Can Data Protection Be Put Together?

Regulatory schemes for the protection of data, whether healthcare or otherwise, are often criticized in the United States for being fragmentary and siloed. No coordinated regulatory framework exists because United States law was never designed that way. Instead, different industries have their own structures, and those are the “lucky” industries, as many do not have any protective scheme at all. Healthcare has arguably the most famous data protection scheme in place, the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (“HIPAA”).

Despite the arguably robust privacy protections contained within HIPAA, the question remains whether those protections are sufficient. Professor Nicolas Terry raised this question in his recent article “Existential Challenges for Healthcare Data Protection in the United States.” While Professor Terry praises the robust nature of privacy protections of HIPAA, it is really only a positive endorsement by comparison to the poor state of other privacy protections in the United States.

As explained by Professor Terry, HIPAA places almost all of its eggs in implementing “downstream rules.” Downstream rules focus on the processing of data, that is, its use and disclosure. For those familiar with the HIPAA Privacy Rule, this explanation makes a lot of sense. The Privacy Rule governs the use and disclosure of protected health information. There is no focus on “upstream” or collection activities. All efforts are placed on setting parameters around how data are distributed. Further, HIPAA is limited in the scope of players to which it applies. There are three broad categories of entities that need to comply with HIPAA: covered entities, business associates, and subcontractors. Covered entities are the driving force, and they are really the traditional players in healthcare, namely providers (encompassing physicians, hospitals, nursing homes, home health care, and more) and health insurers. Noticeably absent are the newer entities, like mobile health app developers or wearable manufacturers, who operate on the periphery of the traditional healthcare system.

At the heart of Professor Terry’s concern, the overabundance of downstream protections and the hyper focus on traditional healthcare create significant deficiencies in what is arguably the best set of privacy protections in the United States. The incoming General Data Protection Regulation (“GDPR”), which will soon be in full force and effect in the European Union, is cited as the premier privacy scheme because it combines a variety of protective measures, including upstream limits on collection. Is implementation of a scheme like the GDPR possible in the United States? That is an open question.

Systems in the United States have been allowed to develop in silos and without much coordination. As a result, the systems that are in place have developed in a specialized manner uniquely tailored to their individual industries. While it would be good to see a generally applicable framework for protection of all data that is industry agnostic, such a hope is unlikely to come to fruition any time in the near future. Given that reality, it is necessary to work within the existing framework (HIPAA) and get creative in finding the means of expanding requirements.

One “creative” (or confusing) means of expanding the framework of privacy protections is the layer added by state law. While state law cannot loosen protections created by federal law, it can add more restrictive requirements. Many states have piled onto HIPAA’s downstream protections by restricting use and disclosure of different forms of sensitive information, such as mental health, HIV/AIDS or other discrete matters. Additionally, states are imposing data breach notification requirements on entities in the healthcare industry that go beyond the notice required by HIPAA. From this perspective, maybe states could help in switching the paradigm to add “upstream” protective requirements. A patchwork approach from the state level would impose burdens on entities at first, but could result in one of two federal-level outcomes. Either federal law would pre-empt the patchwork by imposing uniform collection requirements, or the state laws would be struck down under a different form of pre-emption. Either way, a clear standard could be set.

The bottom line is that the world of data protection has entered a new reality. The amount of data being created increases every day with no sign of slowing down any time soon. Will the law be able to keep up?

Posted in Business, Compliance, Health IT, HIPAA, Regulations

Which Path Will be Taken: Future of Cybersecurity

The ability to protect and secure digital information is under constant threat. Attackers of all sorts force their way into systems, trick individuals into providing access, and otherwise access data that is not their own. In a state of continual threats, the issue of cybersecurity is typically at the forefront for many. Questions about cybersecurity include: can data actually be secure? Will defensive measures ever be better than offensive measures? And is it necessary to accept that all data will be hacked or inappropriately accessed at some point in time?

Given the uncertainty and focus, an analysis from the Center for Long-Term Cybersecurity at the University of California, Berkeley is particularly interesting. The analysis, Cybersecurity Futures 2020, contemplates five different scenarios for what cybersecurity, and data more broadly, will look like in the near future. Each scenario offers a glimpse into a possible future. The scenarios are all quite plausible and to some degree even represent current realities.

