The CyberPHIx Roundup: Industry News & Trends, 1/28/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • MD Anderson has a $4.3m OCR fine vacated by appellate court in third appeal; potential impacts to OCR enforcement going forward are explored
  • Micky Tripathi and Robinsue Frohboese are tapped to lead ONC and OCR
  • President Biden invests $10b in cybersecurity to combat Russian attacks and strengthen US cyber protections
  • Excellus Health Plan settles with OCR for a $5.1m penalty
  • OCR continues enforcement of HIPAA Right of Access by fining Banner Health in 2021
  • A class action lawsuit is waged against Rady Children’s Hospital-San Diego for failure to protect against a ransomware breach caused by their third-party business associate, Blackbaud


Brian Selfridge: [00:00:11] Good day and welcome to the CyberPHIx healthcare security roundup, your source for keeping up with the latest cybersecurity news, trends and industry leading practices specifically for healthcare. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on MeditologyServices.com, which includes our CyberPHIx interviews with leading healthcare security, privacy and compliance leaders, as well as blogs, webinars, articles and lots of other educational stuff. We have a lot of ground to cover today, so let's dive into it.

Brian Selfridge: [00:00:45] MD Anderson Cancer Center has had a four point three million dollar OCR fine overturned this past week upon appeal. The original case related to unencrypted laptops and USB devices at MD Anderson that resulted in two separate breaches in 2012 and 2013. Now, originally, an administrative law judge had ruled in favor of OCR in this case, as did several other appeals. However, in this third appeal, the judge ruled that HHS had issued an arbitrary and capricious result contrary to law, and essentially vacated the penalties and the monetary fines in this case. The judge also draws conclusions about the implementation standards for encryption and OCR's ability to levy fines for the same. And this is a significant departure from prior interpretations of HIPAA and OCR enforcement that have been underway for the past decade plus. So the industry is still digesting what this means. OCR is still trying to figure it out. The industry is trying to determine what kind of impact this will have on future fines and on how encryption is interpreted for breaches and OCR investigations going forward. Now, some interpretations from legal specialists in the industry indicate that the ruling could in some ways end up seeing OCR enforcing a higher volume of penalties, with more consistency in the way that they issue fines, but maybe in smaller amounts for larger volumes of activities. So that's just speculation at this point; I think everyone's still trying to digest it and see how this will play out going forward. But a very interesting and eyebrow raising decision from this appellate court.

Brian Selfridge: [00:02:28] In our second update today, the Department of Health and Human Services has named Micky Tripathi and Robinsue Frohboese to head ONC and OCR, respectively. Now, Micky is a longstanding leader in the health care space and a heavyweight in this industry. And folks that have worked in this field, such as ourselves, have known Micky for a long time. And he is highly respected and I think a great choice for the role. He has served in many different roles prior to ONC, including his current role, where he serves as the CEO of Massachusetts eHealth Collaborative. He was the CEO of the Indiana Health Information Exchange. He's also served on the boards of the HL7 FHIR Foundation, the Sequoia Project, the CARIN Alliance and many others. So he's got a long history in the field, and I'm looking forward to seeing how he's going to take on these new 21st Century Cures Act provisions and the promoting interoperability and information blocking provisions that have been put in place. And we'll see how he's able to take those on. The second appointment: HHS has confirmed Robinsue Frohboese to take on the role of acting director of the Office for Civil Rights. OCR is near and dear to our hearts, of course. Robinsue has been a veteran in the field for 17 years plus in special litigation for the Civil Rights Division at the US Department of Justice, first as a senior trial attorney and subsequently as deputy chief. So a lot of experience in this field, and I'm really excited to see what she can do in the OCR acting director role.

Brian Selfridge: [00:04:01] In other federal health care news, President Biden has invested 10 billion dollars in cybersecurity as part of the American rescue package. The plan calls for a nine billion dollar investment in CISA, the Cybersecurity and Infrastructure Security Agency, and the GSA, the General Services Administration, to launch new cybersecurity initiatives. Another two hundred million dollars has been set aside for the rapid hiring of experts in the field, including a federal chief information security officer and U.S. Digital Service. And 300 million has been put toward technology programs at the GSA. And then the final allocation: six hundred and ninety million to CISA to improve security monitoring and incident response. And the timing of this investment is important. We're coming fresh off of a large scale series of cyber attacks, particularly from the Russian contingent, including the recent SolarWinds attack, that third party supply chain attack, which included federal breaches as well as private sector breaches of hundreds to thousands of organizations. Major, major attack, probably the largest scale supply chain related attack in our history, as well as the ransomware attacks against healthcare entities. If you'll recall, the FBI alerts around that. So we are under heavy fire, so to speak, cyber fire. And these investments are intended as a reaction to that, but also as a proactive investment in building and improving the security posture of the United States, both in the private and public sectors, for years to come. Biden's plan reads: "in addition to the covid-19 crisis, we also face a crisis when it comes to the nation's cybersecurity. The recent cybersecurity breaches of federal government data and systems underscore the importance and urgency of strengthening U.S. cybersecurity capabilities." So we look forward to seeing how those funds are allocated and hopefully giving us the shot in the arm that's necessary from a cybersecurity perspective to tackle some of these attacks, which are going well beyond the bounds of what we've ever seen historically.

