“surviving securely & surviving security -- thoughts after 9/11”
DESCRIPTION
“Surviving Securely & Surviving Security -- Thoughts After 9/11”. Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP HIPAA Summit, Baltimore October 31, 2002. Overview. Today is Halloween -- How scared should we be? Of what? - PowerPoint PPT PresentationTRANSCRIPT
“Surviving Securely & Surviving
Security -- Thoughts After 9/11”
Professor Peter P. Swire
Ohio State University
Consultant, Morrison & Foerster LLP
HIPAA Summit, Baltimore
October 31, 2002
Overview
Today is Halloween -- How scared should we be? Of what?
HIPAA and private sector security– Why HIPAA security is scary hard– Why it is not quite so hard
Homeland security– Bioterrorism and other issues post 9/11– Civil liberties, privacy & security
Concluding thoughts
My Background
Clinton Administration Chief Counselor for Privacy, 1999-2001– White House coordinator, HIPAA privacy rule– Chair of White House working group to update
wiretap and surveillance law– Much work on computer security, encryption,
and other security issues
My current work
Professor, Moritz College of Law of the Ohio State University– Based in D.C.
Consultant, Morrison & Foerster LLP– Nationwide HIPAA practice
Writing on privacy & security issues– Op-ed, Washington Post– Testimony, House Judiciary– See www.peterswire.net
I. HIPAA and Private Sector Security
Today have heard the many, many components of state-of-the-art HIPAA security compliance
Your possible concerns:– Cost– Lack of technical expertise– Interfere with health care and other work– No management support to get from here to there
More to worry about
FTC and the Eli Lilly case– Medi-messenger to remind users to refill
prescriptions– 669 names of Prozac users put in the “To” line
rather than the “Bcc” line in June 2001– Everyone agrees was unintentional– ACLU complained to the FTC
Lilly case and the law
Not a HIPAA case– Rules not yet in effect– Very likely not a covered entity
FTC Act, Section 5– Prohibits “unfair and deceptive trade practices”– Broad FTC jurisdiction (except insurance)– Case law -- deceptive if break a material
promise on your web site
Lilly
Lilly web site said: “Eli Lilly and Co. respects the privacy of visitors to its Web sites, and we feel it is important to maintain our guests’ privacy as they take advantage of this resource”
FTC claimed deceptive because of failure to “implement internal measures appropriate under the circumstances to protect sensitive consumer information”
Lilly Settlement, early 2002
Create 4-stage information security program– Designate appropriate managers to oversee– Comprehensive assessment and addressing of
security risks– Annual written review by qualified persons of
compliance– Update program over time
One-time negligence leads to federal case for “deceptive practices”
Your HIPAA web policy and FTC enforcement
New California Security Law
S.B. 1386, signed Sept. 25 requiring notification of security breaches involving personal information
If there is a security breach, then must disclose to any resident of California whose personal information was acquired by the unauthorized person
Breach essentially means unauthorized acquisition of computerized data
Takes effect July 1, 2003
New California Law Breach applies to “personal information”
– Name plus one or more of:– Social Security number– Driver’s license number, or– Account numbers or passwords that permit access to
individual financial accounts Safe harbor if you keep the data encrypted Private civil actions and injunctions Consider preparing your systems for HIPAA and S.B. 1386
together
Security as Scary Hard
To summarize– HIPAA security rule will come– HIPAA privacy rule already will require
reasonable physical and cyber safeguards– Lilly case and deceptive practices– New state law interest in assuring information
security
Security as Less Hard
Draft HIPAA Security Rule– Most of it is codified common sense– Have backups, disaster recovery, good
passwords, and so on– How easy will it be for HHS to surprise
everyone and have a much stricter and more regulatory security rule?
– Not very. Would be unfair surprise and more regulatory than the HIPAA privacy approach.
HIPAA Security as Less Scary
Key concept of “scalability”– Security plan for big research hospital– Security plan for pediatrician office– Rule contemplates they will be very different
“Good faith”, “reasonableness” Enforcement
– Compliance oriented, not penalty oriented– Limited staff at HHS/OCR
Security in the Private Sector
Lilly as less scary:– Limited FTC enforcement staff– Settlement was essentially a good compliance plan
going forward As a society
– We learned to lock our houses and cars– Some have to do more -- jewelry stores– Now are learning what good practices mean for our
networked world
II. Homeland Security after 9/11
Clearly more focus on cyber-security & other homeland security issues
Anthrax scare and bioterrorism USA-PATRIOT Act fall 2001 Homeland Security Department bill Proposals for state public health changes
and more data uses
Don’t Over-react to New Security Threats My recent “State of the Union for Privacy,
Fall 2002” Privacy, civil liberties and foreign
intelligence laws today arose from previous pattern of systematic abuse
“The Lawless State”
Thousands of documented instances of lawbreaking by U.S. law enforcement and intelligence agencies 1950s-70s
Bobby Kennedy & MLK, Jr. Infiltration of fringe groups
– KKK, Black Panthers– Democratic Party, too
Legal Safeguards in Reaction
Federal wiretap law, 1968 Privacy Act, 1974 Freedom of Information Act, 1974 Foreign Intelligence Surveillance Act, 1978 Electronic Communications Privacy Act,
1984 Others as well
III. Privacy & Security After 9/11
Privacy vs. security Privacy and security How to build them together
Security vs. Privacy
Security sometimes means greater surveillance, information gathering & information sharing
New USA-PATRIOT surveillance provisions
Err on the side of public health reporting In short, greater disclosure to build security
Security and Privacy
Good data handling practices become more important -- good security protects PHI against unauthorized use
Audit trails, accounting, are more obviously desirable -- helps with some privacy compliance
Part of system upgrade for security can be system upgrade for other requirements, such as HIPAA privacy
Building Them Together
Step One: Does the new security proposal in fact improve security?
Step Two: Is the new security proposal drafted consistently with privacy and other values?
Step Three: Are the right checks and balances in place to achieve security and other goals over time?
Conclusion
Many of our organizations need a security upgrade to comply with HIPAA– But, meet other goals such as efficiency (good
medical care), contain costs, etc. Many of our organizations need a security
upgrade to create homeland security– But, meet other goals such as efficiency (society’s
business continues), contain costs, & privacy and civil liberties
Conclusion
In both private and public sectors:– Survive Securely -- move up the learning curve
to better practices– Survive Security -- do it without letting the
security concerns prevent solid analysis of the other goals at stake