HEALTHCARE DATA SECURITY

TODAY’S BIGGEST CHALLENGES

As recent news once again shows – no organization is safe from intrusion and healthcare has been a particular favorite for hackers. Huge amounts of personal, financial, health and other information was harvested in the Anthem breach with as many as 80 million personal and health records illegally harvested – and all without detection. As changes in federal and state healthcare legislation and new technologies abound, so does the threat of illegal intrusion and theft of vast repositories of personal patient information.


Not that long ago, medical records were stored in large paper files, typically free from intrusion unless thieves gained physical access to a medical provider’s facility. Not so today, as doctors and patients have many more ways of using and sharing information, including online patient portals (VPNs), large networked healthcare exchanges, digital medical records (e-PHI), meaningful use records (EMR) and cloud (SaaS) technologies. Many of the newer technologies have been driven by Affordable Care Act (ACA) mandates and other regulatory directives to improve patient care and outcomes.

Did you know?

1. Patient and consumer data are top targets for hackers.

Patient data is a valuable source of information for hackers – allowing quick sales of large pools of medical, personal and financial data to the highest bidder on the black market.

In the post-Target breach days, consumers learned the lesson of judiciously reviewing credit card statements and credit reports to detect improper use of their credit. The same advice is prudent for insurance billing statements and medical records: consumers should periodically review them for potential misuse. Credit cards often limit exposure to $50 or less, but identity theft is costly to fix and often takes years to correct. “Medical identity theft”, the latest entrant, poses not only a significant financial risk to carriers and consumers but, more importantly, can pose huge medical risks to patients in need of care. Imagine that someone’s “medical identity” (name, address, policy number, etc.) is stolen and someone posing as the patient receives medical care. Unless quickly caught (and it often takes many months to be detected, if at all), that treatment and diagnosis become part of the insured’s medical record, with potentially serious consequences for the patient.

2. Fraud and abuse have significant consequences for the quality and cost of care.

Fraudsters use a patient’s medical identity to obtain medical services, procure drugs and defraud insurers and benefit programs, with potentially life-threatening outcomes for the patients whose identity was stolen. The Medical Identity Fraud Alliance estimated the cost of medical identity theft at $20 billion last year (excluding the Anthem breach, whose cost is largely conjecture at this time), and costs are expected to rise significantly. This figure doesn’t include physician fraud for improper billing practices under Medicare, Medicaid, the False Claims Act or similar laws.

3. More HIPAA-related enforcement actions (with increased fines) are anticipated.

Federal and state agencies responsible for regulating healthcare, from Health and Human Services (HHS) and its Office for Civil Rights (OCR) to the Department of Justice (DOJ) and the Federal Trade Commission (FTC), have announced aggressive audit plans to ensure patient data safety and limit fraud and abuse. And compliance audits won’t be limited to just “Covered Entities” (those with direct access to patients and patient data: hospitals, doctors and other direct providers), but will also extend to “Business Associates”, those with access to patient records who provide services to Covered Entities. HIPAA-regulated entities not in compliance with the final omnibus rules implemented under the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) will face higher fines and sanctions for non-compliance.

Since HIPAA’s enactment in 1996, Covered Entities (direct providers) have faced rigorous requirements for protecting patient information (PHI, PII, ePHI, EMR) and must have appropriate security practices in place to protect patient data. There are multiple layers of required safeguards, including technical, physical and administrative controls, as well as general organizational requirements designed to protect patient data. Since the implementation of the final omnibus rules, HIPAA compliance now extends governmental oversight and liability to all sorts of other individuals, businesses and vendors engaged by Covered Entities as their “Business Associates”. Appropriate privacy and security standards must be in place and enforced to limit the ever-present risk of cyber attack.

4. More private litigation by patients is likely.

Although the HIPAA statute itself does not give patients the right to sue for violations, last year the Connecticut Supreme Court in Byrne v. Avery (as well as courts in several other states) ruled that HIPAA’s lack of a private right of action does not necessarily prevent an individual from bringing an action under state law. While the contractual provisions of most data security agreements between CEs and BAs (Business Associate Agreements) typically contain language limiting who can assert rights directly against them, the net result of recent court decisions seems to be opening the door for individuals affected by a breach to pursue remedies against Covered Entities and Business Associates directly.