The scenarios, in brief summary, are:

  1. The New Normal – In this scenario, it is accepted that data cannot be kept private and that personal information will be both stolen and broadcast. In response, individuals or institutions may respond by (i) shutting off connections to the internet, (ii) proactively making information public before it can be inappropriately accessed, or (iii) fighting back with any tool that may become available.
  2. Omega – This scenario is named after the “omega” or last algorithm concept. The omega algorithm would be the last step before control is turned over to technology. With the omega algorithm in place, individualized predictive analytics would create new strata of security risks. Additionally, issues would become focused on individuals as opposed to infrastructure, which in turn could cause irreparable damage in a number of ways.
  3. Bubble 2.0 – In this scenario, a second bubble bursts when it comes to web-based companies. Decades after the dot-com bubble of the 1990s, the new web companies suffer a similar fate. However, the primary asset of each of these companies is a tremendous trove of personal data. The data do not disappear with the companies. Instead, the data will be sold. With data sets the main target of cybercriminals and increasing numbers of data scientists unemployed, cybersecurity and market security become entangled.
  4. Intentional Internet of Things – In this scenario, the internet of things becomes seamlessly integrated into everyday life. In fact, certain core functions are turned over to technology. Such functions could include healthcare to a degree, environmental functions and other social or economic functions. As such, attackers may subtly infiltrate systems to manipulate the vast array of connected devices or have the opportunity to cause widespread harm. Cybersecurity becomes just security and must be a part of everyday life.
  5. Sensorium (Internet of Emotion) – In this scenario, devices move beyond physical functions and into an individual’s emotional state. Devices will track fundamental emotional aspects of an individual’s psychology. In turn, an individual’s mental or emotional state can be manipulated for any number of purposes. Cybersecurity evolves from data protection to managing and protecting an emotional public image.

The goal of the scenarios is not to identify what is occurring today, but to develop concepts of how the future may actually unfold. Once the potential futures are detailed, it is possible to study those futures and engage in strategic planning or set research priorities. Starting from such a framework, it is easy to see why each scenario reflects some current realities. In fact, the currently existing world is likely a reflection of some components from each of the scenarios.

With these possible futures laid out, what does it mean for cybersecurity today? It means that cybersecurity should be considered as more than a quick challenge, or one that will stay the same over time. Changes in what cybersecurity means can already be seen on a daily basis. Threats are constantly evolving, changing or springing up completely new. What was known a week or a month before has, to some degree, become obsolete not very far down the road.

A few overarching issues can also be teased out from the current state of cybersecurity and where the future may go. The human element will be both a primary concern and benefit. Individuals are currently the cause of many data breaches. Those causes include falling victim to a phishing attack, purposefully accessing data for malicious purposes or an unintentional action that exposes information, among other issues. At the same time, individuals are actively trying to increase security measures and make it more difficult for a data security incident to occur. The opposing forces of human intervention will also be at the center of cybersecurity because so much of what happens in this world is about what humans are doing.

Another overarching issue is the role of data in the economy and as a resource. Much of the world economy centers around the creation, curation, and analysis of data. Product development and sales center on data because data help identify what product should be developed, how it should go to market and where it should be sold. From this perspective, data have become a commodity because they inform so many potential decisions. It may not be possible to fully separate the two functions of data, as a driver of the economy and as a good within it, because the two are so intertwined. The central importance of data to the economy means that they will be a constant target. If individuals and companies cannot secure data, then someone else will exploit them. Accordingly, there is a fundamental monetary consideration driving the need to ensure security is in place and actually works.

The central role of data in so many aspects of life and the inability to ensure consistently appropriate individual behavior mean that there will never be a single solution for ensuring cybersecurity. Risks will always exist because, as the old saying goes, a system is only as strong as its weakest link. Since the weakest link is ever changing, all links can never be fully strengthened. Accepting that reality means that vigilance must be maintained. A corollary to the lack of a cybersecurity silver bullet is that attackers will also always be multiple steps ahead. Such is the nature of attack, because those trying to gain access to a system are incentivized to come up with novel approaches. While security and defense can also identify a novel concept, it is simply more likely that the other side has already thought of an idea and blown past it.

