[BreachExchange] Analyzing Whether HIPAA’s ‘Industry Standard’ Means You’re Safe From Cyber Attacks

[Audrey McNeil]

http://healthcare.dmagazine.com/2016/04/19/analyzing-whether-hipaas-industry-standard-means-youre-safe-from-cyber-attacks/

Many healthcare executives believe that complying with the express cyber
security safeguards set out in the so-called “HIPAA Security Rule” is both
relatively straight forward and will protect their covered entity from
civil liability and/or administrative action. Unfortunately, this is not
necessarily the case and, in many instances, it is only the first step
toward establishing and maintaining the required “reasonable” cyber
security system.

The HIPAA Security Rule requires covered entities to implement
“appropriate” security measures and to maintain such precautions in a
manner that is both “continuous” and “reasonable” in order to protect
electronic protected health information (“e-PHI”). The HIPAA Security Rule
identifies two different types of implementation specifications in its
attempt – regrettably, only partially successful -to guide efforts to meet
these laudable, but highly elastic, standards.

First, all HIPAA-compliant programs must take the “required” precautions
delineated in the HIPAA Security Rule. This classification includes items
such as risk analysis and management, the implementation of an employee
sanctions policy for violations, information system activity review, the
designation of a point person who is responsible for compliance, security
incident procedures, contingency planning, system evaluation, workstation
use, e-PHI disposal, unique user identification, and emergency access
procedures.

But even this direction comes with a good bit of flexibility and discretion
since the HIPAA Security Rule does not mandate the specific technology that
must be used in order to implement these steps. Specifically, covered
entities may use any security measures that would be reasonable and
appropriate in the individual covered entity’s situation in order to
achieve the goal of protecting against reasonably anticipated threats or
hazards to the security and the integrity of e-PHI. Reaching this decision
requires a thoughtful consideration of factors ranging from the size,
complexity and capabilities of the covered entity, its technical
infrastructure, hardware and software security capabilities, the cost of
potential security precautions as well as the probability and magnitude of
the risks of inappropriate access to, or use and disclosure of, e-PHI.

The HIPAA Security Rule further complicates compliance efforts by
designating several other types of actions as merely “addressable.”
Addressable components range from workforce authorization, supervision,
clearance and termination procedures, access authorization, establishment
and modification, protection from malicious software, log-in monitoring,
password management, facilities access control and validation procedures,
accountability for devices and other media, encryption and various
integrity controls..

Covered entities are not required to implement these actions but they must
assess whether each individual addressable function is a reasonable and
appropriate safeguard that will likely contribute to the protection of
e-PHI and then implement those reasonable and appropriate specifications
that provide that additional protection.

The search for the elusive “reasonable” cyber security program frequently
involves efforts to comply with a generally accepted “industry standard”
other than the HIPAA Security Rule. The National Institute of Standards and
Technology, the NIST, has offered a rigorous methodology to conduct the
risk assessment that is the very heart of the HIPAA Security Rule. In
addition, various NIST publications can provide helpful guidance on
specific administrative, physical and technical “safeguards” as well as
organizational, policy, procedural and documentation requirements.

The stated goal of this risk management function—to provide “the right
security controls to the right information system at the right time to
adequately protect the critical and sensitive information, missions and
business functions” of a covered entity—evidences the need to provide much
needed flexibility so that new technologies may improve the “quality and
efficiency of patient care.” Helpful to be sure, but not a safe harbor upon
which the “reasonable” cyber security program may confidently be based.

Unfortunately, the results of recent enforcement actions by the US Office
of Civil Rights do not provide much clarity either. For example, the OCR
obtained a $4.8 million settlement with New York Presbyterian Hospital and
Columbia University Medical Center after their errant reconfiguration of a
server enabled various Internet search engines to access e-PHI stored on
their system. Unfortunately, a careful reading of these settlements provide
little detail on the specific deficiencies or the ongoing compliance
actions required by the OCR.

Nor does recent case law provides much direction. In fact, several recent
decisions have found that the HIPAA Security Rule can serve as the standard
of care in negligence actions, which will enable plaintiffs to bring suit
for breaches of those requirements. This trend represents a potentially
significant expansion of the types of plaintiffs that can bring such
actions since such HIPAA –which has no express provision for such private
actions – had traditionally been enforced solely by regulators and the
government.

But let’s assume for the moment that your organization can identity and
implement all of the requirements that are necessary in order to have a
“reasonable” cyber security system today. Security threats are increasing
and morphing at an increasingly rapid rate and with increasing complexity
and damage. The market continues to provide new or additional protection,
but at a cost. How then do you convince your CFO—who is trying to allocate
frequently scarce corporate resources across the entire enterprise—to
continue to invest in all of this new cyber security technology when no one
can definitely prove that these additional expenditures will prevent any
future breach?

But for the sake of argument, let’s assume that your CFO understands the
need for, and continues to fund, these enhancements to your current cyber
security system so that you continue to comply with the “industry
standard.” Does this mean that you’re finally OK and can look forward to a
good night’s sleep at last? No, not necessarily.

At least one older case has held that complying with the industry standard
is not always reasonable and, as such, does not necessarily provide a
shield against liability for negligence. In the “TJ Hooper” case, the court
held that the failure of tugboats to use available and cheap radio
technology – even when the industry did not generally use radios for
navigation safety – could impose liability on the defendant for collisions
with other vessels. What new technology will future plaintiffs’ lawyers
cite as the basis for imposing liability even when the defendant has
satisfied the “industry standard?” Said differently, must your IT budget
continue to suffer the “death of a thousand cuts” as these new precautions
are rolled out but not yet generally adopted?

The express and repeated application of T.J. Hooper to HIPAA cyber security
compliance is far from certain. However, the rationale underlying this case
is still available for use in both the courtroom and in administrative
actions. Healthcare executives and their directors should make sure that
their CIOs keep this risk in mind while the amounts spent on HIPAA cyber
security compliance continue to grow exponentially- even with no guarantee
of future compliance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160419/bd3d3b94/attachment.html>