A Prescription for Protecting Patients

January 14, 2019

A team of HHS and health care experts issues some guidelines to keep medical records out of the wrong hands

Introduction

Every business is vulnerable to cyberattacks, but health care companies are entrusted with people’s most sensitive information. For that reason, they present a particularly attractive target to cybercriminals. The U.S. health care industry lost at least $6.2 billion in 2016 because of data breaches.¹ It has also been estimated that over 2,100 patients die each year as a result of data breaches, because of the remediation, regulatory inquiries and litigation which often lead to care quality problems.²

In an effort to help health care professionals safeguard medical records, on December 28, 2018, the Department of Health and Human Services (HHS) released a four-volume document entitled “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients.” The HICP is a joint effort by HHS and an industry-led task group convened under Section 405(d) of the Cybersecurity Act of 2015 (click here to read our previous alert on the task group’s report). It offers practical, cost-effective recommendations for voluntary actions to address cybersecurity concerns in the health care industry.

The best practices seek to achieve three stated core goals:

Cost-effectively reduce cybersecurity risks for a range of health care organizations;
Support the voluntary adoption and implementation of the HICP’s specific cybersecurity practices; and
Ensure, on an ongoing basis, that content is actionable, practical, and relevant to health care stakeholders of every size and resource level.

The HICP supports this process by making it simple for organizations to understand the task group’s recommendations and how to adapt them in practice. The first of the four HICP volumes is the so-called Main Document, which lays the groundwork for the two Technical Volumes (one for small organizations, and one for medium and large organizations); the fourth volume is for the appendices, which contain helpful resources and templates for health care organizations.

Overview

Main Document

The HICP’s first volume provides an overview of cybersecurity threats to the health care industry and a roadmap for the Technical Volumes’ recommendations. Because the HICP offers different recommendations for small, medium, and large organizations, this first volume lays out criteria to help organizations determine which recommendations apply to them. In general, small organizations are defined as those without IT and security staff dedicated to implementing cybersecurity practices. Medium and large organizations have IT staff and infrastructure, but may struggle to fund and support cybersecurity initiatives.

The first volume also features an accessible overview, using real health care industry examples, of the threat categories that inform the Technical Volumes’ recommendations. These are:

Phishing attacks—emails, disguised as messages from legitimate sources, to trick people into disclosing private information or clicking on links that install malicious software.
Ransomware attacks—installation of malicious software that denies users access to their data unless a ransom is paid.
Loss or theft of equipment or data—physical removal of equipment including computers, flash drives, and other devices, as well as the virtual theft of data
Accidental data loss—inadvertent mistakes, including procedural errors or negligence, by employees, contractors, or other inside users of the organization’s infrastructure.
Insider intentional data loss—destruction or theft of information by an employee, contractor, or other user of the organization’s infrastructure.
Attacks against connected medical devices—a malicious actor accesses an organization’s computer network and gains control of a server to which medical devices, such as heart monitors, are connected. The attacker can then control the devices.

Technical Volumes

Each Technical Volume presents the ten most effective cybersecurity practices identified by the task group, followed by sub-practices and implementation recommendations. Each volume seeks to achieve the goal of helping health care organizations answer the question: “How do I mitigate the five threats that were outlined in the Main Document?”

Technical Volume One contains best practices and policies for small organizations. Because those entities lack much IT infrastructure, this volume covers and recommends implementation of the most basic sub-practices. Technical Volume Two is generally intended for medium and large organizations. Because those entities generally have dedicated personnel working on IT and cybersecurity issues, this volume both includes and expands upon the sub-practices from Technical Volume One with more complex sub-practices and implementation methods.

The practices discussed in the two Technical Volumes were designed to align with the National Institute of Standards and Technology’s Cybersecurity Framework. That framework is organized around five steps for managing cyber threats: Identify, Protect, Detect, Respond, and Recover. The Task Group identified ten key cybersecurity practices for addressing those steps, and tailored them to the health sector:

Email protection systems: The HICP recommends establishing education programs and initiating simulations to increase staff awareness about fraudulent emails.
Endpoint protection systems: All equipment, including workstations, laptops, and mobile devices, should be protected against ransomware attacks and loss or theft. This includes the installation of antivirus and encryption software.
Access management: An organization needs to control access to its systems. The HICP focuses on best practices to protect passwords and connected medical devices.
Data protection and loss prevention: The HICP presents policies and procedures to prevent data loss and theft.
Asset management: The HICP includes best practices for procuring and maintaining servers and networking equipment, and for controlling network access.
Network management: Computers and other electronic devices communicate via wired or wireless networks, which must be secured physically and virtually.
Vulnerability management: Organizations are encouraged to identify gaps in their cybersecurity practices that may be exploited by malicious actors.
Incident response: The HICP suggests that organizations establish standardized response procedures and designate personnel responsible for their implementation.
Medical device security: All cybersecurity procedures need to be applied to all connected medical devices as well.
Cybersecurity policies: It is critical for organizations to establish and familiarize employees with an internal cybersecurity policy. Since small and medium organizations may not have the resources to design their own plans, the HICP recommends that they implement a subset of practices used by larger organizations.

The HICP recommendations will not prevent all cyberattacks in the health care industry, of course, but they are a valuable tool if implemented.

While the guidance is not mandatory, it adds to the growing body of best practices that regulators and courts may look to when trying to determine the relevant standard of care. Several data security laws are framed in terms of “reasonable” actions (or similar terms), including HIPAA, which requires that organizations provide “reasonable and appropriate protection of electronic protected health information.”³ Some regulators and courts may look to published government guidance on best practices to provide some meaning to those general principles.⁴ As the common law of negligence and regulatory rules of thumb continue to emerge, we expect that HHS’s new guidance will be an important consideration, especially in the health care industry but also more broadly for companies looking to understand what minimum reasonable cybersecurity measures they need to take to protect their and their customers’ data.

¹ Healthcare Breaches Cost $6.2B Annually, Becker’s Health IT & CIO Report (Jan. 19, 2017).

² Study: Hospital data breaches tied to thousands of additional patient deaths, Becker’s Health IT & CIO Report (Mar. 27, 2018).

³ 45 C.F.R. § 164.306(e)

⁴ “Indeed, the rulings, interpretations and opinions of the Administrator under this Act, while not controlling upon the courts by reason of their authority, do constitute a body of experience and informed judgment to which courts and litigants may properly resort for guidance.”F.T.C. v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 621 (D.N.J. 2014), aff'd, 799 F.3d 236 (3d Cir. 2015) (internal citations and quotation marks omitted) (refusing to dismiss complaint on fair notice grounds in light of “FTC's many public complaints and consent agreements, as well as its public statements and business guidance brochure—and despite [the defendant’s] own references to ‘industry standard practices’ and ‘commercially reasonable efforts’ in its privacy policy”).

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Steve Bunnell, an O’Melveny partner licensed to practice law in the District of Columbia, Randall Edwards, an O’Melveny partner licensed to practice law in California, Mallory Jensen, an O’Melveny counsel licensed to practice law in California, and Kayla Haran, an O’Melveny associate, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2019 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.