Privacy and Security Law

According to a report by West Monroe Partners, approximately 40% of companies engaged in corporate transactions reported finding a cybersecurity issue during post-acquisition integration of the target company.  While companies routinely conduct robust transactional due diligence to manage legal risk, many fail to adequately conduct cybersecurity due diligence. As a consequence, many companies and investors are leaving themselves vulnerable to potentially severe latent cyber risks.

Cybersecurity is especially relevant in healthcare transactions as the industry continues to be riddled with cyber-attacks.  Protenus Breach Barometer reports that healthcare has been the most targeted industry over the last few years, with 1.13 million, 3.15 million, and 4.4 million patient records compromised in the first three quarters of 2018, respectively, and more than half of breaches occurring due to hacking.  The cat is out of the bag.  Healthcare entities usually amass very lucrative personal data – social security numbers, demographic information, health insurance records, and prescription information – making them attractive targets for hackers.

Despite the high frequency of cyber-attacks in the industry, many healthcare entities spend only half as much to improve security protections when compared to other industries.  As a result, these companies remain vulnerable to cyber threats.  In the case of a breach, companies could face penalties from government agencies as well as class action lawsuits. Cyber risks may intensify during acquisitions, as the likelihood of a breach increases with the expansion of the overall cyber footprint.  Further, in a transaction, the target company’s vulnerabilities ultimately become an issue for the acquiring company.  Thus, if the target entity does not have adequate safeguards to protect patient records, then the acquiring company is at financial and reputational risk for those failings.

Given the potential risks, it is important that acquiring companies prioritize cybersecurity as an integral part of due diligence efforts.  An effective due diligence process should at a minimum evaluate cybersecurity preparedness and risks related to the following: 1) current state of risk assessment; 2) technical security features of business critical information systems and network architecture; 3) implementation of policies and procedures related to information security; 4) policies and procedures related to detecting, responding to, and recovering from cyber incidents; and 5) historical indicators of legal and regulatory compliance issues related to cybersecurity.


Alaap B. Shah


Eric W. Moran


Brian Hedgeman

As 2019 begins, companies should seriously consider the financial and reputational impacts of cyber incidents and invest in sufficient and appropriate cyber liability coverage. According to a recent published report, incidents of lost personal information (such as protected health information) are on the rise and are significantly costing companies. Although cyber liability insurance is not new, many companies lack sufficient coverage. RSM US LLP, NetDiligence 2018 Cyber Claims Study (2018).

According to the 2018 study, cyber claims are impacting companies of all sizes with revenues ranging from less than $50 million to more than $100 billion.  Further, the average total breach cost alone is $603.9K. This does not include crisis services cost (average $307K), the legal costs (defense = $106K; settlement = $224K; regulatory defense = $514K; regulatory fines = $18K), and the cost of business interruption (all costs = $2M; recovery expense = $957K).  In addition to these financial costs, reputational impact stemming from cyber incidents can materially set companies back for a long-period of time after the incident.

Companies can reduce risk associated with cyber incidents by developing and implementing privacy and security policies, educating and training employees, and building strong security infrastructures.  Nevertheless, there is no such thing as 100% security, and thus companies should consider leveraging cyber liability insurance to offset residual risks.  With that said, cyber liability coverages vary across issuers and can contain many carve outs and other complexities that can prevent or reduce coverage.  Therefore, stakeholders should review their cyber liability policies to ensure that they understand the terms and conditions of such policies. Key items to evaluate can include: coverage levels per claim and in the aggregate, retention amounts, notice requirements, exclusions, and whether liability arising from malicious third party conduct are sufficiently covered.

While cyber liability insurance will not practically reduce risk or a cyber incident, it is increasingly a critical component of a holistic risk mitigation strategy given the world we live in.


Alaap B. Shah


Daniel Kim

On December 14, 2018 the Department of Health and Human Services, Office for Civil Rights (“OCR”) formally issued a Request For Information (“RFI”) seeking public input on “ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based healthcare, while preserving the privacy and security of PHI.”  OCR is seeking comments for a series of 54 different specific questions (many with additional subparts) corresponding to the following five major topic areas:  (1) the promotion of information sharing for treatment and care coordination; (2) the promotion of parental and caregiver involvement in addressing the opioid crisis and serious mental illness; (3) additional ways to remove regulatory obstacles and burdens to facilitate care coordination and promote value-based health care; (4) an effective means to implement the accounting of disclosures requirement of the HITECH Act; and (5) Notice of Privacy Practices operational practices.