What impact do all of the predictions and pondering have for healthcare? What is true generally for cybersecurity will likely be equally if not more important for healthcare. The quantity of healthcare data is growing at exponential rates, and such data are among the most private and sensitive that can relate to an individual. Additionally, healthcare is not only under almost constant threat already, but is likely to fall victim to a successful attack. Any number of negative consequences can be imagined if the situation does not improve. Such negative outcomes could include individuals not trusting the system and withholding information, increasing amounts of fraud funneling money out of the system into illegitimate hands, or manipulation of data to influence or create outcomes. These concerns echo those of the scenarios because, as said before, all are plausible. Given the possibilities, healthcare is very much at a crossroads when it comes to security.

The future does not need to look grim. Alongside all of the potential nightmares are an equal, if not greater, number of improved benefits and outcomes. The issue is whether all will take up the challenge and work collaboratively for the good of everyone.

Posted in Business, Compliance, Health IT, HIPAA

Who’s Handling Your Data?: Vendor Risk Management

Access cannot be freely granted to data. Such is the reality of the world today. If a vendor is allowed to freely access, use or otherwise interact with data, unnecessary risk has been created. Why go down the risk-filled road when issues can be identified and addressed up front? This question is central for healthcare entities, whether covered entities contracting with business associates or business associates contracting with subcontractors. Since the 2013 Omnibus Rule, business associates and their subcontractors are directly liable under HIPAA, so the liability runs all the way up and down the chain of access and no entity on any level can escape notice.

If risk exists on all levels, what can be done? Asking questions prior to full engagement of a vendor is the first step. Do not assume that a vendor is providing all necessary information, or even any of the relevant information, when pitching services. Instead, have a questionnaire ready to go that pulls in baseline data. For example, ask a vendor whether it has HIPAA policies and procedures in place, when it conducted its last risk analysis, how the results of the risk analysis were used and whether a breach has ever occurred. Obtaining responses to these and similar questions can begin to provide comfort as to the actual status of a vendor’s security and privacy preparedness.

If a vendor makes it past the initial round of vetting, the terms of the service agreement are the next important step. What requirements should be baked into the agreement, and how specific or granular should those requirements be? The answer likely depends upon the nature of the services being provided. If a vendor is hosting protected health information or regularly transmitting protected health information, then the agreement may get quite specific as to the types of encryption to use (at rest and in transit), the permitted means of transmission or other requirements. However, if the vendor provides a service where it only receives a minor subset of protected health information, then a little more leniency may be possible. In addition to the scope of the protection requirements specified, consideration should be given to the consequences of non-compliance. Is there a monetary penalty, immediate termination or some other outcome? Again, the scope of remedies will depend upon the nature of the services, but all of these issues should be considered.

The business associate agreement is the next essential element. As should be widely known, if there is a business associate relationship, no protected health information can be exchanged until the BAA is in place. If parties were somehow unaware of the necessity of a BAA, a recent HIPAA breach settlement through the Office for Civil Rights made the requirement crystal clear. Acknowledging that a BAA is needed is only the first step, though. The next step is determining whether the BAA will stop at the baseline of the regulatory requirements, or include “extracurricular” terms such as mandating insurance coverage, calling for indemnification or reimbursement, and granting the upstream entity audit rights. Some elements, e.g. indemnification or reimbursement, are easier to identify as desirable than others. A term such as audit rights is not as clear cut. Arguably it provides good insight, but the upstream entity will actually need to exercise those rights. Failure to do so could backfire and end in negative consequences for the upstream entity, because an unexercised audit right documents that the entity had the means to discover a problem and chose not to look.

The process of vendor management does not end with the execution of an agreement either. Constant vigilance and dialogue are needed. Threats are evolving, so entities cannot remain static. If any aspect of privacy or security protection sits for too long, an issue will almost certainly arise. Accordingly, parties should work together to manage risks and not assume that the other is the only one responsible. A go it alone approach will only come back to harm both entities.

Managing privacy and security risks is not easy. However, understanding baseline regulatory requirements provides a firm foundation from which to build. Ignoring or misconstruing that foundation will weaken the structure above and create enforcement exposure. Do not overlook these initial steps and create unnecessary risk.

Posted in Business, Compliance, Health IT, HIPAA