In late 2011, a hacker employing a phishing attack succeeded in breaching the email accounts of employees at Metro Community Provider Network (MCPN), a Federally Qualified Health Center (FQHC) with locations throughout the Denver metropolitan area. After finalizing a five-year investigation of the breach, and of MCPN’s compliance with federal data privacy and security rules, the Department of Health and Human Services’ Office of Civil Rights (HHS) announced last week in a widely reported upon press release that the hacker accessed and obtained the electronic protected health information (ePHI) of 3,200 of MCPN patients. HHS explained that the Resolution Agreement and three-year Corrective Action Plan to which MCPN agreed were designed to address the provider network’s failures to (1) “conduct an accurate and thorough assessment of the potential risks and vulnerabilities” of its data storage systems for ePHI, and (2) “implement security measures sufficient to reduce risks and vulnerabilities” associated with ePHI storage systems, and thereby mitigate the risk that patients’ ePHI would be exposed to unauthorized access and theft by cybercriminals.
In addition to the Resolution Agreement and three-year Corrective Action Plan, MCPN reached agreement with HHS on a $400,000 settlement to resolve any claims arising out of its potential violations of the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS noted in its press release that it took MCPN’s status as an FQHC that serves a predominately low-income patient population and its ability to “maintain sufficient financial standing to ensure the provision of ongoing patient care” into account when determining an appropriate settlement amount, implicitly suggesting that the settlement amount may have been higher for providers in a different financial position. In a statement to the media, the provider network noted that it was “pleased with the work that has been done and continues to assure that patient privacy is protected.”
Cybercriminals Increasingly Target Healthcare Providers
The MCPN breach is neither the largest nor the most high-profile example of hackers stealing ePHI. One breach disclosed to HHS last month resulted in the theft of over 690,000 patient records and prompted a class action investigation. Moreover, in the first three months of this year alone, healthcare firms have publicly reported over 100 breaches, encompassing illicit access to over 2,000,000 patient records. Hospitals and other healthcare facilities are particularly rich targets for hackers and other cybercriminals: a recent study found that only 28% of healthcare industry employees “demonstrated the privacy and security awareness to prevent incidents that could lead to the exposure of protected health information (PHI) and other forms of personal data.” And the costs from these data breaches are adding up: a 2016 study found that data breaches are costing the US healthcare industry $6.2 billion per year, with regulated firms spending an average of $2.2 million to address such attacks.
Although firms in the healthcare industry are already aware of the financial and reputational risks associated with ePHI breaches, they should also be cognizant of the regulatory scrutiny that routinely accompanies such episodes. The MCPN action is emblematic of a broader uptick in HHS’s enforcement of HIPAA’s ePHI protections: in 2017 alone, HHS’s Office of Civil Rights has already reached settlement agreements or imposed fines totaling $9.1 million for violations of rules related to the protection and handling of ePHI. The rules at issue in the MCPN investigation—45 C.F.R. Parts 160 and 164, commonly known as the HIPAA “Privacy” and “Security” Rules— are illustrative of regulated firms’ layered legal obligations to safeguard ePHI. The Security Rule directs covered entities to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations,” which must include a Risk Analysis and a Risk Management Plan. Although HHS does not condition compliance with the Security Rule on a firm’s implementation of “a specific risk analysis or risk management methodology,” it has articulated broad guiding principles.
Implications for Covered Entities
Before implementing an ePHI Risk Management Plan, covered entities must perform an initial ePHI Risk Analysis. Section 164.308(a)(1)(ii)(A) of the Security Rule provides the outline of what any Risk Analysis must entail: covered entities must “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity” to achieve compliance. HHS concluded that MCPN failed to perform any assessment of its ePHI risks and vulnerabilities, and required MCPN to conduct “a current, comprehensive, and thorough Risk Analysis” of “all of its current facilities and electronic equipment, data systems, and applications” as a condition of settlement. Moreover, the three-year Corrective Action Plan to which MCPN agreed requires it to review its Risk Analysis on an annual basis to determine whether any “environmental or operational changes affecting the security of ePHI” warrant changes to its Risk Management Plan, policies and procedures, or training regime.
After conducting a thorough Risk Analysis, covered entities must also develop a Risk Management Plan, which HHS guidance materials describe as “security measures to reduce risk to reasonable and appropriate levels to … ensure the confidentiality, availability and integrity of ePHI, protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, and protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted” under the Privacy Rule. HHS cited MCPN for its failure to implement any “risk management plan” pursuant to an ePHI Risk Analysis, and explained in its press release that “[w]hen MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.” MCPN, as a condition of its settlement with HHS, must (i) develop an “organization-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities identified in the Risk Analysis” and (ii) submit the Plan to HHS for its review and approval before implementation. Under the Corrective Action Plan, MCPN must document its compliance in annual reports during the term of the settlement agreement, and must also retain documents and records detailing its compliance for six years after the effective date of the agreement.
Companies in the healthcare industry that store and use ePHI are routinely targeted by cybercriminals, and each covered entity must develop strategies to address the financial, reputational, and regulatory risks associated with data breaches. As HHS’s investigation of MCPN indicates, regulators increasingly expect covered entities to identify and address such risks to ensure the safety and privacy of their patients’ health information. Providers that fail to meet those expectations can expect HHS and other regulators to impose stiff monetary penalties and burdensome compliance regimes when problems crop up. Firms seeking to avoid such scrutiny should ensure that their own risk practices are aligned to address the serious and evolving threat that hackers and cybercriminals present.