While some of the questions ask for factual information (such as the typical time it takes a covered entity to transfer PHI to another covered entity), many of the questions raise larger policy issues.  For example, the RFI includes a series of questions on whether it would make sense to have health care clearinghouses play a much more direct role in providing information to individuals, whether health care clearinghouses should be treated only as covered entities, and if so, could other covered entities impose contractual obligations on the health care clearinghouses to protect PHI without the use of a business associate agreement.  Similarly, the RFI includes multiple questions on whether the OCR could amend the Privacy Rule to allow for better coordination for patients suffering from a substance abuse disorder or serious mental illness, and how such changes might interact with current state privacy laws and 42 CFR Part 2 that would otherwise prohibit the sharing of such information.

From an operational perspective, the RFI requests comments on how to effectively implement the HITECH Act requirement to provide an accounting of all disclosures made through an electronic health record and whether requiring providers to make a good faith effort to obtain written acknowledgement from a patient that they have received a Notice of Privacy Practices places an unnecessary burden on providers, and perhaps inadvertently confuses patients.

OCR is requesting comments to the elucidated questions on or before February 12, 2019.

On November 1, 2018, the Office of the Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) published an audit report finding that the U.S. Food and Drug Administration’s (“FDA”) policies and procedures were “deficient for addressing medical device cybersecurity compromises.” (A copy of OIG’s complete report is available here and Report in Brief is available here.) Specifically, the OIG found that FDA’s policies and procedures were “insufficient for handling postmarket medical device cybersecurity events” and that FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices. Although the OIG report “did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event,” it noted that “existing policies and procedures did not include effective practices for responding to these events.”

Citing cybersecurity of medical devices as a top management challenge for HHS, OIG conducted an audit to evaluate FDA’s plans and processes for timely communicating and addressing cybersecurity compromises in the medical device postmarket phase. Based on OIG’s audit of certain FDA internal policies, procedures, and website, as well as interviews with FDA staff, OIG recommended that FDA take the following actions: (i) continually assess the cybersecurity risks to medical devices and update its plans and strategies; (ii) establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders; (iii) enter into a formal agreement with federal agency partners; and (iv) establish and maintain procedures for handling recalls of medical devices vulnerable to cybersecurity threats. Although the OIG acknowledged that FDA has recently implemented some of its initial recommendations, it emphasized that its findings and recommendations with regard to FDA’s cybersecurity policies and procedures remain valid.

On the same date OIG published its report, FDA’s Suzanne B. Schwartz, M.D., M.B.A., published a post on FDA Voices asserting that the OIG report is an incomplete and inaccurate picture of FDA’s oversight of medical device cybersecurity. The post addresses FDA’s ongoing efforts to improve medical device cybersecurity over the past five years, including entering into a memorandum of agreement between FDA and the Department of Homeland Security (“DHS”) and publishing a new premarket cybersecurity guidance update in October 2018, which we wrote about in a previous blog here. FDA’s post also highlights FDA’s other partnerships with industry that aim to increase awareness of cybersecurity vulnerabilities and related concerns.

FDA reiterated that its regulatory approach to cybersecurity threats “is not static,” and reconfirmed its commitment to “work with the medical device industry and other stakeholders to proactively address emerging cybersecurity threats to medical devices in a way that puts patient safety first.” FDA has announced that it will hold a public Workshop on January 29-30, 2019 to discuss the newly released draft guidance on cybersecurity in premarket submissions. Instructions for registration are available on FDA’s website here.

In response to the OIG’s report, FDA will likely continue to develop new cybersecurity policies, initiatives, and guidance. Stakeholders in the medical device industry should monitor these developments and be prepared to address any such changes in policy or regulation. Meanwhile, regulated industry should consider reviewing FDA’s current cybersecurity guidance documents and assess whether its internal controls, quality systems, policies, or procedures adequately address potential cybersecurity risks or threats or could be improved.

EBG will continue to monitor all developments in FDA’s regulation of and policies related to medical device cybersecurity.

On October 26, 2018, the Federal Trade Commission (FTC) announced that it will hold four days of hearings between December of 2018 and February of 2019 to examine the FTC’s authority to deter unfair and deceptive conduct in data security and privacy matters.[1] The two days of December hearings will focus on data security, while the two days of February hearings will focus on consumer privacy. This announcement comes as part of the agencies Hearings on Competition and Consumer Protection in the 21st Century, an initiative that has already scheduled hearings on closely related topics such as Big Data, Privacy, and Competition, and Algorithms, Artificial Intelligence (AI), and Predictive Analytics. The FTC will seek comments on the privacy and data security hearings through March 13, 2019.

