Healthcare entities confront a triple threat
Given what the healthcare industry faced in 2020, the seventh edition of our Data Security Incident Response (DSIR) Report, Disruption and Transformation, is aptly titled. As if fighting the COVID-19 pandemic weren’t enough for the industry to tackle, it also faced a surge of ransomware attacks, evolving legal/regulatory considerations, and novel and complex issues presented by pandemic- and technology-driven changes.
The growing wave of ransomware incidents that we saw toward the end of 2019 continued in 2020. Now, however, healthcare organizations are faced with a diabolical twist—in addition to the operational disruption, threat actors are now routinely stealing data and threatening to publish it online as an extra inducement for a ransom payment. With this new tactic, which took off in 2020 and is now the norm for nearly all ransomware matters we handle, came much higher ransom demands, longer downtime, and a significant increase in the number of patients requiring notification per HIPAA regulations.
While fending off cyber threats, we saw healthcare organizations confront the pandemic by transforming the availability and provision of patient care almost overnight through telemedicine. As a further challenge, organizations are dealing with a rapidly evolving legal and regulatory landscape. The 2020 regulatory and legal highlights include:
- Patient right of access. The OCR’s Right of Access initiative remains one of its key focus areas, with 19 access-related settlements to date. In 2020 alone, OCR settled 19 cases for a total of $13,554,900, of which 11 cases related to OCR’s Right of Access Initiative. Notably, in a number of these settlements, OCR initially issued a technical assistance letter to the healthcare provider following a patient complaint and later issued a fine when the patient filed a second complaint after still not receiving the requested records. This highlights the importance of reviewing incidents identified by OCR in a technical assistance letter to ensure that any issues identified therein have been remediated. In addition, 2020 saw another significant revolution in patients’ right of access to their health information with the promulgation of the information blocking regulations pursuant to the 21st Century Cures Act. This legislation continues to create a sea of change in the healthcare industry as it requires providers to make categories of ePHI readily available to patients without delay, thus having the potential to significantly disrupt how health data is used, disclosed, maintained, and commoditized.
- M.D. Anderson vs. HHS. A stolen laptop (in 2012) and a lost thumb drive (in 2013) at M.D. Anderson Cancer Center, together containing PHI for over 30,000 patients, led to HHS imposing a penalty of over $4 million. Both devices were unencrypted. The penalty was based on the disclosure of PHI and also the failure to implement a mechanism to encrypt the devices. M.D. Anderson petitioned the Fifth Circuit for review, arguing that the penalty was arbitrary and capricious. Significantly, in holding that the penalty violated the Administrative Procedure Act, the Fifth Circuit found that:
- The regulations require simply a “mechanism” for encryption, not a warrant that the mechanism is “bulletproof protection” for all systems containing PHI. M.D. Anderson had such a mechanism in place and thus satisfied the regulatory requirement, “even if the Government now wishes it had written a different [regulation].”
- Simply having devices stolen or lost is not an affirmative “disclosure” of PHI under HIPAA. “It defies reason to say an entity affirmatively acts to disclose information when someone steals it.”
- HHS did not penalize other covered entities that also lost unencrypted devices. There was no reasoned justification given by the government for imposing zero penalties on one covered entity and millions in penalties on another, for similar circumstances. An agency must “treat like cases alike.”
- “HIPAA Safe Harbor.” Around the same time as the Fifth Circuit’s decision, Congress signed a HITECH amendment into law that created a “HIPAA Safe Harbor” of sorts. The amendment requires OCR to take into consideration whether the covered entity or business associate had recognized security practices in place when OCR makes determinations regarding fines, audit results, or other remedies for potential violations of HIPAA. Although the amendment does not provide for complete immunity from HIPAA enforcement, it provides organizations with substantial incentives to establish or improve their cybersecurity programs, and a chance to mitigate financial penalties and other negative regulatory actions that may result from a data breach.
Healthcare organizations looking to build their HIPAA safe harbor defensibility should start by assessing whether their current cybersecurity processes fit the amendment’s definition of “recognized security practices.” Organizations should consider adopting a common cybersecurity framework (such as NIST or HITRUST CSF) if they haven’t done so already.
Between M.D. Anderson and the HITECH amendments, it is difficult to assess how OCR will act going forward in terms of enforcement and the issuing of civil monetary penalties. This is especially true for ransomware matters involving data theft, where covered entities maintained a robust cybersecurity program and where PHI was not affirmatively disclosed but rather was stolen by threat actors.
Lessons learned: What can healthcare entities do?
As the number two industry affected by cyber incidents—representing 20% of the 1,250+ incidents we handled last year—healthcare organizations must assess their security posture by asking not just “How do we prevent an incident?” but also “What do we do when an incident occurs?”
The most critical preventive steps include enabling multifactor authentication for all services and programs; encrypting data at rest and leveraging an enterprise key management solution to enforce compliance; deploying an endpoint threat detection and response tool to detect the type of unauthorized activity that easily evades traditional antivirus programs; maintaining offline backups; and limiting the amount of access provided to IT and service accounts—all of which are increasingly becoming industry standard, such that failure to implement these measures also increases regulatory risk.
Other steps to take:
- Practice downtime procedures. Employees are an organization’s last defense when it comes to preventing an incident, which is why it is important to keep those phishing simulations going. However, employees are also at the front line when a network is taken offline due to a cyber incident. Accordingly, it is critical to train workforce members on downtime procedures. This includes everything from patient communications to paper charting to post-downtime data entry and claims processing. Instead of leveraging an afternoon software upgrade to check this box, an organization should perform tabletop exercises with small or integrated departments to go through what an extended downtime may look like.
- Establish processes for ambulatory diversion. Does your business continuity plan establish procedures for diverting critical care/ER patients during an emergency? This extends beyond establishing relationships and procedures with nearby hospitals; it also includes understanding how insurance may be impacted (if, for example, the hospital accepting the diversion is out of network).
- Prepare for early preservation issues. In the middle of responding to an incident and restoring operations, the last thing IT personnel are thinking about is a potential lawsuit down the road and the need to preserve encrypted evidence. Having blank drives available to retain copies of encrypted systems will help ensure relevant evidence is preserved for potential litigation without slowing down the restoration process.
- Generate an address file for notification. In the event of an incident requiring notification to thousands of individuals, how will you pull addresses to mail letters? What databases will be used? What identifiers are needed to verify patients? For your LGBTQIA+ community, what steps can you take to ensure the letter is properly addressed to individuals using their preferred pronouns and correct names? When an organization is under a regulatory deadline, there is very little time to locate, validate, and finalize information for mailing. Our recommendation is to consider the different methods needed to complete this task, and then determine how to make it more efficient without compromising quality control.
Eric A. Packel, Vimala Devassy, and Courtney Litchfield are lawyers with BakerHostetler.