Cats, China, Innovation, and BYOD

Here’s a funny story out from the Verizon security team about a software developer who outsourced his own job to China, then pretended to continue work as normal.  He was able to surf reddit, shop on Ebay, and watch cat videos during the day until his unsanctioned sub-contracting was recently uncovered.

The organization made the discovery when a check of their VPN logs showed that the individual was simultaneously logged in to the VPN from China and sitting at his desk.  At first, this paradox was assumed to be the result of a successful attack by hackers in China.  A deeper analysis revealed the truth: their employee had hired an unknown individual in a foreign country to do the employee’s job while he surfed the Internet.

You probably don’t need to be a security expert to recognize that an unvetted programmer in China with access to internal servers will be considered a pretty major security problem in most circles.  Fortunately for the companies involved, there didn’t appear to be any maleficence or attempts at hacking from the Chinese programmer(s).  The primary moral of this story is clear: review your logs or you may miss gaping holes in your defenses.  But there is another way to look at this story that relates to innovation managed by employees and illustrates some of my biggest concerns with the BYOD craze.
 

Personal Risk Tolerance vs. Institutional Risk Tolerance

At its heart, this is a story about innovation and cutting costs.  Here is an employee who found an innovative way to complete his job over the Internet for much less than what he was being paid.  Not only that, he was employing this strategy with multiple organizations in the area and reportedly netting himself several hundred thousand dollars.  He was essentially running a one-man outsourcing business (except none of the employers using his service were aware of who was actually doing the work).  The story also points out that the quality of work was very high with no major issues or problems from the outsourced code, indicating he was running a quality operation in some respects.

The fact that the work was done just as well at a fraction of the cost raises an obvious question.  Why haven't any of these companies simply outsourced the work themselves?  One quick and obvious answer is an innovation deficit.  Most organizations lack the time or resources to stay abreast of all the emerging resources now available over the Internet.  New technologies, business models, and start-ups pop up every day, each offering new and innovative ways to use and develop software.  IT managers are often so overloaded trying to deliver today’s projects that they have little time to fully explore emerging technologies.  As a result, organizations that fail to foster innovation may miss opportunities to cut costs and improve efficiency every day.  In this case, an employee found an innovative approach to improve efficiency and chose to leverage that innovation for his own personal benefit.

Of course there is another valid and very important concern that may have prevented these companies from blazing the cost-cutting trail followed by their innovative outsourcing employee, and that is security risk.  Many organizations choose to limit the countries they do business with either out of general security concerns or specific regulatory or contractual obligations.  Law firms themselves may be required to impose restrictions on foreign nationals due to ITAR or other regulatory obligations.  It is necessary to strike a balance between the impulse to innovate and the desire for absolute security, and the individual employee may not always choose wisely for the entire organization.

While I don’t think that many lawyers or firm staff are likely to outsource their jobs to China, they may introduce similar risks through the use of consumer-grade services or unvetted software applications.  This behavior is not only likely, but actually encouraged due to the BYOD phenomenon of recent years.  Proponents point to the advantage that can result by allowing employees to use the latest cutting-edge technologies, usually paid for by the employees themselves.  Owning the mobile device used for work purposes gives a lawyer the unfettered ability to innovate by finding new tools and applications that will improve efficiency and billable hours (without needing help from the overloaded IT department).  But what happens if those applications are hosted in China or contain privacy policies which may conflict with a lawyer’s professional responsibilities?  The benefits of innovation from using these tools may come at the cost of significant risk to both themselves and the firm.  
 

The Need For Balance

It has traditionally been the responsibility of executive management to set the risk tolerance for an organization.  This is because the management of risk is highly strategic and can have a radical impact (positive or negative) on the core business of an organization and its ability to maintain operations.  As this outsourcing story evidences, when management of risk associated with innovation falls to individual employees, those individuals may introduce unacceptable levels of risks borne by the entire organization.

However, the traditional executive-driven risk management approach may itself be risky.  For years now law firms have been hearing of the need to “Innovate or Die.”  As Ron Friedman, Toby Brown, Ryan McClead, and numerous other legal commentators have discussed, the biggest risk facing a law firm could well be a lack of effective innovation.  Rigid change management procedures with extended approval processes for new technologies may inhibit the ability of lawyers to find new and interesting ways to service clients.  Law firms that are unable to leverage new technologies to reduce costs and improve efficiency may find themselves lagging in an increasingly competitive and innovative market.