These hearings serve as a signpost of a long-standing movement within the FTC to establish itself as the governing body over consumer data privacy and data security in the United States.[2] [3] This move however runs counter to the power that Congress has afforded it throughout the years. In particular, some of the most powerful enforcement tools for data breaches, such as the Computer Fraud and Abuse Act (CFAA) have been created outside of the FTC’s toolbox of enforcement. There are many reasons for this, including that acts like the CFAA include both criminal provisions and private causes of action, but it also speaks to a wider question of industry specific agency enforcement of data protection and privacy. As every industry and sector of American life becomes more digitally data-centric, the question of which government agency or agencies are best suited to ensure that sector-specific data is private and secure becomes more pressing.

As Congress considers following the European Union in increasing data privacy and security laws, it will have essential decisions to make regarding which agency is in charge of citizen data. Should this data be regulated by sector? Or should this data be regulated by a central agency? From the actions of the FTC, it is clear that the agency sees itself as a large part of the solution.

____

[1] https://www.ftc.gov/news-events/press-releases/2018/10/ftc-announces-sessions-consumer-privacy-data-security-part-its?mkt_tok=eyJpIjoiTlRWalpqZzFOV0ptWVRobCIsInQiOiJFSTc1UkdqZ0YyUWpKZG1WK3Z3K0RjbHNhd3ZQXC9SemtGelkzeVp6bGZyaXpwSGVaUUEzUU96bUtIRlpWdThuWmhsbGdhNmszb1U0TDhaelVCRExuXC9ieDd6Zk9VUTdvT3lKemJYZzJwdnBmTnozSUNHd3F0OGxTQzJJY1VaaTU3In0%3D

[2] 83 FR 38307

[3] https://www.law360.com/articles/495364/ftc-head-wants-more-power-to-penalize-for-data-breaches

Recent comments by the Federal Trade Commission (FTC) Commissioner Rohit Chopra should have companies on notice for increased enforcement actions across the board. During the “Privacy. Security. Risk.” Conference in Texas last week, Chopra made comments regarding his views on increasing enforcement, including the imposition of greater civil monetary penalties. “I’ve already raised concerns about settlements we do with no monetary penalties. I want to see monetary consequences for egregious breaking of the law” said Chopra as reported by the IAPP during a live podcast taping. Chopra also stated that he was troubled by current federal enforcement action in the United States, the answer to which appears in part to come with heftier fines.

While the FTC hopes to have a bigger bite, it appears that Congressional action, or lack thereof, is in many ways muzzling the agency. During a House Subcommittee hearing in July, FTC officials indicated that while they were aggressively pursuing action regarding data and privacy security, they also said that their hands were tied in regard to bringing more aggressive enforcement. As stated by Chairman Joe Simmons, “In my view, we need more authority. I support data security legislation that would give us three things: (1) the ability to seek civil penalties to effectively deter unlawful conduct, (2) jurisdiction over non-profits and common carriers, and (3) the authority to issue implementing rules under the Administrative Procedure Act. And we should consider additional privacy authority as well….” In part, Chairman Simmons may be referencing Congress’s failure to pass a comprehensive data protection law, particularly in the shadow of the European Union’s GDPR standards, which are continuing to impact American companies.

These comments come at a time where companies face ever increasing risk as the economy becomes more and more data-centric. Across the country, companies and their boards are faced with an ever more complex business decision on how to make cyber-security make business sense. On the one hand, investing in a robust cyber-security program, both in terms of designing a compliance strategy and investing in technology, is balanced with the risk and cost of a data breach. While the risks appear to be increasing, the cost of such a breach may also be increasing as well. In addition to a loss of revenue due to a drop in consumer confidence, Chairman Simmons and Commissioner Chopra’s comments should make companies aware that enforcement and increased civil monetary penalties may also be more of a threat towards business’s bottom lines.

