Key Takeaways From Breakfast & Breaches™ | Chicago 2019
Clearwater and Lockton Companies, the world’s largest privately owned, independent insurance brokerage firm, are hosting a series of panel discussions with security experts and officials from the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).
The series offers attendees up-to-date information about cyber risk management strategies, HIPAA compliance and OCR enforcement. Attendees can participate in person or via live webcast.
A recent Breakfast & Breaches™ event was held in Chicago, IL. Maggie Spalding, Vice President, Client Advocate, Lockton Companies hosted the event and served as Moderator. Experts participating in the panel discussion included Bob Chaput, Founder and Executive Chairman of Clearwater; Wandah Hardy, Equal Opportunity Specialist with the U.S. Department of Health & Human Services, OCR, Midwest Region; Cinthia Motley, Attorney, Director of Global Data Privacy and Information Security, Dykema; Kevin Hewgley, Vice President of Financial Services, Lockton Companies; and Joe Rungren, Investigator with the U.S. Dept. of Health & Human Services, OCR, Midwest Region.
Here are some of the highlights from the Breakfast & Breaches™/Chicago 2019 panel discussion (edited for length and clarity):
Maggie Spalding: In its enforcement activity, HHS OCR has repeatedly spotlighted the lack of comprehensive and timely enterprise-wide risk analysis. Why does this continue to be such a struggle for so many healthcare sector organizations?
Bob Chaput, Clearwater: The failure of organizations to conduct an accurate, comprehensive, enterprise-wide risk analysis is a common problem. This is partly because of the size and scope of the task. There are an estimated 25,000 petabytes of healthcare data online right now. And 50 million internet of medical things (IoMT) devices that are part of the healthcare infrastructure. Getting an organization’s hands around this scope of information is a big undertaking. It is virtually impossible to conduct a thorough, enterprise-wide risk analysis using spreadsheets and clipboards and various and sundry other things that are being used today. You really need the right tools to do this correctly.
Cinthia Motley, Dykema: I completely agree. No disrespect to the internal resources a company may have, but cyber risk analysis is a specialized area. Oftentimes, it is important to have an outside consultant come in and help the company do that risk assessment. Because you don’t know what you don’t know.
Bob: You also need to address cyber risk as a program, rather than a project. It’s a continuing journey, not a destination.
Cinthia: Yes, it has to be addressed on an ongoing basis. It’s not just a one-and-done situation.
Maggie: Why is completing the comprehensive, enterprise-wide risk analysis so important?
Bob: I can tell you a story about that. When I was a young whippersnapper, coming up as CIO of a division of GE, I went in to make a budget request for the IT department, and part of that budget included security. When I asked for the allocation, somebody asked me a simple question, “What are our exposures?” I was not able to answer that. Then they said to me, “Well if you don’t know your exposures, how do we know that if we give you this allocation, our exposures are going to be any less by the time you are done?” This is the answer to why it is important to do a comprehensive, enterprise-wide, risk analysis. How am I going to begin to implement reasonable and appropriate controls, unless I understand what my issues are? How is someone — whether it is the CIO or the CSO — going to sit in front of the Executive Team or Board and request resources, such as staff, operating expenses, or capital expenditures for their security program unless they understand what risk problems they are trying to solve? You have to get into the anatomy of risk and understand what your unique exposures are in order to make informed decisions about risk management.
Cinthia: There are resources like checklists and OCR guidance available, but I would strongly urge companies to consider those resources only as a guide. Every entity is different, and because of that, every entity needs to conduct a risk analysis. You can’t just say, “I did these five things and I’m done” or “I followed this guidance from HHS so I’m good.” You need to conduct a risk analysis.
Maggie: Bob, you’ve seen firsthand that a company can complete a checklist with a consultant and OCR still does not accept that. A checklist doesn’t provide the level of analysis that OCR really wants, correct?
Bob: We’ve seen that over and over again. Organizations will submit checklists, offered by various vendors, to OCR and OCR will reject them. These checklists are often either a gap analysis, as opposed to a real risk analysis, or it is just someone walking around with a clipboard and going through a checklist of what is in place and what is not in place. That is not at all what a risk analysis is about.
Wandah Hardy, OCR: A checklist is a guideline, a starting point. It’s used for guidance, but we don’t want everybody to think, “Oh, this is it and we are done.” When you think about rules and regulations, they are usually the minimum – the baseline. You have to take that to another level, based on your specific organization. Because, for example, a two-man show is nothing like a million-dollar, global organization. The risks are different at different levels.
Maggie: How does the rollout and implementation of the General Data Protection Regulation (GDPR) impact companies here in the U.S.? [Note: GDPR is a set of privacy regulations enacted by the European Union (EU). GDPR went into effect on May 25, 2018. Any organization, regardless of location, that collects, stores or processes data belonging to any EU citizen, is subject to the provisions of GDPR.]
Cinthia: [GDPR] has a tremendous impact on organizations. Healthcare organizations deal in protected health information (PHI), which is subject to HIPAA compliance, but they also deal in data that is subject to other types of regulation. For example, healthcare organizations handle credit card information, which is subject to the Payment Card Industry (PCI) Data Security Standards (DSS). And now the privacy regulation landscape has changed with GDPR. But clients may not even realize their exposure under GDPR until they have a situation. For example, there are notification obligations under HIPAA, but the GDPR notification requirement is within 72 hours of becoming aware of the breach. It’s important for companies to realize that even though HIPAA compliance may be their main concern, it’s not the only concern an organization will face in the event of a security incident.
Kevin Hewgley, Lockton: One of the game-changing elements of the GDPR is the fine or penalty is no longer tied to the number of records impacted. GDPR’s general rule is that the fine or penalty that can be assessed is up to 4 percent of an organization’s annual global revenue.
