Report on Patient Privacy 21, no. 11 (November, 2021)
Attorney Brad Hammer doesn’t always don a suit and tie, or what he calls his “lawyer’s uniform.” A privacy and security expert and founder of the Vakaris Group based in the Minneapolis area, Hammer found that dressing to match the folks he meets goes a long way toward eliciting the vital information he needs to help craft security policies or review ones already in place.
As he discussed during a wide-ranging talk at the recent Compliance & Ethics Institute, sponsored by the Society of Corporate Compliance and Ethics, co-publisher of RPP, security or information technology (IT) departments at HIPAA covered entities and business associates often have good policies and procedures in place—but there are limits.[1]
Security officials are “really good at writing policies about acceptable use and password requirements and any number of things related to security or protecting data,” Hammer said. But, adding he meant “no offense” to security officials, these individuals “are really, really bad…at communicating those policies. No one in the organization knows [the policies] exist.”
The answer, he said, is to “take the people who are good at communicating policies, the compliance people, [and have them] go talk to the information technology and security people.” The goal is to “share with everybody how awesome the policies are and help with the protection of the data,” he said.
Hammer prefaced his remarks by sharing a sobering July report by IBM and the Ponemon Institute,[2] which quantified the costs of data breaches from 2020. The cost of mitigating a health care breach was estimated at $9.23 million, slightly more than a general U.S. data breach but more than twice the cost ($4.24 million) of a breach globally, based on data from firms in 17 countries.
Hammer said the cost is important to know as it could help organizations fight for more funds to prevent and safeguard against these breaches; most, he said, likely need more resources and personnel.
Of the $4.24 million average cost of a global breach, lost business accounted for $1.59 million, or 38% of the total; “detection and escalation” accounted for $1.24 million, or 29%. Post-breach response was estimated at $1.14 million, or 27%, with notification costs estimated at $270,000, or 6% of the total.
Common Vectors Include Phishing
The report showed that even a relatively small breach of 500 records can be costly to manage—the range was $80,000 to $120,000. According to Hammer, the previous year’s report noted that the cost of a single breached record in the United States was $242, “so small data breaches do cost a lot of money”—and generally more than elsewhere in the world.
The new report also showed that organizations that employed both incident response teams and incident response planning faced lower breach costs—$3.25 million versus $5.71 million.
According to the report, “the most frequent initial attack vectors were (1) compromised credentials, 20% of breaches; (2) phishing, 17%; (3) cloud misconfiguration, 15%. Business email compromise was responsible for only 4% of breaches but had the highest average total cost at $5.01 million. The second costliest initial attack vector was phishing ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million), and compromised credentials ($4.37 million).”
As Hammer put it, “your employees and their access to your systems are, continually, the most critical vector in terms of the cause of the breach.” This means “getting policies in place” and providing training “is as important as any encryption, firewall” and other technical tools that an organization can implement.
As an aside, Hammer said he actually doesn’t like to use the word “hacker,” saying it “implies that you didn’t do anything wrong.” Maybe a breach could have been prevented, but in all cases, “there’s probably some lessons to be learned about either improving security or improving policies,” he said.
The new report also showed that the average cost of a “mega breach” affecting 50 to 65 million records was $401 million, at the top end, while a breach of 1 to 10 million records cost $52 million.
It is critical to be aware of lost revenue and customers, which result from “business disruption, revenue loss, system downtime, cost of lost customers [and] reputation harm,” said Hammer, who called the final item “really important.”
Ironically, the two areas where organizations spend the most time negotiating in their contracts—breach notification and post-breach response—“are going to be your smallest areas of costs,” said Hammer. These include call centers, providing credit services and reporting the breach to authorities.
Inventory, Map Your Data
As Hammer explained, to prevent and mitigate breaches, entities need to answer a number of basic questions:
- What data do you have?
- Where is the data coming from? Going to?
- Who has access to the data?
- When is the data collected and deleted?
- Why do you have the data?
- How are you protecting the data?
Organizations need to create a “data inventory” and map the data, Hammer said. The point is “figuring out these various component pieces,” he said.
Privacy compliance officials who are “not already in the information security space [should] start by having these conversations with your IT security teams,” as they may have “policies around some of this.”
Take Care to Seem Nonthreatening
Recalling when he was a “young attorney,” Hammer said a midsize client asked him to conduct a privacy evaluation, and he wore a suit to the meeting. Yet firm officials were dressed not in “business casual, they were just casual,” said Hammer. In fact, “most people were wearing jeans. And there I am sitting in a conference room asking really prying questions about privacy compliance, security standards, privacy standards, and people didn’t want to talk to me because I looked like I was interrogating them, like it was a deposition.”
What Hammer learned was to be “gentle in your approach; start casual conversations” to collect the information and data. The goal is to be able to “mitigate risks across the entire life cycle,” Hammer said, which extends from data collection to storage and use and ends with data destruction.
He added that the “risks and players will differ at different stages,” and that organizations will need to have data security as well as incident response plans.
Which Requirements Apply?
Key to developing strategies to mitigate risk is understanding the security requirements that apply to the organization. As Hammer explained, in addition to HIPAA rules, other requirements that may apply include:
- New York SHIELD Act.
- Payment Card Industry Data Security Standard.
- Federal Trade Commission.
- Gramm-Leach-Bliley Act.
- General Data Protection Regulation and other laws in foreign jurisdictions.
While being familiar—and compliant—with these rules and laws is essential, Hammer added that organizations often overlook their own contracts with other firms.
“In all likelihood, you have agreed to something from a security perspective in your contracts [that] is sometimes stricter than what you might be subject to under regulation,” Hammer said. “I faced this a lot with my start-ups and midsize clients where they will just sign agreements without actually reading them. Then we come to find out later on that [they’ve] been in breach of any number of security provisions.”