5. ACA, Final Omnibus Rules and HIPAA Privacy and Security standards impact more than just healthcare providers.

Whether working within the healthcare community or another field entirely, every business must carefully evaluate the risks posed by a breach of its data, whether from outside threats (hackers), inside threats (employee human error) or risks posed by access to sensitive data arising from services provided by Business Associates (third party vendors). Under the final omnibus rules, many vendors and their subcontractors fall under the definition of “Business Associate”, requiring the same rigorous compliance with HIPAA Privacy and Security standards required of direct healthcare providers. Knowing the rules and incorporating best practices to ensure data is secure must be a top priority for the healthcare industry and any downstream providers falling under the definition of Business Associate.

It’s incumbent on any individual or business having access to patient data (or any personal consumer data) to implement appropriate security practices and to investigate the practices of their subcontractors. All it takes is one mishap to be in the same position as Anthem and other healthcare providers who found themselves on the wrong side of this issue. In addition to conducting annual risk and compliance assessments, any individual or entity falling within the scope of the HIPAA/HITECH requirements should consider including or expanding cyber security coverage sufficient to protect against this increasing risk exposure, with many experts estimating the cost at $200/record for each record actually or potentially exposed to breach.

The healthcare industry and their downstream vendors can avoid trouble by:

1. Periodically assessing and addressing potential security risks;
2. Adequately training employees to understand the risks posed by the use of technology;
3. Adopting appropriate privacy and security practices;
4. Developing a Data Security Incident Response Plan with a team qualified to quickly respond if the worst should happen;
5. Adequately evaluating the risks and adding appropriate coverage for data security compromise/breach response costs (or being prepared to self-insure);
6. Reviewing/updating all data security contracts to ensure they meet the new legal requirements;
7. Vetting all technologies and vendors to make sure they measure up; and
8. Appointing a qualified HIPAA Compliance Officer to ensure the required standards are met.

If you’re thinking you’re too small to be noticed, you’re not. There’s an abundance of reliable information available showing the true cost to those not in compliance or suffering a breach. The reputational harm posed by a breach or potential security incident can have devastating consequences for the ill-prepared. Our firm regularly provides compliance counseling, HIPAA assessments and training to help our clients avoid trouble. Having represented a number of companies hacked by off-shore organized crime, I can tell you a data breach, even a suspected data breach, is something you want to avoid. And all it takes is some careful analysis and planning.

We invite inquiries on how we can assist with evaluating your needs in this critical area.

Digital Assets – Not Just the Here and Now

The reality: digital assets are a part of everyday life, and the need to protect them has never been greater. Planning for both the protection and conveyance of digital assets is more important than ever. While I’ve written extensively about the importance of data protection and cybersecurity here on my blog (Archives on: Data Protection: What Every Business Needs to Know; Steps Consumers Can Take to Protect Their Data; related topics and articles published in the Hartford Business Journal, Hartford Courant, Connecticut Law Tribune and others), digital information is also of great importance to (or can cause a lot of problems for) family members, executors, heirs, care-givers and others after the here-and-now. This blog post highlights why typical estate planning documents may not be enough.

Estate planning attorneys have always used a variety of legal documents to help clients and their loved ones manage assets (during incapacity) or transfer assets (after death) through the use of Powers of Attorney, Wills and/or Trusts. Another “tool” estate planning attorneys use is an inventory (or questionnaire) where clients identify all of their assets: real estate, personal property, health information, bank accounts, retirement accounts, life policies, veteran’s benefits, intended beneficiaries and other important information necessary to assess and accomplish important estate planning objectives.

All too often Powers of Attorney, Wills and Trusts don’t say anything about “digital assets”: things like online accounts, passwords, security questions, files stored on computers or in the cloud, email accounts, social media sites, domain names, online digital photo albums, and the list goes on… While a few states have enacted legislation enabling executors to have access to digital accounts, it’s a much more cumbersome (and often uncertain) process than it needs to be. In some instances, it may be a client’s wish (during incapacity or after death) that this information remain private and the accounts be terminated. In other instances, digital assets may have value (financial or emotional) and be important to convey to beneficiaries or successors of business interests. What happens to the Facebook or Twitter account? What’s the password for online bank accounts, business URLs or websites?

