HIPAA Risk Analysis Tip – Part 7 - Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez

Questions & Answers #61 - 70


61. How do you know how much insurance you will need to cover a breach or data loss? You could spend thousands and thousands a month on premiums and still not be covered for a particular loss.


Answer: You’re correct that the wording in the policy needs to be read carefully and by experts in the field. The single best advice we can provide is to engage a cyber liability insurance expert with a major brokerage house. BTW, here are a few examples of “misses” in cyber security insurance policy coverage that you’ll want to watch out for:


· A 10-lawyer firm based in Rhode Island is suing its insurer over denied coverage following a ransomware attack that locked down the firm’s computer files for three months, resulting in more than $700,000 in lost business, even though the policy included “business income interruption.”


· A manufacturing firm in Texas is suing its insurer for denying coverage for a loss of $480,000 following an email that impersonated the CEO resulting in the CFO wiring the money to a bank in China. The policy covered computer fraud and funds transfer fraud, but “business email compromise” (BEC) did not involve the “forgery of a financial instrument as required by policy.”


· The security credentials of the CFO of a Bitcoin payment processor were stolen in a spear-phishing attack and used to spoof emails to the CEO, tricking him into making three cash transfers totaling $1.8 million. Attorneys for the insurance company pointed out the distinction between “fraudulently causing a transfer,” as the policy language required, and “causing a fraudulent transfer,” which is what occurred upon the CEO’s approval of the bitcoin transactions after receiving the fictitious emails. “In other words, the insurance company claims it doesn’t have to pay because an authorized system user triggered a transfer.”


62. Is there a larger version of the Maturity Model diagram?


Answer: Yes, you can access a slide presentation deck on the subject which contains the larger version and view a recorded webinar entitled “How to Mature Your Information Risk Management Program”. As a reminder, we encourage organizations to adopt three key building blocks:


1) NIST Cybersecurity Framework

2) NIST Information Risk Management process

3) a Maturity Model such as the one we showed


63. Suppose patient records exist in files dropped by FTP - 10,000 records. And then they are imported into your data warehouse (10,000 "duplicate" records in the warehouse). Is that counted as 10,000 or 20,000 (across two stores)?


Answer: The requirement to report breaches to OCR is based on the number of affected individuals, not the number of record copies. For reference, please see 45 CFR §164.406 Notification to the media Standard: “For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction…” and 45 CFR §164.408 Notification to the Secretary: “(b) Implementation specifications: Breaches involving 500 or more individuals… (c) Implementation specifications: Breaches involving less than 500 individuals…”
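As an added illustration of the counting rule in this answer (example code written for this post, not part of the original answer or any Clearwater tool), the snippet below de-duplicates records held in two stores down to distinct individuals and then applies the two thresholds quoted above. Note that §164.408 counts individuals overall while §164.406 counts residents per State, so the two can trigger differently. The patient identifiers, states and store layouts are constructed sample data.

```python
from collections import Counter

def normalize_id(patient_id: str) -> str:
    """Normalize a hypothetical MRN-style identifier so the same person is
    not counted twice because the two stores format it differently."""
    return patient_id.strip().upper().replace("-", "")

def distinct_individuals(*stores):
    """Map normalized patient id -> state of residence across all stores.
    Each store is an iterable of dicts with 'patient_id' and 'state' keys;
    duplicate copies of a record collapse to one individual."""
    people = {}
    for store in stores:
        for rec in store:
            people.setdefault(normalize_id(rec["patient_id"]), rec["state"])
    return people

def secretary_tier(people) -> str:
    """45 CFR 164.408: tier is decided by the total number of individuals."""
    if len(people) >= 500:
        return "164.408(b): 500 or more individuals"
    return "164.408(c): fewer than 500 individuals, annual log"

def media_notice_states(people):
    """45 CFR 164.406: media notice is owed in each State or jurisdiction
    with MORE than 500 affected residents."""
    by_state = Counter(people.values())
    return sorted(state for state, n in by_state.items() if n > 500)

# Constructed sample: the FTP drop and the warehouse hold copies of the
# same 600 people (400 MA residents, 200 RI residents), so 1,200 records.
ftp_drop = [{"patient_id": f"mrn-{i:05d}", "state": "MA" if i < 400 else "RI"}
            for i in range(600)]
warehouse = [{"patient_id": f"MRN{i:05d}", "state": "MA" if i < 400 else "RI"}
             for i in range(600)]

if __name__ == "__main__":
    people = distinct_individuals(ftp_drop, warehouse)
    print(len(ftp_drop) + len(warehouse), "records ->", len(people), "individuals")
    print(secretary_tier(people))
    print("media notice states:", media_notice_states(people))
```

With this data the breach is a 600-individual breach for Secretary notification purposes, but no single State exceeds 500 residents, so no media notice is triggered.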


64. Why do you think CEs aren’t doing a comprehensive or enterprise-wide risk analysis? Is there an underlying problem? Maybe a lack of staff, support, or money? Or maybe CEs feel they have a low probability of getting audited.


Answer: The items you suggested are all contributing factors. Healthcare leaders (think: Hospital and Health System CEOs, among others) typically prioritize financial stability, stakeholder satisfaction, quality of care and career risk as their top concerns. Focus on information risk management, including completing comprehensive, enterprise-wide risk analyses, will become a priority when failure to do so affects the balance sheet, brand or reputation, patient safety and their careers. Hence our work on the matter of Connecting the Dots Between Cyber Risk and Patient Safety, among other topics. When there is better understanding that we must consider information risks as being about patient information AND patient safety, we’ll see an uptick in the number of comprehensive, enterprise-wide risk analyses being completed.


65. How does the new AICPA Cybersecurity guidance influence this work?


Answer: The short answer is that we are not familiar with this AICPA work. I’d suggest that the existing OCR Final Guidance on Risk Analysis and the huge move by healthcare and other critical national infrastructure sectors to adopt the Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) will continue to influence healthcare more than AICPA guidance.


66. Where does that settlement $ info come from?


Answer: Please visit the HHS/OCR web site and, specifically, the page entitled Resolution Agreements and Civil Money Penalties.


67. How does one find the "Regional OCR offices" that Leon referred to as an alternative to the 1-800 number?


Answer: Visit: https://www.hhs.gov/ocr/about-us/contact-us/index.html for a full list of regional offices and contact information.


68. How do you approach customers who have total apathy for using unsecure technology? There are still a lot of healthcare users and prescribers who do not concern themselves with using unsecure email or text.


Answer: Our approach is education-based. We believe the industry is in a significant catch-up and learning mode about information / cyber risk management. Unfortunately, it sometimes takes a “bad event” in order to break through the apathy. We are often contacted with a “911 call” – not only has the bad event occurred, but an OCR investigation has been completed and a Resolution Agreement with a Corrective Action Plan set forth. In other cases, by way of education, the contact is made more proactively in a quest to complete a comprehensive, enterprise-wide risk analysis for compliance and security purposes, but more importantly for patient safety purposes.


69. With the majority of settlements coming from a reported breach, isn't there a risk that more and more entities may decide not to report breaches?


Answer: Of course, and there most likely is under-reporting today. The extent of it is not well known. At the same time, not reporting or untimely reporting constitute violations of the Breach Notification Rule and carry penalties as well.


70. Will a recording be made available of this webinar?


Answer: Yes, and it may be accessed here: WHAT OCR EXPECTS IN YOUR HIPAA RISK ANALYSIS: A Conversation with Former OCR Director, Leon Rodriguez.


Stay tuned for Part 8 next week, and be sure to register for Clearwater's In-Person BootCamp(TM) in August. Leon Rodriguez will be attending!



This event is open to the public (not just AHIA members) and will be held in Boston, MA on August 27, 2017.

About the Author: Bob Chaput


Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.