Hard to believe that this is our official 300th episode! We had hoped that we could get 100 people to listen to the show in the first year. We are still a tiny podcast in a huge sea but we are pretty sure you can not find a longer running podcast about HIPAA Privacy and Security. To celebrate we have some very special guests, Dave Bittner and Ben Yellen from the CyberWire Caveat podcast. They are joining us for a discussion about where we all see things going in the future for data privacy laws and cybersecurity protections. What will we ever discuss for the next 300 episodes???
In this episode:
Caveat Discussion – Data Privacy and Security – Ep 300
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
The HIPAA Boot Camp
Virtual Edition Aug 17-19, 2021
Great idea! Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
Caveat Discussion – Data Privacy and Security
[04:07] Today we are talking to Dave Bittner and Ben Yellen from the CyberWire Caveat podcast. Dave is the host of several podcasts on the CyberWire, including a daily cybersecurity podcast called CyberWire Daily, which is a brief news program; Hacking the Humans, which he co-hosts with Joe Carrigan and which discusses social engineering scams, phishing schemes and other criminal exploits making the headlines; and, of course, the Caveat podcast he hosts with Ben that covers law, policy, privacy and surveillance. Speaking of Ben, he is the Program Director for Public Policy and External Affairs at the University of Maryland’s Center for Health and Homeland Security. He is also a lawyer by occupation and teaches law courses at the University of Maryland School of Law. And if that wasn’t enough, he has worked on a project with the National Security Agency setting up a national, publicly available curriculum for cybersecurity law and policy issues. Impressive.
Here are some key points from our discussion with Dave and Ben.
[07:36] All of the things that are changing in HIPAA alone are overwhelming. But you guys talk to a variety of people with different experiences. Where do you see changes taking place in the future, and where is this all going?
Dave: Well, we do have a variety of guests on the Caveat podcast. And of course, I get to talk to all sorts of cybersecurity folks over on our CyberWire podcast. So it’s an interesting cross-section of people that we get to talk to and hear from. You know, in terms of where we’re going, I think the two things that stand out to me are ransomware and privacy.
Ben: Yeah, I mean, I’ll take it from the privacy perspective. I think we’re starting to see efforts at the state level to legislate data privacy for the first time in a really meaningful way in the United States. So after we had GDPR in Europe, we’ve now had the California Consumer Protection Act, which just went into effect at the beginning of last year. Virginia just passed a similar law, which has some differences, not quite as strong. So we’re starting to see how private industry is adapting to this patchwork of data privacy regulations and whether we’re actually going to see action at the federal level, which, I’m not a gambling man, but I would never bet on. You’ll always bet on federal inertia if you have to bet on anything at the federal level. So that’s really what I’m interested in over the next few years: are we going to actually get statutory protections for data privacy in this country in a meaningful way?
[10:14] Several states have implemented or are working on their own privacy data protection laws, like California, Virginia, Texas and New York, and others will surely follow. Right now there is pressure from companies that operate nationwide to manage all these varying laws. Where do you see the tipping point for the federal government to get involved in setting some of these data privacy protection laws?
Ben: I mean, I think it’s become a major compliance problem for big companies because they need to have institutional expertise in 50 separate state legal regimes now. For the bigger companies, that’s something that’s practical. They have large legal departments. They have very smart staff counsel that can do this work for them. For some of the smaller organizations and smaller companies, that’s going to start to become exceedingly difficult. It’s easy now, relatively, because it’s still a relatively small number of states that have really robust privacy protections, and still only California where you have to worry about a private right of action. So, you know, somebody suing you. But, yeah, I mean, we could reach this critical mass of states. You know, maybe, I don’t know what the exact number is. It’s kind of like herd immunity, where everybody talks about it, but you don’t know exactly what the threshold is. But, yeah, I mean, I think we’re going to get to the point, whether it’s 10 states, whether it’s 15 states, where the industry steps back and says we can’t do this from a compliance perspective, it’s making our lives too difficult. We don’t necessarily care what the federal government does, but it has to step in. And I think the federal government in the long term will be responsive to those needs. I don’t see it happening until we reach that inflection point. But as I was talking about with Dave actually this morning, you know, if the feds stepped in, it wouldn’t necessarily mean more robust data protection.
They’d be occupying an area of the law where they would decide to take authority on an issue, data privacy protection, and that could potentially preempt some of the stronger laws at the state level. And then you could kind of get this arms race where states really try and test their mettle in the court system, saying how robust can we make our own protections and still not be preempted by federal law. But again, as you say, we haven’t reached that threshold yet. But that’s something that I think is five to 10 years into the future.
HIPAA privacy rules state that if the state law is more stringent, it takes priority. And the easiest way to decide that is to determine which law gives the patient more rights and more protections. That’s likely why these kinds of laws aren’t being passed in Congress at this point.
[14:37] In the HIPAA world, we worry about being able to “prove it”. Prove that you are doing what you say you are. Prove that you are following the HIPAA regulations. And that boils down to documenting your privacy and security activity. One big reason for that is what we see happening in the ransomware world: all the layers of extortion that are being reported in the news these days and the different ways the criminals are deploying ransomware as a service. Is it really as bad out there as it feels to us?
Dave: Yes, the answer is yes. Well, and in some ways, it may be even worse because we don’t have reporting requirements, right? So if you’re a small, you know, a general practitioner or something like that, and you get hit with some ransomware, you’re not required to report that. So maybe you close the office for a week. You mentioned at the outset there are some companies, some doctors, who have chosen to shut down altogether. But, you know, most people aren’t going to do that. So it’ll be interesting to see what kind of reporting requirements may come online. That’s something I know the Biden administration is talking about. So one of the things that I’m really interested in as we look forward to ransomware, if we track the evolution of ransomware, is this: we started off with the bad guys coming in and just encrypting your stuff and saying, OK, you want the key, pay us some money. And so people responded to that and they started making robust backups. They started putting their backups offline. They put programs in place so they could restore those backups quickly. And so the baddies responded and said, oh, fine. So before we encrypt your data, we’re going to exfiltrate some of your data. We’re going to upload it to our own servers. And so if you don’t pay us, we’re going to start releasing that data. And now you’ve got a world of hurt from that.
In 2016, OCR provided guidance that any ransomware attack must be evaluated as a potential data breach. So, we’ve been trying to get people to understand that forever. And now there’s proof they are exfiltrating the data. So every ransomware attack should be evaluated and investigated as a potential data breach.
So far we’ve seen ransomware attacks that encrypt data and hold it for ransom, and that exfiltrate data and threaten to post it online if companies don’t pay. But what if the criminals start changing the data? The implications of medical data being changed are enormous. It could cost people’s lives. Even the hacking of industrial control systems, like water plants or heating and air systems, could have a major impact on a wide range of companies, especially in healthcare.
With many folks in the workforce working from home these days, the hackers have a much wider attack surface. They are coming at us from ten directions, and it’s making the cybersecurity folks worry about protecting every one of these vectors. As you talk with these security professionals on your podcasts, are they seeing new ways that we can prevent this besides the ones we know about, which are managing the human element and hardening our normal protections?
Dave: [20:21] What I see is a real emphasis on threat hunting, which is, rather than waiting for an alarm to go off, some detection that something has already happened, to have folks, and you either have your own in-house folks or you hire folks to come in, actively looking around within your network to see what may already be in there lurking, to try to head off that problem before it happens.
David Sims: As the technology goes, we have a lot of the technology to either prevent or identify a lot of these things that are happening. But when you start getting into the smaller and medium-sized businesses, and I’m not just talking about health care, but just businesses in general, they don’t want to invest in those things. They don’t see value there. And so we don’t have a very good track record of just getting them to do what’s already out there and available for them to do to prevent these things from happening. And so that’s the biggest challenge: getting them to even take this stuff seriously, because most people run around with the “it won’t happen to me” syndrome. And that’s a challenge.
Ben: If it [ransomware attacks] starts to reach the spheres of everyday lives of people who don’t know anything about cybersecurity or ransomware, then I think we’ll finally start to be addressing this at more of a macro policy level.
There’s the issue of third party risk, risks from your supply chain. Businesses of all sizes need to start going to their suppliers and saying they need proof of the protections in place to safeguard their data. Businesses are entrusting their critical business information to these third party vendors, and the days of “trust us, we got this” aren’t going to cut it anymore. HIPAA already requires you to vet your vendors and document their privacy and security safeguards and protections, but more often than not, it doesn’t happen.
One way organizations are seeing “reforms” on these privacy and security issues is through their insurance policies. More and more insurance companies are saying if you want us to insure you, you have to do certain things. Those things include cybersecurity protections and proving you are taking certain steps to protect your own data, whether it’s through a third party or not.
From a legal perspective, if a third party vendor is not doing what they say they will in their BAA or other contract, they can be sued for breach of contract. Many cases like this get settled out of court because you have to get into the weeds on what a particular provision means. Ben had a great idea that could help in terms of accountability for vendors:
Ben: [29:52] Another thing I can see happening over the next several years, little by little, in terms of accountability and having an impact, is that some of the recommendations of the Solarium Commission might be adopted on kind of an ad hoc basis at both the regulatory level and at the legislative level. One thing Dave and I talked about in our podcast is this idea for a rating system. So, for a given organization, like they do at restaurants in New York City, based on your cyber hygiene practices, you get a letter grade that determines the level of risk that you’re subjecting your users to. And maybe that’s a way of holding organizations themselves accountable, whether that letter grade is simply something that might hurt their reputation or, if there’s a tort case, if there’s some sort of liability case, maybe that’s evidence that you’re not up to industry standards. And there’s a bunch of proposed provisions like that in the Solarium Commission that might try to address that problem you are talking about, Donna, where what does happen? Who is held accountable when, you know, when crisis strikes in health care?
According to HIPAA, the covered entity is ultimately held accountable for making sure it has proper protections in place, whether or not it uses a third party for those protections. Using a security standard like the NIST Cybersecurity Framework or the HHS 405(d) Cybersecurity Task Force’s HICP guides is something every organization should look into. These types of guides not only tell you who is responsible but also how a business proves it is being responsible. And that’s what the new HITECH Amendment regarding the recognized security practices incentive is all about.
Next Steps in Data Privacy and Cybersecurity Protections
[42:21] Cybersecurity folks are currently in the threat hunting process now, meaning they are actively looking around within the network to see what is lurking in there, to try to head off that problem before it happens. The next focus for cybersecurity folks, from Dave’s perspective, is on behavioral analysis. That is, determining what behavior by people or devices is “normal” or within certain ranges, flagging anomalies from those behaviors, and investigating them to determine if this is a risk or threat. One of the biggest challenges, however, is getting organizations to consider risks… risks of installing new hardware or software, connecting a new copier to the network, allowing staff to connect their phones to their PCs to charge, or even disposing of old pieces of equipment without considering the data that is still on the devices. Security programs and technology that companies used five years ago are not relevant anymore. The cyber threat landscape has changed so much in the last five years and continues to constantly change. The time to take cybersecurity protections seriously and protect patient data is not after you’ve been hacked or breached.
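To make the threat hunting and behavioral analysis idea from Dave’s comments above and this section concrete, here is a small added example (written for these show notes, not code from the podcast or either guest). It builds a per-user baseline from constructed EHR access-log lines (normal hours, known workstations, typical number of records accessed) and then flags events in a later window that fall outside that baseline. The log format, user names, workstation names and the thresholds are all assumptions made for the illustration.

```python
"""Baseline-and-anomaly flagging over constructed EHR access-log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (hypothetical format, not from the podcast):
# ISO timestamp | user | workstation | records accessed in that session
BASELINE_LOG = """\
2021-07-05T08:15:00|nurse01|ws-12|14
2021-07-05T13:40:00|nurse01|ws-12|11
2021-07-06T09:02:00|nurse01|ws-12|16
2021-07-06T14:55:00|nurse01|ws-12|12
2021-07-07T08:30:00|nurse01|ws-12|15
2021-07-05T10:00:00|billing02|ws-40|40
2021-07-06T10:05:00|billing02|ws-40|38
2021-07-07T10:10:00|billing02|ws-40|42
"""

# Constructed "current" window: one off-hours login, one bulk pull, one new workstation.
CURRENT_LOG = """\
2021-07-08T08:20:00|nurse01|ws-12|13
2021-07-08T02:45:00|nurse01|ws-12|12
2021-07-08T10:00:00|billing02|ws-40|410
2021-07-08T10:30:00|billing02|ws-77|39
"""


def parse_log(text):
    """Parse 'timestamp|user|workstation|records' lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ws, records = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ws": ws, "records": int(records)})
    return events


def build_baseline(events):
    """Summarise each user's normal hours, workstations and access volume."""
    per_user = defaultdict(lambda: {"hours": [], "ws": set(), "counts": []})
    for e in events:
        b = per_user[e["user"]]
        b["hours"].append(e["ts"].hour)
        b["ws"].add(e["ws"])
        b["counts"].append(e["records"])
    baseline = {}
    for user, b in per_user.items():
        m, sd = mean(b["counts"]), pstdev(b["counts"])
        baseline[user] = {
            "hour_min": min(b["hours"]),
            "hour_max": max(b["hours"]),
            "ws": b["ws"],
            # 3-sigma limit with a 20% floor so a tiny or constant baseline
            # does not flag every ordinary session as a spike
            "volume_limit": m + max(3 * sd, 0.2 * m),
        }
    return baseline


def find_anomalies(baseline_text, current_text):
    """Return one finding per (event, reason) where the event leaves its user's baseline."""
    baseline = build_baseline(parse_log(baseline_text))
    findings = []
    for e in parse_log(current_text):
        def flag(reason, e=e):
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "ws": e["ws"], "reason": reason})
        b = baseline.get(e["user"])
        if b is None:                      # never seen in the baseline window
            flag("unknown-user")
            continue
        if not b["hour_min"] <= e["ts"].hour <= b["hour_max"]:
            flag("off-hours")
        if e["ws"] not in b["ws"]:
            flag("new-workstation")
        if e["records"] > b["volume_limit"]:
            flag("volume-spike")
    return findings


if __name__ == "__main__":
    for f in find_anomalies(BASELINE_LOG, CURRENT_LOG):
        print(f"{f['ts']} {f['user']:<10} {f['ws']:<6} {f['reason']}")
```

Each finding is a lead for a human to investigate, not a verdict: an off-hours login may be an on-call nurse, and a new workstation may be a replaced PC. The value of the approach is that it surfaces these for review before anyone is waiting on an alarm, which is the shift from alerting to hunting described above.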
So, the top 5 takeaways from our discussion with Dave and Ben today:
- Protecting data privacy and security is a mess.
- It’s not going to get better anytime soon.
- Legislation is going to fly around for the next three or four years before anything settles down to some sort of standard.
- Education and cyber hygiene are the best ways to protect ourselves in the long run.
- Businesses have to do better in being able to prove that they are doing these things… to other businesses as well as consumers.
Great conversation with Dave Bittner and Ben Yellen from the CyberWire Caveat podcast. They had some great perspectives, stories and predictions of where they see things going regarding data privacy laws and cybersecurity protections.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.