State AGs Data Breach Settlement Reinforces the Importance of Patch Management

By Bill O’Connor, CISSP, CIPP/US

A recent settlement between Nationwide Mutual Insurance Company and attorneys general from 32 states and the District of Columbia (the “Attorneys General”) over a 2012 data breach reinforces the importance of patch management.

On August 9, 2017, the Attorneys General and Nationwide, on behalf of itself and its wholly-owned subsidiary, Allied Property & Casualty Insurance Company (collectively, “Nationwide”), entered into an Assurance of Voluntary Compliance that requires Nationwide to, among other things, pay $5.5 million to the Attorneys General. The settlement is in response to an October 3, 2012 data breach experienced by Nationwide that resulted in the loss of sensitive personal information for 1.27 million consumers. The breach affected potential customers who were seeking insurance quotes from Nationwide. The sensitive personal information included driver’s license numbers, Social Security numbers, and Nationwide internal credit-related scores.

The 2012 data breach was alleged to be the result of Nationwide’s failure to apply a critical security patch that led to hackers exploiting a vulnerability in Nationwide’s web hosting software. After the breach occurred, Nationwide addressed the software vulnerability by applying the previously unapplied software patch. Nationwide admits it experienced a data breach, but denies any wrongdoing related to the breach. Shortly after the data breach occurred, Nationwide notified the affected consumers and offered free credit monitoring and $1 million of free identity theft insurance coverage with no deductible.

In addition to the $5.5 million payment, the settlement – titled as an “Assurance of Voluntary Compliance” – requires Nationwide to complete additional tasks, which may or may not have already been completed, such as:

  • Maintaining an online disclosure statement informing potential customers that it retains a consumer’s personal information even if the consumer does not become an insured
  • For a period of three years:
    • Appoint an individual to the role of Patch Policy Supervisor to maintain, review and revise Nationwide’s patch management policies and procedures
    • Appoint an individual to the role of Patch Supervisor to monitor and manage the installation of available patches
    • Maintain and, on at least a semi-annual basis, update an inventory of all covered systems
    • Regularly review and update its Incident Management Policy and Procedures
    • Deploy and maintain a system management tool to identify available patches on a near real-time basis and scan covered systems to identify unapplied patches
    • Implement processes and procedures to notify Nationwide’s patch management personnel about available patches
    • Implement processes and procedures to evaluate the severity of available patches and prioritize any responsive mitigation actions, and document in writing the applicable risk severity and actions taken
    • Purchase and install an automated feed of common vulnerabilities to Nationwide’s intrusion detection/intrusion prevention systems and security information and event management technology
    • On at least a semi-annual basis, perform an internal patch management assessment of its covered systems
    • On at least an annual basis, hire an outside, independent provider to perform a patch management audit of its covered systems
  • One year after the settlement, certify to the Attorneys General that it is in compliance with these requirements

All organizations that collect personal information from consumers should take heed of the requirements set forth in the Nationwide settlement. These requirements reinforce the importance of implementing an effective patch management program. Failure to apply critical security patches can not only lead to data breaches, but can also make organizations vulnerable to ransomware attacks (as seen by the recent WannaCry ransomware attacks on systems that had not applied an available Microsoft security patch).

If you have any questions or concerns about your organization’s patch management program, or other data privacy and cybersecurity questions, please reach out to Bill O’Connor, CISSP, CIPP/US, or any member of Baker Donelson’s Data Protection, Privacy and Cybersecurity Team, and we will be happy to assist.

