News & Resources

Firm News

Mounting Risks Abound in Data Privacy, Security

Ask a room full of pharmacy attorneys and executives to raise their hands if they’re concerned about data privacy and security, and you’ll likely get a nearly unanimous response: they are. And that’s exactly what happened at Quarles & Brady’s 3rd Annual Pharmacy Law Symposium in Chicago.

Quarles & Brady associate Heather Siegelheim asked the question to kick off a panel discussion titled, “Privacy and Security: The Data Gets Bigger, the Stakes Get Higher.” Nearly everyone in the room raised a hand, to Siegelheim’s approval. But while she was pleased to see that so many in the industry are taking data privacy and security seriously, Siegelheim also used the moment to show a perilous reality in the health care industry.

“Health care entities generally don’t have the resources, processes or technologies to adequately protect their data,” she said. “And that is absolutely critical to understand.”

That’s because health care companies, including pharmacies, are particularly vulnerable to data breaches. Siegelheim and her colleagues, partners Margaret Utterback and Heather Buchta, described the situation: Health care data is more heavily regulated than most industries, and related breaches are on the rise.

In fact, Utterback said, a study by the Ponemon Institute revealed that nearly 90 percent of health care organizations had suffered a data breach in the past two years; 45 percent had suffered more than five data breaches in that time. And criminal cyber-attacks caused half of those breaches.

And those criminals aren’t letting up. Even worse, they’re constantly honing their hacking skills. “The bad guys are getting sneakier, and they’re really good at what they do,” Utterback said.

After describing the threat and the urgency pharmacies should feel, the Quarles & Brady attorneys provided the symposium attendees with an outline of the latest developments and most pressing requirements around health data privacy and protection.

Those included the Security Rule under HIPAA (Health Insurance Portability and Accountability Act), the federal law governing the privacy and security of patient information. Siegelheim emphasized that HIPAA’s Security Rule is intended to be “flexible and scalable,” to give health care entities leeway in implementing new technologies to improve patient care. But, she cautioned, there is no "one-size-fits-all" approach to HIPAA compliance and the Department of Health and Human Services’ Office of Civil Rights (OCR) does not specify the level of detail or type of controls that are required. This leaves it to companies to be able to justify every step they take in securing their data.

In practice she said, that means, “document everything – every engagement, every transaction, every partner interaction.”

OCR’s recent audits (while not intended to be punitive) combined with a handful of recent settlements of HIPAA violations, demonstrate how seriously the agency is taking data security, Siegelheim said. She reviewed a handful of recent and significant settlements and penalties levied by OCR. They included the $3.2 million penalty that OCR slapped on Children’s Medical Center of Dallas after concluding that the provider “failed to implement a risk management plan and failed to encrypt or use alternative protective measures” on its laptops, workstations, and mobile devices to secure its data.

New technology, same risks and requirements

Even as health care organizations work to stay in compliance with their data security, they’re also trying to implement new technology, including mobile applications, to improve efficiencies and the patient experience. But those technologies bring new risks to data privacy and security, as Buchta pointed out.

Mobile apps raise particular concerns, because the software developers who build them are just that – developers. “They don’t know how to spell HIPAA,” Buchta said. And the apps they’re accustomed to building might adhere to mobile privacy rules that are not health care specific.

Given those realities, she urged attendees to address privacy concerns at every stage of mobile app development. “It’s much more efficient and effective to think about privacy as you’re developing an app than after you’ve built it,” she said.

And, as Siegelheim, pointed out, the bar for whether apps are subject to HIPAA requirements is fairly low. Any app that functions as or on behalf of a “covered entity” or a “business associate” and involves the transmission or storage of "protected health information," which can be as little as a person's name and the fact that the person receives services from a particular provider or is a member of a particular health plan, falls under HIPAA. So while fitness trackers and other technology that are not issued by or on behalf of providers are not subject to HIPAA, any apps offered by providers likely fall squarely inside its purview.

Training, training, training

After criminal cyber-attacks, the greatest threat to most health care organizations’ data are the people they employ. Utterback noted that while human error can’t possibly be eradicated, companies do have a very effective way to minimize it (and to use as a defense when mistakes do lead to breaches): training.

Here again, hackers are growing more sophisticated. Utterback described a scenario where cyber criminals had dropped interesting-looking thumb drives on tables at a Starbucks. Liking their looks, employees picked them up and plugged them into company laptops – thereby giving the hackers access to an organization’s entire network and databases.

That real-world scenario shows that organizations need the ability to wipe data from mobile devices and computers – even those owned by employees, if they’re used for work – in the event of a breach, Utterback said. But more importantly it once again illustrates the need to take the most effective step for reducing the risk posed by employees: training.