Information Security – Faith At Law LLC

Virtual Practice of Law

I recently wrote an article for the Maryland Bar Journal (Nov/Dec 2014 edition) entitled Virtuality: The Lawyer that is Almost Really There, and I recently made a presentation on the same topic to the SL Bar Association. Please find a link here to the recording of the presentation.

Fundamentally, technology has significantly impacted the practice of law. Part of that impact has been felt in the greater access to information that previously was only available in proprietary database systems. Part of that impact has also been felt in more cost effective methods to acquire new clients and provide more access to the legal system through fixed cost or unbundled legal services that may be provided electronically. However, not all aspects of these changes have been welcomed by the legal marketplace with open arms. For one, our ethics rules have not embraced the changes driven by technology to the delivery of legal services, leaving the practicing lawyer with uncertainty about the ethics status of newer technologies available to support the practice of law. In addition, there are substantial questions about the security and integrity of some of the technology available to lawyers to support virtual practices. There is one constant: change, and one consistent struggle for all of us: trying to keep up with it.

Estate Planning in the 21st Century

So, what happens to all your digital stuff when you die, anyway? Of course, if you are dead, chances are you won’t much care. But your loved ones might.

As an exercise, think for a moment about all of the digital stuff you use during the typical day. If you are like many, you may have:

a smartphone, a tablet computer and perhaps a laptop
a bunch of online accounts to websites like Facebook, LinkedIn, Flickr and other places
your own domain and web site, and an email account or three
many people with bank accounts or other financial accounts have online access to view and manage their money
auction or retail site account access on places like ebay or etsy
an account on an entertainment site like iTunes
a remote data account if you use the cloud to backup your important data remotely
one or more accounts for a virtual world like Second Life
and there are probably a whole lot of other accounts and passwords you have

Now, holding those accounts in your head, answer these questions:

Who might be able to access all of those accounts if you were to die?
Does anyone you care about know your password to your computer?
Do you have a list somewhere of accounts that you maintain online?
Are there online accounts you would prefer be kept private, or things you have written you would prefer not become public knowledge, like an online private diary?
If no one has your password, what might your family do if they needed to gain access to those accounts after you die?

These are the kinds of dilemmas we face in the 21^st century as technology expands into more as

pects of our lives. The law has also not exactly caught up with the technology issues for estate planning. There are a patchwork of federal and state laws that tend to restrict the ab

ility of a personal representative or family member from having access to online content of a deceased loved one. For example, the Computer Fraud and Abuse Act (CFAA), which became law in 1986, was intended to prevent the unauthorized use by a person of a “protected computer.” 18 U.S.C. § 1030. Court decisions over time have interpreted the CFAA to subject unauthorized users to civil and criminal sanctions for various forms of unauthorized access to computers or online accounts. The Stored Communications Act (SCA), another federal law, provides a private cause of action for the unauthorized and intentional access of another’s online communications. 18 U.S.C. § 2701. Because these laws have been around before the age of Google and Facebook, many online service providers have established, within their terms of service, limitations on the access by others of a user’s account. There is some concern in the legal community that a person who violates such an online agreement to gain access to a user’s website could be prosecuted under CFAA or SCA.

In addition, some online services may not give you more than a personal license to access an item, such as music. Bruce Willis, of hard-talking and explosion-surviving Die Hard fame, got into an argument with Apple about whether Willis could leave his extensive iTunes collection to his children. B. Griggs, Can Bruce Willis Leave his iTunes Music to his Kids?, http://www.cnn.com/2012/09/03/tech/web/bruce-willis-itunes/ (accessed Aug. 4, 2014). The iTunes license agreement contains a provision that prohibits you from sharing your account information with anyone else. The agreement also limits access to content on iTunes for “only for personal, noncommercial use.” Apple, Inc., iTunes Store Terms and Conditions, http://www.apple.com/legal/internet-services/itunes/us/terms.html (accessed Aug. 4, 2014). If you think about that restriction, after you die, your estate would be unable to transfer your account to an heir to access your iTunes music or movies.

