The Exposure
Organizations that deal with private health information (PHI) should know how to properly handle such data in absence of a breach as well as how to respond after a breach occurs. According to the 2011 Computer Security Institute Crime and Security Survey, 97% of organizations report using anti-virus software, 95% use firewalls, 85% use anti-spyware software, 66% use data encryption and 62% use intrusion detection systems.
The Open Security Foundation's website, www.datalossdb.org, shows that despite taking meaningful steps to prevent security breaches, healthcare organizations accounted for 18% of the 1,032 data breaches reported in 2011 and 15% of all time. Further, according to the Ponemon Institute's 2011 Cost of Breach Study, the per capita costs of a breach for healthcare organizations average around $240 per record. When compared to retail, which averages $174 per record, education which averages $142 per record, and an average of $194 per record for all industries, healthcare organizations clearly have cause to be concerned about breach response expenses.
A healthcare organization or business associate1 should also be aware of the increased standards that have been imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Privacy Rule and the Security Rule. One aspect of the Health Information Technology for Economic and Clinical Health Act act that may surprise many is the potential for the Office of Civil Rights (OCR) to fine an organization in absence of a breach.
In 2012, the Office of Civil Rights will conduct 150 audits of Covered Entities. If material security weaknesses are reported, a formal compliance review will follow. If that review uncovers blatant security violations, civil monetary fines could follow. Enforcement action around data breaches has been on the rise, and fines and penalties are being levied more frequently than in the past. The Department of Health & Human Services (DHHS) posts examples of resolutions including fines on their website. These initial audits are likely only the beginning of expanding regulatory oversight related to private health information.
Theodore Kobus III of Baker & Hostetler LLP, one of the national leaders of their Privacy, Security and Social Media Practice, advises the following regarding the current regulatory environment:
Data security extends beyond breach response and we are seeing an increasing number of regulatory investigations and fines stemming from how an organization responds to changes in its risks. A big part of being prepared includes understanding the nature and scope of the information you hold and how that data needs to be protected as risks in the organization evolve. For example, if you store data in an area that was once monitored by a security guard, but that area is now unoccupied, you may want to consider implementing other security measures.
Reducing The Exposure
In a previous article regarding lost laptops, we provided basic tips for handling a privacy breach.
With the type and volume of private health information that organizations in the healthcare arena touch, they are expected to take even more comprehensive steps to anticipate, prevent, respond to, and survive a breach. While many organizations are large enough to have entire departments dedicated to this issue, the complexity of the privacy laws means that, regardless of the organization's ability to dedicate resources, it is important to work with legal counsel that is solely focused on privacy related issues. Similarly, healthcare providers should also seek out specialized network security risk management providers who can help answer important questions like:
- Am I prepared to show that I took the proper steps before a data breach occurred?
- Do I have an effective incident response plan in place when there is a problem?
- Am I protecting digital records as well as paper records under the requirements of the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act?
- Are my vendors and business associates also in compliance with the proper standards?
Many insurers have existing relationships with computer forensic firms, notification vendors, credit monitoring providers, legal forensic firms, public relations firms and others to help navigate the huge distractions following a data breach. To this end, we have seen insureds purchase cyberliability coverage solely for the value-added services provided by the insurer. Many of these buyers feel that they can afford a security breach, but that they don't have the time to line up all the necessary critical response vendors if a breach occurs.
Neeraj Sahni of Kroll Advisory Solutions points out:
The ease of access to electronic data, anywhere-anytime, makes security a challenge as negligence leads to recurring data breaches. Preventive preparation is the most important loss control mechanism for any organization that has sensitive data. Thus waiting for a breach to occur is reactive and may incur more liability for any company. An incident response plan potentially helps lessen the impact of a breach. Also note, being compliant with security and privacy regulations does not provide assurance to an organization against a data breach.
Contractual Risk Transfer May Not Be Enough
Contracts with business associates and other trading partners may be part of the solution, but not the whole solution, as observed by Theodore Kobus III:
Many organizations think that a contract shifting liability to a third party is all that you need to protect the organization in the event that a vendor causes a breach. This type of protection is good, but it does not solve all of the organization's issues. Notwithstanding the public relations issues the organization may face after a breach by a vendor, laws such as HITECH and various state laws still hold the organization who owns the data ultimately responsible for the breach. Another consideration about shifting all responsibility for a breach to the vendor is the lack of control about the messaging after a breach occurs. Remember, even though the vendor may have caused the breach, these are still your customers and your reputation is at risk.
Mr. Kobus brings up a dangerous situation. If a healthcare provider has fully shifted post-breach responsibilities to a vendor that caused the breach, the treatment of its customers or patients is in the hands of the vendor. To shift financial responsibility is one thing, but the provision of post-breach services such as call centers and identity/credit services should remain in the healthcare provider's control. When it comes to the handling of an organization's reputation, the preferred approach is to proactively protect its reputation rather than scramble to restore it after a poorly handled data breach.
The Right Insurance To Survive A Breach
Healthcare providers and business associates should have their own policy to protect their organization. The company's own employees are a significant cause of data breaches, as are external hacks. The organization will not be able to unfailingly transfer that risk to other parties.
Organizations should also ensure their vendors have the financial assets or insurance to back up their contractual promises. If an entity is going to rely on a third party vendor to hold on to private health information for which they are responsible, they should be reviewing the vendor's professional liability insurance rather than just asking if they have a policy.
Types Of Risk Transfer Vehicles
Cyberliability is the generic description of the type of policy healthcare organizations will need. In a prior article, we went into some detail about what is available. Here are some of the typical insuring agreements in a Cyberliability policy:
- 1st Party Business Interruption — Covers lost business income in the event a virus infection or hacker shuts down your network.
- 1st Party Data Asset — Covers the expense to recover lost data and other expenses.
- Cyberextortion — Covers expenses and ransom if a hacker threatens your network or data.
- 3rd Party Network Security — Covers your liability when hackers use your system to inflict damage on others.
- 1st Party Privacy
- Notification Expenses — When data is lost, you must notify all potential victims within a very brief period of time and in accordance with the state laws where the potential victims reside.
- Forensic Expenses — The insurer will cover the expenses associated with bringing in computer experts to determine the cause of a breach and list of potential victims. Some insurers also cover legal forensic experts.
- Credit Monitoring — The insurer may cover one to two years of credit monitoring services for those exposed.
- Credit or Identity Repair Services — The insurer will cover the expenses for up to one year to restore compromised identities and repair a victim's credit rating following an actual identity theft.
- Crisis Management — Public Relations expense coverage to protect the image of the organization.
- Regulatory Defense and Expenses — Many new regulations exist related to the protection of confidential data. The insurance will provide defense cost coverage and in many cases cover fines, penalties and restitution funds levied by a regulatory body, where insurable. This coverage is designed to help healthcare organizations respond to actions brought by state agencies, state attorneys general, the Department of Health and Human Services, the Office of Civil Rights and other regulatory agencies.
There are now more than 30 different insurers with dedicated cyberliability policies, and no two insuring agreements are the same. It is important to be diligent in making sure the coverage sought is the coverage bought.
Conclusion
The current regulatory oversight and monetary implications surrounding a loss of private health information means that firms in the healthcare arena should be more aware than most of privacy enforcement and how to protect their clients, constituents, reputation, and organization.
1 A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate. (For more information, see hhs.gov.)