Enterprise Security: The Emerging Standard of Care for Healthcare Information Security.
by John R. Christiansen, Esq., Christiansen IT Law, Seattle, WA
As late as the middle 1990s information security law was an
irrelevant if not meaningless concept for almost all healthcare
lawyers. Outside
of narrow niche applications, particularly claims processing
by the big health insurers, computers were used by only a few
pioneering healthcare organizations, and the networking of computers
into information systems was an uncommon novelty. There were
a few information security laws dating from the 1970s, but these
were principally applicable to governmental agencies. Otherwise
there was no legislation or regulation applicable to computerized
healthcare information, nor was there any significant caselaw
on point.
Ten years later every healthcare lawyer needs to have at least
a passing acquaintance with information security issues. All
healthcare organizations of any significant size rely heavily
on information systems, often for many different purposes, and
continuing public and private initiatives promote even greater
use. Not coincidentally, this same period saw the promulgation
of healthcare information security regulations under the Health
Insurance Portability and Accountability Act of 1996 (“HIPAA”),
applicable to every health plan and almost every healthcare provider;
and under the Gramm-Leach-Bliley Act, applicable to every health
insurance company. It also saw a series of cases brought by the
Federal Trade Commission (“FTC”) and state attorneys
general, enforcing information security obligations for consumer-oriented
websites, and the filing
of the first cases alleging common law claims for breach of healthcare
information security duties of care. Most
recently, in response to a spate of well-publicized security
incidents involving the theft or other loss of sensitive data
about tens or hundreds of thousands of individuals, a number
of states have begun passing laws requiring encryption of such
data, or notification of affected individuals in case of any
breach.
Most of these laws overlap. All health insurers, for example,
are subject to regulations under both HIPAA and Gramm-Leach-Bliley;
if they have consumer websites, they must comply with FTC requirements;
and they are subject to whatever statutes, regulations and common
law obligations may apply in every state where they do business.
And the same analysis applies to healthcare providers, with the
small comfort that they are not subject to Gramm-Leach-Bliley.
Any compliance environment in which there are multiple overlapping
laws is confusing and carries a risk of inconsistent mandates.
The novelty of both the technologies and the laws in the area
of information security only aggravates this confusion and risk.
This poses difficulties not only for the lawyers who have to
help their clients figure out how to navigate these difficult
waters, but also for public policy. Healthcare, in particular,
has long been the focus of a variety of governmental and private
initiatives for the adoption of information systems to reduce
administrative costs and improve patient care and public health.
The source of both the confusion and the risk boils down to
a single legal question: What is the standard of care for healthcare
information security? Is it the same, or at least consistent,
among these overlapping laws? Is it possible to be in compliance
with one, but not the others? Worse, is it possible that steps
taken in order to comply with one law could cause the violation
of another? In the absence of a known standard or standards of
care these questions are difficult or impossible to answer.
Two major alternatives for determining information security
standards of care come to mind: Standards might be based on the
laws, or on the technologies. The former would involve traditional
intent-based analysis, and so has a logic that is particularly
appealing to lawyers. And it is true that each information security
law was developed in a different context and for different purposes – HIPAA
to mandate electronic claims transactions for healthcare organizations;
Gramm-Leach-Bliley to regulate consumer transactions by financial
institutions; security breach notification laws to mitigate the
consequences of identity theft; and so on. Jurisprudentially,
the differing intent behind each law might support its own standard
of care.
The second possibility is to develop different standards of
care for each of the different technologies in use, an approach
that also has a claim to logical validity. Back in the prehistory
of information security, up until the middle 1980s or so, computers
were (relatively) rare, enormous mainframe beasts with limited
connectivity and unfriendly programming. Now the same computing
power (and much more) is contained in devices that you can hold
in your hand, and the Internet and pervasive cheap connectivity
make every network in the world potentially available from your
local coffee shop, with interfaces so friendly that literally
even children can use them – though they usually don’t
become hackers until they’re teenagers. Clearly on some
level the fact that the technologies are so different means they
must be treated differently. But neither of these approaches
solves the problem of overlapping and confusing standards; in
fact, both aggravate it. Both technological differences and material
legal differences need to be considered in developing any standard
of care, but neither one solves the problems of confusion and
potential inconsistencies.
The emerging answer is an enterprise security standard of care, which
requires the implementation of an enterprise security program
under executive oversight, using due diligence and appropriate
professional expertise to identify and manage information security
risks. This standard does not guarantee information security
or require specific policies, procedures or technical safeguards,
but requires reasonable and appropriate action to address reasonably
foreseeable information security risks. This standard is implied
by (but not explicitly articulated in) the HIPAA and Gramm-Leach-Bliley
regulations and FTC cases, and is consistent with existing legal
principles for corporate management.
