A Q&A with Antony Kim and John Wolfe of Orrick, Herrington and Sutcliffe
The recent HIPAA breach at St. Elizabeth’s Medical Center in Brighton, MA, brought some key issues to light. With the continual outsourcing of healthcare sector computing for ePHI data to external third-party clouds, it’s becoming increasingly vital that the covered entity (CE) and/or business associate (BA) have a good handle on their cloud provider’s actual operational and data security practices. I talked to Antony Kim and John Wolfe of Orrick, Herrington and Sutcliffe about vigilance in the face of this vulnerability.
What are some practical steps an organization can take to ensure a reasonable level of due diligence for a cloud provider?
Tony: CEs and BAs should approach cloud vendor security much like they would their own internal security programs: Review the vendor’s security risk assessments, overall information security program, and incident response plan. But they shouldn’t rely exclusively on documents and questionnaires. Engage in discussions with key vendors that handle critical ePHI/EHR data. Talk to the vendor’s security team about encryption deployment, intrusion detection systems (IDS), data loss prevention solutions (DLP), employee security training, their own downstream vendor management, and their previous experience (if any) with cyberattacks or breaches, and how these issues were addressed. Armed with this type of information, you can build in appropriate contractual commitments and liability protections, and consider whether you will require—or even help the vendor achieve—compliance with standards such as ISO 27018 (for cloud security).
John: “Diligence” for critical vendors who handle sensitive ePHI cannot be a static, one-time proposition. The monitoring and enforcement aspects are equally important. All of the action items that Tony noted in his comments should be operationalized into an ongoing, iterative process. Security threats evolve, and are both internal and external, so CEs/BAs must review and audit vendors on a regular cadence (and obtain contractual commitments enabling such audits) to ensure that their security programs continue to reflect appropriate levels of protection. This is not only a good idea, but critical to compliance with the HIPAA Security Rule.
On the surface, a $218k settlement might not seem like a lot, but when you consider that only 1100 records were impacted (and factored into the settlement) at St. Elizabeth, the cost of $198 per record might arguably seem very significant to healthcare organizations with millions of records. Do you feel that a non-compliance penalty, in addition to any class action litigation, could be an incentive for organizations to take reasonable precautionary steps?
John: Absolutely. The prospect of the government shining a bright light on all of your internal policies and procedures, and on potential past missteps that may not be the initial focus of the investigation, is a great incentive. Indeed, the press release and corrective action plan (CAP) indicate that OCR’s review covered the landscape of potential security concerns, including: the circumstances of the workforce complaint and security breach; internal security and vendor-management policies and procedures; internal workforce training; and incident reporting protocols. The reputational impact and potentially disruptive effects on business cannot be overstated. Remember, HHS OCR received a complaint in November 2012, but the settlement with St. Elizabeth’s was not reached until July 2015. That means there were potentially three years of detailed inquiry and investigation by the government.
What were the key remedial points addressed in the CAP?
Tony: Under the CAP, St. Elizabeth’s must conduct a self-assessment of its workforce that focuses on compliance with policies and procedures for, among other things, transmission and storage of ePHI on information systems; removal of ePHI; prohibition on sharing accounts and passwords that can be used to access ePHI; use of encryption on mobile or portable devices that access or store ePHI; and the reporting of security incidents. This self-assessment must be conducted through unannounced site visits to five core St. Elizabeth departments, interviews with workforce members, and inspections of portable devices at each visited department. The self-assessment then feeds into reports to HHS, and also into revisions and updates to St. Elizabeth’s policies and procedures and employee training, all of which must be cleared in advance by HHS. None of this is easy or cheap. But is it consistent with good general security hygiene? Absolutely.
How might whistleblowers increase the chance of regulatory action (and class action litigation) for healthcare sector organizations?
John: Whistleblowers in general are not new. In fact, the HIPAA regime encourages self-reporting of ePHI disclosures to the government or private counsel if the workforce member or business associate believes in good faith that the CE has violated the HIPAA Security Rule. What is new is that employees are becoming more sophisticated about the existence and importance of cyber- and data-security requirements. Whistleblowers—who are often in the best position to observe lax security—add new dimensions of complexity to traditional data breach investigations. The addition of potential financial incentives available to whistleblowers creates another (and possibly better) source of leads for regulators and the plaintiffs’ bar.
Why is a security risk assessment important?
Tony: You can only effectively protect data that you know you have. At its core, a security risk assessment is about thinking like a hacker to gain a better understanding and identification of gaps or vulnerabilities in your physical, technical, administrative and policy-driven programs. This workflow typically involves an element of data mapping (i.e., identifying how important data assets, such as ePHI and EHR, are collected, stored and protected), and determining the ways in which data is shared with third parties such as cloud vendors. If you don’t understand the data flows or vendors in the chain, and their associated vulnerabilities, it’s incredibly difficult to develop an effective security program.
John: Security companies are constantly developing technologies and tools to address vulnerabilities in the blind spots of your network environment, so that you might indeed be able to protect against unknown threats. Ultimately, these assessments are crucial to developing risk mitigation and management strategies that are closely tied to your specific situation and environment, and they enable efficient and effective deployment of limited resources.
Assessing your company and third-party vendors should be done on a regular basis, because regulators such as HHS, FTC, FCC, SEC, etc. are becoming much more proactive with enforcement actions. More importantly, the exercise of having an assessment is like an annual health check: it not only helps companies improve their cyber security, it also gives them direction to prioritize their efforts and confirm due diligence from their third-party vendors.
NetDiligence® is a cyber risk assessment and data breach services company. Since 2001, NetDiligence has conducted thousands of enterprise-level cyber risk assessments for organizations of all types and sizes. With cyber risks growing daily, many organizations don’t know where they’re most vulnerable; who has access to their data; whether their network security measures meet legal standards for prudent and reasonable safeguards. NetDiligence can help answer these critical questions. NetDiligence QuietAudit® Cyber Risk Assessments document the organization’s Risk Profile, so the management team knows where their exposures are and can take the appropriate actions to mitigate them. For more information about NetDiligence QuietAudit Cyber Risk Assessments, contact firstname.lastname@example.org.