Brian Selfridge: [00:06:10] Now, I would be remiss if we had an update from the CyberPHIx without some overview of HIPAA and OCR penalties. We talked about MD Anderson, but the latest 2021 OCR fines were inclusive of Excellus Health Plan, who settled a case to pay five point one million dollars related to a 2015 data breach that affected over nine million individuals. Excellus was doing business as Excellus Blue Cross Blue Shield and Univera, hopefully I'm pronouncing that correctly, Healthcare. And they serve a population predominantly in upstate and western New York. Now, pretty classic case here. There were hackers. They gained access to Excellus' systems, and the breach investigation revealed that the breach was ongoing for several years, from 2013 to 2015, and reported in 2015. Pretty typical attack. Malware was installed. They went laterally across the environment and ended up taking out seven million Excellus health plan members' data, as well as two and a half million members from Lifetime Healthcare, another subsidiary of Blue Cross, in the attack. So they got access to Social Security numbers, dates of birth, health plan ID numbers, all the goodies that the bad guys go after. Pretty typical settlement here. OCR identified that there was a lack of enterprise wide risk analysis, that's in almost every case these days, and insufficient measures to reduce the risks related to PHI; in other words, that's your remediation planning and execution. Pretty, pretty typical stuff. Also a lack of policies and procedures having routine review, so nothing too earth shattering. And the findings, they're pretty standard OCR settlements, but interesting to see that we still keep rolling with the same old trends that we saw in the prior decade into twenty twenty one.

Brian Selfridge: [00:08:03] There was also another OCR fine of two hundred thousand dollars related to HIPAA right of access for an organization, Banner Health. And the HIPAA right of access is really worth paying attention to. That's been a big focus in twenty twenty and twenty twenty one. We expect those trends to continue, so make sure you're paying attention to your right of access implementation as well as your policies and procedures.

Brian Selfridge: [00:08:27] Another OCR announcement. They've announced an enforcement discretion decision around online web-based scheduling applications for covid-19 vaccinations. So we have a number of clients that have been put out and, somewhat under duress, have been implementing web-based vaccination websites that will allow patients to register to receive the vaccine. We're seeing, I think the stat from today was, the US is planning on one point five million vaccinations per day for the near future and getting up into the larger scale; hundreds of millions is the plan. To do that, they need to sign up on webpages that health systems across the country that have been designated for this purpose have stood up in fairly short order. And so OCR's intent, I believe, from my perspective, with this announcement to implement enforcement discretion is that they are trying not to stifle the development of those portals, so they can be stood up quickly and hopefully safely and securely.

Brian Selfridge: [00:09:26] But basically they're putting the industry on notice: get this thing up and working. Do the best you can. It's not the first thing we're going to do to come after you. And if we look at the cases that we've just talked about, really what OCR has been focused on is risk analysis, encryption, policies and procedures, standard stuff. So they're saying, look, you get a pass on this covid-19 thing. Now, you should still make sure you're securing that, and having a breach related to one of these sites would certainly be a problem from a public perception standpoint, with all the negative things that happen with security breaches. So it's not like you should just sort of stand something up without any security, but they're at least saying they're not going to go after you right off the bat. Our last update today is related to a class action lawsuit against a children's hospital, Rady Children's Hospital of San Diego, in relation to a breach suffered by its third party business associate Blackbaud in a ransomware attack in May 2020. So the Blackbaud attack was very prominent, one of the larger ransomware attacks in recent memory. And this story is particularly interesting for a couple of reasons. One, Blackbaud services many, many health care providers across the country, including children's and pediatrics organizations, but many others as well.

Brian Selfridge: [00:10:44] And so their scope and scale is very large, similar to the SolarWinds attack that we saw earlier this year, late last year, where you have these third party vendors and dependencies where the breaches then have these sort of cascading impacts on the industry overall. Now, this lawsuit is also interesting because it claims that Rady Children's in San Diego specifically didn't do enough to implement adequate security measures and failed to ensure that Blackbaud had adequate security measures in place on their side to protect patient information. So this is that third party risk, supply chain issue that we've been talking about for years. And for the longest time, folks have said, well, you know, OCR doesn't specifically go after third parties; they haven't been prominently going directly after business associates, but have been going after providers for negligence related to business associate activity. That has certainly happened, but not as much. But this is where the rubber really starts hitting the road with the costs associated with lack of third party risk management, and Blackbaud, SolarWinds and these other attacks are causing real dollars to be lost. So this is going to be interesting to see how this plays out.

Brian Selfridge: [00:11:52] We've been talking for the last several years about class action lawsuits as really being the future of where organizations are going to be getting the largest sting and are getting the largest financial hit versus just OCR enforcement activity. And that trend seems to be continuing. And it's important also to note that this is not the only lawsuit facing or related to the Blackbaud breach. They are facing at least 27 class action lawsuits according to its 2020 quarterly filing. Anyway, the lawsuits have been filed in 17 federal courts, four state courts and two Canadian courts. So as we've been talking about, again, over and over again in these sessions, these class action lawsuits are really going to become the dominant theme for years to come, as well as the third party risk and supply chain protections that we've been talking about early this year. Meditology serves as expert witnesses for a lot of cases. And so we've been very busy reacting and responding to all sides, sort of making the case of what was reasonable and appropriate in these. So more to come. We'll keep you posted, but it's going to be busy for some time.

Brian Selfridge: [00:12:58] That's all for this session of the CyberPHIx healthcare security roundup. We hope this is informative for you. We would love to hear from you. If you want to talk about any of this, just reach out to us at CyberPHIx @. So long. And thank you for everything you do to keep our healthcare systems and organizations safe.