Outside Medical Billing Law Firm is Vector of ePHI Breach of 36K Univ. of Pitt Health Records

From The HIPAA Journal and Michael Flavin, CISM, CHPA, CyRP

Recently, hackers were able to breach a Business Associate (outside counsel Charles J. Hilton & Associates), which performs medical billing services for the University of Pittsburgh Medical Center (UPMC), resulting in the exfiltration of 36,000 medical records containing the electronic protected health information (ePHI) of UPMC patients – a huge HIPAA violation – and possibly a tenuous situation for the law firm. Not only are there reputational problems, credit monitoring costs and HIPAA fines (potentially for both UPMC and Hilton & Assoc.); there are also implications under the ACC guidance for outside counsel, which may expose that the cybersecurity controls and protections it recommends were not in place preceding the data breach, as required for outside counsel!

Cybersecurity thought leaders at large firms and hospitals (CISOs, incident management teams, board members, etc.) should take note of the ACC Model Controls this year, and we highly recommend a third-party gap assessment of your team’s IT compliance and security posture. As a reminder, here is a list of many of the best practices and controls from ACC. Realtime Technologies can help you perform an end-to-end assessment of where your firm stands. Contact us today for a free assessment and consultation at 213-797-5600 or hello@realtimetech.net – Rudy and Michael will be glad to help set you up on a path to better cyber hygiene.

Some of the guidelines include:

  • Policies and procedures to protect confidential information, including preventing such information from “accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and nature of the information to be protected, as well as having internal security and privacy policies in place to keep the information secure”
  • Incident response plans that provide for “reasonable investigation, response, mitigation, and notification of events that implicate the confidentiality, integrity, and availability of Outside Counsel’s technology and information assets, or events that cause the unauthorized or unintentional disclosure of Company Confidential Information”
  • Retention/Return/Destruction policies that require the return of documents upon completion of the assignment, unless applicable law, regulations or professional ethical rules require retention by outside counsel for a longer period. Subject to certain exceptions, at the conclusion of the engagement, the guidelines provide that outside counsel should be required to return or destroy confidential information. Exceptions include, among others, emails without confidential information, work product, information that becomes part of the public domain and information required to be maintained by outside counsel pursuant to law, regulation or professional ethical rules
  • The use of encryption for confidential information in transit and at rest, including encryption of email, portable devices and media
  • Data breach reporting, including compliance with applicable laws and statutes (including applicable notification provisions), notification by outside counsel to the company within 24 hours of discovery of the breach, and cooperation with identifying the cause of the breach and remediation relating thereto
  • Physical security of confidential information against unauthorized access through, among other things, issuance of picture identification badges, security guards monitoring entrance(s) to the facility where company confidential information is stored, processed or destroyed, closed-circuit TV surveillance and alarm systems
  • Access control systems that “manage access to company confidential Information and system functionality on a least privilege and need-to-know basis, including through the use of defined authority levels and job functions, unique IDs and passwords, two-factor or stronger authentication for its employee remote access systems (and elsewhere where appropriate).” The guidelines suggest that the access controls should allow for changes and revocation of access and privileges as needed
  • Continuous monitoring of networks
  • Periodic (at least annual) vulnerability and risk assessments
  • ISO27001 certification, recommended but not required
  • Cyber liability insurance with a minimum coverage level of $10,000,000
  • Responsibility for subcontractors (third party vendors) retained by outside counsel rests with outside counsel, with the requirement that they impose the Model Controls governing their relationship with the company.

by Michael Flavin, CISM, CHPA, CyRP

Director of Managed Security Services Sales and Marketing, Realtime Technologies
