Enterprise Security: The Emerging Standard of Care for Healthcare Information Security.
by John R. Christiansen, Esq., Christiansen IT Law, Seattle, WA
As late as the middle 1990s information security law was an irrelevant if not meaningless concept for almost all healthcare lawyers. Outside of narrow niche applications, particularly claims processing by the big health insurers, computers were used by only a few pioneering healthcare organizations, and the networking of computers into information systems was an uncommon novelty. There were a few information security laws dating from the 1970s, but these were principally applicable to governmental agencies. Otherwise there were no legislation or regulations applicable to computerized healthcare information, nor was there any significant caselaw on point.
Ten years later every healthcare lawyer needs to have at least a passing acquaintance with information security issues. All healthcare organizations of any significant size rely heavily on information systems, often for many different purposes, and continuing public and private initiatives promote even greater use. Not coincidentally, this same period saw the promulgation of healthcare information security regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), applicable to every health plan and almost every healthcare provider; and under the Gramm-Leach-Bliley Act, applicable to every health insurance company. It also saw a series of cases brought by the Federal Trade Commission (“FTC”) and state attorneys general, enforcing information security obligations for consumer-oriented websites, and the filing of the first cases alleging common law claims for breach of healthcare information security duties of care. Most recently, in response to a spate of well-publicized security incidents involving the theft or other loss of sensitive data about tens or hundreds of thousands of individuals, a number of states have begun passing laws requiring encryption of such data, or notification of affected individuals in case of any breach.
Most of these laws overlap. All health insurers, for example, are subject to regulations under both HIPAA and Gramm-Leach-Bliley; if they have consumer websites, they must comply with FTC requirements; and they are subject to whatever statutes, regulations and common law obligations may apply in every state where they do business. And the same analysis applies to healthcare providers, with the small comfort that they are not subject to Gramm-Leach-Bliley.
Any compliance environment in which there are multiple overlapping laws is confusing and carries a risk of inconsistent mandates. The novelty of both the technologies and the laws in the area of information security only aggravates this confusion and risk. This poses difficulties not only for the lawyers who have to help their clients figure out how to navigate these difficult waters, but also for public policy. Healthcare, in particular, has long been the focus of a variety of governmental and private initiatives for the adoption of information systems to reduce administrative costs and improve patient care and public health.
The source of both the confusion and the risk boils down to a single legal question: What is the standard of care for healthcare information security? Is it the same, or at least consistent, among these overlapping laws? Is it possible to be in compliance with one, but not the others? Worse, is it possible that steps taken in order to comply with one law could cause the violation of another? In the absence of a known standard or standards of care these questions are difficult or impossible to answer.
Two major alternatives for determining information security standards of care come to mind: Standards might be based on the laws, or on the technologies. The former would involve traditional intent-based analysis, and so has a logic that is particularly appealing to lawyers. And it is true that each information security law was developed in a different context and for different purposes – HIPAA to mandate electronic claims transactions for healthcare organizations; Gramm-Leach-Bliley to regulate consumer transactions by financial institutions; security breach notification laws to mitigate the consequences of identity theft; and so on. Jurisprudentially, the differing intent behind each law might support its own standard of care.
The second possibility is to develop different standards of care for each of the different technologies in use, an approach that also has a claim to logical validity. Back in the prehistory of information security, up until the middle 1980s or so, computers were (relatively) rare, enormous mainframe beasts with limited connectivity and unfriendly programming. Now the same computing power (and much more) is contained in devices that you can hold in your hand, and the Internet and pervasive cheap connectivity make every network in the world potentially available from your local coffee shop, with interfaces so friendly that literally even children can use them – though they usually don’t become hackers until they’re teenagers. Clearly on some level the fact that the technologies are so different means they must be treated differently. But neither of these approaches solves the problem of overlapping and confusing standards; in fact, both aggravate it. Both technological differences and material legal differences need to be considered in developing any standard of care, but neither one solves the problems of confusion and potential inconsistencies.
The emerging answer is an enterprise security standard of care, which requires the implementation of an enterprise security program under executive oversight, using due diligence and appropriate professional expertise to identify and manage information security risks. This standard does not guarantee information security or require specific policies, procedures or technical safeguards, but requires reasonable and appropriate action to address reasonably foreseeable information security risks. This standard is implied by (but not explicitly articulated in) the HIPAA and Gramm-Leach-Bliley regulations and FTC cases, and is consistent with existing legal principles for corporate management.
