Notification of a data breach is a worrisome step of any governmental entity, association, medical office, law office, data management entity, and even of a school or university. The provisions that attempt to address this progressing act of cyber attempts to acquire data, of any sort, are evolving. An initial reaction to an incident is how to inform the relevant entities that something has happened while overwhelmingly concerned with trying to prevent a spread or reoccurrence, let alone minimizing the potential harm. Certain states require immediate notification to individuals whose personal health information (PHI) or their electronic health information (ePHI) been compromised. By compromised, it is meant that the PHI has been obtained by someone or entity without authorization. There are responsibilities that covered entities under the Health Insurance Portability and Accountability Act (HIPAA) are expected to follow and meet. The key point to note is the element of electronic transmittal, storage, and administration of health records. Another key point is the stress on protecting PHI and ePHI. Along with these points is the ever so important consideration of the shared responsibilities of the ‘business associates’ who are so integral daily in the operations of handling ePHI and PHI records, though not a healthcare provider, a health plan, or a health care clearinghouse. These business associates serve as third-party responsible entities in handling PHI and are affected by ransomware cyber incidents.
The rate in which cyber events are occurring is so alarming that there is a growing chronicle of cyber incidents in varied sectors of the economy. The value of personal information and personal health information is at an all-time high which is significantly driving increasing attacks. The United States Department of Health and Human Services (HHS) pursuant to HIPAA, has provided guidelines for business associates and covered entities to implement as they operationally address the data breaches and ‘ransomware’ incidents, beyond the inherent notification requirements that may apply contingent on state notification laws. On this point regarding the state notification laws impinging on covered entities and business associates, note should be taken that over 40 states have implemented some form of data breach incident notification regime. Among them, they have their differences in addressing how to react to the incidents. Aspects of a definition of what is ‘personal’ are imperative to triggering a required notification by a business associate and or a covered entity and those aspects differ among states. Another difference is the required content in the notices as well as the requirement to inform governmental agencies of the incident.
As common steps are prescribed to address a data breach it is important to be aware of how they take place. The intelligent variety of ways data breaches is emerging catch many information technology specialists by surprise. Intrusions, which can occur with email attachments, phishing messages, hard intrusions breaching networks, and even websites, can achieve the goals of ransomware. The ransomware characteristics are varied. One aspect seeks to deny the covered entity’s or business associates’ record files. This may be done by an expedient encryption process. The covered entity or business associate is not informed by the hacker of the encryption key. Once paid, it is hoped that the hacker releases the information or provided a key to decrypt the record files, but that is not always the case. There have been incidences that captured data is forcefully transferred to another data storage location where in effect the data no longer resides in the covered entities or business associates network. This latter scenario is a nightmare.
Nevertheless, the importance of learning what to do now before it happens is critical to the integrity of a covered entity or business associate. The HHS points are some of the similarly required steps that the Federal Trade Commission is seeking to impose on entities it has cited leaning with great emphasis on prevention which is after all the name of the game. For instance, the imperative of conducting ‘scheduled’ and frequent backups has not only the benefit of retaining the data that could minimize the damage that could be done if the data is ultimately destroyed or transferred to a remote server, but it allows for operational recovery. The guidelines also stress the need for testing the restorative process. The examination should highlight how the entity can recover and if its efficiencies and protections are implemented on a restorative posture. The restorative testing should as well assess its process when using remote storage retrieval rather than just an online connected network. The concern is that if the backup is online and synced with the online network, the malware can infiltrate that system and compromise any measures taken to address how to recover from ransomware attack.
Entities overwhelmingly are expected to undertake not only plan to train personnel in handling data, personal health information, and electronic files, but as well anticipate how to respond to a cyber incident. Appropriately training personnel on the noticeable signs of cyber attempts; though, that is only as precise and effective as yesterday’s cyber incident. But what is expected is that staff should be made aware of their responsibility to not visit questionable sites nor open unknown emails. An entity’s effort in conducting risk assessments before they occur and after is expected. The entity’s plan reacting to an incident should be anticipated and rehearsed to ensure that services are not compromised. The assessment of risk will tell if there is a notification requirement. That risk assessment will screen for how the encryption was effective and how much of the data was encrypted.
The notification requirement issue is the ultimate concern that trips certain entities. Counsel can be instructive not only in communications with the insurer that covers the cyber incidents within the entity’s General Commercial Liability Insurance (GCLI) but in communicating with law enforcement and in crafting the notice that is sent to effect individuals whose records were compromised. Depending on the state, determines the notice and its contents. Depending on the nature of how the data of PHI and ePHI was administered by the covered entity and the business associate, as well determines if there is a noticeable incident under HIPAA. Here the question hinges on the implementation of encryption as a protective tool by the entity. The privacy requirement stated under HIPAA says ‘acquisition, use or disclosure of personal health information …compromises the privacy of the personal health information.” From this vantage point, the risk assessment will be telling of what can be done to remedy the incident. If the cyber incident acquiring encrypted data then there has not occurred a noticeable cyber incident under HIPAA, however, state laws may require notification. Risk assessment is needed that accounts for the scope of the risk, the effectiveness of the encryption, the assessment of what data was actually compromised, and to what extent the data was compromised. Each incident will require case-by-case assessment in order to determine compliance as well as vulnerabilities, including the notification requirements that will be triggered by the nature and extent of the ePHI and PHI compromise in unauthorized hands.