On October 16, 2018 the Department of Health and Human Services Office for Civil Rights (“OCR”) and the Office of the National Coordinator for Health Information Technology (“ONC”) announced an update to their previously provided Security Risk Assessment Tool.  According to ONC and OCR, the “tool is designed to help healthcare providers conduct a security risk assessment” as required under the HIPAA Security Rule.  ONC states that the updated tool includes additional features such as:

  • Enhanced user interface
  • Modular workflow
  • Custom assessment logic
  • Progress tracker
  • Threats & vulnerabilities rating
  • Detailed reports
  • Business associate and asset tracking
  • Overall improvement of the user experience

As with prior tools, the ONC/OCR tool includes a broad disclaimer noting that use of the tool “does not guarantee compliance with federal, state or local laws”.  Indeed, ONC and OCR encourage providers to “seek expert advice when evaluating the use of the tool.”

Ultimately, while the tool may provide a useful resource for small physician groups, larger organizations are more likely to need what is rapidly becoming the industry standard of having a security risk assessment/risk analysis performed by an outside third party, and ensuring additional assessments (such as penetration testing of the systems) are a part of that full risk assessment for the organization.

***

If your organization has any questions or needs assistance with a privacy and security related issue, please reach out to members of our Privacy and Security Group: Patricia Wagner, Alaap Shah, Brian CesarattoAdam Forman, or Wenxi Li.

The FDA issued a new Draft Guidance today to ensure medical devices – an increasing potential target for hackers – are better protected from unauthorized digital access.

According to the FDA’s draft guidance issued today, “Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the US and globally. Such cyberattacks and exploits can delay diagnoses and/or treatment and may lead to patient harm.”

Under the proposed draft guidance manufacturers will be required to better protect their devices in a more uniform manner as prescribed by the FDA. The new pre-market submission proposals are designed to help guide the industry in designing these digital safety mechanisms from the beginning of product design and development.

The New Guidance covers Premarket Notification (510(k)) submissions (including Traditional, Special, and Abbreviated); De Novo requests; Premarket Approval Applications (PMAs); Product Development Protocols (PDPs) that contain software (including firmware) or programmable logic; as well as software that is a medical device.

While manufacturers are required under Quality System Regulations to establish and maintain procedures for validating the devices design including software validation and risk analysis, FDA is recommending validation include design controls to ensure medical device cybersecurity and maintain medical device safety and effectiveness. Including these design controls may make it easier for FDA to “find your device meets its applicable statutory standard for premarket review.”

The recommendations in the newly released Draft Guidance describe using a more risk-based approach to the design and development of appropriate cybersecurity protections. The FDA wants manufacturers to design programs to follow their devices throughout the device lifecycle, monitor new and potential threats, and issue cybersecurity updates to thwart new attempts at unauthorized digital access of the devices.

Because devices that connect to the internet or wirelessly to other devices pose a new and larger threat to cybersecurity, the FDA is requiring a Cybersecurity Bill of Materials be included in the manufacturers filing to identify key components and accessories that could render the device vulnerable to “hacking”. The FDA is creating a new Tier 1 level of standards for these devices to ensure greater security than Tier 2 devices (those that are not wirelessly or internet connected).

Design controls should include appropriate authorization such as ID’s, passwords, time limited sessions with auto logout, layered authorization (i.e. patient, healthcare professional, technician) should now be used in the design of these devices. Authentication and authorization of critical safety commands will be considered in new submissions. In addition, proper labeling to warn patients and providers of the cyber security risks involved in these devices is essential.

For an updated list of FDA recognized consensus standards the Agency recommends that you refer to the FDA Recognized Consensus Standards Database.

 

 

 

On June 28, 2018, California legislated into law A.B. 375, otherwise known as the California Consumer Privacy Act of 2018 (“California Privacy Act”).  Effective January 1, 2020, among other requirements, the law will expand privacy rights of California consumers as well as require businesses to disclose the what, why, and how consumers’ personal information are being used.  Failure to comply with these new laws could be costly to businesses with civil penalties resulting from an action by the state attorney general of up to $7,500 per violation.  In addition, in the event of a breach of personal information, the California Privacy Act provides consumers with statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.  Therefore, the California Privacy Act will have a significant impact on businesses, including the healthcare sector.

Business Types Affected.

Generally, the California Privacy Act will affect business entities that are for-profit business entities that collect consumers’ personal information and that meet one or more of the following criteria: (1) have annual gross revenues greater than twenty-five million dollars ($25,000,000); (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of its annual revenues from selling consumers’ personal information.  The law applies to businesses who collect, use, or share personal information of California residents, including those who are outside the state for temporary or transitory purposes (e.g., travelers).  California’s privacy law does not apply to protected health information regulated by California’s Confidentiality of Medical Information Act or by HIPAA’s privacy, security, and notification rules, but, it does apply to the other personal information held by an organization that meets the criteria above and doing business in California. 