This noncompliance may also be revealed if the third party decides to conduct an audit and provides the organization with an “evaluation of all the points that [the organization] didn’t comply with,” Hammer said.
Consider What Is ‘Reasonable’
In terms of establishing security practices and goals, there are a number of “gold standards” the health care industry can look to, Hammer said, including those developed by the International Organization for Standardization[3] and the Cybersecurity Framework developed by the National Institute of Standards and Technology.[4]
Hammer also recommended that privacy and security officials review “The Duty of Data Security,” an article written by William McGeveran.[5] The article “reviews fourteen data security frameworks; seven of them were promulgated by formal legal institutions such as legislatures or regulatory agencies, and seven were derived from private ordering with little or no government involvement,” it explains. “Part II then synthesizes the shared features of the fourteen frameworks, distilling them to describe the features of the duty of data security consistent across different frameworks—and thus across different laws, industry practices, and enforcement mechanisms.”
“The big takeaway is be reasonable,” said Hammer. “The question is, what is reasonable?” This will be “based on the data and the industry you’re in. This is where you need to partner closely with your IT security teams, understand what they are hearing in the space, what their colleagues are doing.” Organizations that experience a breach “will be measured [by the response] when something happens in our similarly situated companies with similar datasets.”
Hammer stressed that “when you are looking at statutes, regulations [and] any kind of regulatory guidance, pay really close attention to when things are examples of steps you could take to be reasonable, or when they’re actual requirements.”
Picking up on his earlier comments, Hammer noted that there are a number of technology safeguards that organizations should employ, including:
• Up-to-date firewall protection.
• Encryption of sensitive systems.
• Active monitoring of computer systems.
• Authentication protocols.
• Locked facilities.
• Smart and compliant use of the cloud.
Cyber Insurance Policies Evolving
Hammer also recommended that entities review their cyber insurance policy.
“See what your limits are, and see what it actually covers,” Hammer said. The policies his clients hold tend to have caps of $1 million to $2 million, amounts that would not cover the breach costs reported by IBM and Ponemon. He added that underwriting for cyber insurance has become “stricter.”
“The other thing that I noticed is they’re dropping caps,” Hammer said. “I had a client who said, ‘My cyber insurance just sent us a note that they’re dropping us from a cap of $5 million to $3 million,’” Hammer recalled. “It’s because breaches are getting more expensive,” and insurance firms are seeking to reduce their liability.
He added that class-action lawsuits over breaches are tending to settle “somewhere around insurance caps,” so if insurance companies lower caps, they also lower their payout.
Cyber insurers may also deny payment, saying the breach was an “act of war, outside the policy,” Hammer said, adding that this has not happened to any of his clients. However, in 2019, Zurich Insurance Group was sued after refusing to honor insurance following a hack of a Spanish food firm; it is not clear how this was resolved.[6]
The cost of cyber insurance policies will increase as more services are added, Hammer said.
“The C-suite will often say, ‘Well, we have cyber insurance. And if it’s a breach from a third party, we have coverage in our contracts that they’re liable for that,’” Hammer said. But coverage is limited, he said.
“Cyber insurance isn’t going to cover lost reputation—customers walking out the door,” Hammer said. “Your contracts almost surely disclaim these types of damages. So you’re not going to be able to recover those from third parties. So 40% of your breach costs are going to be not recoverable and they are just going to go straight out of your pocket.”
Ensuring ‘Confidence’ After a Breach
Hammer discussed a recent breach involving a law firm that suffered a ransomware attack and “completely lost access to several systems, including their email system. So we stopped sending them email,” he said.
“There were any number of things that I thought could have gone better with that breach that I won’t get into. But one of the things that went really well was, after about a week, we got a report from a third party that assessed the systems [saying] their security system had worked well; as soon as their system sensed that ransomware had been placed, it locked itself down,” said Hammer. “They were able to show via these third-party reports that there was no exfiltration of data. And so while there was a ransomware attack and their systems are shut down, [they] were not in their breach scenario. There was not a significant theft of data, [but] there were costs associated with that incident.”
Still, said Hammer, “It’s a great story to say, ‘Hey, look, this happened, but our system worked exactly the way it should have. We’re back. It took us a couple of weeks to get fully back online, but now we are in a place that, you know, you can trust us.’”
Actions like this give the “customer confidence,” Hammer said, and stop “the reputational hit.”
Hammer and his clients whose contractors or vendors have experienced breaches have held “serious conversations about whether to keep using that particular vendor, depending on how that situation is handled. I had no hesitation telling them that they could go ahead and keep using that law firm,” for example.
But when circumstances warrant it, he also would advise dropping a vendor, said Hammer.
Hammer also addressed how to respond to a security incident or breach, which RPP will address in a subsequent issue.
1 Brad Hammer, “Data Breaches: Prevention and Management,” 20th Annual Compliance & Ethics Institute, September 21, 2021, https://bit.ly/3ELnIHU.
2 IBM, Cost of a Data Breach Report 2021, accessed November 8, 2021, https://www.ibm.com/security/data-breach.
3 “Standards,” International Organization for Standardization, accessed November 11, 2021, https://www.iso.org/home.html.
4 “Cybersecurity Framework,” National Institute of Standards and Technology, accessed November 8, 2021, https://www.nist.gov/cyberframework.
5 William McGeveran, “The Duty of Data Security,” Minnesota Law Review 103 (2019), 1135, https://scholarship.law.umn.edu/mlr/71.
6 Charlie Osborne, “NotPetya an ‘act of war,’ cyber insurance firm taken to task for refusing to pay out,” Zero Day, January 11, 2019, https://zd.net/3od9yZR.