HBMA Washington Report – July Issue

Washington Report – July, 2017
(Covers activity between 7/1/17 and 7/31/17)
Bill Finerfrock, Matt Reiter, Nathan Baugh, Josh Mendelson, Carolyn Bounds

  • Senate Fails to Pass ACA Repeal and Replace Legislation
  • CMS Releases 2018 Medicare Physician Fee Schedule Proposed Rule
  • Ways and Means Oversight Subcommittee Holds Medicare Program Integrity Hearing
  • Congress Goes Back to the Drawing Board after Inability to Pass ACA Repeal/Replace Bill
  • Medicare Trustees Report Shows Slightly Improved Outlook for Medicare Trust Fund
  • Brenda Fitzgerald M.D., Appointed as CDC Director
  • HHS Healthcare Fraud Takedown Nets 412 Offenders
  • CMS Issues Status Report on 2016 ACA Risk Adjustment Programs
  • CMS Transmittals

CMS Shares Thoughts Behind the MACRA Proposed Rule MIPS Changes

The Healthcare Business Management Association (HBMA) Government Relations Committee was fortunate to again have the opportunity to meet with CMS directors, deputy directors and Senate Ways and Means Staff the day the proposed rule was published.  As I think we all have recognized, the most significant changes were intended to help small providers and practices.  The proposed threshold increases in patient volume or dollars have in effect exempted many providers from MIPS participation.  The ability to form virtual groups is also intended to allow maximum flexibility.  Those are positive steps in recognition of the challenges MIPS presents.

In addition, many new options are proposed.  For example, the ability to report 2018 quality measures via multiple methods as opposed to only claims, registry, etc.  More measures have been added to increase successful reporting choices and opportunities for participating providers.

While these increased options and choices may sound good at first blush, the fact is that complexity and therefore cost for providers also increases.  The thoughts and work behind the changes are well intentioned.  However, “One man’s idea of perfect order is another man’s chaos.” (Dean Koontz)

Some of the most basic informed decisions providers must make are whether they want to work toward a bonus, remain revenue neutral, or accept a penalty.  Accurately performing those projections based on specialty and practice specific variables requires increasingly sophisticated software support and data analytics.  The unfortunate fact is providers can make best efforts to do everything right and still not be guaranteed of a bonus or even the amount of the bonus.  Because the program must be revenue neutral, for every winner there must be a loser.  One observation is the fact that, “most providers will be forced to the middle”.  And that is the crux of the problem with MIPS, in my opinion.  How much money and work will providers invest when there is no return on that investment?  We already know a very large percentage of eligible providers never participated in PQRS.  Are we really going to accept that none of those physicians or practices is providing quality care?  Are we really going to accept that every physician or practice that does participate is providing the best quality care?  I hope not, for that is a false belief that reporting data is the same as providing quality care.

The CMS intent is noble, to ensure all beneficiaries receive high quality care at a reasonable cost.  The methodology to achieve that is flawed.  Adding myriad options that simply increase cost and complexity for physicians and their representatives, with no return on those investments, continues to whittle away at the precious time physicians have for their real job: patient care.  That’s where quality happens, not in data reporting.  Let’s help physicians get back to what they do best by removing the overwhelming administrative burdens.  Then we will see real and meaningful quality.


Holly Louie, RN, CHBME, is the compliance officer for Practice Management Inc. and was the 2016 HBMA president.

Career Opportunity – Universe Application Programmer

About this Job

Universe Application Programmer needed.  This position is a contract-to-hire needed on site in Boise, Idaho.  Applicant needs a working knowledge of databases and ability to extract data for analysis and reporting.  A working knowledge of UniVerse, BASIC, and Retrieve is a plus.  A Bachelor’s Degree or related experience preferred.  Applicant will be responsible for developing, maintaining, and reporting in a medical billing system environment using the UniVerse database.  Other development opportunities may be available.  Send resumes to resume@pmiboise.com.

HBMA Washington Report – June Issue

Washington Report – June, 2017

(Covers activity between 6/1/17 and 6/30/17)

Bill Finerfrock, Matt Reiter, Nathan Baugh, Josh Mendelson, Carolyn Bounds

  • Senate Introduces ACA Repeal/Replace Bill
  • HBMA Government Relations Committee Holds Annual Visit to CMS and Capitol Hill
  • CMS Proposes Changes to Quality Payment Program for 2018 Reporting Year
  • MedPAC Suggests Redesigning MIPS Reporting
  • OIG Audit Estimates $729 Million in Incorrect EHR Incentive Payments Were Awarded
  • Federal Budget Begins to Take Shape
  • CMS Office of the Actuary AHCA Analysis Contradicts CBO
  • Global Cybersecurity Attacks Lead to Increased Attention from Administration
  • CMS Lifts Enrollment and Marketing Sanctions on Cigna MA and Part D Plans
  • CMS Issues Reports on 2017 Marketplace Enrollment Trends
  • House Passes Medical Malpractice Reform Bill
  • House Passes Premium Tax Credit Verification Bill
  • CMS Transmittals

