Transcript of Cybersecurity and the Law - Health IT Conference for …
Cybersecurity and the Law
February 29, 2016 – 9:30-10:30am
Adam H. Greene, JD, MPH Partner, Davis Wright Tremaine LLP
Agenda
• Learning Objectives
• The Potential Legal Costs of Poor Cybersecurity
• What the Law Requires
• The Value of Best Practices
• The Role of NIST
Learning Objectives
• Explain the possible legal ramifications of a cyber-attack
• Review recent developments in Cyber Security Law
• Provide ideas on how to prepare executive management and the board for the inevitable
• Discuss the pros and cons of applying the NIST Cyber Security Framework within healthcare
A Really Bad Day …
An outside security consultant’s review identified sophisticated malware residing on your information systems.
More Bad News…
Forensic investigation identified that:
• Outside entity obtained initial access through spear phishing.
• Once inside the network, obtained administrative credentials.
• Has been in the system for four months.
What Did They Get?
We don’t know what was exfiltrated. Possibly:
• Information on 500,000 patients.
• Including medical information and Social Security numbers.
• Affecting residents in 22 states where we operate.
So, How Bad Is This?
Potential HIPAA Violations:
• Impermissible disclosure of 500,000 patients’ protected health information (2015-16)
• Failure to conduct an accurate and thorough risk analysis (2011-16)
• Failure to implement a risk management plan (2011-16)
• Lack of information system activity review (2011-16)
• Failure to protect from malicious software (2011-16)
So, How Bad Is This?
Potential HIPAA Penalties (HHS):
• $50,000 per violation per day or per affected individual
• Annual cap of $1.5 million for multiple violations of the same requirement
So, How Bad Is This?
Potential HIPAA Penalties (HHS):
• Impermissible disclosure: 2 years * $1.5M = $3M
• Risk analysis: 6 years * $1.5M = $9M
• Risk management plan: $9M
• Information system activity review: $9M
• Failure to protect from malicious software: $9M
• HHS Total = $39M
But Wait, There’s More ….
Potential HIPAA Penalties (State Attorney General):
• $100 per violation per day or per affected individual
• Annual cap of $25,000 for multiple violations of the same requirement
Potential State AG HIPAA Penalties
• Impermissible disclosure: 2 years * $25K = $50K
• Risk analysis: 6 years * $25K = $150K
• Risk management plan: $150K
• Information system activity review: $150K
• Failure to protect from malicious software: $150K
• Per State Subtotal = $650K
• Total for 22 states = $14.3M
And then there’s the FTC …
• If breached entity is for-profit entity, FTC can claim lack of security was unfair or deceptive trade practice.
• Standard 20-year consent order (potentially requiring independent monitoring).
• In Henry Schein Practice Solutions, Inc., FTC required payment of $250,000 to a redress fund
And don’t forget about …
• Breach notification costs
• Credit monitoring costs
• Breach notification legal costs
• Legal costs for handling multiple regulatory investigations
• Legal costs for class action defense
HIPAA Provides a Minimal Baseline:
• Substantial flexibility and technology neutral
• Provides discretion to not implement certain technology based on a risk-based approach
• Does not clearly require due diligence of vendors
• Does not require active monitoring of vendors – only requires action upon learning of a violation
But Don’t Let HIPAA’s Flexibility Fool You…
• For “accurate and thorough” risk analysis, OCR expects you to document how you are addressing every reasonably-anticipated risk.
• While a covered entity is not directly liable for most business associates’ actions, HIPAA may still lead to substantial reputational harm and breach notification costs based on BAs’ violations
FTC Applies More Stringent Standards than HIPAA
• Section 5 authority is inapplicable to non-profits.
• No clear information security standards.
• Expects “defense in depth”
• In GMR Transcription, the complaint alleged a lack of active monitoring of a subcontractor business associate.
• In Henry Schein Practice Solutions, the complaint faulted the business associate for encryption that did not satisfy NIST standards.
Successes and Failures of Class Actions
Limited Plaintiff Successes Absent Clear Damages
• AvMed $3 million settlement (1.2 million affected customers, claim of unjust enrichment based on premiums allegedly not going towards adequate information security) (2014)
• Stanford $4 million settlement (20,000 patients, settlement mostly paid by Stanford’s vendors) (2014)
Successes and Failures of Class Actions
Limited Plaintiff Successes Absent Clear Damages (cont’d)
• Boston Medical Center, Superior Court held that plaintiffs had standing to sue based on data exposure (2016)
Successes and Failures of Class Actions
Most Cases Dismissed on Lack of Standing
• Clapper v. Amnesty International, U.S. Supreme Court held that individuals potentially subject to surveillance did not have standing based on allegations of possible future injury. (2013)
• Numerous cases have dismissed data breach class actions on lack of standing or lack of damages
Dodging the CA CMIA Bullet
California Confidentiality of Medical Information Act provides $1,000 per person for negligent disclosure of medical information in the absence of actual damages.
• In Sutter Health, the court held that evidence must show that medical information was actually viewed.
• In Eisenhower Med. Ctr., the court held that patient demographic information was not “medical information.”
To Be Determined
• Successful action under CMIA? Will court award millions in absence of any actual damages?
• Spokeo v. Robins, U.S. Supreme Court addresses whether consumer class can sue for monetary damages w/o identifiable financial or personal injuries.
A Robust Cyber Security Program:
• Legal risks follow real risks – and health care hacking is on the rise.
• Tougher regulators are increasing legal risks from data breaches.
• Doing the bare minimum will lead to:
  – High breach notification incidents and costs
  – High litigation costs defending claims of negligence
  – Fights with regulators over what is required
• Cyber insurance carriers may require more and more
Convincing the C-Suite/Board
• Inform:
  – Evidence of increasing threats to health care data
  – Increasing level of enforcement among more regulators
• Quantify:
  – How much a breach will cost vs. risk reduction through InfoSec investment
  – Focus on return on investment
• Progress Reports:
  – What is the current profile?
  – What is the target profile?
  – How are we progressing towards the target?
The Role of NIST
• NIST standards are not required for private entities, unless incorporated through contract, but …
• A good set of tools for improving cybersecurity;
• A good proxy for industry best practices; and
• Agencies such as the FTC are increasingly expecting NIST-level safeguards.
NIST Cyber Security Framework
Framework Implementation Tiers:
• Partial (Tier 1)
• Risk Informed (Tier 2)
• Repeatable (Tier 3)
• Adaptive (Tier 4)
NIST Cyber Security Framework
Framework Profile:
• Current Profile
• Target Profile
• Comparison of Profiles
NIST Cyber Security Framework
1. Prioritize and Scope
2. Orient
3. Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Determine, Analyze, and Prioritize Gaps
7. Implement Action Plan
Stay Tuned
• Section 405 of the Cybersecurity Act of 2015
  – HHS to work with NIST to create information for health care industry stakeholders of all sizes for improving preparedness for, and response to, cybersecurity threats affecting the health care industry
  – Statute states that any new standards will be consistent with HIPAA but will be optional
Resources
• NIST Framework for Improving Critical Infrastructure Cybersecurity, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
• NIST Guide for Conducting Risk Assessments, http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
• Cybersecurity Information Sharing Act (part of Pub. L. 114-113), https://www.congress.gov/114/bills/hr2029/BILLS-114hr2029enr.pdf
• HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, http://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk