New York's new cybersecurity regulation will regulate the data security practices of health-care insurers with a set of rules that are the most comprehensive in the U.S. These rules will require many health-care insurers to take a fresh and comprehensive look at their cybersecurity programs, governance and defenses to meet the deadlines, the author writes.
By Craig A. Newman
Craig A. Newman is a partner at Patterson Belknap Webb & Tyler LLP in New York and chairs the firm's Privacy and Data Security Practice.
Data security regulation for health-care insurers that operate in New York just got more complicated. For years, the U.S. Department of Health and Human Services' Office for Civil Rights—the industry's primary data security regulator—has zealously policed the health care field. In fact, so far in 2017, the agency has already brought four data security enforcement actions. The most recent was the February 2017 $5.5 million settlement with Memorial Healthcare System—matching the largest civil monetary fine ever imposed against a single organization—because of weak internal controls that permitted employees to improperly access more than 100,000 patient records.
And now New York has gotten into the act with a completely different set of rules that are the most comprehensive of any U.S. state. Earlier this month, New York's top banking and insurance regulator threw down the proverbial gauntlet—or, perhaps more of a sledgehammer—with its new cybersecurity regulation, which has broad implications for health-care insurers that operate in New York. The regulation will force health-care insurers to navigate a minefield of new and far more exacting technical, legal and governance requirements than the industry-specific regulations already in place, including those under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). The New York rules just took effect on March 1 and will phase in over two years, but many detailed requirements must be put in place within the first 180 days.
This will require many health-care insurers to take a fresh and comprehensive look at their cybersecurity programs, governance and defenses to meet the deadlines. The regulation also places additional demands on an insurer's third-party vendors—now indirectly covered by the new rules—including health care providers and outside consulting, accounting and law firms, among others.
On March 1, the New York State Department of Financial Services (DFS) issued a “first in the nation” cybersecurity regulation designed to protect financial institutions and insurance companies, their information technology systems, and their customers from cybercrime. The regulation applies to any entity operating with a “license” or “similar authorization” under New York's “Banking Law, the Insurance Law or the Financial Services Law”—including foreign and out-of-state affiliates of DFS-regulated entities. It directly covers health-care insurers that operate in the state.
Health-care insurers are accustomed to regulation. The HIPAA Security Rule already requires that they maintain data security programs that are reasonable in view of their scale, complexity and resources but does not dictate particular measures that must be undertaken. The New York regulation takes a starkly different approach with its matrix of specific risk-based governance, process and technical requirements. Although the new regulation includes a degree of flexibility to fit each institution's risk profile, it has 23 different sections and is far more detailed and accountability-oriented than other data security regimes. And in a clear departure from existing data security regulatory norms, the new DFS regulation holds an institution's senior leadership responsible for compliance by requiring the filing of an annual compliance certificate attesting to an institution's adherence to the regulation.
The New York regulation requires, in general, that DFS-regulated health-care insurers have state-approved plans in place to protect their businesses, information systems and the personal information of their customers. The rules require that each health-care insurer start by conducting a “risk assessment” to drive the scope of the organization's overall cybersecurity program. The cybersecurity program must be “designed to ensure the confidentiality, integrity and availability” of its information systems. Notably, the cybersecurity program is not necessarily a written, stand-alone document but rather the underlying system, process and procedures by which a covered entity ensures its compliance with the DFS regulation.
At a minimum, the cybersecurity program must do six things: (1) identify internal and external cybersecurity risks; (2) use defensive infrastructure and the implementation of policies and procedures to protect information systems and non-public information; (3) detect cybersecurity events; (4) respond to, detect and mitigate the effects of cybersecurity events; (5) recover from cybersecurity events; and (6) fulfill regulatory reporting requirements.
Beyond the cybersecurity program, there is a laundry list of additional requirements ranging from the development and implementation of a 14-point cybersecurity policy to employee training, board and senior leadership engagement to highly technical requirements like encryption, access controls and different types of internal monitoring or vulnerability assessments.
For DFS-regulated health-care insurers, the new rules present a regulatory scheme—and regulatory expectations—that impose new obligations and new approaches to data security. Here is a brief look at several of these important new requirements:
Unlike existing health-care data security regulation, the New York rules are based on a foundation of corporate accountability. In the first instance, the New York regulation requires the designation of a “qualified individual” to serve as a chief information security officer (CISO). The CISO is responsible for overseeing, implementing and enforcing the covered entity's cybersecurity program and policy. Covered entities have the option of engaging a third-party service provider to serve as the CISO, but retain responsibility for compliance with the CISO requirements and must appoint a senior employee to oversee the third-party service provider.
Not surprisingly, the CISO's responsibilities are substantial including delivering a bi-annual report to the board or equivalent governing body that covers, “to the extent applicable,” the following:
Beyond the CISO's role, the DFS regulation requires engagement and accountability at the top of an organization. According to the regulation, senior management “must take” cybersecurity issues “seriously and be responsible for an organization's cybersecurity program.” That responsibility starts with review of the organization's cybersecurity policy. The regulation requires that the board of directors, an “appropriate committee of the board of directors,” or a “senior officer” approve the policy. The chairperson of the board of directors or a senior officer must also certify in writing to DFS annually that the organization's cybersecurity program complies with the regulation.
And, the New York regulation covers far more sensitive information than under HIPAA. The HIPAA Privacy Rule covers individually identifiable health information—called protected health information (PHI), and is subject to certain general data security safeguards. The HIPAA Security Rule protects a subset of that information—individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form (called e-PHI). By contrast, the New York regulation protects three different categories of sensitive information—only the last category of which directly overlaps with PHI or e-PHI:
The New York rules also apply to the security of “information systems” generally. This means that DFS-regulated health-care insurers will need to broaden their approach to cybersecurity protection to include these new elements not already covered by existing federal health-care regulation.
The new regulation not only contains extensive requirements for covered entities, but also requires third-party vendors with access to a DFS-regulated organization's information technology network or non-public information to meet minimum cybersecurity standards. Under HIPAA, covered health-care entities must bind third parties that will receive protected health-care information to comply with HIPAA's requirements in a “Business Associate Agreement.” Such agreements may identify specific data security protocols that must be followed, but technical requirements are not mandated.
By contrast, the New York regulation sets out data security rules and protocols that regulated institutions must impose on their vendors and business partners. The regulation's focus on third parties connected to covered entities is likely DFS's response to the massive data breaches that have grabbed headlines over the past few years—in addition to numerous related class action lawsuits and derivative demands—involving cybersecurity vulnerabilities of vendors with access to company networks.
Under the New York regulation, covered entities are required to develop and implement written policies and procedures to ensure the security of any IT systems or non-public information that can be accessed by their vendors. At a minimum, these policies must identify the risks arising from third-party access, impose cybersecurity standards on the third-party vendors, and create a due-diligence process for evaluating vendors. Moreover, organizations must establish “relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers.” To “the extent applicable,” those guidelines must address:
The reporting requirements under the New York regulation are also far stricter than under HIPAA. Unique among state and federal breach reporting laws, the new DFS regulation imposes a mandatory notification process for any “material” cybersecurity event, as defined by the regulation. Within 72 hours “from a determination” that such a cybersecurity event occurred, a covered entity must inform the DFS of the event. A cybersecurity event is “material” if it falls in the following categories:
Under HIPAA's Breach Notification Rule, institutions must report the breach of unsecured health information to the HHS without unreasonable delay, but in no event later than 60 days after discovery of the breach, or, if the breach affects fewer than 500 individuals, within 60 days of the end of the calendar year in which the breach occurred.
The New York regulation isn't likely to be the last word on data security for the industry. The National Association of Insurance Commissioners is considering a model law that each state could adopt—outlining how insurers must safeguard consumer information and respond in the event of a data security incident. The model law was unveiled last year but has undergone revisions in response to criticisms raised by the industry and consumer groups.
For health-care insurers already subject to extensive federal data security regulation, the New York cyber regulation imposes additional—and sweeping—burdens and requirements. No other data security regulation has demanded this combination of accountability, senior leadership engagement and across-the-board detail. And there's no doubt that DFS will hold those institutions accountable for ball drops.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.