retrieved from govhealthit.com | May 26, 2015
Read original article.
With major data breaches making headline news on a near-weekly basis, the healthcare industry is increasingly focused on cybersecurity, as well it should be.
In addition to working toward a culture of security wherein all employees are trained to spot and prevent attempted cyber-attacks, a strong program is an essential part of any long-term business strategy, and healthcare entities are not exempt.
But where to begin? And how best to move forward?
These 10 tips can help healthcare organizations establish such a program:
- Create a strong, cross-sectional cybersecurity team that includes personnel from legal, information technology, human resources, and public relations departments. The team should also include at least one member of senior management.
- Conduct a “privacy survey,” which is the process of identifying the legal, regulatory, and contractual obligations to protect data. Healthcare companies and their business associates must be particularly aware of their obligations to safeguard protected health information under both HIPAA and HITECH. Companies should also consider state laws to protect “personally identifiable information” (“PII”), and should understand contractual obligations, which likely include obligations to protect payment card information (“PCI”) under the rules established by card brands like Visa and MasterCard.
- Perform risk analysis required under HIPAA’s Security Rule. As part of the risk analysis process, companies need to identify the PHI they maintain and develop a detailed understanding of their technical systems and the potential threats they may face.
- Segregate sensitive data from regular data and protect it with additional physical, technical, or procedural safeguards (including firewalls, password protection and encryption).
- Implement “privacy by design” when developing cybersecurity solutions. The company should create policies and procedures that account for patient privacy, legal compliance, and data protection throughout the data lifecycle (i.e., collection, processing, storage, and destruction). As part of this effort, the company should develop comprehensive policies to address privacy and data security, including:
a BYOD policy, a password policy requiring use of strong, complex, unique passwords; personnel policies (including onboarding and off-boarding policies) that enhance security; and a network tracking policy requiring regular monitoring of network traffic for evidence of suspicious access.
- Manage vendors and scrutinize the adequacy of their cybersecurity policies and procedures before entering into relationships with them. Enact contractual safeguards to minimize risk, including by requiring protection of sensitive data, providing rights to audit vendors’ security practices, and requiring vendors to notify the company if a breach occurs. The contract should allocate risk in the event that a breach at the vendor harms the company, and companies should consider requiring vendors to carry cyber insurance. Companies must enter business associate agreements with vendors that will have access to PHI. But before entering a business associate agreement, healthcare organizations should assess whether a vendor’s access to PHI is necessary. If not, the vendor should not have access to the PHI, and the company may avoid the compliance costs associated with business associates.
- Engage in cybersecurity information sharing through, for example, the National Health ISAC. The NH-ISAC allows industry players to keep abreast of evolving cyber-attack tactics and industry security standards.
- Consider cybersecurity insurance, which, depending on the policy, may cover forensic investigation and system restoration costs; defense and indemnity costs associated with litigation resulting from the loss of personal information or other sensitive data; regulatory investigation defense costs and penalties; notification costs and credit monitoring for affected customers and employees; losses attributable to the theft of the policyholder-company’s own data (including transfer of funds); business interruption costs; costs required to investigate threats of cyber-extortion and payments to extortionists; and (viii) crisis management costs, such as the hiring of public relations firms. Unlike many traditional policies, cyber liability policies differ significantly because they are not (yet) based on a standard form. It is therefore critical to carefully review the exclusions of cyber policies with a broker and coverage counsel.
- Develop an incident response plan, which is a detailed plan that outlines how a company will respond to suspected cyber-events. These plans help companies quickly and effectively investigate and remediate attacks. An incident response plan should identify the leaders of the response team and present easy-to-follow, scenario-based responses to different types of cyber incidents. The plan should clearly delineate first steps and include a timeline of major investigative events. The plan should also provide for involvement of experienced legal counsel in all aspects of the investigation of a suspected cyber-event (including communications about the potential event, remediation efforts, and disclosure and reporting) to ensure that the investigation is protected under the attorney-client and work product privileges. Privilege is critical because the company may soon find itself the defendant in a variety of lawsuits, including lawsuits by regulators, customers, issuing banks, or investors.
- Develop a business continuity plan to facilitate efficient data recovery and resumption of operations in compliance with HIPAA requirements. Cyber-attacks may result in victim-companies losing access to their data and systems. For example, many companies have been affected by the Cryptolocker malware, which encrypts (and renders useless) the company’s data until a ransom is paid. If companies are not prepared for these types of attacks, they may face enforcement actions, private litigation, and a substantial interruption of services, which can each be extremely costly. The first step in creating an effective business continuity plan is identifying critical systems. Systems should be prioritized based on the maximum time that each can be down without causing substantial harm to the business. The company must then select a back-up system, and should consider the following factors in choosing a back-up system: how quickly the data needs to be restored, how much data must be stored, and how long data must be maintained. It is critical that the company’s back-up system be sufficiently segregated from the company’s day-to-day systems so that a cyber-attacker cannot access the back-up system during an attack.
Emily Westridge Black is an attorney in the Austin office of Haynes and Boone, LLP, and Chris Quinlan is an attorney in the Dallas office. Both specialize in data security, white-collar criminal defense, and the prosecution and defense of complex commercial litigation matters.