HHS's Data Security Problem: Lessons for the Private Sector
Last week, the House of Representatives Committee on Energy and Commerce (the “Committee”) cataloged a series of potentially-serious data security failures at the Department of Health and Human Services (“HHS”). The Committee’s report reveals, among other things, that HHS division systems have been hacked five times in the past three years, and traces the root of the problem to HHS’s treatment of data security as subordinate to operational priorities. This resulted in cybersecurity corners being cut to meet operational goals, paving the way for a series potentially damaging data breaches. Private industry – particularly in the healthcare field, where the privacy stakes are at their highest and data is increasingly under attack by bad actors – would do well to consider these lessons as well.
The report takes a cue from a growing private-sector trend of removing data security from the IT “silo” and placing it under the legal department. Following this trend, the report recommends that HHS and its divisions restructure so that Chief Information Security Officers (“CISOs”) report to their respective General Counsels – who oversee most other risk-management functions – rather than to their Chief Information Officers (“CIOs”), for whom operational concerns are a top priority.
Data Privacy an HHS Enforcement Priority as Health Data Increasingly Comes Under Attack
Cybersecurity professionals in the healthcare industry are likely to view the revelation of HHS’s information security woes with a measure of irony. Last year, Jerome B. Meites, counsel for HHS’s Office of Civil Rights (“OCR”), which is charged with enforcing health data privacy regulations, told an American Bar Association audience that the prior twelve months’ enforcement activities would “pale in comparison” to what was coming up. The remarks came on the heels of OCR’s announcement of a record-breaking $4.8 million monetary settlement with New York and Presbyterian Hospital and Columbia University; that settlement capped twelve months of enforcement activity that netted the agency more than $10 million in fines. Nevertheless, Mr. Meites said, “Knowing what’s in the pipeline, I suspect that that number will be low compared to what’s coming up.”
In the months since Mr. Meites’ comments, according to an HHS website which reports breaches of unsecured protected health information affecting 500 or more individuals (often referred to as the “Wall of Shame”), some 54 such hacking incidents have occurred. When the numbers of individuals affected by each hacking attack are tallied, the total comes to well over 100 million.
This alarming total does not include breaches at entities other than health plans, healthcare providers, healthcare clearing houses, or their business associates. As a result, certain other significant incidents – including the recent breach at the U.S. government’s own Office of Personnel Management (“OPM”), which affected more than 21 million Americans and involved at least some health data – are not included. Indeed, according to the recently-released results of a Healthcare Information and Management Systems Society (“HIMSS”) cybersecurity survey, more than two thirds of respondents reported dealing with a “significant [data] security incident” in the recent past.
Recent reports tied state-sponsored cyber-spies to some of the most significant health data hacks of recent months, including the OPM breach (21 million people), the Anthem, Inc. breach (79 million, including one of the authors of this eFlash), and the Premara Blue Cross breach (11 million). One theory is that private health data provides fodder for blackmail, making it valuable to foreign governments looking for cracks in the U.S. armor. Additionally, medical identity theft – in which cybercriminals steal medical identification information to sell to individuals seeking free healthcare or prescription medication – is a significant and growing problem.
House Committee’s Report on HHS Information Security Concerns
In this context of heightened enforcement and increased risk, it is worth examining the Committee’s recommendations with respect to HHS’s own data security issues, and considering their applicability in other contexts as well.
The report finds that the subordination of data security to “operational concerns” – things like adhering to schedules imposed by higher-ups, or “zero downtime” for certain applications – was a root cause of the variety of problems found at HHS and its divisions. At HHS, according to the report, “[w]hen IT security concerns and operational needs clash . . . operational needs are prioritized and security concerns downplayed, delayed, or ignored,” with the result that hackers were able to use unsophisticated attacks to compromise the agencies’ data. There is a valuable lesson here for the private sector as well: do not allow data security to serve as the default “safety valve” when the natural tensions between operations, cost, and security heat up. According to the HIMSS cybersecurity survey, respondents listed “lack of staffing and lack of financial resources” as the primary barriers to mitigating cybersecurity events, suggesting that a similar priority structure may obtain in the healthcare industry.
