HHS says sharing is preparing for cybersecurity threats

Cyber threat information sharing can help efforts to prevent, detect, and respond to cyber-attacks, according to the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Assistant Secretary for Preparedness and Response (ASPR). Premised on the belief that health system preparedness requires knowledge of up-to-date threat information, the ONC and ASPR issued two funding opportunities to develop an Information Sharing and Analysis Organization (ISAO) for the health care sector.

Cyber Threats

As the health system becomes digital and health information takes on an increasingly electronic format, cyber threats have become a regular burden for health systems. Despite the growing threat, many components of the health care system lack the technological abilities to identify and protect themselves from cyber threats. Under the Cybersecurity Information Sharing Act (CISA) agencies, like HHS, were directed to develop tools that can help with the sharing of cybersecurity threat risks. Prior to the CISA, Executive Order 13691, signed on February 13, 2015, encouraged information sharing related to cyber threats between the government and private sector.

Recent Threats

Although some governmental efforts have focused on preparedness, data breaches continue to be a burden for the health care industry. This summer, Banner Health reported a cyberattack potentially affecting the protected health information (PHI) and payment card data of 3.7 million patients. The breach resulted from a hack of Banner’s point-of-sale systems, which may have been connected to its clinical systems. Such a lack of segmentation may have contributed to the breach. Segmentation is the segregation of a network into areas that limit access to only those people, servers, and applications that need it, as a method of preventing hackers who enter part of a system from gaining complete control. However, the threat of cyber-attack reaches far beyond Banner Health. The scope of cyber threats is readily apparent from HHS’ “wall of shame,” which lists all of the breaches affecting 500 or more people that have been reported to the Office for Civil Rights (OCR).


The idea behind the ISAO is to allow organizations with greater cyber threat knowledge to share their understanding with less-equipped organizations. For example, with greater information sharing regarding the risks of inadequate segmentation, perhaps the scope of the Banner breach could have been mitigated. HHS hopes that by sharing information between HHS and the health care and public health sector, the capacity to better prevent, detect and respond to cyber-attacks will improve. The funding directs an ISAO to:

  • provide cybersecurity information and education on cyber threats affecting the healthcare and public health sector,
  • expand outreach and education activities to assure that information about cybersecurity awareness is available to the entire healthcare and public health sector,
  • equip stakeholders to take action in response to cyber threat information, and
  • facilitate information sharing widely within the healthcare and public health sector regardless of the size of the organization.

HHS hopes its combined funding opportunities—$250,000 that can be renewed for up to five years—will help spread cyber threat information among industry stakeholders and federal partners.


Oregon university pays $2.7M, agrees to corrective action plan following breaches

Data breaches affecting thousands of people have resulted in Oregon Health & Science University (OHSU) settling with HHS to resolve allegations of potential Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations. The settlement includes a $2.7 million payment as well as the implementation of a corrective action plan (CAP). The HHS Office for Civil Rights (OCR) stated that OHSU failed to correct system security issues despite several opportunities to do so.

Risk analysis and breaches

Between 2003 and 2013, OHSU performed six risk analyses that did not cover all electronic protected health information (ePHI) as required. Despite this limitation, widespread vulnerabilities were identified. OHSU did not properly implement security measures to address these issues and failed to create policies and procedures to allow the university to prevent, detect, and address security violations. Risk analysis revealed that lack of encryption was a vulnerability, but ePHI was still not encrypted.

As a result of OHSU’s inaction, several breaches occurred. Unencrypted laptops and a stolen unencrypted thumb drive resulted in several breaches. Protected information about thousands of people was stored on a cloud server without a proper security agreement. Over a thousand people had a diagnosis of a sensitive nature, presenting a significant risk of harm. This server also contained payment information, photos, Social Security numbers, driver’s license numbers, and procedures.

Resolution agreement

OHSU’s resolution agreement with HHS establishes OHSU’s responsibility to implement the CAP and pay the fee. In exchange, HHS releases OHSU from actions the agency could take due to the confidentiality issues. The CAP places various obligations on OHSU, starting with a thorough assessment of all risks and vulnerabilities to ePHI at all facilities, including all systems, networks, and devices that handle ePHI. A risk management plan must be created for implementing security measures and submitted to HHS for review and approval. HHS must also receive regular updates about encryption status and updates regarding OHSU’s compliance under the CAP.

Data for ransom: OCR offers ransomware guidance

Hackers throughout the world are kidnapping data and holding it for ransom, requiring the lawful data holders to pay large sums of money–often in cryptocurrency, such as Bitcoin–if they want it back. Attacks have increased by 300 percent, from 1,000 per day in 2015 to 4,000 per day in early 2016. HHS, in conjunction with the U.S. Departments of Homeland Security and Justice, recently disseminated guidance about protecting networks from ransomware and responding to attacks (see Lawmakers, agencies raise specter of ransomware threats to cybersecurity, Health Law Daily, June 30, 2016). An attack on protected health information (PHI) can have particular ramifications for covered entities (CEs) and business associates (BAs) pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P.L. 104-191) Security and Breach Notification rules. As a result, the HHS Office for Civil Rights has issued its own fact sheet on the intersection of ransomware and HIPAA and ways CEs and providers can protect themselves and mitigate damages.


In ransomware attacks, hackers infect systems with malicious software that encrypts data and makes it inaccessible to authorized users; they then insist on ransom payment in exchange for a key that will decrypt the data. In some instances, however, ransomware may destroy or exfiltrate data, transferring it elsewhere. The OCR notes that basic Security Rule compliance will help CEs and BAs prevent ransomware attacks. Organizations should already be performing risk analyses to identify threats and vulnerabilities and implementing procedures and other measures to prevent attacks, which include training users about malicious software and limiting access to only those people requiring access to electronic PHI (ePHI).

