By Richard Blunk and Eric Armstrong
Many healthcare executives believe that complying with the express cyber security safeguards set out in the so-called "HIPAA Security Rule" is relatively straightforward and will protect their covered entity from civil liability and administrative action. Unfortunately, this is not necessarily the case and, in many instances, compliance with the express safeguards is only the first step toward establishing and maintaining the required "reasonable" cyber security program.
The HIPAA Security Rule requires covered entities to implement "appropriate" security measures and to maintain those precautions in a manner that is both "continuous" and "reasonable" in order to protect electronic protected health information ("e-PHI"). To guide efforts to meet these laudable but highly elastic standards, the Rule identifies two different types of implementation specifications, an attempt that is, regrettably, only partially successful.
First, all HIPAA-compliant programs must take the “required” precautions delineated in the HIPAA Security Rule. This classification includes items such as risk analysis and management, the implementation of an employee sanctions policy for violations, information system activity review, the designation of a point person who is responsible for compliance, security incident procedures, contingency planning, system evaluation, workstation use, e-PHI disposal, unique user identification, and emergency access procedures.
But even this direction comes with a good bit of flexibility and discretion, since the HIPAA Security Rule does not mandate the specific technology that must be used to implement these steps. Covered entities may use any security measures that are reasonable and appropriate in the individual covered entity's situation to protect against reasonably anticipated threats or hazards to the security and integrity of e-PHI. Reaching that decision requires thoughtful consideration of several factors: the size, complexity and capabilities of the covered entity; its technical infrastructure and hardware and software security capabilities; the cost of potential security precautions; and the probability and magnitude of the risks of inappropriate access to, or use and disclosure of, e-PHI.
The HIPAA Security Rule further complicates compliance efforts by designating several other types of actions as merely "addressable." Addressable components range from workforce authorization, supervision, clearance and termination procedures; access authorization, establishment and modification; protection from malicious software; log-in monitoring; password management; facility access control and validation procedures; accountability for devices and other media; encryption; and various integrity controls.
Covered entities are not strictly required to implement these actions, but "addressable" does not mean "optional." A covered entity must assess whether each addressable specification is a reasonable and appropriate safeguard that would contribute to the protection of e-PHI, implement the specifications that are, and document the rationale (and any equivalent alternative measure adopted) for those it decides not to implement.
The search for the elusive "reasonable" cyber security program frequently involves efforts to comply with a generally accepted "industry standard" other than the HIPAA Security Rule itself. The National Institute of Standards and Technology (NIST) has offered a rigorous methodology for conducting the risk assessment that is the very heart of the HIPAA Security Rule, and its HIPAA-specific guide (NIST Special Publication 800-66) maps the Rule's specifications to that methodology. Other NIST publications provide helpful guidance on specific administrative, physical and technical "safeguards," as well as on organizational, policy, procedural and documentation requirements.
The stated goal of this risk management function, to provide "the right security controls to the right information system at the right time to adequately protect the critical and sensitive information, missions and business functions" of a covered entity, shows the need for flexibility so that new technologies may improve the "quality and efficiency of patient care." Helpful, to be sure, but not a safe harbor on which the "reasonable" cyber security program may confidently be based.
Unfortunately, the results of recent enforcement actions by the US Department of Health and Human Services Office for Civil Rights (OCR) do not provide much clarity either. For example, OCR obtained a $4.8 million settlement with New York Presbyterian Hospital and Columbia University Medical Center after an errant reconfiguration of a server exposed e-PHI stored on their system to Internet search engines. A careful reading of the settlement documents, however, provides little detail on the specific deficiencies found or on the ongoing compliance actions required by OCR.
Nor does recent case law provide much direction. In fact, several recent decisions have found that the HIPAA Security Rule can serve as the standard of care in negligence actions, which enables plaintiffs to sue for breaches of those requirements. This trend represents a potentially significant expansion of the types of plaintiffs who can bring such actions, since HIPAA, which has no express private right of action, had traditionally been enforced solely by regulators and the government.
But let's assume for the moment that your organization can identify and implement all of the requirements that are necessary in order to have a "reasonable" cyber security system today. Security threats are multiplying and morphing at an increasing rate, with increasing complexity and damage. The market continues to provide new or additional protection, but at a cost. How then do you convince your CFO, who is trying to allocate frequently scarce corporate resources across the entire enterprise, to continue to invest in all of this new cyber security technology when no one can definitively prove that these additional expenditures will prevent any future breach?
But for the sake of argument, let’s assume that your CFO understands the need for, and continues to fund, these enhancements to your current cyber security system so that you continue to comply with the “industry standard.” Does this mean that you’re finally OK and can look forward to a good night’s sleep at last? No, not necessarily.
At least one older case has held that complying with the industry standard is not always reasonable and, as such, does not necessarily provide a shield against liability for negligence. In the "T.J. Hooper" case, the court held that tugboat operators could be liable for the loss of the barges they were towing in a storm because the tugs did not carry available and cheap radio receivers that would have picked up the weather warnings, even though the industry did not generally equip tugs with radios at the time. What new technology will future plaintiffs' lawyers cite as the basis for imposing liability even when the defendant has satisfied the "industry standard"? Said differently, must your IT budget continue to suffer the "death of a thousand cuts" as new precautions are rolled out but not yet generally adopted?
The express and repeated application of T.J. Hooper to HIPAA cyber security compliance is far from certain. However, the rationale underlying the case remains available for use in both the courtroom and administrative actions. Healthcare executives and their directors should make sure that their CIOs keep this risk in mind as the amounts spent on HIPAA cyber security compliance continue to grow rapidly, even with no guarantee that the resulting program will be found compliant.
Mr. Blunk is Managing Director and General Counsel of Thermopylae Ventures, LLC, a Dallas-based alternative investment group with interests in cyber security, intellectual property monetization, alternative litigation finance, fire retardants, Internet addresses, inbound foreign investment and Texas real estate.
Mr. Armstrong is Controller and Compliance Manager of Virdatint, Inc., a Dallas-based software company that provides a comprehensive distributed data virtualization, federation, integration, master data management, analytics, and security platform in which the data remains in its original source and format.