Cybersecurity Compliance Protects Against Breaches, Offers Safe Harbor

Weekly, and sometimes more frequently, the Cybersecurity & Infrastructure Security Agency (“CISA”) and Department of Health and Human Services (“HHS”) release warnings about cyber threats to healthcare and other sensitive information. The recent announcement by the FBI and HHS of a new ransomware threat, the OnePercent Group, demonstrates the continued pursuit by threat actors of email phishing as an entrance for malicious activity.

In addition to email phishing vulnerabilities, CISA has recently identified the top Common Vulnerabilities and Exposures (CVEs) that were routinely exploited by threat actors in 2020 and continuing into 2021. Not surprisingly, these CVEs primarily arose in technology processes made essential during the pandemic work closures: remote work settings, a virtual private network and other remote desktop applications, and cloud-based environments.

IBM and the Ponemon’s 2021 Cost of a Data Breach Report provides some sobering but not unexpected information regarding the impact of 2020 cyberattacks on health care businesses. The industry with the highest rate of breach was the healthcare industry, the average cost of a healthcare breach was $9.23 million and, on average, it took 287 days to identify and contain the malicious attack.

Given the significant increase in cyber threats and the cost of a data breach, what can healthcare businesses do?

• Assess and implement a cybersecurity program in compliance with standards recognized by HITECH and state laws. This is discussed below.
• Train staff, provide frequent and periodic cybersecurity reminders and implement email phishing testing.
• Monitor potential threats by registering for listserv emails from HHS and CISA.
• Implement a continual security management program to address vulnerabilities and threats and not limited to an annual security risk analysis process.
• Prepare for a cyberattack by implementing a detailed cybersecurity incident response plan and testing this plan. Be sure each participant is prepared.
• Review data security cyber-coverage, and upgrade if needed, to provide sufficient coverage in the event of a breach, and discuss the potential need for coverage with the underwriter prior to the event.
• Identify data breach response resources, such as forensic analysts, ransomware negotiators, public relations, breach notice services, and legal counsel, prior to an incident and get pre-approval from your cyber-insurer if needed.

Federal and state legislators have recognized the need to incentivize enhanced cybersecurity compliance as a front-line defense against the onslaught of malicious cyberattacks, and are providing healthcare providers and support businesses with incentives to implement strong cyber-security standards. While security standards have long been a component of HIPAA and state security regulatory compliance and there has been government enforcement, a really enticing “Carrot” is being offered.

In January 2021, the Health Information Technology and Economic Clinical Health Act (“HITECH”) was amended to provide a HIPAA Safeharbor that requires HHS to give HIPAA-regulated entities credit for prior implementation of “recognized security standards” (Pub. Law 116-321). With proof of at least a prior 12 month period of compliance, a healthcare entity may be entitled to early dismissal of an HHS compliance audit, reduction or elimination of penalties and reduction of corrective actions and other components of a settlement agreement with OCR. This is in addition to the current affirmative defense available under HIPAA for prompt correction of identified deficiencies, 45 CFR 160.410. The HIPAA Security Rule’s inherent flexibility has provided healthcare entities with the ability to structure cyber-security to fit the organization’s environment and resources. The lack of clear standards, however, has led to a fair amount of confusion. The new HIPAA Safeharbor identifies 2 specific sets of standards as “recognized security standards”: the Health Industry Cybersecurity Practices developed and published by HHS in compliance with Section 405(d) of the Cybersecurity Act of 2015, and practices set out under Section 2(c)(15) of the National Institute of Standards and Technology Act (NIST Special Publication Rev. 1, and current draft Rev. 2). The HIPAA Safeharbor does not mandate compliance with these standards, but it definitely offers an incentive for a healthcare entity to assess its cybersecurity compliance in light of these standards.

States, such as Connecticut and Ohio, also recognize the value in incentivizing cyber-security compliance. When an Ohio covered entity can demonstrate that at the time of a breach the business was in compliance with a prior “written cybersecurity program . . . that conforms to an industry-recognized cybersecurity framework,” the Ohio law provides an affirmative defense (i.e. a right to dismissal) in court actions to claims that “failure to implement reasonable security controls” resulted in a breach. Connecticut recently adopted a “safe harbor” that bars punitive damages in plaintiff security breach actions alleging that “failure to implement reasonable cybersecurity controls resulted in a data breach.” The safe harbors are triggered by proof of implementation of a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and conforms to an industry-recognized cybersecurity framework identified in the statutes. The Connecticut and Ohio safe harbors identify several “industry-recognized cybersecurity” standards including HIPAA and NIST.

Malicious attackers are actively and constantly at work developing organizations and networks as well as sophisticated technologies designed to gain access to healthcare information and maximize the profitability of a data breach. Vigilance and a constant culture of cybersecurity compliance is necessary to protect against loss or destruction of patient and business information, operational delays and unneeded cost and expense that can follow a cyber-attack.