Third Party Risk Management and the FTC's "New & Improved" Data Security Orders
Date Posted: Thursday,
March 12, 2020
Cybersecurity and the related technical, administrative, and physical safeguards, which are required under a plethora of law ranging from the Health Insurance Portability and Accountability Act (HIPAA) to the California Consumer Protection Act (CCPA) to the Federal Trade Commission's Data Security Orders (FTC's Data Orders), is receiving heightened attention from regulators. Yet, according to EHRIntelligence, one of the biggest problem areas is risk mitigation associated with a third-party or vendor-related breach.
The purpose of this article is to highlight the July 2019 Ponemon Report, The Economic Impact of Third-Party Risk Management in Healthcare in relation to the well-established privacy and security requirements and its relationship to the FTC's Data Orders. For purposes of the article, the term "risk assessment" is being used in a general context and includes the annual requirement for a risk analysis under HIPAA, which is set forth in 42 C.F.R. § 164.308(a)(1)(ii)(A).
Analysis
According to the EHRIntelligence article, the following findings are disconcerting:
- The indirect and direct costs of third-party risk management for the healthcare industry averages $23.7 billion annually.
- The lack of automation and reliance upon manual risk management processes makes it difficult to keep pace with cyber threats and the proliferation of digital applications and medical devices used in healthcare.
- Vendor risk assessments are time-consuming and costly, so few organizations are conducting risk assessment of all their vendors.
- Critical vendor management controls and processes are often only partially deployed or not deployed at all. If controls and processes are deployed, they are not considered very effective in reducing third-party risks.
The Ponemon Report reached similar conclusions, indicating that healthcare entities are grappling with the prevention or mitigation of a third-party or vendor-related data breach. Of the many findings that are highlighted, there is one in particular that should be pointed out.
Organizations are not requiring remediation or disqualification when an assessment reveals security gaps. Only an average of 21 percent of all assessments result in a requirement to remediate prior to doing business with them and only 11 percent of respondents say they result in disqualification.
Moreover, vendor's security gaps are not addressed following an assessment. Respondents were asked what they do if they determine working with the vendor will put their organization at risk. Only one-third of respondents say they would terminate the relationship with the vendor. These findings indicate that most organizations might not have processes in place to follow-up when such security gaps are revealed.
So, it appears to be a conscience choice. Typically, I advise clients to ask these five basic questions of a vendor/third-party. If the answer to any of these five questions is "No," then the likelihood of a breach and potentially a monetary penalty and/or lawsuit damages is harder to mitigate.
The five questions are:
- Do you train employees annually?
- Do you have a Business Associate Agreement or similar Data Privacy and Security Agreement executed between the parties?
- Is an annual risk assessment conducted and are the gaps corrected?
- Are policies and procedures adequate and reviewed annually?
- Is data encrypted at rest and in transit?
The impetus for these five questions stems from reading various U.S. Department and Health and Human Services – Office for Civil Rights (HHS-OCR) resolutions of admitted and non-admitted breaches of protected health information, class action law suits, and FTC Orders. These five areas comprise the highest dollar recovery. Therefore, if there are gaps in any of these, mitigating liability is slim.
That brings us to the FTC's Orders in data security cases, "Since the early 2000s, our data security orders had contained fairly standard language. For example, these orders typically required a company to implement a comprehensive information security program subject to a biennial outside assessment. As part of the FTC's Hearings on Competition and Consumer Protection in the 21st Century, we held a hearing in December 2018 that specifically considered how we might improve our data security orders. We were also mindful of the 11th Circuit's 2018 LabMD decision, which struck down an FTC data security order as unenforceably vague."
In light of these outcomes, the FTC curtailed data security practices in three major ways. First, the orders have greater specificity, which are similar to those disseminated by HHS-OCR. Second, the orders place more of an onus on third-party assessor accountability. Finally, the orders consider the data security compliance of C-Suite and Board level members, such as training and being briefed on a company's information security program. This enterprise risk management approach correlates to mitigating the risks found in the EHRIntelligence article and Ponemon Report.
Conclusion
In sum, the FTC's revisions to its orders should serve as a reminder that ignoring either conducting an annual risk assessment or failing to address the gaps can have consequences. With renewed emphasis at the Board and C-Suite levels, organizations should assess their corporate culture and risk tolerance, as well as what assets are available to pay for fines, damages, legal costs, and reputational damage. By asking five simple questions and choosing not to ignore the answers, organizations can improve the overall industry as those with inadequate technical, administrative, and physical safeguards will be left behind.
Rachel V. Rose, JD, MBA, is an Attorney at Law, in Houston, TX. Rachel advises clients on healthcare, cybersecurity, securities law, and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been consecutively named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyer's Top 25. She can be reached at rvrose@rvrose.com. www.rvrose.com