Enterprise Security: The Emerging Standard of Care for Healthcare Information Security
by John R. Christiansen, Esq., Christiansen IT Law, Seattle, WA
As late as the middle 1990s information
security law was an irrelevant if not meaningless concept for almost
all healthcare lawyers. Outside of narrow niche
applications, particularly claims processing by the big health
insurers, computers were used by only a few pioneering healthcare
organizations, and the networking of computers into information
systems was an uncommon novelty. There were a few information
security laws dating from the 1970s, but these were principally
applicable to governmental agencies. Otherwise there was no
legislation or regulation applicable to computerized healthcare
information, nor was there any significant caselaw on point.
Ten years later every healthcare lawyer needs to have at least a
passing acquaintance with information security issues. All
healthcare organizations of any significant size rely heavily on
information systems, often for many different purposes, and
continuing public and private initiatives promote even greater use.
Not coincidentally, this same period saw the promulgation of
healthcare information security regulations under the Health
Insurance Portability and Accountability Act of 1996 (“HIPAA”),
applicable to every health plan and almost every healthcare
provider; and under the Gramm-Leach-Bliley Act, applicable to every
health insurance company. It also saw a series of cases brought by
the Federal Trade Commission (“FTC”) and state attorneys general,
enforcing information security obligations for consumer-oriented
websites, and the filing of the first
cases alleging common law claims for breach of healthcare
information security duties of care. Most recently, in response to
a spate of well-publicized security incidents involving the theft or
other loss of sensitive data about tens or hundreds of thousands of
individuals, a number of states have begun passing laws requiring
encryption of such data, or notification of affected individuals in
case of any breach.
Most of these laws overlap. All health insurers, for example, are
subject to regulations under both HIPAA and Gramm-Leach-Bliley; if
they have consumer websites, they must comply with FTC requirements;
and they are subject to whatever statutes, regulations and common
law obligations may apply in every state where they do business. And
the same analysis applies to healthcare providers, with the small
comfort that they are not subject to Gramm-Leach-Bliley.
Any compliance environment in which there are multiple
overlapping laws is confusing and carries a risk of inconsistent
mandates. The novelty of both the technologies and the laws in the
area of information security only aggravates this confusion and
risk. This poses difficulties not only for the lawyers who have to
help their clients figure out how to navigate these difficult
waters, but also for public policy. Healthcare, in particular, has
long been the focus of a variety of governmental and private
initiatives for the adoption of information systems to reduce
administrative costs and improve patient care and public health.
The source of both the confusion and the risk boils down to a
single legal question: What is the standard of care for healthcare
information security? Is it the same, or at least consistent, among
these overlapping laws? Is it possible to be in compliance with one,
but not the others? Worse, is it possible that steps taken in order
to comply with one law could cause the violation of another? In the
absence of a known standard or standards of care these questions are
difficult or impossible to answer.
Two major alternatives for determining information security
standards of care come to mind: Standards might be based on the
laws, or on the technologies. The former would involve traditional
intent-based analysis, and so has a logic that is particularly
appealing to lawyers. And it is true that each information security
law was developed in a different context and for different purposes
– HIPAA to mandate electronic claims transactions for healthcare
organizations; Gramm-Leach-Bliley to regulate consumer transactions
by financial institutions; security breach notification laws to
mitigate the consequences of identity theft; and so on.
Jurisprudentially, the differing intent behind each law might
support its own standard of care.
The second possibility is to develop different standards of care
for each of the different technologies in use, an approach that also
has a claim to logical validity. Back in the prehistory of
information security, up until the middle 1980s or so, computers
were (relatively) rare, enormous mainframe beasts with limited
connectivity and unfriendly programming. Now the same computing
power (and much more) is contained in devices that you can hold in
your hand, and the Internet and pervasive cheap connectivity make
every network in the world potentially available from your local
coffee shop, with interfaces so friendly that literally even
children can use them – though they usually don’t become hackers
until they’re teenagers. Clearly on some level the fact that the
technologies are so different means they must be treated
differently. But neither of these approaches solves the problem of
overlapping and confusing standards; in fact, both aggravate it.
Both technological differences and material legal differences need
to be considered in developing any standard of care, but neither one
solves the problems of confusion and potential inconsistencies.
The emerging answer is an enterprise security standard of care, which requires the
implementation of an enterprise security program under executive
oversight, using due diligence and appropriate professional
expertise to identify and manage information security risks. This
standard does not guarantee information security or require specific
policies, procedures or technical safeguards, but requires
reasonable and appropriate action to address reasonably foreseeable
information security risks. This standard is implied by (but not
explicitly articulated in) the HIPAA and Gramm-Leach-Bliley
regulations and FTC cases, and is consistent with existing legal
principles for corporate management.