Depending on the number and nature of digital assets (which can change as often as accounts are added, modified or terminated), it’s important to keep an up-to-date inventory of these assets, whether printed, stored on a computer, smart phone or other device, CD, DVD, flash drive or cloud (keeping in mind, of course, the importance of updating this information and protecting access with sufficient passwords, reliable vendors, and so on). The person(s) selected as caretakers during incapacity or after death (executors, conservators or others) will need to know the location of Wills, Trusts and other important estate planning documents, including the inventory of assets identifying accounts and, of course, any digital assets such as online accounts and passwords. Unfortunately, many of the traditional estate planning documents prepared by attorneys today don’t adequately address “digital assets”. Adding even more complexity to the issue is the fact that many online vendors, such as Twitter, Facebook, eBay and Google, have a wide variety of differing terms of service (“TOS”) that can prevent or hamper a non-owner’s access. If it has to go to a probate court to get resolved, the Computer Fraud and Abuse Act, internet law, probate law and numerous other laws are also likely to come into play.

Living in today’s “digital age” means keeping track of this information and making decisions on how you want it to be conveyed, used or terminated (and by whom) with the right legal instruments in place to accomplish these important goals. Powers of Attorney, Wills, Trusts and other conveyance documents should be reviewed (and updated) every few years by a qualified estate planning attorney. If estate planning documents haven’t been updated in a while, you might also run the risk of having banks or others reject them as outdated or not covering a particular subject – such as online accounts. Many banks now require Powers of Attorney to be updated every year (some require every 2 years). I’ve seen many instances where banks, insurance companies and others rejected documents (often because they’re outdated or were prepared by clients themselves or other firms), because they didn’t specifically provide for access to online accounts (the same problem often comes up with safe deposit boxes and other depositories, because they weren’t specifically mentioned). In the past, there was an assumption that checking the box on the Power of Attorney giving authority for “all other matters” would be enough. Clearly, this catch-all phrase of the past has little to no legal significance today. While probate courts can and often do accomplish important things – they’re not known for acting quickly and anything coming before them is a public proceeding. Without clear, legally sufficient documents stating clear intentions about digital assets (and other property) – the door will be open to delays, uncertainty and the possibility of lingering entanglements with online vendors, banks, business partners and family members.

Making sure your intentions are carried out in the here-and-now and afterwards will require a little more planning and the right documents in place. Digital assets are here to stay and need to be included in your planning decisions for now and the future. (Identity theft is more prevalent than ever, and privacy considerations must, of course, be taken into account to keep this information properly protected.) We welcome inquiries on our estate planning, data protection and business succession services, as well as requests for our articles and guidelines on these important topics, available to the public on request.

National Cyber Security Recognition

In recognition of National Cyber Security Awareness Month and our firm’s commitment to bringing about more awareness of this critically important issue, we provide our readers with insightful tips on how to stay ahead of this all too pervasive problem. Unfortunately, too many think data breach is a big-business problem when, in fact, their small and mid-size counterparts are more likely, not less, to be attacked. And attacks by outsiders on the internet and cyber criminals are only a part of the problem.

Did you know…

  1. More than 50% of data breaches can be attributed to the unintentional behavior or negligence of employees in the workplace. Common examples include an employee inadvertently opening a malicious email that, upon closer inspection, would have raised a red flag (wreaking havoc on computer systems and often resulting in the silent harvesting of private company or customer information), or failing to log off, leaving information open and exposed to potential misconduct by others. More intentional misconduct must also be guarded against, for example when terminated employees who might be looking for retribution still have login credentials or other access to company or personal information.
  2. A staggering 60% of small businesses suffering a data breach will be out of business in less than 6 months following an attack (according to the Experian Data Breach Study in 2013 and other national sources). The cost of a data breach is not small and goes far beyond fines imposed by regulators, card brands, Attorneys General or others. The typical response cost is now estimated at about $181 per record. For even the smallest breach, this quickly adds up, with estimates for a small business data breach on average costing from $500,000 to $1,000,000 or more. In addition to the costs necessary to investigate and resolve a breach, the harm to a company’s reputation following an attack is next to impossible to calculate, often resulting in staggering consequences for the ill-prepared.
  3. Over 70% of security breaches are targeted at small businesses or particular industries. Retail, healthcare, hospitality and financial sector businesses have been particularly hard hit and are often prime targets for cyber criminals. Attacks on small businesses aren’t usually the result of an attack on that particular, individual company, but more likely occur from the large, sweeping phishing attacks cyber criminals make on industry sectors (retail, Mom & Pop shops and restaurants are among the favorites), where hackers have correctly assessed that these smaller businesses are less equipped to defend against attack.