HBMA Washington Report – May Issue

Washington Report – May, 2017
(Covers activity between 5/1/17 and 5/30/17)
Bill Finerfrock, Matt Reiter, Nathan Baugh, Josh Mendelson, Carolyn Bounds

  • AHCA Update: Where does the AHCA stand in the Senate?
  • CBO Releases Analysis of Amended American Health Care Act
  • CMS Posts MIPS Participation Status Determinations
  • President Trump Selects Medicare Director
  • 184 Representatives Sign Letter Asking HHS to Allow Third-Party Premium Payments
  • Uncertainty Over ACA Cost Sharing Reductions Continues
  • eClinical Works EHR Fine Will Not Impact Provider Customers
  • Senate Committee Approves Regulatory Reform Legislation
  • Massive Cyber-Attack Hits Health Systems Abroad
  • HBMA Goes to Washington
  • CMS to Phase-Out SHOP Marketplace
  • CMS Releases Official Timeline for New Medicare Card Numbers

Growing Insurance Denials Creating Undue Physician Hardship

By Holly Louie, RN, CHBME

Much attention and dedicated work have been devoted toward clinical documentation improvement and accurate, specific coding. Clearly, those are of great importance. However, I want to address the physician Part B insurance denials that have nothing to do with how good the clinical documentation is and how accurate the coding is on the claims. Common frustrations that we see every day are myriad.

Consider requests for prepayment review for a service with an allowable billing of $8.90. It will cost two or three times that much to gather reports, orders, and supporting medical records. Is that really a reasonable use of anyone’s time?

Incorrect or delayed payor updates and edits as new codes are released and new policies are published can cause claim denials for months. In a few cases, the payor will reprocess the incorrectly denied claims. However, in many cases, it is up to the provider to monitor and resubmit the claims to obtain the legitimate payment that was incorrectly denied.

Radiologists are held accountable for what the referring providers document to support the medical necessity of the diagnostic testing they order. Not only is it a tremendous burden to have to obtain that documentation, but if the referring physician documented poorly, it is the radiologist’s payment that is recouped.

Some of the Centers for Medicare & Medicaid Services (CMS) medically unlikely edits (MUE) for a date of service are not consistent with standards of practice for some specialty services. Rather than paying at least the number allowed per day and requiring appeals for any services exceeding the total allowed, all units of service are denied. Yet, again, appeals are required, which greatly increases work and cost for the provider (and presumably for the MAC, or Medicare Administrative Contractor).

Entities that pre-authorize services may not have correct payor information. For example, a common problem is authorization of a specific CPT. However, the payor may actually require a HCPCS code for the service. The authorized service is denied, and when the claim is corrected to meet the payor coding requirement, it is denied again as being unauthorized. It’s a vicious circle that withholds legitimate payment for legitimate services.

More and more payors are not accepting calls from revenue cycle companies or physician billing representatives. Not all issues can be successfully resolved via email, so a large roadblock can exist. When calls are accepted, our experience is that the average hold time is 20 minutes. In addition, many insurance companies limit the number of questions that can be asked on a call. This issue is greatly exacerbated by the large volume of remittance explanations (CARC/RARC) that are so nebulous or completely inaccurate that the reason for the denial cannot be ascertained. The time and cost to even attempt to get an answer is, frankly, absurd.

I think the physician community and the billing industry as a whole would like to see insurance companies held to the same rigorous mandates for transparency, accuracy, timeliness, and accountability as the rest of us.

Holly Louie, RN, CHBME, is the compliance officer for Practice Management Inc. and was the 2016 HBMA president.

