More than just HIPAA: IT security considerations for providers

A Law Review Q&A

The FBI recently warned the health care community that it is especially vulnerable to cyber risks. Continued reports of significant data breaches and the risks caused by various vulnerabilities, like the recent Heartbleed software defect, shed light on the importance of vulnerability management and being proactive regarding cybersecurity.

We spoke with Melodi Gates of Patton Boggs, LLP to discuss IT security issues beyond HIPAA and legal considerations for providers regarding data breach prevention and mitigation.

What IT security issues should providers be concerned about besides HIPAA?

First, providers should be concerned about the Federal Trade Commission (FTC) assuming broad authority over cyber and information security under the FTC Act. Over the past few years, the FTC has taken a variety of enforcement actions against those inside and outside of the health care industry, indicating that cybersecurity enforcement is now a top priority.

To prevent FTC scrutiny, providers—especially those that have an internet presence—need to develop and maintain an information security program to protect patient and consumer information. Providers must uphold their promises to protect patient information because recent cases indicate that the FTC is particularly targeting organizations that break the commitments they make in their posted privacy policies. The FTC's broad authority over cybersecurity is being challenged by some organizations, but those cases are generally trending in favor of the Commission and providers must assume that the FTC will continue to play a regulatory role.

Next, providers should be aware of the President's Executive Order 13636 – Improving Critical Infrastructure Cybersecurity, which calls for better securing the nation’s critical infrastructure across sixteen sectors, including healthcare.

Some providers—especially hospitals and others that provide acute care or play important roles in supporting public health services—are considered "critical infrastructure." Under the Executive Order, in cooperation with the Department of Homeland Security (DHS), the National Institute of Standards & Technology (NIST) has developed a risk management-based approach for organizations to use in evaluating and managing their information security programs, called the Cybersecurity Framework.

All providers, especially those that are considered "critical infrastructure," should become more familiar with the Cybersecurity Framework because it can help promote better cybersecurity and because, in situations where an adverse cybersecurity event occurs, DHS, other regulators, and patients could question whether or not an organization followed a "reasonable standard of care." Providers following this voluntary risk management approach should be better positioned to demonstrate such a standard and should also be better prepared for data breach prevention and mitigation.

Lastly, providers need to be cognizant of state-level breach notification and information protection statutes. Some states' breach notification statutes have exceptions for HIPAA covered entities while some do not, and some otherwise specifically address medical information breaches while others do not.

As part of their cybersecurity risk management program, providers should consider state breach notification statutes, in addition to the HIPAA Breach Notification Rule, in their breach response plans. Some states, like Massachusetts and California, also require organizations that handle personal information to have a proactive information protection program established to prevent breaches and better protect consumer information.

Geographically dispersed health systems, and hospitals whose catchment areas cross state lines, should be prepared to analyze breach events individually to determine which statutes apply, since most state laws only apply to their residents, and a provider that serves citizens from multiple states may need to comply with each applicable statute.

What actionable steps should providers take to prevent and mitigate a breach?

When vulnerability crises like the recently reported Heartbleed bug arise, providers should already have an action plan, ready for deployment, that addresses how to react and how to protect their respective environments.

Providers must be ready to patch vulnerable software on a timely basis, if and when vulnerabilities are reported, in order to close the window of risk as much as possible. Thus, providers should establish a comprehensive information security program that includes all of the administrative, technical, and physical safeguards necessary to prevent and mitigate data breaches and other unauthorized activity, including cyber-attacks.

Providers should explain to workforce members the importance of not interacting with suspicious emails or otherwise compromising security settings. Also, providers should thoroughly describe how workforce members are to recognize and report adverse events, and who should manage them.

If a breach does occur, providers must quickly evaluate the event in collaboration with legal counsel to determine whether they are obligated to notify individuals, regulators, and/or state attorneys general, and act accordingly.

What are some challenges providers may encounter when addressing IT security?

One of the biggest challenges providers face is managing the ongoing onslaught of vulnerabilities.

Day in and day out, providers must understand and track the technology they have in place, a responsibility that can be daunting given the size and complexity of some organizations. Providers should have operational processes established to manage their technical assets, to monitor vulnerability reports to determine when and where internal impact may exist, and to quickly remediate their environment to mitigate any risks.

Another significant challenge is personnel management. Most data breaches and security events are preventable – having a knowledgeable, well-trained workforce, in addition to a comprehensive information security plan, is one of the best lines of defense.
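The vulnerability-management step described above (tracking what is deployed, matching incoming vulnerability reports against it, and identifying where internal impact exists) can be reduced to a small, repeatable check. The following is an added example written for this page; it is not code from the interview or from Patton Boggs. It uses Heartbleed (CVE-2014-0160), which affected the OpenSSL 1.0.1 release line from 1.0.1 through 1.0.1f and was fixed in 1.0.1g; the host names and the inventory are constructed, and the version-ordering logic assumes OpenSSL's pre-1.1 scheme in which a trailing letter is a patch level.

```python
"""Match an asset inventory against a vulnerability advisory's affected range.

Added example for this page. The inventory and host names below are
constructed; the advisory facts are the public Heartbleed details.
"""
import re

# Heartbleed (CVE-2014-0160): OpenSSL 1.0.1 through 1.0.1f were affected,
# 1.0.1g fixed it. The 1.0.0 and 0.9.8 branches were never affected.
# (This example covers the 1.0.1 line only, not the 1.0.2 beta.)
HEARTBLEED = {
    "id": "CVE-2014-0160",
    "product": "openssl",
    "affected_from": "1.0.1",
    "affected_to": "1.0.1f",
    "fixed_in": "1.0.1g",
}

# Constructed asset inventory: (host, product, version). Not real systems.
INVENTORY = [
    ("ehr-web-01", "openssl", "1.0.1e"),
    ("ehr-web-02", "openssl", "1.0.1g"),
    ("pacs-gw-01", "openssl", "1.0.0l"),
    ("lab-lims-01", "openssl", "1.0.1"),
    ("legacy-fax-01", "openssl", "0.9.8y"),
    ("portal-01", "nginx", "1.4.7"),
]

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(v):
    """Turn '1.0.1e' into a comparable tuple.

    Assumes OpenSSL's pre-1.1 scheme: the trailing letters are a patch level,
    and a bare '1.0.1' (no letter) sorts before '1.0.1a'.
    """
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, fix, letters = m.groups()
    # Letter suffix as a tuple of ordinals: () < ('a',) < ... < ('z',) < ('z','a')
    return (int(major), int(minor), int(fix), tuple(ord(c) for c in letters))


def is_affected(version, advisory):
    """True if version falls inside the advisory's inclusive affected range."""
    lo = parse_version(advisory["affected_from"])
    hi = parse_version(advisory["affected_to"])
    return lo <= parse_version(version) <= hi


def affected_assets(inventory, advisory):
    """Return (host, current_version, fixed_in) for every affected asset.

    Assets running a different product are skipped; assets on an unaffected
    version of the same product are skipped too.
    """
    hits = []
    for host, product, version in inventory:
        if product != advisory["product"]:
            continue
        if is_affected(version, advisory):
            hits.append((host, version, advisory["fixed_in"]))
    return hits


if __name__ == "__main__":
    for host, have, want in affected_assets(INVENTORY, HEARTBLEED):
        print(f"{HEARTBLEED['id']}: {host} runs OpenSSL {have}; upgrade to {want}")
```

Run against the constructed inventory, the check flags ehr-web-01 (1.0.1e) and lab-lims-01 (bare 1.0.1) and leaves alone the host already on 1.0.1g, the hosts on the 1.0.0 and 0.9.8 branches, and the nginx asset. The point of keeping the inventory as structured data rather than a spreadsheet is that the same function can be rerun the moment a new advisory arrives, which is what shortens the window of risk the interview describes.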