Ransomware attacks often go undetected until a hacker contacts an entity, demanding payment. However, workforce members should be trained to look for early signs of an attack, including knowledge that they have clicked on a link, opened an attachment, or visited a website that is potentially malicious; an increase in central processing unit (CPU) and disk activity for no apparent reason; an inability to access certain files; and suspicious network communications.

Frequent data backups can prevent day-to-day operations from coming to a halt in the event of an attack. The OCR recommends that organizations maintain backups offline in order to make them inaccessible from their networks. The agency highlighted the importance of performing periodic test restorations to ensure that an entity would be able to restore data that has been backed up should an attack occur. Pursuant to the HIPAA Security Rule, entities should have security incident response procedures in place in order to address various types of security incidents; in the case of ransomware, the procedures should allow them to quickly detect and analyze the ransomware, contain the impact, eradicate the ransomware, and restore lost data. The presence of ransomware is a security incident pursuant to the Security Rule, and entities must initiate security incident response and reporting procedures (see 45 C.F.R. secs. 164.304, 164.308(a)(6)).

Breach notification

Covered entities and BAs must determine on a case-by-case basis whether the presence of ransomware constitutes a reportable breach under the Breach Notification Rule (see 45 C.F.R. 164.402) or whether there is a low probability that the PHI has been compromised (see 45 C.F.R. 164.402(2)). In the event that ePHI was encrypted prior to the attack to the extent that it is not considered “unsecured,” there is no requirement to conduct an assessment as to the probability of compromise or to notify individuals and entities of a breach. However, organizations must be sure that the encryption is truly effective. For example, a full disk encryption solution may make data on a hard drive unreadable to unauthorized parties if the system is powered down. However, that same data may be accessible in the event that the hard drive is in use by an authorized user who performs an action infecting the computer with ransomware.

Organizations must be prepared to fend off and respond to ransomware attacks. The OCR wants to be sure these entities are ready when faced with a choice between their money and their PHI.

Supreme Court remand may signal end for data breach class actions

The Supreme Court’s decision to remand a Fair Credit Reporting Act (FCRA) case to the Ninth Circuit Court of Appeals may affect the future of class actions brought by victims of health care data breaches.  The High Court told the Ninth Circuit to determine whether the respondent in Spokeo, Inc. v. Robins (May 16, 2016) sustained a concrete injury for purposes of proceeding with FCRA allegations based on Spokeo’s alleged dissemination of incorrect information about the respondent.  The opinion emphasized the importance of the concreteness element of the injury-in-fact requirement of standing, and could endanger lawsuits filed by data breach victims based on impending injuries.


The respondent alleged that while he was “out of work” and “actively seeking employment,” Spokeo, a website that calls itself a “people search engine,” posted misinformation about him that was detrimental to his job search. Specifically, he claimed that the misinformation stating that he was married with children, employed, and in “very strong” economic health made him appear overqualified for work, desirous of a higher salary, and unwilling to travel or relocate. He alleged that Spokeo’s actions violated the FCRA, which requires consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy.”

A district court determined that the respondent did not have standing to sue, but the Ninth Circuit reversed, noting that Spokeo violated the respondent’s individual statutory rights and that his interests regarding how his credit information was handled were “individualized rather than collective.”  Writing for the majority, Justice Alito noted that standing requires an injury in fact that is both “concrete and particularized,” in addition to being “actual or imminent.” While the Ninth Circuit’s analysis concluded that the respondent’s injury was particularized, affecting him “in a personal and individual way,” the Supreme Court determined that the appellate court did not perform a separate analysis to determine whether the injury was concrete, with Justice Alito noting that “not all inaccuracies cause harm or present any material risk of harm.” He also noted, however, that concrete injuries may be tangible or intangible.  Justice Thomas concurred, while Justice Ginsburg, joined by Justice Sotomayor, dissented.

Health care ramifications

The Supreme Court’s view on concreteness could affect the ability of data breach victims to file class actions against the entities that held their protected health information (PHI). Prior cases have dealt with the “actual or imminent” aspects of alleged injuries, with circuits disagreeing with one another. In 2015, for example, the U.S. Court of Appeals for the Seventh Circuit determined that retail customers whose credit card information had been hacked were subject to a “certainly impending” risk of future injury involving fraudulent charges and identity theft, even though they had not actually fallen victim to those actions (see Credit hacking case opens door to health care class actions, August 11, 2015). It issued a similar decision in 2016 in Lewert v. P.F. Chang’s China Bistro, Inc. (April 14, 2016), another credit hacking case, noting that the injuries were concrete.

In Khan v. Children’s National Health System (May 18, 2016), decided after Spokeo, the U.S. District Court for the District of Maryland determined that the plaintiff did not have an injury in fact. It noted that, in the context of data breaches, victims allege “an injury in fact arising from increased identity theft if they put forth facts that provide either (1) actual examples of the use of the fruits of the data breach for identity theft, even if involving other victims; or (2) a clear indication that the data breach was for the purpose of using the plaintiffs’ personal data to engage in identity fraud.” In Khan, phishing emails targeted the email accounts of a hospital system’s employees, which happened to contain some PHI, but the court found no evidence that hackers targeted PHI for the purpose of committing identity fraud. The Khan court noted that the majority of district courts follow this line of reasoning. Stakeholders should follow the Spokeo case, as the ultimate decision may be an indication of the future trend of data breach class actions.