As a set of risk management processes, an enterprise security
program can and should be designed to meet the requirements of the
various overlapping information security laws. With minimal exceptions,
these laws do not specify policies, procedures or technological
safeguards. Rather, information security laws generally require
organizations to assess and manage information security risks, to a
standard usually framed as “reasonable and appropriate,” or as
applicable to “reasonably foreseeable risks.” Compliance with laws
which incorporate this standard, such as HIPAA and
Gramm-Leach-Bliley, can therefore be integrated through an
enterprise security program. Compliance with those laws which do
impose specific requirements, such as security breach notification
statutes, can also readily be incorporated. And while caselaw is only
beginning to develop, an enterprise security standard appears
consistent with common law requirements for “reasonable prudence.”
Technological differences are accounted for under the enterprise
security standard by reliance on appropriate professional expertise
for advice and operational management. Information systems are
complex and constantly evolving, and the detailed understanding of
their functioning necessary to identify the various threats and
vulnerabilities which affect their security takes specialized
training and experience. Identification of
reasonably foreseeable information security risks is therefore
properly the domain of information security professionals, as is the
implementation and management of reasonable and appropriate
information system protections. But this expertise must be applied
under the informed governance and direction of the organization’s
accountable executives; information security policies and
professionals must serve, not drive, the enterprise security
program.
This principle may complicate compliance with the enterprise
security standard for some organizations. All too often healthcare
organizations delegate resolution of their information security
compliance and risk issues to information security professionals or
the information technology (“IT”) department. This may happen
because operational and financial executives and legal counsel don’t
understand — or aren’t comfortable with — information security
issues, or else perceive them as essentially matters of technical
implementation. Some information security professionals may be quite
willing to accept such delegation, not recognizing that it may be
inappropriate (or perhaps not really recognizing that it is
occurring at all, or even seeing it as a welcome enhancement of
their power and authority). Such a dysfunctional approach to
information security may expose organizations not only to avoidable
penalties and liabilities, but to unnecessary compliance burdens and
costs.
Information security risks can never be completely eliminated.
Some risks are inherent in an organization’s mission. Fraud, for
example, is an inherent risk for financial services, so there is
always a risk that fraud will be committed through misuse of
financial transactions systems. Likewise, medical errors are an
inherent risk for health care providers, so there is an unavoidable
risk an electronic medical records system (“EMR”) may be implicated
in medical errors causing patient harm. Other risks are unavoidable
functions of systems operations; safeguards which prevent
unauthorized individuals from having access to an EMR may also
interfere with authorized access, for example, which could be
disastrous if the EMR must be available for urgent diagnostic uses.
And sometimes the costs of eliminating or materially reducing risks
substantially outweigh the benefits of the elimination or reduction
– more lives may be saved and better care provided by upgrading an
EMR’s data content than by upgrading its access controls, and the
organization may not be able to afford to do both. The acceptance of
such risks is therefore crucial to their proper management.
Deciding whether or not a given level of information security
risk is acceptable depends less on an understanding of specific
security threats and vulnerabilities than on an understanding of
their implications for the organizational mission and operations.
Potential financial, operational and reputational harms and legal
penalties associated with security risks must be balanced against
potential harms associated with their prevention, and there is no a
priori formula for striking such a balance. Decisions like this are,
in the final analysis, the fiduciary responsibility of the officers
and board of the organization, and the role of both lawyers and
security professionals is to provide these officers and directors
with the information and professional advice they need to make
them.
Since information security risks cannot be eliminated, risk
management and compliance decisions will always be subject to
second-guessing in hindsight by regulators or counsel for parties
alleging harm caused by an information security failure. Under the
enterprise security standard of care, the fact that a failure
occurred is not proof of lack of compliance or negligence; instead,
the test is whether foreseeable risks were identified and reasonable
and appropriate safeguards implemented to manage them. Compliance
and reasonable prudence are therefore proven by evidence of
informed, appropriate risk assessment and management conducted
diligently and in good faith.
Operation of an enterprise security program therefore resembles
the processes used by organizational fiduciaries for compliance with
the corporate “business judgment rule,” and programs implemented to
minimize organizational and officer exposures to criminal penalties
under the Federal Sentencing Guidelines. Such a program requires
informed executive oversight and careful documentation. Advice from
qualified experts and legal counsel can help demonstrate due
diligence, and legal counsel can be helpful in developing the
strategy for properly documenting the process for use as defensive
evidence if needed.
Lawyers should play an active role at all levels of an enterprise
security program, from defining the scope of risk assessments and
determining the legal effects of policies and procedures under
assessment, through interpretation of the legal implications of
security assessment findings, to assisting in the development of
appropriate compliance and risk management strategies, policies and
procedures. Technology-dependent organizations should therefore
identify (or develop) and make use of attorneys who understand how
to work with information security concepts, documentation and
professionals, to help them appropriately manage their information
security compliance obligations, and manage their security-related
risks. Conversely, lawyers serving such organizations should develop
appropriate expertise, or identify and make use of appropriate
outside counsel when dealing with potentially important security
issues. Either way, this means involving legal counsel in
information security risk assessment and management processes and
procedures.