Covered entities should report cybersecurity threats, but no PHI disclosures

Cyber threats are becoming more and more common, both in general and specifically in the health sphere. The Department of Homeland Security operates the National Cybersecurity and Communications Integration Center (NCCIC), with four branches dedicated to protecting the right to privacy in the government, private sector, and international defense network communities. The US Computer Emergency Readiness Team (US-CERT) develops information on immediate threats and analyzes data gleaned from cybersecurity incidents.

As part of these efforts, health entities can report any suspicious activity or cybersecurity incidents to US-CERT. Disclosing cyber threat indicators, which include information such as malicious reconnaissance, security vulnerabilities, and methods of defeating controls or exploiting vulnerabilities, is intended to alert other entities to possible issues. This type of information sharing allows the federal government to better protect information systems and to maintain current alerts and reports on vulnerabilities on the US-CERT site.

HIPAA concerns

HHS recently clarified that entities subject to the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) may not disclose protected health information (PHI) for the purpose of sharing cyber threat indicators. This also applies to business associates. PHI may only be released under these circumstances if the disclosure is permitted under the Privacy Rule.

HHS noted that PHI is generally not included in cyber threat indicators, so prohibiting PHI disclosure in cyber threat reporting will typically not be an issue. Under the Privacy Rule, an entity could disclose PHI to law enforcement without the individual’s written authorization in order to comply with a court order or to alert and inform law enforcement as necessary regarding criminal activity. In some instances, an entity may report limited PHI. Entities may disclose to federal officials authorized to conduct national security activities or to protect the President. In all other circumstances that are not expressly included and permitted in the Privacy Rule, the entities must obtain authorization from the individual whose PHI is to be disclosed.

Highlight on New York: Insurers subject to first-in-nation cybersecurity regulations affecting financial institutions

The nation’s first cybersecurity regulations governing financial institutions, including insurers, take effect March 1, 2017 in New York state. Noting that “New York is the financial capital of the world,” Governor Andrew Cuomo (D) stressed the necessity of protecting consumers and financial systems from cyberattacks. The regulations require institutions to implement a cybersecurity program that includes regular assessments of information systems and the use of effective controls, require compliance by third-party vendors, and include more stringent governmental reporting requirements than the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

The regulations apply to anyone operating under the Banking Law, Insurance Law, or Financial Services Law and specifically pertain to “nonpublic information.” Only electronic information qualifies as nonpublic information, and it falls into three categories: protected health information (PHI) as understood under HIPAA; business-related information that could materially and adversely impact the entity’s business, operations, or security; and any information concerning an individual that, when combined with specific data elements, including but not limited to Social Security and driver’s license numbers, could identify the individual.

The regulations require covered entities to maintain a cybersecurity program based upon a required risk assessment. Risk assessments must be conducted on a “periodic” basis and “updated as reasonably necessary.” Entities must implement and maintain written cybersecurity policies, including policies governing the management and recurrent assessment of vendors and third-party service providers, and policies providing for the secure and periodic disposal of nonpublic information that is no longer necessary for business operations or other legitimate business purposes. They must also designate a chief information security officer (CISO), who may be employed by the entity, an affiliate, or a third-party service provider, and who will provide a written report to the covered entity’s board of directors at least annually.

While HIPAA does not require penetration testing, the New York regulations require annual testing and biannual vulnerability assessments, unless covered entities have in effect some other type of continuous monitoring or other system to detect changes in information systems that could create or suggest vulnerabilities. The regulations specifically require entities to limit user access privileges to nonpublic information and to periodically review those privileges. They also require multi-factor authentication whenever an individual accesses the entity’s internal network from an external network, unless the CISO has approved controls in writing that are at least reasonably equivalent. Encryption is required for all nonpublic information held or transmitted by the entity; if encryption is not feasible, the CISO must review and approve “alternative compensating controls” and review them at least annually.

Certain requirements do not apply to entities with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end total assets.

The regulations define a “cybersecurity event” as an act or attempt, successful or not, to gain unauthorized access to, or to disrupt or misuse, an information system or the information stored in the system. Written incident response plans for cybersecurity events must detail the response process and its goals, including “the definition of clear roles, responsibilities and levels of decision-making authority.” Requirements for reporting to government entities are much stricter than those under the HIPAA Breach Notification Rule, which requires entities to report breaches affecting 500 or more individuals to the HHS Secretary “without unreasonable delay,” but no more than 60 days after discovery of the breach, or, for breaches affecting fewer than 500 individuals, within 60 days of the end of the calendar year in which the breach occurred. The New York regulations, in contrast, require entities that are otherwise required to provide notice to a government agency, self-regulatory agency, or supervisory body, or that believe a cybersecurity event is reasonably likely to materially harm the entity’s normal operations, to notify the Superintendent of the New York Department of Financial Services as soon as possible, but no more than 72 hours after determining that the event occurred.


Hackers to focus on hospitals in 2017

Hackers will target the health care sector above all others in 2017, with their focus shifting from insurers to hospitals, predicts Experian® Data Breach Resolution. The company’s fourth annual Data Breach Industry Forecast also indicates that ransomware will be an increased threat to hospitals. It suggests that “nation-state” cyberattacks will increase, with at least one significant incident in 2017, and that passwords will be phased out in favor of two-factor authentication.

Hospital focus

In 2015, four of the six data breaches reported to the HHS Office for Civil Rights (OCR) affecting more than one million individuals targeted health care insurance companies. As a result, Michael Bruemmer, vice president of Experian Data Breach Resolution, noted that many insurers “doubled down on defenses.” Protected health information (PHI) remains a lucrative source of data for hackers, but the report suggests that hackers will seek this information from hospitals, in lieu of insurers, in 2017. Bruemmer noted that hospitals “tend to be more decentralized, making their cybersecurity defenses easier to penetrate.” Electronic health records (EHRs), in particular, are targeted because they are accessible by various entities and individuals. The report predicts that ransomware, which encrypts data and effectively prevents providers from using it unless they pay a ransom, will increase, and may shift from simply locking systems in exchange for money to actually stealing data. At any rate, recent OCR guidance on ransomware makes it likely to be a more publicized topic in 2017 (see Data for ransom: OCR offers ransomware guidance).

Nation-state attacks

The report also anticipates an escalation in cyberattacks between nation-states in 2017, noting that both U.S. presidential candidates discussed the issue in 2016. Although Bruemmer noted in December that the incoming Trump administration’s cyberweapons policy is unclear, he anticipates “a publicly observable action in the near future” and thus recommends that the administration “shor[e] up its defense mechanisms and identify[ ] vulnerabilities.” Amidst heated discussions on both sides regarding Russia’s alleged interference with the recent U.S. presidential election, President-elect Trump appointed Thomas P. Bossert as Assistant to the President for Homeland Security and Counterterrorism. Bossert indicated, “We must work toward cyber doctrine that reflects the wisdom of free markets, private competition and the important but limited role of government,” and noted, “The internet is a U.S. invention,” that should reflect the nation’s values “as it continues to transform the future for all nations and all generations.” The president-elect, recently reflecting on cybersecurity, noted “no computer is safe.”

Death of the password?

The report also predicts that individual passwords will be phased out, in all industries, in favor of two-factor authentication, which requires a secondary form of authentication before allowing access to systems and networks. It lists tokens, geolocation confirmation, and biometrics as examples of secondary authentication. Individuals’ use of the same password for various accounts can lead to “aftershock” breaches, which occur when a password compromised in one breach is used to break into another network in the future. Experian Data Breach Resolution suggests that health care organizations will be forced to use two-factor authentication to protect against aftershocks.

Kusserow on Compliance: 2016 ransomware and HIPAA data breaches

The HHS Office for Civil Rights (OCR) continues to report that most Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Privacy Rule violations reported to it were due to unauthorized access or disclosure, but cyber attacks are now a close second. Cyber attacks have been very significant in the last couple of years, with the number of such breaches rising to dramatic levels during 2016. The OCR reported at the end of November that scammers were using fake OCR emails to advance their schemes. No one knows for sure how many data breaches occur, but from what is known, the number may average more than one per day. The broad category of data breaches includes actions by those inside the organization, as well as external attacks including phishing, hacking, and ransomware. The most disturbing trend involves ransomware, which typically involves a sophisticated computer virus introduced into a victim’s system that encrypts the system’s data. The attackers threaten to delete the private key needed to decrypt the files unless the owners of the information pay a ransom, typically in an untraceable digital currency such as Bitcoin. Health care industry stakeholders, particularly hospitals, have proven to be soft targets, as they need immediate access to their patient information, and many have paid the ransom to regain control over it. There have been some major payouts by health care organizations to regain control over their data and information.

Dr. Cornelia Dorfschmid, a national expert on the subject of ransomware attacks, notes they have been growing as an internet threat for more than a decade, but have only recently become prominent in health care. The health care sector is considered a soft target, particularly hospitals, which are the perfect mark for this kind of extortion in that they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives, and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.

Tom Herrmann, J.D., explained that both the OCR and CMS found that many questioned whether ransomware attacks were even reportable HIPAA breaches. The reasoning was that the attackers have no interest in accessing, copying, exfiltrating, or exporting the files they capture; they just want to hold the files out of their target’s control until they are paid. Both CMS and the OCR disagreed and took the position that such an attack is also likely a data breach that must be reported like any HIPAA violation. In July, the OCR then released guidance making clear that a ransomware attack is a reportable security incident and must be publicly reported in a timely manner, or the covered entity or business associate will face severe penalties. Since the release of the OCR guidance, there has been a continued increase in the number of reported attacks. Some of that increase may be a result of some health care organizations having treated the payment of ransom as simply the price of doing business. They can no longer do that without risking severe penalties, and the OCR has been entering into very large settlements, many of which have been over $1 million. A recent example of this enforcement effort is the University of Massachusetts’ $650,000 HIPAA settlement after a breach of unsecured protected health information (PHI), in which the OCR found a number of security and compliance gaps, including the absence of firewalls, as well as failure to meet basic HIPAA security requirements, including conducting thorough organization-wide risk analyses, properly training staff, and implementing applicable policies and procedures.

OCR guidance to prevent data breaches and ransomware attacks

The OCR guidance discusses:

  • conducting a risk analysis to identify threats and vulnerabilities to electronic PHI (ePHI);
  • establishing ways to mitigate or remediate these identified risks;
  • implementing procedures to take precautions against malware;
  • training users to detect malware and report such detections;
  • limiting access to PHI to people and software requiring such access;
  • maintaining disaster recovery, emergency operations, frequent data backups, and practice restorations.

The fact is that organizations have tools available that can strengthen security and may just need to address a basic lack of security measures.


To protect against ransomware, organizations should:

  • train employees to understand that breaches often occur when they open an email link or attachment, or respond to “phishing” inquiries;
  • conduct an ePHI vulnerabilities assessment and mitigate or remediate identified risks;
  • address any lack of security technology protecting data and information, including firewalls, email, or web traffic filters;
  • focus security efforts on the most critical files, such as patient records;
  • consider using passphrases rather than passwords;
  • develop and implement policies and procedures on how to take precautions against malware;
  • limit access to PHI to people and software requiring such access;
  • maintain disaster recovery, emergency operations, and frequent data backups to permit restoration of lost data in case of an attack;
  • configure email servers to block zip or other files that are likely to be malicious;
  • move quickly on any report of an attack to prevent the malware from spreading, by disconnecting infected systems from a network, disabling Wi-Fi, and removing USB sticks or external hard drives connected to an infected computer system; and
  • limit those who can access files on a single server, so that if a server gets infected, it won’t spread to everyone.
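The OCR list above calls for procedures that take precautions against malware, and the ransomware list calls for mail servers that block zip and other likely-malicious files. Neither shows what such a check looks like, so here is an added example written for this page (not the OCR’s guidance and not any real gateway product): a Python attachment inspector built on the standard library `email` module. It refuses attachments by extension, flags double extensions such as `invoice.pdf.zip`, and catches a zip archive renamed to look like a document by checking the file’s leading bytes rather than trusting its name. The extension lists, addresses, and message contents are constructed assumptions for illustration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Illustrative policy lists (assumed for this example, not from the OCR guidance).
BLOCKED_EXTENSIONS = {".zip", ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".iso", ".jar"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Formats that are legitimately zip containers, so zip magic bytes under them are expected.
ZIP_BASED_EXTENSIONS = {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".odt", ".ods"}
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")   # local file header / empty archive
MZ_MAGIC = b"MZ"                              # DOS/PE executable header


def attachment_findings(raw_message: bytes) -> list:
    """Return (filename, reason) pairs for every attachment that trips a rule."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if isinstance(data, str):            # text/* attachments decode to str
            data = data.encode("utf-8", "replace")
        suffixes = PurePosixPath(name.lower()).suffixes
        ext = suffixes[-1] if suffixes else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {ext}"))
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTENSIONS:
            findings.append((name, "double extension"))   # e.g. invoice.pdf.zip
        if data.startswith(ZIP_MAGIC) and ext not in ZIP_BASED_EXTENSIONS:
            findings.append((name, f"zip archive disguised as {ext or 'no extension'}"))
        if data.startswith(MZ_MAGIC):
            findings.append((name, "Windows executable header"))
    return findings


def should_quarantine(raw_message: bytes) -> bool:
    """Gateway decision: hold the message if any attachment produced a finding."""
    return bool(attachment_findings(raw_message))


def build_message(attachments) -> bytes:
    """Construct a sample multipart message; addresses and payloads are made up."""
    msg = EmailMessage()
    msg["From"] = "billing@vendor.example"
    msg["To"] = "records@hospital.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    for filename, subtype, payload in attachments:
        msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: a zip with a double extension, zip bytes under a .pdf name, and a
# harmless-looking PDF header.
SUSPICIOUS_MESSAGE = build_message([
    ("invoice.pdf.zip", "octet-stream", b"PK\x03\x04" + b"\x00" * 26),
    ("statement.pdf", "pdf", b"PK\x03\x04" + b"\x00" * 26),
    ("report.pdf", "pdf", b"%PDF-1.4\n%constructed sample\n"),
])
CLEAN_MESSAGE = build_message([
    ("report.pdf", "pdf", b"%PDF-1.4\n%constructed sample\n"),
])

if __name__ == "__main__":
    for name, reason in attachment_findings(SUSPICIOUS_MESSAGE):
        print(f"quarantine {name}: {reason}")
```

The magic-byte check is the part worth keeping: an extension blocklist alone is defeated by renaming, while the leading bytes of an archive or executable are what the receiving program actually acts on. Office documents are themselves zip containers, which is why the disguised-archive rule exempts those extensions rather than flagging every `.docx`.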

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.



Copyright © 2016 Strategic Management Services, LLC. Published with permission.