Bob: The good news is that there are common elements across all three of these regulations — HIPAA, PCI DSS, and GDPR — that can facilitate compliance. HIPAA requires a risk assessment; PCI DSS calls for a risk assessment, and the GDPR calls for a Data Protection Impact Assessment (DPIA). At the end of the day, it all boils down to the same thing: the most fundamental building block of any information security program is understanding what your exposures are. That’s where the risk assessment comes in.
Wandah: And OCR’s take is that the assessment has to be enterprise-wide. So wherever there is data, that has to be included in the risk analysis. For example, copiers. People don’t usually think about their copiers, but some copiers are saving information, and so those need to be included. Anywhere that data rests, moves or is transmitted in any form should be included in the risk analysis. That’s where OCR is finding issues. When the iPad first came out, everybody thought it was the best thing, but it wasn’t being included in the risk analysis. As technology changes, we need to be very mindful that where there is data, that needs to be included; whoever touches the data needs to be included in the risk analysis.
Maggie: How do we structure cyber risk and cyber liability insurance coverage to make sure that all components are covered? Because we know that checking the box to say, ‘I have cyber coverage’ does not cover everything.
Kevin: That is a great question and one that many insurance brokers struggle with in advising their clients. It is very, very common to go into a company and find out that the Chief Security Officer (CSO), Chief Privacy Officer (CPO) and Chief Technology Officer (CTO) may have never gotten together at the same table, at the same time, to have a conversation about cyber risk and cyber liability event insurance coverage. So quite often, that’s our starting point: getting those critical stakeholders to the same table … It’s about really taking a look at your organization, trying to determine what the maximum exposure is from a records standpoint and then drilling down into the organization’s very specific responses for breach events. Breach events can run the full gamut, from catastrophic loss, impacting millions of records, all the way down to a single patient. We’ve seen some significant payouts on unintentional breach events for even a single patient.
Maggie: Can organizations take a proactive – rather than reactive – approach to cyber insurance?
Kevin: Insurance is primarily meant to be reactive. More and more carriers are trying to put vendors on the front end of their insurance. An example is setting up an enterprise-wide application that will help from an underwriting standpoint. The position is that if you answer everything favorably during that application process, we will be able to discount you more for your annual premiums.
Maggie: What are some things that are important for organizations to consider in the event of a breach?
Kevin: I would say that getting the right stakeholders, including your adjuster, to the table as soon as possible is probably the single best practice/lesson learned. The majority of clients out there can’t even tell you what their notification compliance requirements are. So it is absolutely critical to communicate with stakeholders – from the CEO down to general counsel and risk managers – early on. On that note, I’ve been shocked at the number of breach response plans that do not include CEOs. The company will say, “Well, why would we include them?” Well, they are the front man or woman of your organization. If you have an incident and a reporter is standing outside your office and that executive is leaving, the worst thing that an organization can do is have no answer. I’ve seen this happen. So I think every breach response and incident response plan has to have the top of the organization involved with what the company is going to do when there is an incident or breach.
Cinthia: Kevin, I completely echo what you are saying. A recommended or healthy incident response team should obviously include legal, IT, the insurer, and many other [stakeholders] … but the most important part you mentioned is the C-Suite liaison. You need to have that information going all the way to the top, so that if that CEO gets put on the spot, at least they are prepared, they are aware of the situation and they know how to respond.
Kevin: One additional takeaway, from personal experience, is that you should include a scribe on your breach response team as well. Somebody whose complete responsibility is to do nothing but gather, take and disseminate the notes. They are simply there to capture the conversation and capture the response.
Wandah: I want to say, too, that the policies and procedures an organization has developed during the risk analysis/risk management plan, are living documents. That includes the breach notification response plan. These are all living documents. With the speed at which technology is moving, those documents have to be living. You can’t think, “We completed our risk assessment today, and made our plan, and this is going to last us for the next ten years.” That plan might barely get you through the end of a single year, at the rate things are currently moving. So your documents – your risk analysis, your policies and procedures – can’t be information that you put in a book and put in the director’s office and it sits there in a nice binder. We have to work on it every day, we have to continually assess, to ensure we are staying on top of our game.
Joe Rungren, OCR: In one of the OCR cases, the organization had encryption policies in place for ten years, but they didn’t follow them. So you can have policies in place, but if you are not following them, then what is the point?
Bob: I would like to add that while the HIPAA regulations are important, the international regulations are important and OCR is important … the work that organizations are doing in this area is important because of the rules and laws and regulations. At the same time, if we think about the healthcare industry, the most fundamental core element of the transaction between a patient and his or her physician is the belief and trust that the information I share, as a patient, is not going to be impermissibly disclosed. This goes back to Hippocrates. It’s in the American Medical Association Code of Ethics. So the laws are interesting, but the trust factor may be the most important point. This is bigger than OCR and OCR audits and what the results of any specific investigation are going to be. This is about a fundamental trust issue in healthcare today.
Wandah: When all is said and done, that [trust] is where we need to start. If we remember that we’re protecting our information, or that individual’s information and that relationship, then we will all be a little bit better.
* * *
These are just a few of the topics discussed at Breakfast & Breaches™/Chicago, 2019. Additional topics discussed included: the importance of employee training in cyber risk management, the role of health information management professionals, Business Associates’ obligations to the OCR, and the complications that may arise when a cloud services provider is part of an OCR investigation.
To access a recording of the entire two-hour discussion please visit https://clearwatercompliance.com/clearwater-breakfast-breaches/
Register Now for Breakfast & Breaches™ D.C. (June 6th): A lively breakfast discussion with a marquee panel of cyber risk leaders discussing lessons learned from dozens of Office for Civil Rights risk-analysis-related cases.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.