Baker Donelson | Washington, D.C. Update

April saw the debate in Congress heat up as Justice Neil Gorsuch was confirmed for a seat on the Supreme Court, House Republicans suspended, restarted and then ultimately succeeded in their effort to repeal and replace the Affordable Care Act, and – after a few hiccups – an agreement was reached to keep the federal government open through the end of September.

With the exception of the two week-long recesses for Memorial Day and the Fourth of July, Congress will remain in session continuously through the end of July, meaning significant legislation in a variety of issue areas will be considered in the coming months, including health care, 2018 appropriations and tax reform. In this month’s version of the Washington, D.C. Update, we discuss:

  • House Makes Good on Promise to Repeal and Replace Affordable Care Act
  • Agreement Reached over FY17 Appropriations Package
  • FY18 Budget Negotiations Begin in the House and Senate
  • Trump Administration Proposes Significant Tax Overhaul
  • Senate Confirmations Continue Their Slow March Forward
  • Trump Administration Agrees Not to Immediately Withdraw from NAFTA

Please feel free to reach out to me for additional information on these topics or other issues of importance.

Sheila Burke
Chair, Government Relations and Public Policy
Baker Donelson

House Makes Good on Promise to Repeal and Replace Affordable Care Act

On May 4, 2017, the House of Representatives succeeded in passing legislation to repeal and replace the Affordable Care Act (ACA). The American Health Care Act (AHCA) now moves to the Senate where its passage is far from assured and will likely result in significant changes to the House-passed legislation.

The AHCA, which narrowly passed 217 to 213 with all House Democrats and 20 House Republicans in opposition, closely reflects the version that was pulled from consideration only minutes before a vote on March 24. The bill, if it becomes law, would overhaul the American health care system, dramatically altering the nation’s individual health insurance marketplace, ending the Medicaid expansion and converting the program to a block grant or per capita cap system, repealing practically all taxes incorporated in the ACA, ending federal funding for Planned Parenthood, and giving states significantly more say in how and to what level health insurance is regulated in their states.

Looking forward, the AHCA now moves to the Senate, where Senate Republicans must decide how to advance a bill that most analysts agree cannot pass the Senate in its current form. Majority Leader Mitch McConnell (R-KY) has already said he will wait until the Congressional Budget Office releases its updated analysis of the bill’s impact (expected in the next two weeks) before deciding on next steps. A number of moderate and more conservative Senate Republicans have expressed concerns with provisions of the legislation, including age-adjusted tax credits, funding cuts to the Medicaid program, the defunding of Planned Parenthood and the waiving of protections for individuals with pre-existing conditions. Furthermore, key Senate Republican leaders have indicated that the process will not be rushed. Senator Orrin Hatch (R-UT), Chair of the Senate Finance Committee, said Senators should “manage expectations” and “remain focused on the art of the doable.” Meanwhile, Senator Lamar Alexander (R-TN), Chair of the Senate Health, Education, Labor and Pensions Committee, said “we will take the time to get it right.”

A working group made up of Senators McConnell, Hatch, Alexander, Mike Enzi (R-WY), John Thune (R-SD), Mike Lee (R-UT), Ted Cruz (R-TX), Tom Cotton (R-AR), Cory Gardner (R-CO), John Barrasso (R-WY), John Cornyn (R-TX), Robert Portman (R-OH) and Pat Toomey (R-PA) has been tasked with developing a proposal.

For more information on the passage of the AHCA, please see our alert, “House Makes Good on Promise to Repeal and Replace Affordable Care Act.”

Takeaway: With passage of the AHCA, House Republicans made good on their more than seven-year effort to repeal and replace the ACA. The bill, which passed by the narrowest of margins, now moves to the Senate where it will face an uphill climb and will likely incorporate significant changes if it is to be successful – which is far from a sure thing. Expect the ongoing debate over the future of the ACA to continue into the summer, if not the fall or beyond.

Agreement Reached on FY17 Appropriations Package

Over the past few weeks, it looked increasingly possible that Congress might fail to meet an April 28 deadline for adopting a fiscal year 2017 (FY17) appropriations package, potentially leading to a shutdown of the federal government. In March, negotiations seemed to be on track, but in early April, President Trump insisted that the package include additional funding for the military and, controversially, funding to begin the design and construction of a wall on the U.S.-Mexico border. There was also briefly a time when the President seemed to imply that he would suspend federal payments for the ACA’s Cost Sharing Reductions (CSR), leading Democrats to insist on funding for CSRs be included in the appropriations measure.

