What Steps Should Covered Entities, Business Associates Take to Combat Cyberthreats?
July 21, 2017 at 03:56 PM
The original version of this story was published on Law.com
Over the last several months there has been an onslaught of news about cyberattacks, most notably ransomware attacks involving many industries, including health care institutions both in the United States and abroad, most notably the “WannaCry” attack. Most recently, a new ransomware attack known as “Petya” made headlines. By all accounts, these attacks are predicted to get worse. These attacks are in addition to other cybersecurity issues involving identity theft and other types of hacking.
Data loss through cybercrime creates an ever-increasing risk, especially to the health care industry, which is increasingly targeted. As discussed below, education and prevention are key to protecting sensitive health care data and to responding quickly to a security incident. The federal government, through the Department of Health and Human Services (HHS) and Office for Civil Rights (OCR) websites, provides summaries of the HIPAA Privacy, Security and Breach Notification Rules. Understanding and complying with these HIPAA requirements, including the Privacy Rule requirement that covered entities have a business associate agreement with each vendor that has access to protected health information (PHI), is the first step toward protecting sensitive health care data. The Security Rule sets the standards for controlling the confidentiality and storage of, and access to, electronic PHI.
The OCR continues to provide guidance on the issues of cybersecurity in the form of summary bulletins. In February 2017, it issued one titled “Reporting and Monitoring Cyberthreats.” In May 2017, it issued a summary bulletin titled “Cybersecurity Incidents Will Happen … Remember to Plan, Respond and Report.” In that summary, the OCR listed the following incident headlines:
• “Leading Cause of Healthcare Data Breaches in April Was Hacking”
• “Healthcare Data Security Incidents Second Highest in 2016”
• “Ransomware Attack: Healthcare Vulnerable to Cyber”
Importantly, the summary bulletin provides a “refresher” on what is a security incident under the HIPAA Security Rule and when it is a breach under the HIPAA Breach Notification Rule. The OCR reminds covered entities and business associates that they need to have an incident response policy and different types of contingency plans to appropriately respond to a security incident. The OCR summary bulletin also provides a reminder that the HIPAA Breach Notification Rule requires covered entities to notify affected individuals, OCR, and in some cases, the media of a breach of unsecured PHI. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate. See https://www.hhs.gov/hipaa/for-professionals/breach-notification.
On June 9, the OCR issued its “Quick Response Cyberattack” checklist and corresponding infographic. Once again, this OCR publication and the recent U.S. government interagency technical guidance document, “How to Protect Your Networks From Ransomware,” serve as reminders that cybersecurity concerns must be addressed proactively, before an incident occurs. As outlined by the OCR, HIPAA-covered entities and business associates should consider taking the following steps in response to a cyber-related security incident:
• Execute its response and mitigation procedures and contingency plans;
• Report the crime to law enforcement agencies;
• Report all cyberthreat indicators to federal and information-sharing and analysis organizations (ISAOs); and
• Report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.
It bears repeating that while not all of these steps will apply to every situation, it is imperative that HIPAA-covered entities and business associates review their current incident response plans (IRPs) and procedures and compare them to the OCR checklist. As noted in the checklist, the OCR considers all mitigation efforts taken by the entity during any breach investigation, an important point in the event of a settlement of a HIPAA violation. Such efforts include voluntary sharing of breach-related information with law enforcement agencies, other federal agencies and ISAOs. As noted in the OCR infographic, even if there is no breach, the entity must document and retain all information considered during the risk assessment of the cyberattack, including how it determined that no breach occurred.
As outlined by the OCR and other federal agencies, prevention and pre-breach planning are critical, including taking the following steps:
• Update systems and software with current patches: Ransomware spreads easily when it encounters unpatched or outdated software. In addition, keeping computer and antivirus software up to date adds another layer of defense that could help stop malware.
• Refresh, review, retrain: To protect your company from a ransomware attack, properly train employees on cybersecurity. Authorized users can expose a company the most when it comes to cybersecurity risks. This includes employees who are vulnerable to social engineering and phishing attacks. Thus, train employees to identify phishing attacks and perform proper authentication of third parties before providing them with data or access to the network.
• Data Access Controls: Grant users access to data and systems minimally necessary to do their jobs and closely monitor access controls to help contain the spread of initial infections.
• Implement data loss prevention (DLP) and intrusion detection systems: Intrusion detection systems help quickly identify potential infections, allowing a company to rapidly isolate infected servers and/or endpoints (computers) and prevent initial infections from spreading. Using data loss prevention tools, companies can enforce protection policies, and administrators can secure sensitive business data and prevent unauthorized access to it.
• Implement regular and offsite data backups: In the event of a ransomware attack, decryption keys are not always provided even when ransoms are paid. Backups stored on the same infected server are often encrypted along with the rest of the data. Thus, regular data backups that are continually tested to ensure they can be restored when needed are important to help a company recover its data, resume operations and avoid paying a ransom demand. It is equally important that backups be stored offsite.
• Implement, practice and update incident response and business continuity plans: Having a tested incident response plan will help an organization quickly respond to a security incident. While many organizations have information security procedures in place, it is important that those plans and procedures be reviewed to address a potential ransomware attack. Similarly, perhaps the biggest impact of a ransomware attack is the downtime an organization may face, even causing business functions to come to a halt. Thus, it is critically important that companies update their business continuity plans to specifically address ransomware.
• Quickly deploy the incident response team and protect privilege: Quick deployment of the incident response team is essential when faced with a ransomware attack. This includes having legal, forensic and public relations consultants, as well as law enforcement contacts, identified before a security incident occurs. Top-level awareness is equally important, as crisis management decisions will need to be made quickly, such as whether the ransom demand will be paid and, if so, who should negotiate the ransom payment; how and when to notify law enforcement; and what internal or external communications are necessary. As these decisions may greatly affect a company's business, financial and legal obligations, it is critically important that in-house or outside legal counsel be involved from the outset to advise and guide the organization, including in the retention of outside consultants. This is the best measure to help protect attorney-client privilege as company executives are forced to navigate important decisions for the organization quickly.
The importance of implementing these steps to minimize the impact of a security incident cannot be overemphasized. By way of illustration, a West Virginia hospital was recently targeted by the Petya attack. The hospital was forced to replace its entire computer network after the ransomware froze its electronic medical records system, jeopardizing health care providers' ability to review patient documents and transmit laboratory and pharmacy requests. Hospital officials could not restore the services and could not find a way to pay the ransom for the return of their network. After consulting with the FBI, the institution ended up replacing its system.
In short, being proactive is often easier and less costly than a reactive approach. Cyber risks present a fast-evolving landscape. Prevention is the key to mitigation in this area and a better option than facing a breach unprepared. An entity that knows those risks and controls the data that flows within and outside its walls is best placed to remain competitive in its marketplace.
Cinthia Granados Motley is the co-chair of Sedgwick LLP's cybersecurity and privacy practice group. She has an active practice handling data privacy, security and liability matters, both domestically and internationally, as well as information governance, e-discovery, international contract disputes, directors and officers liability and employment defense. Carol Gerner is a member of the firm's cybersecurity and privacy practice group. Her practice also includes advising clients in a wide range of industries on compliance issues under federal and state privacy, data protection and cybersecurity laws and regulations, and assisting clients in incident preparedness and breach response. Contact them at [email protected].