Evolving Security - PowerPoint PPT Presentation

Provided by: nchicaOrg

Transcript and Presenter's Notes
1
Evolving Security & Privacy Laws & Regulations
  • Michael W. Hubbard, J.D.
  • Smith, Anderson, Blount, Dorsett, Mitchell & Jernigan, L.L.P.
  • Carole A. Klove, R.N., J.D.
  • Chief Compliance and Privacy Officer
  • Stanford Hospital & Clinics and
  • Lucile Salter Packard Children's Hospital
  • Jeanne Smythe, CISM
  • Director of Computing Policy and Compliance
  • University of North Carolina at Chapel Hill
  • AMC Security & Privacy: Progress & Prospects
  • Research Triangle Park, North Carolina
  • September 26, 2005
  • Note: The information reported is general in nature, and because individual circumstances differ, should not be construed as legal advice.

2
Agenda for this Session
  1. Evolving Privacy & Security Laws
  2. Trends of More Complaints and Incidents
  3. AMC Security Management Trends
  4. Group Discussion
3
Evolving Privacy & Security Laws
4
Key Privacy Laws Affecting AMCs
  • Health Information Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley?
    • Potentially applicable if AMC is vendor to a commercial health plan or it makes loans to medical students
  • Federal Trade Commission Act (FTC Act)
  • Federal Drug Administration (FDA) Regulations
  • Fair and Accurate Credit Transactions Act (FACTA)
    • FTC Disposal Rule
    • Consumer credit reports regarding patients, regarding potential hires in pre-employment screening
  • Fair Information Practices (FIPs) Principles
5
Key Privacy Laws Affecting AMCs, cont'd
  • Cross-Border Data Transfer Laws
  • State Consumer Protection Laws, especially California!
  • State Privacy Breach Notice Laws
  • Children's Online Privacy Protection Act (COPPA)
  • Medicare Conditions of Participation
  • Patriot Act
6
Security Breach Notification: the New Driver
  • California Security Breach Notification Law (SB 1386)
  • Many observers attribute to this California law the flood of news stories in the last year about privacy breaches; California had the first law in the United States requiring notice to consumers.
  • Congress and states are very busy on this topic.
7
New State Data Protection Laws
  • North Carolina Senate Bill 1048
    • Privacy breach notification
    • Destruction of records
8
North Carolina Senate Bill 1048
  • Applies to "personal information," which is a person's first name or first initial, and last name, in combination with identifying information, which includes:
    • Social Security numbers.
    • Driver's license numbers.
    • Checking account numbers.
    • Savings account numbers.
    • Credit card numbers.
    • Debit card numbers.
    • Personal Identification (PIN) Code as defined in G.S. 14-113.8(6).
    • Electronic identification numbers.
    • Digital signatures.
    • Any other numbers or information that can be used to access a person's financial resources. (emphasis added)
    • Biometric data.
    • Fingerprints.
    • Passwords.
    • Parent's legal surname prior to marriage.
9
North Carolina Senate Bill 1048, cont'd
  • Effective date for most provisions: October 1, 2006.
  • More than a data breach notification bill.
10
North Carolina Senate Bill 1048, cont'd
  • § 75-64. Destruction of personal information records. (a) Any business that conducts business in North Carolina and any business that maintains or otherwise possesses personal information of a resident of North Carolina must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.
  • (f) A violation of this section is a violation of G.S. 75-1.1, but any damages assessed against a business because of the acts or omissions of its nonmanagerial employees shall not be trebled as provided in G.S. 75-16 unless the business was negligent in the training, supervision, or monitoring of those employees. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.
11
North Carolina Senate Bill 1048, cont'd
  • § 75-65. Protection from security breaches. (a) Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach.
  • § 14-113.21. Venue of offenses. In any criminal proceeding brought under G.S. 14-113.20, the crime is considered to be committed in the county where the victim resides, where the perpetrator resides, where any part of the financial identity fraud took place, or in any other county instrumental to the completion of the offense, regardless of whether the defendant was ever actually present in that county.
  • § 120-61. Report by State agencies to the General Assembly on ways to reduce incidence of identity theft. Agencies of the State shall evaluate and report annually by January 1 to the General Assembly about the agency's efforts to reduce the dissemination of personal identifying information, as defined in G.S. 14-113.20(b).
12
Evolving Common Law
  • What is the liability standard: (1) prevailing standard of care among like providers, or (2) reasonable person standard?
  • "When the alleged breach does not involve the rendering or failure to render professional nursing or medical services requiring special skills, it is not necessary to establish the standard of due care prevailing among hospitals in like situations in order to develop a case of negligence. The standard of care of a reasonable, prudent person is generally the standard the courts have applied."

