[00:00:00] Marianne McGee: Hi, I'm Marianne Kolbasuk McGee with Information Security Media Group. So far this year, health data breaches have affected more than 40 million individuals in the U.S. Nearly twice a day, hospitals, doctor offices and a cast of business associates fall victim to hacking, theft, loss or misuse of patient data. The Department of Health and Human Services Office for Civil Rights is responsible for policing HIPAA breaches, levying fines and prescribing corrective actions. In the past, HHS has levied fines of up to $16 million for a 2015 breach at health insurer Anthem that affected nearly 79 million patients. But much of that appears to have changed since January 14, 2021, with a federal appeals court ruling that struck down the agency's approach to levying fines. In a breach case against the University of Texas MD Anderson Cancer Center, the court found that a $4.3 million fine by HHS was arbitrary and capricious, in part because other providers had committed the same mistake, losing a laptop with personal health information, without facing any penalty. Since a $5.1 million fine levied the very next day against Lifetime Healthcare, the agency has brought only one breach settlement case in the last 22 months. That was a $937,000 fine against Oklahoma State University. This is happening at a time when the number of breach cases has nearly doubled. Observers say that the MD Anderson case is just one of many challenges facing HHS Office for Civil Rights' ability to enforce HIPAA.

[00:01:44] David Holtzman: There probably is impact, but because of the opaque nature of OCR's enforcement program, I think it's hard to measure. I also think that we're seeing a policy shift at HHS. I don't think it's just MD Anderson. I think there are many, many issues at play here.

[00:02:06] Marianne McGee: In fact, since the MD Anderson ruling, HHS' average fines for breaches have fallen 93%, from an average of $14 million a year between 2018 and 2021 to $900,000 since early last year. We asked HHS about the sudden drop, but officials declined to discuss it.

[00:02:30] Nicholas Heesters: To answer what the single event may have indicated heuristics, but all I can really say is that OCR continues to enforce all the HIPAA rules, and we are certainly continuing to investigate breaches and investigate different complaints that people pose to OCR, and that continues to be our posture and how we are going to work things moving forward.

[00:02:56] Marianne McGee: Holtzman, a former senior adviser at HHS, says the agency is also dealing with years of growing workloads and staffing shortages.

[00:03:04] David Holtzman: I don't think we can discount the lack of resources that OCR has, and their portfolio has increased tremendously. Under the last administration, they added a new division for conscience and other related issues. OCR has not had an opportunity to add investigators. In fact, in order to live within its budget constraints, it has fewer investigators today than it did 10 years ago. And then, I also think it's important to recognize that in order to investigate breach cases, you really need some technical capability. Unlike the Federal Trade Commission, or the SEC or the Justice Department, OCR doesn't have access to technical laboratories or testing equipment. Everything is a book exercise with OCR.

[00:04:13] Marianne McGee: With the number of breach reports nearly doubling since 2018, impacting 182 million patients, some question whether the threat of fines is having any effect on cybersecurity in healthcare.

[00:04:25] Greg Garcia: It's hard to prove the negative, that OCR enforcement has resulted in fewer cyberattacks. But we certainly do support a combination of carrots and sticks. There remain a number of health providers who simply have not done the right thing, have not invested. Some would say negligent, but there are many, many more who are doing the right thing, yet they still get hacked, and then it becomes a process of punishing the victim. With that in mind, we've had a number of consultations with HHS about how do we better incentivize the healthcare industry to make those appropriate investments that maybe will move the needle toward a higher level of preparedness.

[00:05:13] Marianne McGee: HHS must balance two conflicting policies: ensuring that patients can easily access their healthcare information and protecting it from unauthorized disclosure.

[00:05:24] David Holtzman: They have to make sure that they are adopting appropriate technologies that allow consumers access to all of this health information, that they are providing the appropriate tools, but at the same time, they are not creating vulnerabilities. It really is a very tenuous time in the healthcare industry. And I think HHS is hearing that message from the healthcare industry that we really are at wit's end on how to satisfy both of these requirements.

[00:06:12] Marianne McGee: Typically, potential federal fines are only part of the damages that healthcare entities incur from breaches: lost revenue, IT remediation, state penalties and class action lawsuits can multiply total breach costs tenfold.

[00:06:26] David Holtzman: We have seen just a firestorm of class action lawsuits resulting from alleged incidents of breaches and alleging damage. So I think, to some extent, the OCR wants to stay away from cases in which the plaintiff's attorneys are pursuing their own remedies.