As a set of risk management processes, an enterprise security program can and should be designed to meet the requirements of the various overlapping information security laws. With minimal exceptions, these laws do not specify policies, procedures or technological safeguards. Rather, information security laws generally require organizations to assess and manage information security risks, to a standard usually framed as “reasonable and appropriate,” or as applicable to “reasonably foreseeable risks.” Compliance with laws which incorporate this standard, such as HIPAA and Gramm-Leach-Bliley, can therefore be integrated through an enterprise security program. Compliance with those laws which do impose specific requirements, such as security breach notification statutes, can also readily be incorporated. And while caselaw is only beginning to develop, an enterprise security standard appears consistent with common law requirements for “reasonable prudence.”
Technological differences are accounted for under the enterprise security standard by reliance on appropriate professional expertise for advice and operational management. Information systems are complex and constantly evolving, and the detailed understanding of their functioning necessary to identify the various threats and vulnerabilities which affect their security takes specialized training and experience. Identification of reasonably foreseeable information security risks is therefore properly the domain of information security professionals, as is the implementation and management of reasonable and appropriate information system protections. But this expertise must be applied under the informed governance and direction of the organization’s accountable executives; information security policies and professionals must serve, not drive the enterprise security program.
This principle may complicate compliance with the enterprise security standard for some organizations. All too often healthcare organizations delegate resolution of their information security compliance and risk issues to information security professionals or the information technology (“IT”) department. This may happen because operational and financial executives and legal counsel don’t understand — or aren’t comfortable with — information security issues, or else perceive them as essentially matters of technical implementation. Some information security professionals may be quite willing to accept such delegation, not recognizing that it may be inappropriate (or, maybe not really recognizing that it is occurring, or even, perhaps, seeing it as a positive enhancement of their power and authority). Such a dysfunctional approach to information security may expose organizations not only to avoidable penalties and liabilities, but to unnecessary compliance burdens and costs.
Information security risks can never be completely eliminated. Some risks are inherent in an organization’s mission. Fraud, for example, is an inherent risk for financial services, so there is always a risk that fraud will be committed through misuse of financial transactions systems. Likewise, medical errors are an inherent risk for health care providers, so there is an unavoidable risk an electronic medical records system (“EMR”) may be implicated in medical errors causing patient harm. Other risks are unavoidable functions of systems operations; safeguards which prevent unauthorized individuals from having access to an EMR may also interfere with authorized access, for example, which could be disastrous if the EMR must be available for urgent diagnostic uses. And sometimes the costs of eliminating or materially reducing risks substantially outweigh the benefits of the elimination or reduction – more lives may be saved and better care provided by upgrading an EMR’s data content than by upgrading its access controls, and the organization may not be able to afford to do both. The acceptance of such risks is therefore crucial to their proper management.
Deciding whether or not a given level of information security risk is acceptable depends less on an understanding of specific security threats and vulnerabilities, than on an understanding of their implications for the organizational mission and operations. Potential financial, operational and reputational harms and legal penalties associated with security risks must be balanced against potential harms associated with their prevention, and there is no a priori formula for striking such a balance. Decisions like this are, in the final analysis, the fiduciary responsibility of the officers and board of the organization, and the role of both lawyers and security professionals is to provide these officers and directors with the information and professional advice they need to make them.
Since information security risks cannot be eliminated, risk management and compliance decisions will always be subject to second-guessing in hindsight by regulators or counsel for parties alleging harm caused by an information security failure. Under the enterprise security standard of care, the fact that a failure occurred is not proof of lack of compliance or negligence; instead, the test is whether foreseeable risks were identified and reasonable and appropriate safeguards implemented to manage them. Compliance and reasonable prudence are therefore proven by evidence of informed, appropriate risk assessment and management conducted diligently and in good faith.
Operation of an enterprise security program therefore resembles the processes used by organizational fiduciaries for compliance with the corporate “business judgment rule,” and programs implemented to minimize organizational and officer exposures to criminal penalties under the Federal Sentencing Guidelines. Such a program requires informed executive oversight and careful documentation. Advice from qualified experts and legal counsel can help demonstrate due diligence, and legal counsel can be helpful in developing the strategy for properly documenting the process for use as defensive evidence if needed.
Lawyers should play an active role at all levels of an enterprise security program, from defining the scope of risk assessments and determining the legal effects of policies and procedures under assessment, through interpretation of the legal implications of security assessment findings, to assisting in the development of appropriate compliance and risk management strategies, policies and procedures. Technology-dependent organizations should therefore identify (or develop) and make use of attorneys who understand how to work with information security concepts, documentation and professionals, to help them appropriately manage their information security compliance obligations, and manage their security-related risks. Conversely, lawyers serving such organizations should develop appropriate expertise, or identify and make use of appropriate outside counsel when dealing with potentially important security issues. Either way, this means involving legal counsel in information security risk assessment and management processes and procedures.