The Best Defense to Cyber Attack includes:

  1. Creating a “culture of cyber security”. Everyone in the workplace must be adequately trained and aware of the potential risk of cyber attack. For even the smallest employer, Data Protection Policies suited to the particular industry risk and job function of its employees must be developed, monitored and enforced in order to protect against both inadvertent and more intentional use or abuse of sensitive internal company information or customer personal information.
  2. Having a Response Plan in place can minimize the impact of a breach. Hacks, breaches and other cyber crimes happen out in the world every single day, just as fires, floods and other losses occur every day in the business world. In addition to training and adequate policies, every business needs a Data Security Response Plan outlining the important steps that need to be taken when a breach has occurred or is suspected. Too many small businesses are blind-sided when a breach occurs and are faced with too little, too late in the eyes of regulators and others. With so much at stake, every business needs to be prepared. No business can assume it won’t happen. With the tremendous growth of insurance products coming on the market to cover data breach losses, businesses may want to purchase coverage, but care must be taken to review what’s covered, what’s not, whether there’s coverage under existing policies and the insured’s responsibility for meeting the applicable data protection standards before coverage is available in the event of loss.
  3. Lastly, having the right team you can quickly call upon to assess and respond to a breach is critical. If and when the worst happens, having a plan in place means you won’t be consumed by the aftermath and will have the right resources in place to assess and resolve the issue as quickly and favorably as possible.

This article was written by Attorney Tegan Blackburn, who focuses her law practice in Simsbury, Connecticut on Business & Corporate Law, Compliance Counseling, Commercial Transactions and Data Breach Response. She is General Counsel and Chief Compliance Officer to various IT, healthcare, retail and other industry clients and has been called upon to resolve data breach incidents in Connecticut, as well as acting as a consultant to other firms in and out of the New England area. This article is intended as general guidance and is not legal advice. The reader should consult with an attorney regarding their particular situation.

Other online resources are available at the National Cyber Security Alliance and at:
http://www.staysafeonline.org
http://nist.gov
http://stopthinkconnect.org

What’s Your Risk Of Cyber Attack?

WHAT EVERY BUSINESS NEEDS TO KNOW:

Every business that uses, views, stores or otherwise handles personal customer information is at risk. The level of risk is largely determined by the business you’re in and what kind of “personal information” you have in your care, custody and control. If you use the internet to conduct business, you’ve significantly increased your risk of cyber attack. However, there are things you can do to protect yourself and your customers. If your company is hacked and you haven’t adequately protected the data on your devices, you may find yourself in for a costly surprise. Many small and mid-size businesses with high volumes of transactions are often favored targets, where hackers have learned that cyber security may not be up to snuff, allowing them easy access. These smaller incidents don’t usually get the same level of attention as the large breaches; however, the consequences are just as serious. The cost to small and mid-size companies for responding to a data breach can run from $100,000.00 to $500,000.00 or more. In today’s internet business environment, anyone handling credit cards, debit cards or other sensitive information such as a customer’s financial, legal or health information is particularly at risk.

