Compliance Spotlight: Adam Solander, Epstein Becker Green

Sarah Gregory
Associate Editor
Loyola University Chicago School of Law, JD 2018


ADAM C. SOLANDER is a Member of Epstein Becker Green’s Health Care and Life Sciences practice, in the firm’s D.C. office. Mr. Solander advises clients on data breach/cybersecurity issues across industry lines, including compliance with HITECH, HIPAA, PCI, JCAHO, CMS, ISO, NIST, and various other federal, state, and business requirements.

The following is an interview with him discussing the unique cybersecurity challenges facing the healthcare sector, and how the industry can move past HIPAA compliance to a more robust definition of privacy and security.

● ● ● ●

SARAH GREGORY:

So you’ve worked on regulatory issues in a number of areas and across industry lines. What do you think makes health care different, either with respect to cybersecurity or more generally?

ADAM C. SOLANDER:

You know, I’ll speak more generally, and then I’ll dig in on cybersecurity. More generally, it’s 20% of the U.S. economy. It’s a huge deal. And as a result, you know, it’s—every aspect of it is regulated, and it’s regulated by multiple agencies in a way that doesn’t provide a uniform set of rules for people to follow. As a result it’s extraordinarily complicated. I think that’s really the difference between healthcare and a whole lot of other regulated industries out there. It’s just the sheer volume of it and the sheer number of agencies that are involved in regulating it. So it becomes a very complicated patchwork quilt of regulation.

You know one of the things in cybersecurity that I think is unique, is that healthcare organizations are a decade behind the other regulated industries out there, in terms of true actual cybersecurity. With the recent ransomware attacks, with the highly publicized breaches that are out there, we’re very quickly getting up to a much higher state of security, in terms of our information security programs. And what we’re seeing is that the regulation that was designed to regulate information security in the healthcare arena, HIPAA, it’s a non-prescriptive standard. As a result, there’s a lot of flexibility, there’s a lot of interpretation that’s out there, that has led to inconsistent information security management programs. So what we’re seeing is we’re seeing a push towards the frameworks and the measures that are out there for other regulated industries, to bring us in line with that and protect information.

Every time I look at the data around health care breaches, you know most health care breaches, at least a few years ago—I think this has changed because of the huge hacks that have happened. But at least a few years ago, the way that we were losing information was literally through unencrypted devices; it made up 40% of the breaches that were out there. And when you look at other industries, that was just a small sliver of how they were losing information; most of it was hacking events, web app attacks, that type of stuff. In health care, that stuff is nonexistent.

[Not because those types of attacks weren’t happening.] What it is, is we weren’t sophisticated enough to detect it. And as we become more sophisticated we’ll start to look like the other industries in terms of our threats.

[laughs] A long answer for a short question.

GREGORY:

You’ve isolated a couple issues here—the lag in technology, the lack of a singular regulatory agency…Would you say that those are the big issues and challenges facing cyber security right now?

SOLANDER:

You know I think that the biggest issue facing cybersecurity is…the differences in sophistication between, you know, large or well-established organizations—your insurance, your hospital systems—that have a lot of information security protocols in place, they have a mature infrastructure that’s out there. But health care is an amalgamation of a ton of smaller regulated industries that may not have the same resources with which to push out the same information security controls and sophisticated programs.

I think what we’re going to see, at least on the insurance side, is they’re making all of their business associates achieve HITRUST certification—which is like an industry best standard in information security—in order to promote more uniformity in the information security management programs that are out there. I really think that’s the biggest challenge, is that there’s such a gap between the sophisticated companies of information security and the non-sophisticated companies.

GREGORY:

Can you see any movement in narrowing that gap at all, or—

SOLANDER:

Oh yeah, absolutely.

GREGORY:

What would you say is moving that along, what’s the driver there?

SOLANDER:

On the insurance side, I think you know pushing all BAs to get HITRUST certification will close that gap extraordinarily quick. That’s based on industry best standards, ISO 27001, other security frameworks… You’re just seeing that in order to get business now, you really have to show a level of I.T. security sophistication that you didn’t have to show five years ago. So if you’re going to compete in the healthcare space, you have to spend money on information security or else you have no clients.

