The year ahead will be marked by a changing tide of cyber standards—social, legal, and policy—that are raising the bar for provider organizations to protect the integrity of their data. On the policy front, of course, the updated version of the Health Insurance Portability and Accountability Act (HIPAA), which went into effect in September, has raised the bar on compliance activities, breach notification rules and patients’ rights, and requirements on business associates. In addition to policy, provider organizations can expect to face added pressure from technological changes, among them, cloud storage, the burgeoning use of personal devices in the workplace, the changing nature of “insider” threats, and additional focus from the corporate boards, which are increasingly taking a more proactive look at their organizations’ preparedness and mitigation strategies.
All of this means that cyber security should be a front-burner issue. Last week, Kroll, a New York-based risk mitigation and response firm, released its cyber security forecast for 2014. Healthcare Informatics spoke with Kroll’s senior managing director, Alan Brill, to put those forecasts into perspective for healthcare provider organizations.
1. NIST and other security frameworks will become de facto standards for best practices. Frameworks from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and similar bodies will drive organizational decision-making with regard to cyber security, according to Kroll. Organizations that do not follow suit may find themselves subject to shareholder lawsuits, actions by regulators, and other legal consequences.
Brill points out that NIST, ISO and similar frameworks underlie the HIPAA Final Omnibus Rule. He also observes that “This trend will move the U.S. in the direction of the European Union, where there is greater recognition of privacy as a right.” He recommends that organizations be cognizant of these standards and “make strategic business decisions that give clients and customers confidence that their information is protected.”
2. The data supply chain will pose continuing challenges to even the most sophisticated enterprises. Brill notes that in the last five years, many tasks that would have been done completely in-house are now outsourced. “Now, instead of having everything in-house, there is this eco-structure, this ecology of companies in which various parts of the organization may work; and may share ePHI. It becomes extremely important to know where that’s happening,” he says.
Today, that awareness is not always present, because decisions made at the departmental level or as part of the research operation aren’t necessarily being made by the hospital’s IT department, he says. Instead, those decisions are being made by the principal investigator, and the process doesn’t always reach the point of someone suggesting that the legal department look at a vendor contract. “Any time sensitive data is leaving to go to a business associate or to software as a service (SaaS), an organization needs to ensure that appropriate steps have been taken to avoid a breach of its obligations under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act,” he says.
3. The malicious insider remains a serious threat, but will become more visible. In 2014, a significant percentage of data breaches—possibly almost half—will come at the hands of people on the inside of an organization, according to Kroll. At the same time, insider threats are becoming more visible, as the federal government and the states expand privacy breach laws and enforcement regimes. “When we deal with incidents involving healthcare, a lot of times it is an insider,” Brill says. He adds that the nature of these incidents has changed, with increasing reliance on third parties to perform tasks. “It used to be that these things happened and the insider was an employee, but now we are finding that these insiders might be contractors, vendors, business associates. For that reason, it becomes important to understand not just your own practices with regard to HR-type security issues, but those of the people you entrust with your data,” he says.
Brill cautions that organizations need to examine their entire data supply chain. He describes one recent case of a client that experienced a loss of back-up media. The culprit, it turned out, was a sub-contractor of the vendor performing the service. He recommends that organizations involve their general counsel in decisions to hire outside vendors.
4. Corporate board audit committees will take a greater interest in cyber security risks and the organization’s plans for addressing them. Corporate boards are beginning to make a connection between an organization's financial well-being and cyber security, according to Kroll. As such, they will expand their attention beyond financial audits to the organization's strategic plans for protecting non-public information and its risk mitigation plans for responding to a possible breach.
Brill notes that this trend is even more common among hospitals than among other types of organizations. Boards don't want their organizations to be the next poster child for a data breach, he says. “As we are seeing with other organizations in areas such as financial services, the board is getting more activist, and particularly the audit committee,” he says.
He recommends that CIOs look at how their security policies have evolved. “For example, do you know that your policies and procedures match the actual wording of the Final Rule? If they don't, you can have a problem,” he says. Auditors from the Department of Health and Human Services Office for Civil Rights look at whether every section of the rules—risk and threat assessment, security, privacy, breach notification—is covered in the way the rules require. “There’s a lot you can do, and to what extent you do it because it’s the right thing to do if you are a CIO, and to what extent you do it because the board is asking you these questions, ultimately it doesn’t matter. You want to be ready to answer the questions of your board, and your management, and any outside auditors that come in. It’s good practice,” he says.