The pressure to stay competitive may leave some firms feeling as if they have to choose between well-governed risk management and unfettered freedom for lawyers to innovate using whatever technologies they choose.  But this false dichotomy can lead to potentially catastrophic consequences along either path.  Instead, firms should seek sensible ways to harness the creativity and innovation of lawyers while maintaining awareness and involvement in the risk management decisions associated with emerging technologies.  

Like most things this is easier said than done and requires involvement from firm management, firm lawyers, and IT; three groups chronically short on time.  However, when the alternative is choosing between higher operational costs than competitors or accepting potentially catastrophic risks, firms may find that forming something like a Technology Innovation Committee may be worth the time investment.  

HIPAA Omnibus Rule Arrives

Xmas for Firm's Health Care Practice, Nightmare for Firm Management

The HIPAA Omnibus Rule will officially appear in the Federal Register on January 25, 2013, but the text of the rule was made available earlier today. These much-delayed modifications help answer a wide range of important questions, some of which have been looming for over two years.  Significantly, we now know compliance with the final rule will be required by September 23, 2013. Hence, the clock is ticking for business  associates...

Now that the rule has been released and the deadline for compliance has been set, health care attorneys will no doubt find themselves inundated with questions from clients. In fact, the final rule may represent a late Christmas present in the form of billable hours as clients grapple with the 563 pages of text released today. HHS was clearly pleased that the rule had arrived:

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez.   “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

While no one has yet had time to perform a thorough and complete review of the changes, we wanted to share our initial impressions.  The portions of most interest to law firm management (related to the compliance obligations of law firms as business associates) appear to be consistent with those in the proposed rule.  "After this final rule, business associates, by definition, are separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule for impermissible uses and disclosures pursuant to their business associate contracts."

HHS estimates that business associates will need to spend between $22.6 million - $113 million to comply with the Security Rule. The agency declined to exempt smaller organizations despite acknowledging such organizations "may not have engaged in the formal administrative safeguards such as having performed a risk analysis, established a risk management program, or designated a security official, and may not have written policies and procedures, conducted employee training, or documented compliance as the statute and these regulations would now require." Still, business associates have a strong incentive to comply as the rule "applies the same penalties to business associates that apply to covered entities," meaning each violation could cost as much as $50,000.

Also in line with expectations, HHS will have expanded regulatory authority to perform comprehensive compliance reviews of business associates and to apply  the HITECH Act's expanded penalties for violations. The final rule also facilitates greater use of monetary penalties. "The Secretary may move directly to a civil money penalty without exhausting informal resolution efforts at her discretion, particularly in cases involving willful neglect." Greater HIPAA enforcement seems likely for 2013.

We will follow up with additional commentary after we've had more time to review. Stay tuned!

New Year's Resolution: Cut Down On The Risk Cheeseburgers

“Risk Cheeseburger” is officially my favorite security term of 2012.  First used at the Security Zone 2012 conference in Cali, Columbia by Wendy Nather  (@451wendy), this bit of imagery does a great job of illustrating a few common problems with the perception of risk in law firms.  One common example of risk cheeseburgers in law firms involves the increasing use of mobile devices without the appropriate protections in place.

While I did not attend the conference to hear Wendy’s remarks first hand, based on the tweet above I would define “eating a risk cheeseburger” as engaging in risky behavior that brings immediate satisfaction but could ultimately lead to catastrophic consequences (like a heart attack).  In hindsight it becomes all too clear how very reckless it was to have indulged in such an unhealthy diet, but for some that realization simply comes too late.  

For example, firms might savor a satisfying risk cheeseburger when they choose not to bother with encrypting mobile devices that contain large amounts of sensitive data.  Admittedly, developing an encryption strategy is not always a trivial undertaking and has been made much more difficult with the BYOD trend.  It is all too tempting to forego protection and allow lawyers to enjoy immediate gratification by using their new smartphones right out of the box without expending time or resources to adequately protect those mobile devices (mmm...risk).  But what happens when an unprotected mobile device with a vast amount of client data is lost or stolen?  Suddenly the firm finds itself facing excruciating choices regarding if (and how) to notify clients that their most sensitive secrets may have been lost.

