altered or overridden. Maintaining up to date self executing security software, encryption, rotating passwords, limited access by department/personnel, limited access

6 to hardware and other protocols is a must. These policies must be extended to all staff (physician and non-physician), employed or not, and any external but related business entities like parent companies, owned health plans, medical education entities and staff, etc. These policies and procedures must be updated far more often than standard policies and procedures. The technology and digitization of health care is moving far to quickly to look as the policies annually. The entity must also develop strict use, storage and disposal policies to limit access and secure storage sites in house or off site (in the cloud, whatever that is). Fifth, education and training is required. This must be a priority despite its cost in terms of time and resources. All employed and staff personnel must be taught what is and is not permissible, when and how they can access data, for what purpose, the limitations on the use of personal devices, etc. They must be taught how to report and how to handle any suspected breach. This includes all departments from the C-Suite to the janitorial staff. Again it s the weakest link that must be upgraded and walled off as much as possible. Sixth, distinct IT protocols should be identified to regularly review systems for any possible breach, malware or virus, to ensure passwords are being altered, and that hardware and software is being upgraded and protected. Seventh, the RMD should have on hand all requirements related to investigation, disclosure, notification and any other agreed upon responses to any suspected breach or improper disclosure so that fast implementation of the protocol can be effectuated something that may prevent much of the financial impact of a breach. It is, indeed, time for all health care entities to evaluate their policies and procedures related to data protection from all perspectives. Unfortunately, its not a matter of if, but when, your organization will be the site of a breach or improper disclosure of protected information. Reducing the size, scope and impact of a breach and preventing it from happening again are all within the preview of the risk manager. No matter the size of the organization, all moving parts must be included, the policies and procedures must be properly drafted, taught and updated, and all possible measures taken to insulate the organization from the financial impact of a breach. This is time consuming and can be a difficult and expensive process. However, failure to do what is necessary will expose the organization to the costs associated with investigation, disclosure, notification, remediation, fines and civil liability. Kenneth White, J.D. Willis Group - Health Care Practice National Managed Care Practice Leader