Plan Ahead, Stay On Top of Government and Tech Changes, and Be Ready to Call the FBI: Key Lessons from the PHI Protection Network Conference

March 21, 2016
By: Abraham J. Rein

Late last week, the health care data security community gathered in Philadelphia for the PHI Protection Network Conference. The diverse group of speakers included in-house data security officers, technology consultants, academics, attorneys, and a variety of influential federal government representatives. I was in the audience. A handful of key themes were reiterated in various ways throughout the two-day gathering.

One: Cybersecurity isn’t just about keeping them out

This lesson was repeated again and again: gone are the days when a company’s network administrators could credibly claim that their infrastructure was breach-proof. In today’s world – with its proliferation of network entry-points (think of the infamous “internet of things,” including networked medical devices) and ever more sophisticated hackers -- an experienced and determined cyberattacker can find a way in to any network.

Many panelists stressed the importance of internalizing the fact that cybersecurity is no longer just about keeping the attackers out. Rather – in addition to defending the perimeter – companies should have in place systems that allow them to see what intruders are doing once they are in. Were they able to steal the company’s “crown jewels,” its most valuable data?  Did they access protected health information, and if so was the breach extensive enough to require a report to the department of Health and Human Services (HHS)?  Are they attempting to corrupt backup data, a possible prelude to a potentially-devastating ransomware attack?  Measures can be taken prior to a breach that will allow a company to monitor for indicia of an ongoing attack, and to gain insight into the intruders’ conduct and intentions.

Two: Plan ahead for a breach

An abiding theme at the conference – and, indeed, something heard regularly in the cybersecurity community at large – was that breach response cannot be made up on the fly. It requires careful planning, and painstaking practice. As Jonathan Fairtlough, former head deputy and co-founder of the High Technology Division of the L.A. District Attorney’s Office and currently a managing director with Kroll’s cybersecurity practice, told the group: “Have an incident response plan that you practice. It’s never the breach that kills you, it’s the response.”  

Fairtlough advised that not only should entities perform regular penetration testing of their networks, but they should prepare management for the fact that those tests are likely to fail – if the network passes the test, he said, nothing is learned. This is so because there is no longer such a thing as a completely hack-proof network.

Three: Be ready to work with law enforcement

The law enforcement panelists took pains to demonstrate that the government can be a friendly and helpful partner when a company has been breached. Sean Hoar, former lead cyber attorney for the U.S. Attorney’s Office in Oregon, now with Davis Wright Tremaine, suggested that – as part of the “planning ahead” discussed above – companies should invite the lead regional FBI cyber agent in for a C-suite briefing, to talk about the latest high-tech threats. Hoar pointed out that, not only would such a session help drive home to upper management the importance of cybersecurity as a business matter, it would help solidify a relationship with law enforcement, something that is bound to prove useful in the face of a breach.

Michael Stawasz, Deputy Chief of the U.S. Department of Justice Computer Crime and Intellectual Property Section (“CCIPS”), and Rich Goldberg, Chief of the Economic Crimes Unit for the U.S. Attorney’s Office of the Eastern District of Pennsylvania, both worked to assuage corporate anxiety around reporting a data breach to law enforcement. Such anxiety is reasonable, given the risk of the company finding itself on the wrong end of enforcement scrutiny. But Stawasz and Goldberg both emphasized that, when a company suffers a data breach, “you [the company] are our victim” – indeed, “our goal is to protect you.” Companies need not be concerned, according to Stawasz, about turning information over to the government to assist in its investigation of the breach:  “Your information will not be FOIA’d,” Stawasz told the audience; moreover, “it won’t be immediately shared with your regulators,” because “I’m not interested in holding you liable for unreasonable security.” It should be noted, as many readers will be aware, that other government agencies may take a different approach vis-à-vis company’s data security practices; as a result, whether to involve law enforcement at the outset of a data breach response is a nuanced decision, and one to be decided case by case.

"Whether to involve law enforcement at the outset of a data breach response is a nuanced decision, and one to be decided case by case."

Four: HIPAA audits are coming

Barbara Holland of the HHS Office of Civil Rights (OCR) spoke in some detail about OCR’s upcoming program of Health Insurance Portability and Accountability Act (“HIPAA”) audits. OCR, which is charged with enforcing the health care privacy requirements embodied in HIPAA, performs regular audits of entities covered by HIPAA’s requirements (“covered entities”), to ensure that the rules are being followed.

Holland – along with her co-panelist, Adam Greene, formerly with HHS and now at Davis Wright Tremaine – described OCR as an atypical enforcement agency, in that most of OCR’s complaints are resolved with voluntary corrective action, rather than a penalty. Holland noted, however, that OCR “has to” take action when it finds willful neglect of the HIPAA rules (indeed, in the past week, health data breaches have resulted in OCR settlements totaling $5.45 million). She added that this year OCR will be raising its expectations of covered entities – she explained that HIPAA and its amendments have been in effect for long enough that even entities that have in the past “struggled to comply” should be compliant by now – and that OCR plans to “be harder on” entities that have seen recurring data security problems.

Holland said that OCR expects to perform 200 HIPAA audits in 2016, beginning within the next few months. Those audits will focus on ensuring that covered entities have adequate:

• risk analysis;
• risk management plans;
• breach response policies and procedures; and
• training.

Notably, each of these foci represents a proactive, pre-breach measure that covered entities should be taking as part of their compliance program in the spirit of “planning ahead” discussed above. Holland emphasized that not only should companies have performed a risk analysis, it should be re-done on a regular basis, and should be re-done any time something changes that would affect the analysis – for example, when the company brings a new system online or acquires a new subsidiary.

Greene confirmed his experience that OCR is very focused on these proactive measures. He noted that he has seen cases in which a covered entity suffered a breach, adequately complied with its post-breach obligations, but found that OCR was nonetheless unsatisfied because the entity did not have a breach-response procedure in place prior to the incident.

Five: Be aware of ransomware

As one speaker noted, the “market for [stolen] data isn’t so great anymore, because it’s all been stolen already.” As a result, hackers are turning to new models for monetizing cyberattacks. One theme heard continually throughout the conference was that one of the latest and most important cybercrime business models is ransomware – a type of attack in which intruders access and encrypt a company’s data, then offer to provide the encryption key in return for payment. Readers may recall the recent ransomware attack that took Hollywood Presbyterian Medical Center offline for nearly two weeks (not to mention the even more recent such attack at Methodist Hospital in Henderson, KY).

The Supervisory Special Agent for the FBI’s Pennsylvania Cyber Criminal Squad, Ben Stone, advised the audience – again, in the spirit of pre-planning for an attack -- to have a strategy in place to defend against ransomware aimed at their organizations’ networks.

Ransomware attacks are swiftly becoming more sophisticated and potentially damaging. Two speakers mentioned that some hackers have begun surreptitiously breaching and corrupting companies’ backup systems prior to launching a ransomware attack – impeding their ability to restore the data locked up by the ransomware.

Conclusion

Health care entities collect and house some of individuals’ most sensitive information. Yet, in an era of big changes in the industry – massive technological shifts and ongoing corporate consolidation, for example – data security can be tricky, and can sometimes find its way to the bottom of the priority list. The speakers at the PHI Protection Network Conference confirmed, however, the importance of staying proactively ahead of this increasingly complex area. Plan ahead, stay on top of changes in cyber threats and government priorities, and be ready to work with law enforcement when appropriate. Failure to do so can spell trouble.

"Plan ahead, stay on top of changes in cyber threats and government priorities, and be ready to work with law enforcement when appropriate."