Web-Tones

The purpose of this group is to discuss and share knowledge related to the EU's General Data Protection Regulation ("GDPR"). One way to think about the GDPR is "HIPAA for everyone," especially if you are in the EU OR, more importantly from our perspective, you are an American company that is doing business in the EU or wants to do business in the EU. The GDPR protects "personal data" of "data subjects" which is something akin to what the FTC regulates as personally identifiable information ("PII"), but not exactly. Personal data from the EU's perspective is much broader. The GDPR becomes law in May 2018 and will have a massive impact (understatement) pursuant to how business is conducted in the EU going forward!

You can signup for the group here: https://www.linkedin.com/groups/12087020

At the HIPAA Survival Guide and the Digital Business Law Group we are starting to grapple with the much broader question of when state laws require breach notification. As the NCSL states in their overview on this topic: 

Forty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.

Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/ information brokers, government entities, etc); definitions of “personal information” (e.g., name combined with SSN, drivers license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).

All but Alabama and South Dakota currently have state data breach laws. We are confident that the latter are soon to follow. So, as is obvious to us veterans, a data breach almost always implicates both state and federal law. Further, depending on where the entity responsible for the breach does business, it is almost always more than one state law that is implicated. Although the state data breach laws tend to be similar, they are by no means "harmonized;" which means each one is a special use case. For example, apparently Connecticut requires notification in five days, while many states require notification in 45 days; both are more stringent than HIPAA that requires notification to HHS in 60 days if a certain threshold of records is exceeded.

Also, like HIPAA, many state laws provide a "safe harbor" of sensitive data (our term) if it is encrypted according to certain (usually) government standard protocols (e.g. NIST). Although most states do not mandate encryption of sensitive data, at least one state apparently does, see the quote below.

The following quote come from this somewhat dated but still useful (circa 2014) White Paper:

Other states such as Massachusetts have passed laws which expressly require the encryption of electronically communicated personal data. Section 17.04 of Law 201 CMR 17.00 requires the implementation of adequate computer system security measures to protect personal data which includes ‘encryption of all transmitted records and files containing personal information that will travel across public networks or wirelessly’ and ‘encryption for all personal information stored on laptops or portable devices’.

Attached is a PDF on critical decision points that some of you may find useful. As always we welcome all feedback in this topic!

The notion of "Criticality Analysis" is NOT foreign to the HIPAA Security Rule ("SR"). The SR addresses (in part) this requirement as part of the implementation specifications for the Contingency Standard in the Administrative Safeguards: 164-308(a)(7)(ii)(E); which states "Assess the relative criticality of specific applications and data in support of other contingency plan components.

http://www.hipaasurvivalguide.com/hipaa-regulations/164-308.php#a-7-ii-e

However, what NIST is recommending  (currently in draft form) is much broader than just "Applications." Its model discusses (paraphrasing): systems, sub-systems, systems of systems, supply chains, etc. etc. and appears to introduce a concept long missing from the SR which is addressing "single points of failure." The SR "gets at" this concept in a roundabout way but not directly. NIST continues to be a super valuable resource and is a good example of your tax dollars at work!

 As promised here are the 2017 & 2016 HHS CMP numbers: Download HHS CMPs. These two years account for over $28M of "revenue" for HHS. Remember that the HITECH Act gave HHS a virtual $$ machine by allowing it to keep all revenue generated in its own coffers for additional enforcement. The $$ quote is as follows:

Subject to the regulation promulgated pursuant to paragraph (3), any civil monetary penalty or monetary settlement collected with respect to an offense punishable under this subtitle or section 1176 of the Social Security Act (42 U.S.C. 1320d–5) insofar as such section relates to privacy or security shall be transferred to the Office for Civil Rights of the Department of Health and Human Services to be used for purposes of enforcing the provisions of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act. [Emphasis Added].

Needless to say that HHS is not short on cash for enforcement. In fact, it would not surprise me if other agencies within the Federal Government aren't anxious to get their hands on this money. Here's the thing, the Feds are hungry for cash. Despite the Trump administration's rhetoric about less regulation, don't expect that it will kill this golden goose for several reasons: (1) there's consensus that cybersecurity is national security; and (2) the administration writ large has to love a mechanism that raises cash without raising taxes.

In short, HIPAA enforcement is alive and well. In fact, if the number of ransomware attacks increase dramatically (which they will) it would not surprise me to see HHS go "full frontal" on enforcement. Sooner or later (more likely sooner) someone is going to die because of a ransomware attack on the healthcare industry. HHS would probably like to get out ahead of the enforcement curve so that recriminations about lax enforcement can be rebutted.

FREE Webinar

Healthcare's cybersecurity status quo has been destroyed by a confluence of factors. We are now 17 years into the 21st century and the healthcare industry writ large has somehow managed to hold on to a minimalist cybersecurity posture that is two decades old. In Internet time this is equivalent to about 100 years. Despite a slew of continuous breaches and civil monetary penalties imposed by HHS, not much seemed to move the needle. However, the days where healthcare can continue to stick its collective head in the sand are quickly fading.

The real dangers posed by WannaCry and Petya, and the tsunami of similar ransomware attacks that are sure to follow, has awoken the healthcare masses to the fact that maybe this "cybersecurity thing" is not just Big Brother looking over their shoulder, but rather simply the cost of doing business in the 21st century. David Harlow's recent article nails it. The $$ quote follows:

Ransomware poses an existential threat to data security and operations in an era of electronic health records, integrated health data management systems and connected medical devices. As a result, it puts every person’s health and safety at risk.

That is not hyperbole. Cyberextortionists in May unleashed WannaCry ransomware on the general public, affecting hundreds of thousands of computers in 150 countries, including those at many National Health Service hospitals and clinics in the United Kingdom. The healthcare industry likely was not deliberately attacked, but instead was a target of opportunity, reached through links to malware distributed by email.

Going forward it is likely that the healthcare industry will be deliberately attacked because, as Willie Sutton infamously said: "That's where the $$ is." PHI is an obvious target of opportunity, not only for the purposes of extortion, but because allegedly the data itself is worth a significant amount of money on the black market (e.g. for identity fraud and other nefarious reasons).

The existential threat that David refers to above has the power to destroy reputations and result in millions (if not tens of millions) of dollars in costs and penalties, including class action litigation that is likely to, sooner rather than later, overcome the "what's the harm" threshold that has stymied prior suits from moving forward on a negligence theory (HIPAA having no private right of action; only HHS and State AGs can bring actions).

Finally, the generational gap where the "old grumpy docs" refused to comply as a matter of principle is also fading. None of us escapes the ravages of time, and the younger generation of healthcare executives, having grown up "digital," have a more holistic understanding of the risks, and therefore are better positioned to mitigate, including expanding compliance and information technology budgets commensurate with the existential threat.

This is not hyperbole and this is NOT Your Daddy's HIPAA anymore! 

That question is so broad that it can only be answered succinctly in the abstract. However for our purpose such a definition should work just fine. One such definition follows: "Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security."

- See more at: http://www.lawtechtv.com/home/2017/06/you-can-see-the-full-text-of-guidance-here-the-takeaway-from-hhs-guidance-post-wannacry-can-be-summarized-as-1-contingency.html#sthash.kQOU5BgU.dpuf