And I think the market is starting to regulate that. We’re seeing more security questionnaires out there, and we’re seeing more in the vendor diligence process—you know, that is not just ‘Are you complying with HIPAA?’ in the business associate agreement, but really digging into how they’re protecting sensitive information.

GREGORY:

HIPAA certainly has its limitations, and I think there are a number of questions in regard to its centrality to so many companies’ cybersecurity policies.

SOLANDER:

Well, you know, HIPAA has a few required implementation specifications. Really your cybersecurity comes in with the requirement that you do a risk assessment, which is a required implementation specification. Still, the variability in what I see in terms of risk assessment is unbelievable. I mean, OCR published some guidance on how to do it that was really for small physician practices, but…you know even in the consulting market, more than half of the risk assessments I see aren’t really risk assessments that would pass regulatory scrutiny.

GREGORY:

What do you mean by that?

SOLANDER:

Under HIPAA, you have to look at physical, administrative, and technical safeguards. Oftentimes, what we see being passed off as a security risk assessment is a gap analysis of the policies. You have to look at threats that are out there, vulnerabilities in your systems…You have to catalog your current security controls, and identify if the threatened vulnerability is a vulnerability, and what you can do to fix it and reduce that risk to a reasonable and appropriate level. You know, I just don’t see that level of analysis in most of the risk assessments that I look at.

GREGORY:

Now, would you put that down to an inadequate understanding, or—

SOLANDER:

I think so. I think that people don’t understand how to do it. OCR is doing its part. You know, the number one thing that they enforce against is inappropriate risk assessments, or not enterprise-wide risk assessments. But…you know, I think it’s that disconnect between companies, their information security people, and the compliance and legal team.

GREGORY:

I definitely agree, I think siloing professionals, especially in the C-suite, might be something of the issue.

SOLANDER:

Yeah, I think it’s definitely there. You know, I.T. reports they’ve done a risk assessment; they have a consultant come in and do it. The consultant may not understand the law and what’s really required, and—you know, then legal and compliance trust that they’ve done it. The box is checked and you know, if something happens, if an audit happens, then there’s some exposure there.

GREGORY:

That makes a lot of sense. Have you seen any—I’m not sure if we should call them success stories, or best practices…What do you see emerging as kind of the gold standard of this new era?

SOLANDER:

What we’re really seeing is more adherence to the best practices frameworks. HITECH actually grew out of insurance, and is a certifiable framework that you can use to certify, by a third party, that your security practices are industry best standard. We’re seeing a ton of adherence to that, and we’re also seeing people really looking at the guidance documents that are out there. You know, NIST, ISO 27001, SANS…those cybersecurity-centric repositories of information feeding into their healthcare information security. And that’s really increasing in the programs that we’re dealing with, which is nothing but positive.

GREGORY:

Certainly that’s one side of the spectrum—what about the other, what are the worst practices you see?

SOLANDER:

The head in the sand! [laughs] You know, unfortunately, you know half my practice is data breach work. The sad stories that are out there are…organizations that didn’t do what they should have done to protect information. You have to have a compliance program, and you have to assertively work it. Data breaches can happen to anyone, but what you really want to stop is the foreseeable stuff.

You can’t put in place a ton of policies, and assume you’re not going to have a data breach. You really have to make those policies operational, you have to have an information security management program where you’re continually assessing your risk and putting in plans to mitigate the risk.

GREGORY:

You know it’s interesting that you mention a foreseeable issue when there’s been an uptick in the last year or so of—I would call it human error, but it comes down to employees losing portable devices or theft, some sloppy disposal of records. Going beyond strict technical limits, how does a good cybersecurity program encompass those situations as well?

SOLANDER:

So people are your new perimeter. Every one of the major security breaches that has happened has some element of social engineering involved—where users were tricked into providing some information that the hacker was able to exploit, and gain access to the system. So you have to train your people. Your people really have to understand how to spot fraudulent messages, how they’re allowed to use information…how the organization will ask for information, and all that sort of just common sense stuff has to be ingrained in the culture and reinforced constantly.

Any time a device is lost, a laptop or a mobile device, under the HIPAA rules if you just encrypt that device, you haven’t had a data breach. So that’s the sort of common sense foreseeable stuff. I think as an organization, if you have mobile devices you can assume that you will lose one, and you have to take steps to protect those.