Mark Twain, who lived in a very different technology age, planned that his autobiography would not be published for a 100 years, to reduce the chances that his writing would trigger a libel lawsuit from a living contemporary, or heap an unwanted burden on his surviving family. G. Adams, After Keeping Us Waiting for a Century, Mark Twain Will Finally Reveal All, http://www.independent.co.uk/arts-entertainment/books/news/after-keeping-us-waiting-for-a-century-mark-twain-will-finally-reveal-all-1980695.html (accessed Aug. 4, 2014).

You may very well have digital items you would prefer that your heirs not be able to access. That might have been Alison Atkins’ intention when she died prematurely at 16, having finally succumbed to a colon disease. Though upbeat publicly about her health and condition, she also kept a private blog secured by a separate password where she contemplated suicide and other “dark” thoughts. G. Fowler, Life and Death Online: Who Controls a Digital Legacy?, Wall Street Journal, Jan. 5, 2013, http://online.wsj.com/news/articles/SB10001424127887324677204578188220364231346.

Without an expression of your intent, your family may have no choice but to break into your computer and gain access to all of your online and social media accounts, risking a violation of federal or state privacy law, and also gaining access to information you might wish to protect them from. Give us a call or get in touch with us if you want to talk more about your digital estate planning.

Final HIPAA Security Regulations and EHRs

Note: this article was originally published in Maryland Physician Magazine in its May/June 2013 issue.

The HiTech Act in 2009 set in motion a series of changes to the HIPAA rules that govern the use, disclosure and protection of protected health information (“PHI”). The Department of Health and Human Services (“HHS”) subsequently issued interim regulations in response to these changes in the law, and this year issued a final regulation as of March 26, 2013 that requires compliance by covered entities and business associates within 180 days. These final HIPAA security regulations make a number of important changes which may impact your relationship with vendors that provide you with electronic health record (“EHR”) licensing and support.

First, prior to HiTech, business associates of covered entities were not required to comply with the security rules and standards set forth in the HIPAA security regulations. HiTech changed the applicability of the security regulations to include business associates. The final regulation from HHS implements this provision of the HiTech Act, but with a twist: subcontractors to business associates are also defined as business associates within the final regulation. What this means is that EHR vendors and their subcontractors must fully comply with the HIPAA security rules, not just with “reasonable” security measures.

Second, prior to HiTech, there was no federal requirement that a covered entity or business associate report a security breach that resulted in the disclosure of protected health information (“PHI”). HHS subsequently issued interim regulations to implement these notification requirements, and as of March 26, 2013, HHS issued final regulations that alter the assumptions and exceptions to what constitutes a “breach” under HIPAA. In addition, business associates and subcontractors are obligated to report security breaches to covered entities.

For providers that are at the beginning of their search for an EHR vendor, have an attorney review any proposed contract between your organization and the vendor to ensure that the business associate provisions comply with the final regulations. If you already have an existing relationship, work with your attorney to ensure that the contract in place complies with the final regulatory requirements. All business associate agreements must come into compliance with the final regulations by September, 2014.

In recent years, some EHR vendors have moved to “cloud”-based data storage and access solutions for their clients. These cloud systems are designed so that provider data collected by the EHR is stored at a remote data center, and made available over an internet connection with the provider. Some EHR vendors subcontract with a third party to provide the cloud data storage. More likely than not, that subcontractor is now a business associate under the final regulations and takes on the same obligations as the EHR vendor with regards to your data. The final regulations require that a covered entity’s contract with their business associate require subcontractor compliance with the final security regulations.

Beyond compliance issues, providers will want to evaluate whether an EHR vendor that hosts your data in the “cloud” has really made sufficient provisions for security. Such an evaluation makes good business sense because of the incredibly negative consequences of any security breach that results in a loss of PHI for a health care provider. For example, does the vendor comply with a recognized, national security standard (like NIST)? Is the EHR vendor, or the data center it uses for storing your data, audited against a SAS standard like SAS-70? What are the security practices and security devices in place at the EHR vendor to protect your data? If the vendor will host your data, what are its disaster recovery and data backup procedures? Are those procedures regularly tested?