However, after a one-week extension, Democrats and Republicans agreed on an omnibus appropriations package to keep the federal government running through the end of the fiscal year. The mammoth legislation contained the 11 unfinished FY17 appropriations bills, providing spending for nearly every corner of the federal government. In the House, the legislation passed 308 to 118 with 103 Republicans and 15 Democrats bucking their leadership to vote against the measure. In the Senate, it passed 79 to 18 with 18 Republicans voting against the measure. Democrats are claiming victory, saying they eliminated more than 160 Republican “poison pill riders” (including all funding for a border wall), and Republicans are hailing the $15 billion increase in supplemental defense spending and $1.5 billion for non-wall border security efforts. The bill also contains $295.9 million to help shore up Puerto Rico’s Medicaid fund and $1 billion for a health care and pension benefits fund for retired coal miners, boosts spending at the National Institutes of Health by $2 billion, and cuts the Environmental Protection Agency by just one percent (roughly $80 million).

Takeaway: Republicans, eager to avoid a government shutdown, were pleased with increased supplemental funding for the military and generally agreed to push major disputes (such as funding for Planned Parenthood) off until this summer and the fall’s negotiations over the FY18 budget. In what was expected to be the first tough appropriations negotiation of the Trump Administration, Democrats were largely successful in protecting domestic spending and rejecting funding for President Trump’s border wall.

FY18 Budget Negotiations Begin in the House and Senate

While the FY17 appropriations package dominated the headlines, the debate surrounding the FY18 budget has begun in the House and Senate Budget Committees. House Budget Chair Diane Black (R-TN) said the House Budget Committee is working toward having a markup the week of May 15 and going to the floor the following week, just ahead of the week-long Memorial Day recess. The budget resolution sets forth Congress’ policy preference as well as spending and revenue targets for the coming fiscal year. It will also likely serve as a vehicle for moving forward with tax reform under the budget reconciliation procedures. Chairwoman Black committed to balancing the budget in ten years, much like past Republican budgets have done, transforming Medicare into a premium support model, and said that the package may include some sort of Medicaid reform. In the Senate, Budget Committee Chair Michael Enzi’s (R-WY) staff have been working on a budget resolution, but few discussions have taken place among Republican members of the Committee. The White House said it would release the President’s full FY18 budget proposal on May 22.

Takeaway: With the FY17 appropriations package largely mirroring past Obama-era packages, Republicans and the Trump Administration are gearing up to have a much more significant reshaping of the federal government with the FY18 budget and appropriations cycle. If the ACA repeal effort currently in the Senate is not ultimately successful, expect to see Republican calls for significant changes to health care as part of the coming budget and appropriations fight, including converting Medicare into a premium support program and transforming Medicaid to a block grant or per capita cap.

Trump Administration Proposes Significant Tax Overhaul

On April 26, Treasury Secretary Steven Mnuchin and Gary Cohn, director of the National Economic Council, presented the Trump Administration’s tax reform proposal to the media. The proposal consisted of a one-page outline that hewed closely to President Trump’s tax proposal offered during the campaign. The outline calls for lower taxes across the board for both individuals and businesses. On the individual side, President Trump’s proposal seeks to eliminate most itemized deductions except for the mortgage interest deduction, charitable donation deduction and retirement savings deduction. It would also reduce the current seven income brackets to three – 10, 25 and 35 percent – although officials did not offer income ranges for each bracket. It also eliminates the estate tax and the alternative minimum tax, doubles the standard deduction and calls for some sort of a dependent care benefit.

Under the proposal, business taxes would be cut from 35 percent to 15 percent across the board and the new rate would apply to both corporate income as well as pass-through income. The proposal also includes a transition from a global tax system to a territorial tax system and creates an as-of-yet-unspecified, one-time opportunity to repatriate existing profits held overseas. Notably, the proposal does not include the Border Adjustment Tax supported by Speaker Paul Ryan (R-WI).