GREGORY:

That makes sense.

SOLANDER:

One thing I always tell people is—we do a lot of risk assessments, and these are an exercise in imagination and what could happen. What is out there in the market that you see—either threats to your organization specifically, or to the market, and have you effectively addressed those.

GREGORY:

I think one of the problems of—going to the limits of your imagination, is that many professionals aren’t aware of the risks that are out there, particularly in a fast paced field where every day seems to bring a new challenge. How do you see companies maintaining that kind of forward thinking, anticipating of unknown threats?

SOLANDER:

They have to monitor it. You have to get good people in place to understand what threats are out there. Hiring good counsel, hiring good consultants, that can help look at what’s going on in the market and then report that information to them. Nothing that we’re seeing is unique to healthcare.

GREGORY:

Sure.

SOLANDER:

Breaches are happening in every single industry. You should, at this point, have some sort of strategy for dealing with that type of attack. You have to assume as a healthcare provider that there is a financial incentive out there for hackers to introduce ransomware to your environment. You have to assume that’s going to happen, and you need to play that out in terms of tabletop exercises.

None of what we’re really dealing with is novel. It’s malware, it’s anti-virus, it’s—those types of sort of bread and butter blocking and tackling type activities that we really need to worry about. You know, if a nation state points at you as a healthcare entity, your security controls are probably going to fail because—you know no one has ever faced those attacks before. But that’s not the standard you’re held up to. It’s understanding your industry, and understanding what is required and what is reasonable, and what you can do with more innovation.

One of the mistakes I always see with risk assessments is—you know, HIPAA allows you to prioritize risk, and take a risk-based approach to the mitigation you put in place. One thing I see is the mitigations that organizations commit to undertake just aren’t realistic, given their resources. Where they have a giant laundry list of, you know, a million things they need to do, but no budget to do those things and no manpower to implement them even if they did. So it’s really taking a reasonable approach to information security.

GREGORY:

I think that’s certainly one of the issues I’ve seen in HIPAA enforcement, where your smaller providers and organizations have to make decisions about what they want to do.

SOLANDER:

Oh, absolutely. But everybody does. That’s the unique thing about information security, is that there’s a defense for every attack, but you have to look at what attacks are likely and put in place the right defenses.

GREGORY:

And what are those right defenses?

SOLANDER:

That’s based on risk assessments; it’s based on what you see out there. The risk profiles we see for providers are very different than what we see for insurers or telemedicine companies. It really is specific to your environment, where you are vulnerable, and where you see others trying to exploit those vulnerabilities. So it’s a sophisticated analysis of both law and information security.

GREGORY:

We’ve talked about different types of attacks and the need for an evolving framework of understanding them. But what do you think is on the horizon for cybersecurity?

SOLANDER:

They can anticipate that they have a repository of very sensitive information. Especially with things like ransomware, there’s now a direct financial incentive for hackers to exploit that. I think they can expect more data breaches, more novel ways of attacking an organization, and it’s just something that we’re going to have to live with.

Hopefully it evolves so that when these incidents happen, they’re minor incidents and not data breaches. So really, this has to be a part of the way you operate. It’s something that isn’t going to go away, and there just needs to be a company commitment to information security.

GREGORY:

That’s important. The company has to be a party to this commitment, making information security a part of day to day business.

SOLANDER:

Absolutely. It’s here, and we all have to deal with it. Your patients, your clients, they expect you to deal with this. It’s important that, as a fiduciary in those roles, that you’re taking this seriously and you’re doing the best that you can.

I tell people—you know, data breaches are going to happen to every company at some point. Really what we’re doing is we’re stopping the easy stuff. We’re stopping the low-hanging fruit from happening. And that’s the best that we can do in a lot of cases.

GREGORY:

I think those are all my questions. Unless you had something you wanted to add?

SOLANDER:

I think that the next few years are going to be full of a lot of growing pains for healthcare. At least until we as an industry gain that maturity that the financial services, and those types of regulated industries, have had. And once we get there, we’ll have to keep evolving. It’s the world that we live in now and we have to address it.