Providers and their counsel should also evaluate what, if any, additional provisions should be negotiated into any final agreement with the EHR vendor concerning the vendor’s compliance with a security standard, commitment to security procedures, and related obligations (such as maintaining appropriate border security and/or appropriate encryption for data during its transmission).

The changes in HIPAA compliance mean that providers cannot simply treat EHR vendors as a “black box” into which providers place PHI, and rely on the EHR vendor’s representations that they know best regarding security. In addition, because the scope of HIPAA now covers more than just covered entities and business associates, but also most subcontractors of business associates that handle PHI, more entities are at risk for substantial fines for failing to comply with the applicable security standards. All providers should work with their counsel to analyze and address compliance with the final regulations.

Data Breach Over Time

The following chart is a summary of data breach information available on privacyrights.org of approximately 3,700 data breaches that have become publicly known, affecting in excess of 600,000,000 records of personal information, such as credit card numbers, social security numbers, and other sensitive information.

This chart illustrates the number of private records lost by year, starting in 2005. The two most common ways that data is lost are either as a result of a portable device (PORT) that is lost or stolen (the orange bar), or direct hacking/malware (HACK) (the green bar). The reader will note that there was a spike in lost records in 2009. A major contributing factor to this loss was a single hacking incident involving Heartland Payment Systems involving in excess of 130,000,000 records, combined with a loss by the Veterans Administration of 76,000,000 records that same year.

In terms of the major business industry categories, the industry sector with the largest data losses over time (2005-2013) is the financial and insurance industry (BSF), followed by retail (BSR) and government (GOV) (the latter being most impacted by losses at the Veterans Administration among government agencies).

Reported PHI Breaches

The Department of Health and Human Services (“HHS”) maintains an online list of covered entities and business associates that have experienced PHI breaches where more than 500 individual patient records were involved. As of the writing of this post, a total of 572 reported breaches are listed on this website. What can we learn from this information?

First, the dataset covers breaches reported from September, 2009 through February, 2013. A total of more than 21 million patient records are listed on this report (though it is likely there is some duplication of patient records between data breaches reported here). These incidents total less than the single data loss reported by the Department of Veterans Affairs in 2006 when a single laptop was stolen from an employee’s home that contained in excess of 26 million records. Nonetheless, a significant amount of PHI has been lost or stolen and reported to HHS over the last three and a half years.

Second, the most common scenarios for PHI breaches are tape backups that are lost, followed by theft. Almost 6 million patient records were affected by this kind of data loss. The theft or loss of a laptop came in fourth, affecting about 2.3 million patient records. Theft generally accounted for more than one third of all records compromised, followed next by loss (which probably includes scenarios like we accidentally put the backup tapes in the dumpster, or the tape fell out of my bag between the office and my car), also accounting for about one third of all records compromised. Hacking appears down the list, affecting a total of 1.3 million patient records.

Third, a little more than half of data breaches appear to involve a business associate of a covered entity in terms of patient records breached. However, only 92 of the 572 data breaches note a business associate’s involvement, which tends to suggest that when a business associate is involved, more records on average are affected by the data breach. This is consistent with the expectation that technology vendors like those that implement and/or host electronic health records often do so for more clients and are a bigger target for data theft or hacking and computer viruses.

With the change in breach notification in the final HIPAA regulations recently issued by HHS, it will be interesting to see if there are more breach notifications published to HHS’ web site.

Changes in HIPAA Breach Notification Rule

HHS recently released the final regulations that revise certain provisions of HIPAA, including the HIPAA breach notification rule. Congress, in enacting the HiTech Act in 2009, included a statutory requirement that covered entities report breaches that involved the unauthorized access or loss of protected health information (“PHI”). HHS then promulgated an interim rule to implement this statutory provision. That interim rule required reporting of the breach under the “significant risk of financial, reputational or other harm” standard. Criticism was subsequently leveled at this standard as being too subjective. HHS just recently issued its final rule (effective on March 26, 2013) that changes the breach reporting rule in two ways.