Protections like encryption are especially important when dealing with personally identifiable information protected by state breach notification laws or other regulations.  In these cases firms will have a legal obligation to notify clients that data was lost.  However, in most states the requirement to notify is waived when the lost or stolen data was encrypted.  Implementing such protections may avoid a figurative heart attack in the form of high breach response costs, averaging $5.5 million in 2011 according to a recent study.  (An unexpected $5.5 million loss may be enough to give some legal administrators a real heart attack).  

So why do firms choose to put themselves at such risk?  In most cases it is simply the result of a lack of awareness and sound risk management practices.  The current level of reliance on information technology grew incrementally over time and most of these risks snuck up on law firms.  Twenty years ago it would have been nearly impossible for a lone individual in China to steal every client file or for a single summer associate to be the source of a catastrophic data breach.  But the ubiquitous access provided by today’s technology has made these very dangerous risks a worrisome reality in many firms.

Organizations who fail to recognize these risks and experience a breach invariably recognize the error of their ways after the fact.  Just as very few individuals continue to eat cheeseburgers after a near-fatal heart attack, very few organizations continue to deploy unprotected mobile devices following a breach due to a lost mobile device.  Once the full magnitude of the negative impact is felt, management often looks back and wonders why they were eating all those risk cheeseburgers rather than shelling out for the relatively inexpensive (or even free) encryption software which would have prevented the problem entirely.  

Firms should not need to feel this type of pain first-hand in order to understand that encrypting mobile devices is a good idea.  Mobile device encryption is widely recognized as a best practice, and it has been well publicized that lost or stolen mobile devices represent a leading cause of data breaches across industries.  And yet despite these statistics and readily available protections, many law firms continue to consume the risk cheeseburger represented by unencrypted devices.  It is just so convenient and tempting, and no one believes a heart attack will happen to them until it actually strikes.

If you’ve managed to dodge heart failure so far, don’t let that lull your firm into a steady diet of high risk activities.  A risk cheeseburger every now and then may be warranted when innovating or experimenting with new technologies to meet today’s evolving client expectations.  But after adopting a technology, firms must ensure it has been adequately secured or risk a catastrophic data loss.  The modest investment required to implement best security practices will typically provide all of the benefits while minimizing the chances of an expensive breach.  

A few tips to help you avoid cardiac arrest:

• Start with education - Ensure that lawyers and staff know how to be safe and are aware of the risks of the technology they use.
• Evaluate your firm’s risks - Make sure you understand what a “heart attack” in your firm would look like. Identify the most catastrophic types of problems that might arise and make sure you have protections in place to prevent them. Mobile devices are a common source of risk, but definitely not the only one to be concerned about.
• Assign responsibility for security and the enforcement of policies - While it would be great if education alone would force lawyers to “eat healthy” on their own, the reality is some people require incentive and oversight. Don’t rely on the honor system to keep your client data safe. Verify that your high risk issues have been effectively addressed using available best practices.

As with physical health, a little prevention may well save a firm from a much more painful and expensive cure.

Law Firms and HIPAA Round 3: The Coming Storm of Regulatory Oversight

As we discussed in our previous post, the HITECH Act changed the game for Business Associates (BAs), including the many law firms acting in that capacity. BAs now have a legal obligation to comply with provisions of HIPAA and are subject to direct regulatory oversight. Lawyers acting as BAs face the added challenge of having to reconcile their obligations under the applicable Rules of Professional Conduct with potentially conflicting obligations under HIPAA/HITECH. We’ll talk more about that in an upcoming post. Today, we’ll be looking at trends in federal enforcement of HIPAA to understand what BAs will likely face when the Omnibus Rule emerges.

Overall, enforcement of the HIPAA Privacy Rule and Security Rule has intensified considerably over the last few years. As a result of the HITECH Act, the maximum civil monetary penalty for a single HIPAA violation rose from $100 to a much more serious $50,000. Monetary penalties and settlements for HIPAA violations now go directly to fund future enforcement efforts, which gives regulators an incentive for vigorous enforcement. The Office for Civil Rights (OCR) is sending clear signals that it intends to continue using monetary penalties to promote compliance, as exemplified by recent settlements-- each exceeds one million dollars.  There is every indication that law firms will be facing scrutiny from regulators with no tolerance for noncompliance.