As a set of risk management processes, an enterprise security
program can and should be designed to meet the requirements of
the various overlapping information security laws. With
minimal exceptions, these laws do not specify policies, procedures
or technological safeguards. Rather, information security laws
generally require organizations to assess and manage information
security risks, to a standard usually framed as “reasonable
and appropriate,” or as applicable to “reasonably
foreseeable risks.” Compliance with laws which incorporate
this standard, such as HIPAA and Gramm-Leach-Bliley, can therefore
be integrated through an enterprise security program. Compliance
with those laws which do impose specific requirements, such as
security breach notification statutes, can also readily be incorporated. And while caselaw is only beginning to develop, an enterprise
security standard appears consistent with common law requirements
for “reasonable
prudence.”
Technological differences are accounted for under the enterprise
security standard by reliance on appropriate professional expertise
for advice and operational management. Information systems are
complex and constantly evolving, and the detailed understanding
of their functioning necessary to identify the various threats
and vulnerabilities which affect their security takes specialized
training and experience. Identification
of reasonably foreseeable information security risks is therefore
properly the domain of information security professionals, as
is the implementation and management of reasonable and appropriate
information system protections. But this expertise must be applied
under the informed governance and direction of the organization’s
accountable executives; information security policies and professionals
must serve, not drive the enterprise security program.
This principle may complicate compliance with the enterprise
security standard for some organizations. All too often healthcare
organizations delegate resolution of their information security
compliance and risk issues to information security professionals
or the information technology (“IT”) department.
This may happen because operational and financial executives
and legal counsel don’t understand — or aren’t comfortable
with — information security issues, or else perceive them as
essentially matters of technical implementation. Some information
security professionals may be quite willing to accept such delegation,
not recognizing that it may be inappropriate, not noticing that
it is occurring at all, or perhaps even welcoming it as an enhancement
of their own power and authority. Such
a dysfunctional approach to information security may expose organizations
not only to avoidable penalties and liabilities, but to unnecessary
compliance burdens and costs.
Information security risks can never be completely eliminated.
Some risks are inherent in an organization’s mission. Fraud,
for example, is an inherent risk for financial services, so there
is always a risk that fraud will be committed through misuse
of financial transactions systems. Likewise, medical errors are
an inherent risk for health care providers, so there is an unavoidable
risk an electronic medical records system (“EMR”)
may be implicated in medical errors causing patient harm. Other
risks are unavoidable functions of systems operations; safeguards
which prevent unauthorized individuals from having access to
an EMR may also interfere with authorized access, for example,
which could be disastrous if the EMR must be available for urgent
diagnostic uses. And sometimes the costs of eliminating or materially
reducing risks substantially outweigh the benefits of the elimination
or reduction – more lives may be saved and better care
provided by upgrading an EMR’s data content than by upgrading
its access controls, and the organization may not be able to
afford to do both. The acceptance of such risks is therefore
crucial to their proper management.
Deciding whether or not a given level of information security
risk is acceptable depends less on an understanding of specific
security threats and vulnerabilities, than on an understanding
of their implications for the organizational mission and operations.
Potential financial, operational and reputational harms and legal
penalties associated with security risks must be balanced against
potential harms associated with their prevention, and there is
no a priori formula for striking such a balance. Decisions like
this are, in the final analysis, the fiduciary responsibility
of the officers and board of the organization, and the role of
both lawyers and security professionals is to provide these officers
and directors with the information and professional advice they
need to make them.
Since information security risks cannot be eliminated, risk
management and compliance decisions will always be subject to
second-guessing in hindsight by regulators or counsel for parties
alleging harm caused by an information security failure. Under the
enterprise security standard of care, the fact that a failure
occurred is not proof of lack of compliance or negligence; instead,
the test is whether foreseeable risks were identified and reasonable
and appropriate safeguards implemented to manage them. Compliance
and reasonable prudence are therefore proven by evidence of informed,
appropriate risk assessment and management conducted diligently
and in good faith.
Operation of an enterprise security program therefore resembles
the processes used by organizational fiduciaries for compliance
with the corporate “business judgment rule,” and
programs implemented to minimize organizational and officer exposures
to criminal penalties under the Federal Sentencing Guidelines. Such
a program requires informed executive oversight and careful documentation.
Advice from qualified experts and legal counsel can help demonstrate
due diligence, and legal counsel can be helpful in developing
the strategy for properly documenting the process for use as
defensive evidence if needed.
Lawyers should play an active role at all levels of an enterprise
security program, from defining the scope of risk assessments
and determining the legal effects of policies and procedures
under assessment, through interpretation of the legal implications
of security assessment findings, to assisting in the development
of appropriate compliance and risk management strategies, policies
and procedures. Technology-dependent organizations should therefore
identify (or develop) and make use of attorneys who understand
how to work with information security concepts, documentation
and professionals, to help them appropriately manage their information
security compliance obligations, and manage their security-related
risks. Conversely, lawyers serving such organizations should
develop appropriate expertise, or identify and make use of appropriate
outside counsel when dealing with potentially important security
issues. Either way, this means involving legal counsel in information
security risk assessment and management processes and procedures.