First, if there is a breach that involves PHI, and the breach does not fall within a regulatory exception, the presumption of the regulation is that the breach must be reported. This means that a party that experiences a loss of PHI cannot assume, on the grounds that the loss was uncertain to cause significant harm to the patients, that notification of the breach was not required.

Second, the final regulation replaces the interim rule’s standard with a requirement that the party who experienced the loss must demonstrate that there is a low probability that the PHI has been compromised. In order to qualify under this new standard, the party must perform a risk assessment, taking into account at least the four factors outlined in the regulation. These factors are found in § 164.402(2):

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

So, let’s evaluate some typical hypothetical scenarios that involve the loss of PHI. The most common reported PHI breach involves data backup tapes that are lost. By design, a data backup tape is usually the entire database of patient records, because this entire dataset would normally be required to restore the data from the backup.

Under the first factor, such a loss would militate towards breach notification, because the dataset would almost certainly include patient identifiers and, if the backup was of an electronic health record, extensive health information on each patient. Under the second factor, if the tape was merely lost, there is no determination of who might have had unauthorized access to the PHI. If, for example, the backup tape was just simply lost by a contractor that stores the backup tapes in a vault for retrieval on demand, this factor might lean towards not making a notification. On the other hand, if the tape was in the trunk of the network administrator’s car, and the car was stolen, this factor might lean towards making a notification.

As to the third factor, a lost data tape alone, without more information, would not inform us whether the data was actually acquired by anyone, or viewed by someone. There is certainly the potential that a lost tape could be viewed, assuming that the person that obtained it had access to a compatible tape drive. But based on what we know, this factor is probably neutral.

As to the fourth factor, the question here is whether the backup tape itself was encrypted, or was stored in a locked storage box. A tape that is encrypted is much harder to access, even if the tape was intentionally stolen to obtain unauthorized access to PHI. A tape in a locked storage box that was merely lost may be less likely to be accessed by an unauthorized user. So this factor may swing either way based on what, if any, mitigations were in place to protect the data on the backup tape.

If we assumed that no mitigations were in place, the overall analysis would lean towards breach notification under the new rule. As you can see, however, the facts and circumstances matter greatly in evaluating whether a breach has occurred that requires notification.

Changes in HIPAA Compliance

The HiTech Act set in motion a series of changes to Health Insurance Portability and Accountability Act (“HIPAA”) compliance for covered entities and business associates in 2009, which were followed by interim regulations issued by the department of Health and Human Services (“HHS”). HHS has issued a final regulation that goes into effect on March 26, 2013, and requires compliance within 180 days by all covered entities and business associates.

The HiTech Act made a number of important changes to the law governing the security and disclosure of protected health information. First, prior to HiTech, business associates of covered entities were not required to comply with the security rules and standards set forth in the HIPAA security regulations. HiTech changed the applicability of the security regulations to include business associates. The final regulation from HHS implements this provision of the HiTech Act.

Business Associates are Covered Entities when it comes to PHI

HiTech initially changed the law governing PHI by requiring that business associates comply with the same security regulations that govern covered entities. The final regulations with HHS clarify which security rules also apply to business associates under section 164.104 and 164.106, including those applicable rules found in Parts 160 and 162. However, HHS also expanded the definition of “business associate” to include subcontractors of business associates that handle PHI on behalf of the business associate for the covered entity. The regulation does provide certain narrow exceptions to who is now covered in the definition of a “business associate,” including an exception for “conduits” of PHI that may, on a transitory basis, transmit PHI but would not access the PHI except on a random or infrequent basis. But the regulation appears to generally expand further the legal responsibilities, and potential liability, for members of the industry that work even indirectly for covered entities.