[00:06:56] Marianne McGee: Jeff Westerman, a Los Angeles attorney specializing in class action claims, argues that the problems with data privacy are much greater than HHS enforcement can address.

[00:07:07] Jeff Westerman: I don't know that a civil enforcement action would have much more impact than the private civil litigation that gets filed. It can be, and the regulators or the government can bring all kinds of resources to bear. But I think that from a motivational standpoint, if you're not going to seek - and I'm not even sure there is a basis for criminal enforcement - but without criminal enforcement, where individuals face criminal penalties, I'm not sure that there's going to be much individual incentive.

[00:07:45] Marianne McGee: The government and related healthcare groups are pushing for more incentives to encourage healthcare organizations to improve security and to follow industry best practices. In 2021, Congress directed HHS enforcement to consider an organization's adoption of recognized security practices, such as NIST standards, as a mitigating factor in the enforcement process.

[00:08:08] Nicholas Heesters: But these are strictly voluntary, though; there is no penalty for not doing these things. I think that's important to note, that there is not a penalty if an organization does not implement a defined recognized security practice. But we've got a lot of things that are related to the NIST Cybersecurity Framework, to the work of the HIPAA 405(d) group, health information industry cybersecurity practices. If they can come to the table and they can demonstrate to OCR that they have had recognized security practices implemented for the previous 12 months, then that's going to be considered as a mitigating factor.

[00:08:50] Marianne McGee: Greg Garcia, with the Healthcare Sector Coordinating Council, believes that monetary incentives can play a role in securing the industry.

[00:08:58] Greg Garcia: We're told that CMS - the Centers for Medicare & Medicaid Services - is considering whether they can use the reimbursement process as an incentive. Do the right thing in cybersecurity, your reimbursements are higher. If you can show that you are managing the security of medical devices in a more secure way, reimbursement can also be an incentive for that. We've talked about whether there can be grant programs from HHS, perhaps a matching grant to give smaller hospital systems a leg up in terms of investing in the ISAC membership, which is a very small amount to pay, or to invest in other managed security services. So, we think there is a lot that HHS can do.

[00:09:53] Marianne McGee: Garcia and others say a fundamental challenge facing the Department of Health and Human Services is the siloed nature of the federal agencies that regulate various aspects of cybersecurity in healthcare. Among them is the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security and is charged with protecting critical infrastructure.

[00:10:15] David Holtzman: I think what will be interesting to watch is to what extent the administration supports the separate activity in HHS for cybersecurity, or whether they're going to roll everything up into one agency - the CISA effort - and to treat healthcare as just another cybersecurity critical infrastructure for cybersecurity awareness and response.

[00:10:52] Greg Garcia: You have all of these operational divisions within HHS: you have OCR, you have the Office of the National Coordinator, which regulates health IT interoperability, you have CMS, you have FDA. So all of these offices touch cybersecurity in some way. But they don't necessarily do it in a coherent way, because they all have their own statutory authorities that they have to answer to. So it is incumbent upon the executive leadership, the political leadership of HHS, to find ways to coordinate holistically how HHS is going to address, at a policy level, at a programmatic level, at an operational level, how they're going to address this constantly evolving cybersecurity threat against the nation's healthcare system.

[00:11:52] Marianne McGee: Every time a new administration moves into the White House, the President appoints a new HHS secretary, who then appoints a new director of HIPAA enforcement. But except for Roger Severino, who served as HHS OCR director for all four years of the Trump administration, most don't stay for the full term. In fact, the agency has had five directors over the past decade. Lisa Pino, the Biden administration's first HHS OCR director, left the job after less than a year. In September, Melanie Fontes Rainer became the new director. She declined ISMG's requests for an interview.

[00:12:29] David Holtzman: I don't know the current director personally; I know her by reputation. She's a smart, very good leader who is well trusted by the Secretary. But just looking at her resume, she doesn't have too much background or experience in privacy or information security matters. And she needs to come up to speed, and every director does that. So to some extent, the managers and the staff are working to both learn, to both teach the director to whatever her comfort level is, and also to learn from the new director what her priorities are. And then we have the Secretary's and the administration's priorities.

[00:13:34] Marianne McGee: As the political and enforcement debate rages on, healthcare will continue to be a prime target for bad actors. No one's quite sure how and when things will improve. For ISMG, I'm Marianne Kolbasuk McGee. Thanks for watching.