As cybersecurity regulatory frameworks mature, the move has been toward risk-adjusted security requirements rather than prescriptive controls mandated by a legislature or administrative agency. This makes sense, of course, for two primary reasons.
Cybersecurity legislation and regulation is, by definition, reactive. Legislatures and regulators are ill-equipped to anticipate emerging security threats or to dictate how organizations should make themselves more secure. Hence the provision under the HIPAA Security Rule that Covered Entities “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [Covered Entity].” See 45 C.F.R. § 164.308(a)(1)(ii)(A). Similarly, the cybersecurity regulations promulgated by the New York State Department of Financial Services in 2017, 23 N.Y.C.R.R. Part 500, incorporate a periodic risk assessment requirement (23 N.Y.C.R.R. § 500.09) that became mandatory as of March 1, 2018. The risk assessment under Part 500 colors every other aspect of Part 500 compliance, allowing a Covered Entity under Part 500 to choose safeguards and controls appropriate to its specific risk profile rather than to a fixed checklist.
These risk assessments, however, can create risks of their own, specifically when they are read with hindsight after a breach. Case in point: the recent decision by a federal Department of Health and Human Services (“HHS”) Administrative Law Judge (“ALJ”) granting summary judgment to the HHS Office for Civil Rights (“OCR”) and upholding a $4,348,000 civil money penalty against The University of Texas MD Anderson Cancer Center (“Anderson Center” or “Center”) arising from 2012-13 data breaches involving the loss of devices holding patient records. At first blush, this OCR penalty may not seem surprising, given the ubiquity of health care data breaches and the increasing size of regulatory fines in response.
To put this fine into context, however, the Anderson Center breach involved records of only approximately 33,500 patients and arose from three separate incidents: the theft of an unencrypted laptop and the loss of two unencrypted USB thumb drives from Anderson Center employees and agents. Although serious issues in themselves, the loss of mobile endpoints and unencrypted storage media are, unfortunately, common causes of HIPAA data breaches. The exacerbating factor in relation to the Anderson Center penalty seems to be that, as early as 2006, the Center had identified the security risk posed by unencrypted data on portable devices in its own HIPAA risk assessment. The Center continued to identify this risk in subsequent years and, while it began moving toward encryption of these devices, it did so in a slow, stop-and-start fashion, to the degree that in 2013 the Center’s institutional compliance officer still identified the failure to encrypt devices as a “high risk area.” It should be noted that encryption of electronic protected health information (“ePHI”) is only an “addressable” implementation specification under the HIPAA Security Rule (meaning that a Covered Entity must implement it if reasonable and appropriate or, if it is not, document why and implement an equivalent alternative measure where reasonable and appropriate; see 45 C.F.R. § 164.306(d)(3)). “Addressable” does not mean optional, and the Center’s own risk assessment is what made encryption reasonable and appropriate in its case. The fact that the Center had repeatedly identified the lack of encryption as a material and ongoing security risk, and had failed to address that risk for years, created fertile ground for the multi-million dollar penalty upheld by the ALJ.
The lesson learned here is twofold: (i) there is risk in a Covered Entity’s risk assessment (regardless of whether it is conducted under HIPAA, Part 500, or any other applicable regulatory framework) in that it identifies issues and then places the onus on the Covered Entity to address those issues effectively; and (ii) if a Covered Entity identifies a material risk in its risk assessment, it should remediate that risk in a timely manner, and document the remediation. The risk in the risk assessment comes specifically from the judgment calls made when identifying and ranking which risks to address before the organization’s next risk assessment. Conducting a risk assessment under the attorney-client privilege allows an organization to have full and frank discussions when ranking risk, and helps protect those communications from disclosure in a post-breach administrative investigation or litigation. Privilege, however, protects the communications, not the underlying facts: an unencrypted laptop is still unencrypted, and the obligation to remediate an identified risk remains.
Ultimately, however an organization comes to rank its risks, whether protected by the attorney-client privilege or otherwise, once it identifies material risks in a risk assessment it has created a roadmap for future regulatory action post breach. It must be remembered in this regard that hindsight post breach is both negative and 20/20. If a material risk is left unaddressed before the next risk assessment is done, or is left unaddressed over the course of several risk assessments, an administrative agency will almost certainly find fault in the Covered Entity’s security controls, as OCR did in relation to the Anderson Center. Hence, a risk assessment should be neither perfunctory nor undertaken in a vacuum. Past risk assessments, the status of the remediation they called for, and changes in the organization’s risk profile should all inform the decisions made in a current risk assessment. Regulatory risk and the potential for post-breach scrutiny should also be taken into account, as the Anderson Center ALJ decision shows.