A New Sheriff In Town

For many years, enforcement of the HIPAA Security Rule rested with the Centers for Medicare and Medicaid Services (CMS). CMS pursued a goal of voluntary compliance through a complaint-driven enforcement process. After conducting several studies, in 2008 the Department of Health and Human Services concluded that Security Rule enforcement efforts had been largely ineffective. The Secretary of Health and Human Services took action in 2009 by reassigning authority to administer and enforce the HIPAA Security Rule to the Office for Civil Rights within HHS. (As a result, OCR now has authority to administer and enforce both the Privacy Rule and the Security Rule.)

To further strengthen enforcement activities, in 2011 Secretary Sebelius announced the appointment  of veteran prosecutor and former DOJ attorney Leon Rodriguez as OCR’s new director.  Rodriguez has spoken candidly about his willingness to employ civil monetary penalties as a tool to drive compliance.  As he explained in an interview earlier this year, "I've learned as a prosecutor and then as a defense lawyer, enforcement promotes compliance."

Serious Enforcement Begins

Promoting compliance is certainly something Director Rodriguez seems determined to do:

The message that I would put out there is this really matters to me personally and really matters to the Secretary [of HHS].  So we're going to be serious both about our enforcement work and no less serious about making sure that we educate everybody out there, both covered entities and patients, about what the requirements are for health information privacy.

Back in June, Director Rodriguez spoke publicly about his plans to use his enforcement authority against business associates and explained that the tolerance for HIPAA violations is “much, much lower” than it has been in years past.  He reiterated that point when he spoke just last week at the Healthcare IT News/HIMSS Media Privacy & Security Forum. Addressing business associates during a Q&A session, he had the following advice about what to expect after OCR issues the Final Rule:

On most elements of the rules, once that 180 days is up, [business associates will be] subject to the rule in all the same ways that a current covered entity would be. My advice to business associates is to get in compliance now, because it's what you're suppose to be doing anyway for the benefit of your clients, and it's going to avoid a lot of problems down the line. That's probably the big thing that's going to be different once the rule actually comes on.

Some firms have already done as Director Rodriguez advises. We encourage other firms to take this opportunity to evaluate their compliance posture and develop plans to address any gaps. The alternative--remaining unaware--could be quite costly. (As you may recall from our last post, the HITECH Act established a tiered penalty scheme with greater penalties for higher levels of culpability. Violations made with willful neglect are subject to the highest penalty tier .) When asked why an organization wouldn't be better off remaining ignorant about its security problems, Rodiguez offered the following:

I think that's why I'm here…We're looking for that high level of sensitivity [to security issues]. . . Another one of the big audit findings was activity monitoring, and failure to conduct activity monitoring was a consistent issue. . . So we are looking at that issue, and that is an issue that could easily turn into an enforcement issue.

Achieving meaningful compliance with HIPAA will take time and planning--starting now makes sense.  

Our "Law Firms and HIPAA" series will continue in January with specifics on  Security Rule challenges for law firms, ethical issues for the attorney business associates, and more.

Happy Holidays from the crew at C&W!

Law Firms and HIPAA Round 2: HITECH Raises The Stakes

Eds Note: We use the phrase “covered law firm” as a shorthand to refer to law firms that receive protected health information from their healthcare industry clients and have agreed to meet HIPAA-related obligations through a business associate agreement.  We talked about those agreements in our last post. 

HITECH Act

The American Recovery and Reinvestment Act (ARRA) of 2009 signed into law by President Obama included the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The HITECH Act was designed to promote the widespread adoption and standardization of health information technology but also included provisions which radically altered the regulation of professionals serving the health care industry, including lawyers.

Prior to the HITECH Act, the federal government could not fine “covered law firms” for violations of the HIPAA requirements.  Covered entities would contractually obligate law firms to appropriately protect PHI in a business associate agreement, but the law firms themselves did not face regulatory fines for noncompliance.  This changed under the HITECH Act. Civil and criminal penalties now apply directly to business associates, like law firms, for applicable HIPAA violations.  The HITECH Act also increased the size of the penalties federal regulators could levy with up to $50,000 per individual violation and up to a total of 1.5 million dollars per year for violations of a single provision.