Congressional Republicans and Democrats greeted the proposal as expected, with Republicans hailing the proposal as “critical guideposts” and Ranking Democrat of the Senate Finance Committee Senator Ron Wyden (D-OR) calling the proposal “an unprincipled tax plan that will result in cuts for the one percent.” Expect the proposal – which will likely serve as a starting point for debate – to be modified significantly in the coming months. Congressional Republicans are reportedly considering moving forward with the tax reform package under the Reconciliation rules, limiting debate and blunting the threat of a Democratic filibuster in the Senate. If Congressional Republicans elect to follow this path, the so-called “reconciliation instructions” from the Budget Committees to the Senate Finance and House Ways and Means Committees will significantly determine the outline of the debate. However, moving forward under these procedures means any tax reform bill, which as proposed during the presidential campaign was estimated to add about $7 trillion to the deficit, would have to be deficit neutral over ten years. So far, the Administration has not yet identified sufficient pay-fors or spending cuts to fully offset the proposal.

Takeaway: With release of the White House’s tax reform plan, the debate now shifts to Congress, where Republicans in the House and Senate will debate the proposal most likely as part of the FY18 budget process, providing additional substance to the outline presented by the Trump Administration. With its numerous stakeholders and trillions of dollars at stake, tax reform is an incredibly difficult and complex undertaking. Expect the negotiation process to be drawn out and contentious.

Senate Confirmations Continue Their Slow March Forward

Confirmations for key Trump Administration positions continue apace as 21 of the 22 cabinet-level nominees have now been confirmed by the Senate. This is in addition to the April 7 confirmation of Justice Neil Gorsuch to serve as Associate Justice of the Supreme Court. The only outstanding cabinet-level nomination is that of Robert Lighthizer to serve as U.S. Trade Representative. Mr. Lighthizer was reported favorably out of the Senate Finance Committee on April 25, but his nomination has not yet been taken up by the full Senate.

President Trump continues to be behind his predecessors in terms of the rate of both confirmations and nominations. Of the 556 key positions identified by the Partnership for Public Service as requiring Senate confirmation, 27 have been confirmed, 41 have been formally nominated, 23 have been announced but not formally nominated, and 465 have no nominee. 100 days into his presidency, President Obama had 69 appointees confirmed and 118 appointees nominated but not yet confirmed. By day 100, President Bush had 35 positions confirmed and 50 others nominated but not yet confirmed.

Takeaway: The Trump Administration has been comparatively slow selecting nominees for the more than 1,200 Senate confirmable positions. Likewise, the Republican-controlled Senate has taken longer than previous administrations to confirm appointees, averaging 30 days versus President Obama’s average of 24 days and President George W. Bush’s average of 8 days.

Trump Administration Agrees Not to Immediately Withdraw from NAFTA

In a series of tweets on April 27, President Trump said “I received calls from the President of Mexico and the Prime Minister of Canada asking to renegotiate NAFTA rather than terminate. I agreed subject to the fact that if we do not reach a fair deal for all, we will then terminate NAFTA. Relationships are good – deal very possible!” The posts represented an abrupt about-face from the day before when presidential advisors put out word that the President was likely to sign an executive order in the coming days to begin the six month clock to withdraw from the North American Free Trade Agreement (NAFTA). Reportedly, President Trump changed course after phone calls with Mexican President Enrique Peña Nieto and Canadian Prime Minister Justin Trudeau. Initial news reports of a potential U.S. withdrawal caused a tumble in the value of the Mexican Peso, but later sent both it and the Canadian Dollar upwards after news of the renegotiation broke.

Takeaway: In response to President Trump’s continued threats to withdraw from NAFTA, the Governments of Mexico and Canada both agreed to begin renegotiation of the landmark trade agreement. Expect the on-again off-again renegotiation of NAFTA to continue for the foreseeable future.

