What ‘Reasonable’ Cybersecurity Standards Might Be

By Ronald J. Hedges, JD

At the end of a series of articles for the Journal of AHIMA that ran from 2015-2019 called “Legal e-Speaking,” I stressed that the trend of increased volume and variety of healthcare-related electronic information—as well as the technologies by which that information is being created, stored, and used—will put a premium on successful governance of health information.

In the past year and a half, due to the pandemic, this has become paramount. Healthcare providers have had to adapt to new or greatly expanded volumes and varieties of electronic information, including those derived from telehealth and virtual meetings, among others. Moreover, providers have encountered and sometimes integrated so-called “ephemeral” messaging apps.

Not only has electronic information become more complex but, during the last year and a half, the United States has seen the enactment of privacy laws at the state level intended to protect personal information. California, New York, and, most recently, Virginia come to mind, as do failed attempts to enact privacy laws in Florida and Washington state. For an overview of these statutes and how healthcare providers might be impacted by them, see the article I co-authored, “State Privacy Laws May Have Implications for Healthcare Providers,” that appeared in the May 2020 issue of the Journal of AHIMA.

If one or more of these privacy laws apply to a healthcare provider, that provider is obligated to protect defined personal information and, if it fails to do so, it might become subject to penalties imposed by a regulator. Moreover, depending on the privacy law to which it is subject, the provider might find itself a defendant in a civil action in which the plaintiffs seek compensatory damages and attorneys’ fees.

This article is not the place for a detailed examination of any privacy law. Instead, I want to focus on what a healthcare provider might do to avoid—or at least minimize—liability. The way to do that is to be “reasonable” in the creation, storage, transmission, and overall handling of personal electronic information.

One law that addresses personal information in a comprehensive manner is the SHIELD Act, enacted into law in 2019 in New York. The act provides that, “[a]ny person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.”

A person or business would be deemed to be in compliance with this requirement of the act if it implements a data security program that includes certain requirements, including the following:

Reasonable administrative requirements:

  • “Designates one or more employees to coordinate the security program”
  • “Identifies reasonably foreseeable internal and external risks”
  • “Assesses the sufficiency of safeguards in place to control the identified risks”
  • “Trains and manages employees in the security program practices and procedures”
  • “Selects service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract”
  • “Adjusts the security program in light of business changes or new circumstances”

Reasonable technical requirements:

  • “Assesses risks in network and software design”
  • “Assesses risks in information processing, transmission and storage”
  • “Detects, prevents and responds to attacks or system failures”
  • “Regularly tests and monitors the effectiveness of key controls, systems and procedures”

Reasonable physical requirements:

  • “Assesses risks of information storage and disposal”
  • “Detects, prevents and responds to intrusions”
  • “Protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information”
  • “Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed”

Alternatively, a healthcare provider will be deemed to be in compliance with the act if it is subject to, and in compliance with, “regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. Parts 160 and 164) as amended from time to time, and the Health Information Technology and Clinical Health Act, as amended from time to time.”

Care must be taken here. Every state privacy law has a carve-out for “protected health information” under HIPAA. However, healthcare providers have a lot of personal information not subject to HIPAA, including information on employees and visitors to facilities. In other words, healthcare providers should expect to be subject to both HIPAA and state privacy laws depending on the personal information that the entity has acquired.

The conclusion is simple: A provider must be aware of what it is subject to and must be in compliance with whatever it is subject to. The requirements set out above through the SHIELD Act can be used as a measure of what compliance—and reasonableness—might be.

Ronald J. Hedges (r_hedges@live.com) is a senior counsel with Dentons.