The report details certain specific instances of HHS or its divisions prioritizing operations over security, each of which may have applicability in the private sector.
- The Food and Drug Administration (“FDA”) denied data security auditors access to seven web applications, due to those applications’ “business criticality.” As a result, some of the agency’s most important applications escaped scrutiny. One of those applications was later the victim of a data breach; it was later revealed that all of them were vulnerable to the same unsophisticated and easily-avoided attack.
- The Centers for Medicare and Medicaid Services (“CMS”) launched the federal health insurance marketplace website before all of the security control assessments required by regulation were fully completed. Nine months later – although the Committee declined to attribute it to any particular factor – the system was compromised and hackers were able to install malware on the network.
- One of the breaches resulted from a missing “critical” software patch. This serves as a reminder to all entities that collect and store health data to be vigilant about remaining up to date with patches.
- Another breach stemmed in part from the use of default credentials, allowing an automated scan to guess the username and password needed to gain privileged access to the server. This is a reminder of the importance of changing default credentials.
- HHS and its divisions did not have control over, or visibility into, certain legacy systems and systems owned by contractors, making it impossible for the agencies to ensure that the data transmitted or housed by those systems was properly secured. Private-sector actors should consider, and ensure that they maintain, the proper level of control and authority vis-à-vis all systems for which they have responsibility.
The Report’s Recommendation: Make Information Security a Function of the Legal Department
Ultimately, the Committee report recommends a structural change at HHS and its divisions. Referring to “a growing trend in the private sector to restructure information security operations so that CISOs report to a senior executive other than the CIO,” the report recommends that HHS CISOs and their staffs should be relocated to the Office of the General Counsel. This change, according to the report, “removes information security from the IT ‘silo’ and . . . . specifically acknowledges the fact that information security has evolved into a risk-management activity, traditionally the purview of the legal team.”
The report explains:
The compromise of an information system is no longer a purely technological issue, but one of risk and liability…. It is no longer enough to address and mitigate the security vulnerability or vulnerabilities that facilitated a compromise; organizations must now cope with regulations regarding the exposure of protected information, litigation, and lost business from compromised IP or reputational damage. Since the management of an organization’s risk and liability is the responsibility of its legal team, it is logical to place the protection of the information systems on which an organization relies within the Office of the General or Chief Counsel.
Every organization is different; there is no one-size-fits-all model for data security. But any entity that collects and stores critical data – and particularly health data, given its value to bad actors and promises of robust federal enforcement – should consider involving its legal team in issues of cybersecurity before a breach occurs.
If you have questions about health care data privacy and cybersecurity, and related legal issues, please contact Post & Schell's Data Protection/Breach Practice Group, or the authors, Steven J. Fox at email@example.com, and Abraham J. Rein at firstname.lastname@example.org.
Disclaimer: this E-Flash does not offer specific legal advice, nor does it create an attorney-client relationship. You should not reach any legal conclusions based on the information contained in this E-Flash without first seeking the advice of counsel.
About Post & Schell's Data Protection/Breach Practice Group:
Compliance planning and training before the need arises is a must. Swift action after an incident is just as critical. Post & Schell, P.C.’s Data Protection/Breach Group brings experience and regulatory knowledge to advising and defending our clients in this hot button area. The depth and range of the Group’s experience in criminal, civil and administrative matters enable us to provide corporate clients and senior executives with seasoned risk assessment, insights into compliance plan preparation and high-level enforcement decision-making essential to pursuing an informed defense strategy, and sure-handed representation. Learn More >>
Disclaimer: This post does not offer specific legal advice, nor does it create an attorney-client relationship. You should not reach any legal conclusions based on the information contained in this post without first seeking the advice of counsel.