5. Sophisticated tools will enable organizations to quickly uncover data breach details and react faster. “Healthcare is not different from a lot of other organizations. You need to know when an incident occurs, and there is a lot of technology out there,” Brill says. “The problem is that there is no such thing as 100-percent security, no matter how much you spend, how hard you work or how many people you have looking at it. Incidents happen.”
The issue is that if there is an incident, an organization has to be ready to respond: to investigate what happened, to understand it, and to go back and look at the events, Brill says. That capability is a combination of the availability of the tools and a recognition that organizations have to use the record-keeping capabilities already built into their systems. Unfortunately, those capabilities are often turned off because of concerns about storage space, he says, but he adds, “Storage is a lot cheaper than it used to be; the fact that you can buy a terabyte drive for $60 to $70 is an indication that you have to rethink how you store files and how long you keep them, to make sure that you are actually keeping them and keeping them for a relevant amount of time.”
Brill says it's important for organizations to have an incident response plan in place that is actually practiced. “The worst time to try to learn crisis management is in the middle of a crisis,” he says. Exercises that simulate an incident should involve the whole team, not just technical people but also management, legal, risk management, and organizational security, so that when something happens, everybody knows that they are going to be part of that team, he says. The team needs to understand what kind of data is going to be available, what legal decisions are to be made with counsel, what the management decisions are, what needs to be safeguarded, and how reporting will be handled, he says.
6. New standards related to breach notification are gaining traction and will have greater impact on corporate data breach response. The offer of credit monitoring to victims of a data breach will begin to fall by the wayside, according to Kroll. Brill questions the value of offering a year’s worth of credit monitoring to victims of a data breach, and says there is a need for compensation that is more meaningful to the victims. While credit monitoring can have value if it aligns with the type of data that is exposed, provider organizations need to have a better understanding of the breach risks, how it can affect the patient, and the best way to remedy those risks.
The kinds of data that are stolen from healthcare organizations will likely be used for some sort of fraud that might or might not show up on a patient’s credit report. In healthcare, for example, breaches frequently result in W-2 fraud (resulting in a tax bill from the IRS) or identity theft used to obtain medical treatment illicitly. Neither type of incident is going to show up on a credit report, Brill says, but both harm the victim.
“Our experience with breach remediation is that one size doesn’t fit all, and remediation has to be relevant to the incident, and be effective with regard to that,” Brill says. He notes that the Federal Trade Commission and states including Illinois and California have suggested that remediation should be risk based. “The evolution is going to be more thoughtful, beyond knee jerks like credit reports,” Brill says. Under a risk-based model of remediation, patients can be informed about the type of information that was stolen, given some indication of who may have stolen it, and told what risks they face and how to protect themselves, he says.
7. As cloud and BYOD adoption continues to accelerate, greater accountability will be required for implementing policies and managing technologies. This is an important trend because it is happening so quickly, Brill says. According to Kroll, in 2014 IT leaders will have to work closely with their organizations’ senior leadership and legal counsel to adopt corporate policies in a way that addresses changing legal risks while meeting the needs of the organization. Brill notes that until now, cloud and Bring Your Own Device (BYOD) adoption has been uncharted and subject to few restrictions. However, he cautions that he has been seeing courts issue rulings that include significant penalties where discovery, disclosure and other legal obligations aren’t being met because of the use of these technologies.
He advocates that organizations integrate these technologies into corporate policies, IT security plans and risk management plans that will meet their legal obligations. “The key is that decisions with regard to BYOD programs are not just technical decisions, that they represent a decision that has application to the general counsel’s office, application to the hospital’s risk manager. You want to make those decisions smart, with as much input as you can,” he says.
He also notes that organizations should consider the use of technology, such as partitioning personal devices so that work-related data is secured and encrypted. “It’s a matter of building a system that is useful to the user but doesn’t unduly increase the organization’s risk or place it out of compliance,” he says.