For existing health care providers, now might be the time to revisit your business associate agreement with your business associates, such as your EHR vendors. Section 164.314 establishes certain requirements for these agreements, including provisions that all business associates comply with the full security rule, that subcontractors to business associates also comply with the full security rule, and that business associates provide the covered entity with security incident reporting in the event of a breach at the business associate’s or subcontractor’s facility or systems.

Changes in Security Breach and Notification

HiTech also introduced a breach notification provision which was intended to require covered entities to report to HHS, and where appropriate, to patients affected by a security breach involving their PHI. The final regulations have modified the definition of a “breach” by establishing the assumption that an unauthorized access of PHI is a breach unless it can be demonstrated by the covered entity or business associate that there is a low probability that the PHI has been compromised.

Such a demonstration requires that the covered entity or business associate conduct a risk assessment and evaluate at a minimum the four factors described in the regulation: “(i) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification, (ii) the unauthorized person who used the protected health information or to whom the disclosure was made, (iii) whether the protected health information was actually acquired or viewed, and (iv) the extent to which the risk to the protected health information has been mitigated.”

Altering the burden and requiring a covered entity or business associate to engage in this risk assessment is likely to increase the number of breach notifications required under the final regulation.

The final regulation includes a variety of other changes in requirements for covered entities and business associates not discussed in this article, such as sale and marketing of PHI, use of genetic information for insurance underwriting, notices to patients of privacy practices, and disclosure of PHI to friends and families of decedents. Providers should promptly examine their privacy and security policies to ensure compliance with the final regulations.

Mac OS X Viruses: Rare but they happen

Thanks to the MacAttorney, Randy B. Singer. Randy emailed to his mailing list about a recent virus making the rounds for Mac users. This “Mac Flashback Trojan” has apparently infected some Mac computers. Here is an article on how to check if your computer is infected, and how to go about resolving the issue.

For many Mac OS X users, you should have already received a Java update from Apple that will patch this problem. If not, you can check for operating system updates by clicking on Apple icon in the upper left corner of your desktop and going to Software Update. If a patch for Java is listed, be sure to install it promptly to protect your computer from viruses like these.

Living in the Cloud(s)

I wrote about cloud computing in an earlier post and discussed some of the general pros and cons involved with the idea. For attorneys, doctors and other professionals that are regulated, cloud computing creates some new wrinkles. For attorneys, protecting the confidences of clients is an ethical obligation. The unauthorized disclosure of client secrets can lead an attorney to disciplinary action and disbarment. For physicians and other health care providers, federal laws on the privacy of patient information put providers at risk for substantial fines for inappropriately disclosing patient health information (or otherwise not complying with HIPAA’s privacy and security rules). Using the cloud for applications that might have such confidential information adds a layer of uncertainty for the practitioner.

On the other hand, cloud computing is coming to a practice near you whether you like it or not. For example, an increasing number of attorney practice management systems are cloud-based, such as Clio. Legal research tools like FastCase, LexisNexis, Westlaw and Google Scholar are all cloud-based systems (in the sense that the information being searched is not stored on your local network but in internet-based database repositories that you access through your web browser). And a growing number of email providers, including Google Apps for Business, Mailstreet.com, and others have been providing cloud-based email solutions for custom domain names.

State bar ethics groups and the ABA have been working on ethics opinions about these cloud-based systems. North Carolina’s Bar had initially proposed a restrictive rule on the use of cloud computing systems by attorneys in the state. The NC Bar had suggested that the use of web-based systems like directlaw.com (which allows clients to complete a questionnaire online for specific legal documents which are reviewed by an attorney before becoming final) represented a violation of the state’s ethics rules. However, the NC Bar later revised its opinion and indicated that cloud computing solutions can be acceptable, so long as the attorney takes reasonable steps to minimize the inadvertent disclosure of confidential information. “Reasonable,” a favorite word of attorneys for generations, has the virtue and vice of being subject to interpretation. However, given the pace of change of technology, a bright line rule that favors one system over another faces prompt obsolescence.