Burns v. Forsyth Memorial Hospital, 81 N.C. App. 556 (1986)
13
Evolving Common Law, cont'd
  • Claim for negligence per se: is HIPAA a safety statute?
  • "Our Supreme Court has held that when a statute imposes a duty on a person for the protection of others, it is a public safety statute and a violation of such a statute is negligence per se."
  • Gregory v. Kilbride, 150 N.C. App. 601, 610 (2002)
14
Evolving Common Law, cont'd
  • Fair Information Practices (FIPs) principles and remedies
  • Will FIPs become a part of common law in states?
15
Claim: Negligent Formulation of Privacy and Security Policies
  • Also claim for negligent enforcement of policies
  • See Foster ex rel. J.L. v. Hillcrest Baptist Med. Ctr., No. 10-02-143-CV, 2004 WL 254713 (Tex.App.-Waco Feb. 11, 2004)
16
Unfair and Deceptive Trade Practices Claims Based on Privacy/Security Failure
  • Alleged inconsistencies between privacy notice and actual privacy practices
  • See, e.g., California Consumer Healthcare Council v. Kaiser Foundation Health Plan, Inc., et al., Superior Court of the State of California, County of Alameda, Case No. RGO414572, Complaint filed March 15, 2004
  • Kaiser's HIPAA Privacy Notice is Exhibit A to litigation complaint
  • Plaintiffs allege actual handling of health information deviated from what the privacy notice said.
17
Unfair and Deceptive Trade Practices Claims Based on Privacy/Security Failure, cont'd
  • Key HIPAA requirements for privacy notices.
  • "The notice must contain . . . a statement that all other uses and disclosures will only be made with the individual's written authorization . . . ."
  • Some privacy notices (especially on websites) contain gratuitous and strong assurances regarding privacy and security of personally identifiable information.
18
FTC Act, Section 5
  • "The Commission is hereby empowered and directed to prevent persons . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce." (emphasis added)
19
In Re Petco Animal Supplies, Inc.
  • Petco stated in its privacy notice that consumers' credit card numbers and other personal information would be (1) completely safe and (2) maintained in encrypted form.
  • FTC alleged that Petco engaged in deceptive practices because the Petco website was easily subject to attack and data was not encrypted.
  • Consent Order: For twenty years, Petco must get a biennial assessment of its security practices from a qualified, objective independent third party professional and must provide supporting materials to FTC.
20
In Re BJ's Wholesale Club, Inc.
  • FTC alleged that BJ's committed unfair acts and practices in failing to implement reasonable protections of credit and debit card information.
  • In June 2005, BJ's and FTC agreed to a 20-year consent decree.
  • This is the first FTC privacy enforcement of unfair acts and practices versus deceptive acts and practices: BJ's enforcement is not based on a privacy notice that was violated.
21
Trends of More Complaints and Incidents
22
Points to Consider in Incident Response
  • Attorney-client privilege
  • Public relations
  • Alert management
  • Investigate
  • Consider applicable data breach notification laws in applicable jurisdictions
  • Identify data/files/executables to quarantine, destroy, preserve for chain of custody purposes in later proceeding, etc.
  • Compare to policies and procedures
  • Identify gaps
  • Identify lessons learned or any changes to policies
  • Identify how to communicate to a patient or a customer
  • Identify what documentation is required
23
AMC Security Management Trends
24
Consumer Requests
  • Consumer Awareness and Requests
  • Identity theft
  • Access to and correction of records
  • Collateral damage
  • May be used as a way to take out frustrations

25
Patient Communication Challenges
  • Patient demand for insecure communications
  • Email today
  • IM tomorrow
  • Once patients send you the medical information, you have a duty to protect it
26
Increasingly Hostile Environment
  • More security incidents
  • Viruses and worms are becoming more evil
  • Disproportionate number of incidents in Academic
    environment
  • Accounting for disclosures is a nightmare

27
Small Mobile Devices and Media
  • Becoming Ubiquitous
  • PDAs, Blackberries, Treos
  • Multiple communication paths
  • Not always Centrally Managed
  • Patient management software easily available for
    download
  • Medical students as well as staff
  • Personal and business use commingled
  • Incident handling very difficult

28
Managing the Risk of FDA Approved Devices
  • Dilemma: patching can invalidate warranty
  • Manage vendor relationship proactively
  • Inventory and understand risk of underlying embedded technology
  • Frequency of need to address new vulnerabilities
29
Special Challenges for Academia
  • Distributed Academic Environment makes some
    security challenges more difficult
  • Blending of research and treatment records
  • Disaster Recovery and Emergency Mode Operation
    Plan
  • Technology usable but not secure for IT novices

30
Leverage What You're Already Doing
  • Look to other compliance practices for examples of technical implementation
  • You already need to do security for other compliance efforts and to manage risks
31
Group Discussion
32
Audience Experience
  • Have you found the direction and trends discussed
    here to be also what you are experiencing at your
    institution?
  • 1 - Strongly Disagree ___
  • 2 - Disagree ___
  • 3 - Neither agree nor disagree ___
  • 4 - Agree ____
  • 5 - Strongly agree ____

33
Audience Experience
  • How is your institution preparing for this trend
    toward greater emphasis on privacy and security
    of sensitive (patient and other) data?
  • In communicating with patients
  • In incorporating key security considerations in
    new systems and processes in anticipation of more
    stringent requirements

34
Audience Experience
  • What measures in policies, processes, and
    practices have been made to sensitize and prepare
    the workforce for this heightened focus on
    sensitive data?
  • Enterprise-wide, multi-discipline
    teams/committees
  • Initial and continuing training efforts

35
Session Feedback Poll
  • This session did a good job of engaging the
    panelists and the audience on the topic.
  • 1 - Strongly Disagree ___
  • 2 - Disagree ___
  • 3 - Neither agree nor disagree ___
  • 4 - Agree ____
  • 5 - Strongly agree ____

36
Thank You!
  • Carole Klove
  • Stanford Hospital & Clinics
  • 180 El Camino Real, Suite V860
  • Palo Alto, California 94304-5716
  • Telephone (650) 724-2572
  • cklove_at_stanfordmed.org
  • Jeanne Smythe
  • University of North Carolina at Chapel Hill
  • Chapel Hill, North Carolina 27599
  • Telephone (919) 962-5322
  • jeanne_smythe_at_unc.edu
  • Mike Hubbard
  • Smith, Anderson, Blount, Dorsett, Mitchell & Jernigan, L.L.P.
  • 2500 Wachovia Capitol Center
  • Raleigh, NC 27602-2611
  • Telephone (919) 821-6656