A with Reece Hirsch of Morgan Lewis
Late last year, the U.S. Department of Health and Human Services (HHS) released voluntary cybersecurity standards that help bring the HIPAA Security Rule into focus and up to date with current cyber threats. The new guidance could also have implications for the way “reasonable standards” are legally defined going forward. We spoke with Reece Hirsch, co-head of the Privacy and Cybersecurity practice atMorgan Lewis, about the guidance and its advantages for healthcare organizations.

Can you summarize some of the key cybersecurity and privacy practices that HHS recommends in the guidance to help reduce cyber risk?
With the caveat that I’m not a security consultant—I’m a lawyer—I think there is some welcome guidance for the industry here because the HIPAA Security Rule is not very prescriptive. The guidance fills in a lot of the gaps and takes a more practical approach, concentrating on the primary risks organizations face these days, such as email phishing attacks, ransomware and loss or theft of data on equipment like laptops and medical devices. The actionable part of the guidance is divided up into two volumes, one for small organizations and one for medium to large organizations, understanding that resources differ based upon the organization’s size, as do the risks they face on a day-to-day basis. What’s good is that HHS didn’t try to make a single statement to speak to all the HIPAA security standards but instead focused on the practical risks to data that most organizations would be concerned with. There were no real surprises here in that they were developed through broad industry consensus and participation from a number of key stakeholders and organizations and they are reasonable best practices. However, it is unusual to see this much useful information in a user-friendly, largely non-technical format.

Might this guide and its recommendations serve as a benchmark or standard of care for future legal liability?
Well, there is always the danger that a plaintiff’s attorneys may seek to hold this up as a standard of care, trying to establish negligence by a healthcare organization. I suppose we will have to see how that plays out down the road. Certainly, there are other existing guidance documents and NIST standards that plaintiffs could attempt to use for that purpose.

Can you offer an example of a common cybersecurity issue in healthcare which might now be used as an indicator of negligence?
One of the major issues highlighted in the document is loss or theft of equipment and lack of encryption on laptops that store protected health data. Encryption is something that is not strictly legally required under HIPAA but, based upon OCR enforcement actions and this guidance, I think it’s almost a de facto requirement and something that all healthcare organizations should take quite seriously. At this point no one should keep ePHI on laptops if they have not taken all possible steps to encrypt those computers.

Could good faith adherence to this guide be a counterweight and serve to reduce legal or regulatory liability?
I think so. The first critical step for limiting exposure under HIPAA is to conduct an appropriate HIPAA risk analysis, which is intended to be the legal cornerstone of a HIPAA security compliance program. I think this guidance can definitely be useful in supporting the actions an organization takes in accordance with its risk analysis. What’s more, it focuses at a practical level on the actual threat the organizations are facing, rather than the general standards provided in the HIPAA security rule. While there is no specific HIPAA regulation addressing phishing or ransomware attacks, for instance, the guidance helps organizations understand how the HIPAA Security Rule standards can be interpreted and applied to address these very real risks to data..

Could “reasonable security” differ from one organization to the next?
Definitely. One of the reasons risk analysis is so important is that resources and risks vary based on the organization and it’s appropriate to take into account factors such as size, financial resources, and the types and volume of data handled. All of these factors will determine what security measures will be put into place.

Can you offer an insurance underwriter or risk manager within the healthcare sector any suggestions or final thoughts about the guidance?
I would recommend that all HIPAA security officers take the time to read the guidance and hold it up against the work they’ve done in developing their HIPAA security compliance program. They also need to make sure their risk analysis is a living document that reflects current risks and how they’re being addressed.

In summary…
I want to thank Mr. Hirsch for his thoughts as about the latest HHS voluntary guidance on HIPAA cybersecurity. In order to keep current with highly regulated healthcare sector and its cybersecurity/privacy compliance efforts, it requires ongoing vigilance. This sector is of critical interest to the cyber risk insurance industry that we support, since healthcare is often targeted and due to various industry challenges (i.e. many external connections and voluminous e-record transactions to manage) incurs many data breach events each year. With cybersecurity threats, related regulations and standards of care there are always changes and new interpretations to stay on top of, so we appreciate Reece’s thoughtful comments.