In the context of the NC Bar 2011 Formal Opinion 6, for software as a service providers, ethics considerations include: (a) what’s in the contract between the vendor and the lawyer as to confidentiality, (b) how the attorney will be able to retrieve data from the provider should it go out of business or the parties terminate the SAAS contract, (c) an understanding of the security policy and practices of the vendor, (d) the steps the vendor takes to protect its network, such as firewalls, antivirus software, encryption and intrusion detection, and (e) the SAAS vendor’s backup and recovery plan.

Can you penetrate past the marketing of a vendor to truly understand its security practices? For example, Google does not even disclose the total number of physical servers it uses to provide you those instant search results (though you can learn where its data centers are – there is even one in Finland as of the writing of this article – here). And, in spite of Google’s security vigilance, Google and the applications it provides have periodic outages and hack attacks, such as the Aurora attack on gmail that became known in 2010. Other data centers and service providers may be less transparent concerning these security issues. In some cases, the opacity is a security strategy. Just as the garrison of a castle wouldn’t advertise its weak spots, cloud providers aren’t likely to admit to security problems until either after the breach is plugged, or the breach is irreparable.

What’s your alternative? For you Luddites, perhaps paper and pencil can’t be hacked, but good luck if you have a fire, or a disgruntled employee dumps your files in a local dumpster for all to see one weekend. For those of you that want computer system in your practice, can you maintain these systems in-house in a cost-effective manner? Do you have the resources to keep up with the software and hardware upgrades, service contracts, backup & recovery tests, and security features to reasonably protect your data? How does that stack with professional-grade data centers? Are you SAS-70 or SAS-16 compliant? Do you know how data you access is encrypted? In functional terms, do you really exercise more effective control over your security risks if you have IT people as employees rather than a data center under a reasonable commercial contract?

There are a lot of considerations. And the best part? They keep changing!

Spam Spam Spam Spam Spam Spam Baked Beans and Spam

“18” year old virgins have recently found online resellers of non-prescription viagra for Magic Jack users that want cheap ski vacations that need health insurance, iPads and Dyson vacuum cleaners at rock bottom, knock off prices! And all of these thousands of emails have been sent to my account online so that I can help a gentleman from Nigeria move $55 million in money from an African bank account into the U.S. and I can charge a humble $5 million fee to help. I just need to send my social security number, credit card numbers, street address, and a sample of my signature to a person I’ve never met by email, deposit the bogus cashier’s check in my trust account, and then immediately write a check off the account the next day, well before the bogus check is returned by the collecting bank.

I feel as though I have ended up in the 21st century Monty Python skit about the restaurant that only seems to have “spam” on the menu. I hear this problem continues, with more than 70% of all email amounting to spam, according to a 2011 article from Symantec (though there was a time that more than 90% of email was spam, so there has been some improvement since those dark days in 2009). Progress has been made with some service providers that have waged a counter war against spam. Gmail, for example, group-sources and marks messages as spam based on all messages identified by users as spam across the gmail platform. This is a surprisingly effective strategy. My experience has been that there are few false positives.

Previously, email systems were implemented that would check if a message was sent from a known, blacklisted IP address based on a series of independently maintained blacklist databases on the internet. There have also been other improvements in the background, including the use of special DNS entries, and email gateways that pre-filter messages before reaching the mail server (Symantec had a product it had acquired from Brightmail; Google Apps includes a single-domain license for Postini, which is also generally effective at cutting down spam). Spam messages often include phishing links, virus-laden email attachments, and other nefarious attacks on users. Reducing spam makes sense for service providers that are paying, ultimately, for the bandwidth and storage space to process and deliver this junk to users. We clearly have a way to go to reduce this problem for users. Until then, if you need male enhancement medicine, are missing out on a $1,000 transfer to your bank account, want to help a political refugee move his family fortune to the U.S., need a usurious student loan, or want to work from home – I’m your guy!