Vendor Relations – Your Best Friends Really Can Hurt You

By Craig Nazzaro

Your team is only as strong as its weakest link. This platitude may be overused and cliché, but within the data privacy and cybersecurity space, the expression is more of a warning and must be taken seriously as essential advice. Vendors and third-party service providers create a unique challenge for organizations that are looking to streamline the services offered to their customers while implementing controls and safeguards to protect their customers’ data.

There should be a balancing act taking place within each vendor contract, where your organization aims to find the sweet spot of vendor access to your organization’s and your customers’ data: enough to let the vendor provide the requested service without risking your customers’ privacy. Too often an organization will permit a vendor untethered access to its internal systems and/or customer data while also placing insufficient controls on the vendor’s activity. This is a recipe for disaster.

The Tenth Annual Verizon Data Breach Investigations Report addresses this risk by stating, “We recommend all businesses, small and large, ask the right questions to any third-party management vendors about their security practices.” The Report underscores the importance of this advice by pointing out the frequency of hacking through vendor access: “Following the same trend as last year, 95% of breaches featuring the use of stolen credentials leveraged vendor remote access to hack into their customer’s point of sale environments.”

So what are the best practices that can be implemented in order to limit your risk?

Prior to Onboarding

When evaluating vendors and third parties, you should have a robust due diligence process in which your vendors’ data security policies, procedures and controls are thoroughly reviewed. All vendor standards should meet or exceed the standards implemented by your organization. In the event of a breach through a vendor, you want to be able to show that your organization was not negligent when it came to onboarding the vendor and did not unknowingly allow a weak spot in the organization’s data protection plan. This is especially true if, within your industry, you are promoting your organization’s data protection ability.

When negotiating each vendor contract, be sure that you provide for data security reporting standards, which will include timely notification of any breach, attempted breach or other data security incident. Include non-disclosure clauses covering any of your organization’s and/or your customers’ private information. Your agreements should also provide for the right to require changes to standards as external and internal environments change, as this space is evolving on an almost daily basis. It is a mistake to have contracts that call for or define a static security standard that cannot evolve with the best practices implemented within your industry. Finally, your contracts should provide that your organization, or an auditor that you choose, has access to your vendors’ systems.

After these controls are in place, it is also important to have a thorough understanding of what your vendor is doing with the information you permit the vendor to access. For example, as behavioral advertising continues to grow, many marketing departments engage vendors to assist and are unaware of what the vendors are doing with the aggregated data collected by the vendors at the organization’s request. This is vital information that you should be aware of and possibly disclose to your customers, depending on your industry and privacy policies.

Oversight Once Engaged

Proper vendor oversight does not end after onboarding is complete. You will need to provide for continued oversight that ensures your vendors are honoring their commitments and living up to the standards and processes laid out in your vendor agreements. Your organization should have controls in place to monitor whether data privacy and cybersecurity risks are being appropriately identified, measured, mitigated, monitored and reported to your organization on a consistent basis. These controls should be exercised routinely, and as frequently as possible.

Vendor data privacy and cybersecurity risks are often only thought of in connection with Internet of Things (IoT) issues, where certain equipment and vendor-provided devices create network and/or data access points, or FinTech issues, where lenders enter into vendor agreements to provide services that traditionally were unavailable to borrowers. However, it is important to note that all vendors your organization employs must be subject to the aforementioned best practices.

As was heavily reported, the hackers in the Target breach of 2013 gained access through Target’s HVAC vendors, as these vendors had remote access to Target’s network to perform maintenance. This is a perfect example that it is not just the vendor’s intended use that poses risk; it is the access that can be gained through the vendor, whether that access was intentionally or mistakenly granted. For this reason, you should always be asking what access the vendor will need, and whether that is the most limited access needed to accomplish the tasks at hand. It may be costly to carve out and limit each vendor’s access, but that cost will be eclipsed by the costs associated with a breach that could have been avoided.

The best practices outlined above are a good start to limit your exposure to hacking through vendor access. These tips will also mitigate your litigation exposure if a breach were to occur through your vendor, by providing an argument that your organization was diligent in attempts to safeguard all customer data. In addition, depending on what industry you are in, there are multiple regulatory risks and privacy issues that need to be addressed and guarded against when allowing vendors access to your internal data.