Any business handling “personal information” has the obligation to protect its customers from the illegal use or disclosure of this protected information. The privacy and security protections regulating many industries include administrative, legal and technical requirements. Data breaches are often the result of either insufficient technical safeguards or careless handling of data. A great deal of debate has taken place over the amount of time it took for Target to notify its customers. The difficulty faced by businesses when a breach has occurred (or is suspected) is that steps must be taken immediately to eliminate the intrusion, which often involves a very comprehensive forensic analysis. This first step can take weeks to complete and then must be evaluated with counsel familiar with the many layers of regulation, risk and reporting requirements. The assessment of when and whether a company is required to notify customers typically requires the involvement and consent of local, state and federal law enforcement officials. In many states, including Connecticut, the Attorney General must also be notified. These notifications extend to any state or territory where an affected customer resides. To add to the complexity following a breach, forty-eight states now have their own response requirements for known or suspected data breaches. Unfortunately, many of these laws have differing requirements and most don’t specify timetables for reporting a breach. Connecticut’s statute requires that notice must not be unreasonably delayed, which leaves a great deal open to interpretation. A business might also be compelled to delay publicly reporting a breach by the Secret Service or other law enforcement authorities.

The U.S. Senate recently re-introduced a Data Breach Bill in an effort to nationalize data security and reporting standards. Following the recent breach announcements by Target, Neiman Marcus and Michaels Stores, there will undoubtedly be many more efforts to strengthen cyber security standards. Currently, credit card security standards are primarily privately regulated by the major card brands, including MasterCard, Visa and American Express. These recent major breaches clearly show a need to better protect American businesses and residents. The technical standards required of merchants in America today (known as the Payment Card Industry Data Security Standard, PCI-DSS) for all point of sale systems (and POS providers) are not nearly as strong as the EMV standards used by many European nations. By latest counts, the recent Target breach involved over 100 million customers, whose data is now at risk. These pools of ill-gotten gain are typically sold on the black market within a matter of moments, leaving the door open to large scale fraud and identity theft problems for those affected.

Businesses handling any type of regulated “personal information” should immediately take steps to evaluate their risk and audit all devices. Responding to a cyber attack is a costly enterprise, which will include the costs of forensics, fines by the card brands, notification costs, legal expenses to evaluate and respond to the breach and mitigate damage, and the fallout certain to take place from unhappy customers, with many potential lawsuits and claims to follow. The damage to a business’s reputation after a breach is impossible to put a dollar value on. Staying abreast of current and emerging regulations is critical to keeping a step ahead of the ever-present risk of cyber attack on the internet. If you are notified or suspect that customer data may have been breached, it’s imperative to take this seriously and immediately take steps to evaluate the situation. Numerous states, including Connecticut, now permit the Attorney General to assess additional fines against businesses that do not notify affected customers in a timely fashion. Lastly, and most importantly, having a comprehensive compliance program in place covering the technical, legal and administrative safeguards necessary to protect data is simply the best way to avoid a costly data breach, which has become a far too common occurrence today.

Attorney Tegan Blackburn frequently provides compliance counseling to businesses across diverse industries on preventing and responding to data breach.

Data Breach: What Steps Can Consumers Take To Protect Their Data?

Hardly a day goes by without some news about the Target data breach, which is now estimated to have affected over 100 million customers. Neiman Marcus and Michaels Stores have also just announced potential large scale breaches at their stores.

Protection of customer data is regulated on a number of different levels depending upon the type of transaction. Different state and federal laws and regulations come into play depending upon the type of transaction and where it occurred. Consumers may be surprised to learn that credit card transactions are for the most part privately regulated by the card brand industry (under what are referred to as the PCI-DSS standards). The technical standards required for point of sale transactions in the United States clearly need to be strengthened and are not nearly as robust as the standards used by many European countries (the EMV standards).

When a credit card breach is suspected, many of the card brands will promptly cancel credit cards and issue new cards to customers to limit liability. In some instances the card brands will shut down a merchant’s ability to process cards. The good news for consumers using credit cards is that most card brands (Visa, MasterCard, American Express and others) have a policy of no liability (some have a $50.00 limit for fraudulent transactions). The news is not as good for debit card transactions, where accounts can be hacked into and completely drained in a matter of moments.