Consumer Rights Expanded.

Additionally, the California Privacy Act will provide California residents more control over their personal information.  For example, consumers will have the right to know the type of personal information collected by the business, the purpose for which the information is being collected, and with whom the information is being shared with.  Also, consumers will have the “right to be forgotten” by requesting the deletion of their personal information from the businesses’ systems (with certain exceptions that may apply).  Under the new law, consumers will have the right to prohibit businesses from selling their personal information.  Furthermore, the California Privacy Act will also provide consumers protection from discriminatory action by businesses for exercising these privacy rights.  Overall, the expansion of consumers’ rights to their personal information are similar to the requirements set forth in the European Union’s General Data Protection Regulation (“GDPR”) policies.  Therefore, in this regard, the good news is that the work businesses have been doing to be GDPR compliant will most likely comport with the California Privacy Act.

Business Response Required.

Also, the California Privacy Act will mandate businesses, affected by the law, to comply with several requirements that will ensure consumers’ awareness of their privacy rights.  For example, the law will require businesses to make available at least two methods for consumers to make requests for information required to be disclosed (at a minimum a toll-free telephone number and, if applicable, a Web site address).  Businesses will be required to disclose and deliver the requested information, free of charge to the consumer within 45 days of the request (although businesses will not have to provide such information more than twice a year to a single consumer).  Furthermore, businesses will be required to ensure that all individuals handling consumer inquiries about the business’s privacy practices or the business’s compliance with the law understand all the requirements under the California Privacy Law.  Therefore, businesses will need to make sure that its online privacy policies and/or California-specific consumers’ privacy rights are updated to include these new rights.

* * *

As mentioned above, the California Privacy Act reaches businesses beyond the borders of the state.  According to the International Association of Privacy Professionals (“IAPP”), more than 500,000 U.S. businesses (most being small- to medium-sized enterprises) will be affected by the privacy law.  Because the California Privacy Act follows in the footsteps of the GDPR, the work businesses have done to be in compliance with the GDPR will most likely comport with California’s privacy law.  But those businesses who have not, should begin making changes to their policies and procedures to ensure they are in compliance by the end of 2019.

The National Institute of Standards and Technology (“NIST) has announced that it will be seeking industry input on developing “use cases” for its framework of cybersecurity standards related to patient imaging devices. NIST, a component of the Department of Commerce, is the agency assigned to the development and promulgation of policies, guidelines and regulations dealing with cybersecurity standards and best practices.  NIST claims that its cybersecurity program promotes innovation and competitiveness by advancing measurement science, standards, and related technology in ways that enhance economic security and quality of life. Its standards and best practices address interoperability, usability and privacy continues to be critical for the nation. NIST’s latest announcement is directed at eventually providing security guidance for the healthcare sector’s most common uses of data, inasmuch as that industry has increasingly come under attack.

The current announcement is reflective of the interest of NIST and the Food & Drug Administration (“FDA”), the primary regulatory agency for medical devices, within the so-called Internet of Things (“IoT”).  Thus, NIST, through its National Cybersecurity Center of Excellence, will accept proposals up to  June 8, 2018, for “products and technical expertise” relevant to the creation of guidelines for securing data used by Picture Archiving and Communication Systems (“PACS”). NIST will attempt to harmonize the requirements for patient imaging devices with NIST’s overall cybersecurity framework.

The proposed project will examine the specific uses and regulatory requirements for patient imaging devices, and how those varying considerations apply to the use of the NIST cybersecurity framework. As the NIST project summary notes PACS are regulated by the FDA as “class II” devices that provide one or more functions related to the “acceptance, transfer, display, storage, and digital processing of medical images.”  These devices, which can be found in virtually every hospital, are not only vulnerable to cyber-attack in and of themselves, but NIST sees them as a “pivot point into an integrated healthcare information system.”

The current imaging device project follows last year’s release of draft guidelines for wireless infusion pumps, and evidences the government’s continuing concern, not only with the security of the IoT, but with specific reference to the vulnerable health care sector.

Epstein Becker Green routinely deals with questions related to medical device regulation and cybersecurity. For further information, you can contact Stuart Gerson, Adam Solander, Bradley Merrill Thompson or James Boiani.