If you have any questions or concerns about your organization’s data privacy and cybersecurity protocols or industry-specific questions, please reach out to Craig Nazzaro, Sam Felker, Eric Setterlund or any member of Baker Donelson’s Data Protection, Privacy and Cybersecurity Team and we will be happy to assist.

Craig Nazzaro
Atlanta
404.443.6719
cnazzaro@bakerdonelson.com
www.bakerdonelson.com

What You Need to Do Now: Responding to the Major Cybersecurity Attack Against Organizations

By Alisa Chestler, CIPP/US

Regardless of whether you have experienced any disruptions to date, you cannot ignore the major global cybersecurity attack that continues to plague organizations. A particularly destructive piece of malicious software, the WannaCry ransomware infection has hit more than 100 countries and brought thousands of organizations to a grinding halt.

As we continue to assist clients with their current and ongoing issues, Baker Donelson offers some key thoughts and action plans for management, business teams and IT security personnel. First and foremost, as this attack was based upon a known vulnerability, please make sure that your IT team has installed the MS17-010 patch to the Microsoft Windows operating system. For more detailed information, we recommend your IT security personnel keep track of the recent information through the U.S. Computer Emergency Readiness Team (US-CERT), which is a division of the United States Department of Homeland Security. [Multiple Ransomware Infections Reported]

RECOMMENDED STEPS:

  • Communicate. Prepare and send an alert for employees and staff regarding their roles in preventing such attacks on your networks. For example, remind them to be on the lookout for phishing scams and to report them to the Help Desk immediately if they are making it through your spam filters. Further, remind employees that very few emails contain an “emergency.” Even if an email appears to be from a known source, everyone should be thoughtful when opening email attachments. Please also make sure employees know how to reach the Help Desk 24 hours a day, seven days a week, as system incidents are not limited to a 9-5 workday.

  • Review Your Incident Response Plan. Ensure communication lines among management, counsel and key IT personnel (IT Information Security Team) are open and ready to implement your incident response plan. Pull out the response plan and make sure it specifically anticipates a ransomware attack of this nature. If your plan does not, or if you do not have a written incident response plan, please contact your Baker Donelson counsel for assistance. Documented incident response plans are an expected compliance obligation for all organizations regardless of the size, industry or kind of information maintained by the systems.

  • Know Your Patching Compliance. Patch management programs are the lifeblood of any IT security structure. Thousands of organizations were immune to this strain of ransomware because they were up to date with their patches. Management should ask (if they don’t already know) whether critical patches are up to date. If they are not, initiate a plan to get your programs as current as possible.

  • Use This as an Opportunity. Management, legal and IT security can no longer keep “kicking the can” when it comes to information security. Whether the systems include information on trade secrets or personal information of individuals (including employees), or the systems just keep the machinery up and running, computer systems and programs are the lifeblood of an organization. Knowing your compliance and contractual obligations before an event is critical. This is also a good opportunity to revisit some prior decisions. For example, many organizations continue to delay implementing multi-factor authentication. Organizations continue to resist multi-factor authentication for a variety of reasons, including employee morale. However, this tool is widely becoming one of the most important information security protocols.

If your organization has become infected with this (or any other) ransomware and a system is already encrypted, then swift action must be taken. Baker Donelson has an incident response team that can help you systematically address the most pressing issues quickly and efficiently.

Baker Donelson’s Data Protection, Privacy and Cybersecurity Team was recently recognized as a member of the “Honor Roll of Cybersecurity Law Firms” in the United States as determined by The BTI Consulting Group. Recognition as a member of the Honor Roll reflects corporate counsel’s view of the Baker Donelson team as strong cybersecurity performers. Baker Donelson also publishes a series on ransomware.

If you have any questions regarding the topics in this alert, please contact Alisa Chestler, CIPP/US, or any member of the Firm’s Data Protection, Privacy and Cybersecurity Group.

About the Author

Alisa Chestler, CIPP/US
615.726.5589
achestler@bakerdonelson.com
www.bakerdonelson.com