Until better standards are in place, consumers should take the following steps to protect their financial security:

  • Cancel debit cards or keep only minimal balances in these accounts.
  • Obtain free annual credit reports and immediately report any false or suspicious activity.
  • Frequently change passwords, using complex passwords (a combination of letters, symbols and numbers that do not personally relate to you and could not be easily guessed). Use a unique password for each account; that way, not all accounts will be affected if one account is hacked. Weak passwords are one of the easiest ways to be attacked on-line. Software bots running at mind-boggling speed on the internet 24/7 all too often gain entry due to weak or easy to guess passwords.
  • Consider adding identity theft protection to your insurance policies.
  • Keep antivirus software applications up to date on all devices. It’s critical to keep AV software up to date, and some offer better protection than others.
  • Never open an email that looks suspicious. Phishing scams with official sounding names, including attachments such as details.zip, UPS_document.zip, DCIM.zip, Report.zip, Scan.zip and many others, including .exe files that prompt you to enter passwords or click links to infected websites, should never be opened and will come to no good.

Most credit card companies do a good job of cancelling cards and limiting liability for fraudulent credit card transactions. Debit cards do not enjoy the same protections. Debit card transactions won’t usually be reimbursed unless the merchant decides to cover the loss or is able to recover the funds from the hacker. Since many of the data breaches today result from hacks outside the United States, it’s not likely you’ll get reimbursed for fraudulent debit card activity. By keeping antivirus software up to date and using strong passwords on all your accounts, you can have the peace of mind that you haven’t made it easy for hackers to gain access. The encryption and other standards in place today won’t likely change for some time. In the meantime, you can take these steps to protect your financial security.

Last Updated (Wednesday, 29 January 2014 07:33)

New Data Breach Law Impacts Connecticut Businesses

Any business handling credit card transactions, confidential health or financial information needs to take heed of important new amendments to Connecticut’s security breach notification laws. Effective October 1, 2012, new subsection (b)(2) of the existing Connecticut General Statutes Sec. 36a-701 Data Breach Notification Statute requires that the Connecticut Attorney General’s Office be notified of a data breach. Prior to this enactment, Connecticut and other New England states were on the forefront of these consumer protection breach laws requiring anyone doing business in their state to provide notice of a computerized security breach without unreasonable delay to residents who may have been affected. As part of the Connecticut Attorney General’s Privacy Task Force, a dedicated webpage detailing these new reporting requirements is available at www.ct.gov/ag.

An important lesson from this new law is that unless these new notification provisions are carefully followed, the Attorney General’s office will also have a crack at assessing additional fines. The good news is that there is a “safe harbor” built into some of these regulations, so that if businesses are fully compliant with the Payment Card Industry’s Data Security Standard (often called PCI-DSS) at the time the breach occurred, they will likely get a “get out of jail free card” with no fines assessed by the credit card industry.

Given the prolific amount of malware and organized crime activity occurring on the internet, businesses can’t be too cautious about regularly updating their internet security tools and assessing potential risks. Many of the data breaches occurring today aren’t caused by criminals at all. They’re just as often caused by careless handling of customers’ personal information on the devices that store or transmit information and by failing to update security tools. Regularly updating computer security, training employees, restricting user access and understanding the legal requirements will help businesses stay ahead of the costly aftermath of a data breach. If businesses outsource these functions to third party vendors, it’s critical to verify that they meet or exceed current security standards on all networks and devices.

Sufficient encryption, secure passwords, limited user access and regular updating of all firewall and anti-virus software on all devices that use, store or transmit data are critical to data breach prevention. The small cost of regularly conducting audits, upgrading security tools and training staff is well worth the investment compared to the high cost of a data breach. Only after forensics has been completed, with the clock running, will the breached entity know just how many individuals, Attorneys General, banking institutions, local law enforcement and FBI officials or other regulators will need to be notified. The aftermath to a breached entity will be much more than the sum of its legal expenses, costs of forensics, notification costs, fines and penalties. Data breach is much more than an IT issue; it is critical to business survival. Ensuring your business meets or exceeds all applicable security standards and carefully training staff is one of the best ways to avoid a breach and the serious consequences that follow.

If you missed our articles in the Hartford Business Journal and Connecticut Law Tribune on these important new requirements under Connecticut State law, reprints of the full article are available on request.

Attorney Tegan Blackburn based in Simsbury, Connecticut has two decades of experience as in-house and outside counsel advising retail, banking, restaurant, healthcare, technology and other clients on general business and corporate matters, including compliance issues and data breach response.

Last Updated (Wednesday, 13 February 2013 21:34)