The requirements that business associates must meet to avoid those fines changed as well.  The HITECH Act imposed compliance obligations for covered law firms by applying provisions of the Security Rule and the Privacy Rule directly to business associates for the first time.  Prior to the HITECH Act, business associates agreements merely had to specify that law firms implement “reasonable and appropriate security.”  The Security Rule represents a much more comprehensive set of security standards with more detailed safeguards grouped into three categories: Administrative, Physical, and Technical.  Similarly, certain provisions of the HIPAA Privacy Rule now apply directly to law firms under HITECH.  We will cover the requirements laid out by the Privacy Rule and the Security Rule in future posts.  For now the point to keep in mind is that the requirements for covered law firms increased and became more prescriptive under the HITECH Act.

So if the HITECH Act was passed in 2009 and the relevant provisions took effect early in 2010, why is it important to discuss these changes now?  In short, back in 2010 HHS agreed not to enforce the security and privacy rules against business associates until the release of a final set of rules (the so called “HIPAA Final Rule” or “HIPAA Omnibus Rule”).  HHS believed that it would be a short wait for a final set of rules, but more than two years later the Final Rule has yet to be released.

While the Omnibus Rule remains under OMB review today, most commentators expect publication any time.  Once published, enforcement of these statutory changes will commence 180 days later.  At that point, law firms may well face the types of seven-figure fines recently handed down to a number of covered entities.  As we’ll discuss in our next post, HHS has become increasingly serious about enforcement and has clearly stated that business associates (and thus by implication law firms), should not wait for the Final Rule to meet their compliance obligations.

Adam Discusses Security Blindspots as ALPMA Guest Blogger

Earlier this week, Adam did a guest blog post for the Australasian Legal Practice Management Association entitled "Address Your Security Blindspots." He explains why law firms should understand their security exposure and manage it as a business problem. He also offers a few practical tips to help firms reduce risk. Check it out if you have a chance!

Law Firms and HIPAA Round One: Compliance via Contract

Before we dive into what exactly HIPAA requires of law firms today, we thought it might be helpful to describe what HIPAA required from prior to the HITECH Act and then explain how things have evolved.  Some may remember that HIPAA compliance garnered a lot of attention from health care practices in 2009 with the with the passage of the HITECH Act.  While the HITECH Act did dramatically expand the reach of HIPAA’s Security Rule, the act was not the first attempt to apply some privacy and security requirements to third parties serving the health care industry.

“Business Associates” - Contractual Obligations for Security and Privacy

Few will be surprised to hear that law firms were not the intended regulatory target of the original 1996 HIPAA legislation.  At that time, HIPAA dealt solely with health care organizations now referred to as “covered entities” (CEs).  Covered entities consist of health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically.  (Whether an entity is subject to HIPAA can be a complex issue.  For a more detailed explanation of the types of covered entities, please see the Health and Human Services website.)

In 1999, the federal agency responsible for issuing HIPAA regulations--the US Department of Health and Human Services (HHS)--recognized that CEs outsource a variety of operational functions to third parties (like law firms) and may need to disclose protected health information (PHI) to those third parties. While such outsourcing is perfectly legitimate, when HHS issued the Final Privacy Rule in 2000, it took steps to ensure that third parties providing services to CEs would be obligated to protect PHI.

Under that rule, CEs must enter into a “Business Associate Agreement” (BAA) with third parties who need access to PHI.  A BAA establishes a contractual obligation on the part of the business associate to to protect PHI disclosed by the CE.  The rendering of legal services is an activity requiring a BAA, so whenever a CE-client discloses PHI to a law firm (e.g., to defend a health plan client), the CE-client must first execute a BAA with the firm.  Given that HHS began enforcing this requirement against all CEs by 2004, it is very likely that firms with a health care practice have entered into a BAA at some point or other.  As a result, even though law firms were not the target of HIPAA requirements as a covered entity, law firms must contractually agree to protect PHI before a covered entity client can release such information to the firm.

Non-Regulatory Exposure Is Still Exposure

While signing a BAA before the HITECH Act did not directly expose firms to regulatory enforcement, firms were liable to their CEs if they breached  provisions of their BAAs.  A firm with a health care practice that failed to protect PHI in a reasonable manner would likely experience difficulty attracting new health care clients.

However, as we’ll see in our next post the landscape changed dramatically with the HITECH Act, and firms under BAAs must now agree to comply with the entire Security Rule.  We are entering a new era of HIPAA enforcement where law firms will find themselves in the crosshairs of regulators.