COVID-19 is changing the way organizations prepare and respond to an incident. To address this, Marti Arvin and Clyde Hewitt are recording a mini-series on incident response. In this podcast, they discuss what must change as a result of becoming a remote workforce.
Links to stories:
To read more about incident response read our latest blog: https://insights.cynergistek.com/blog/thinking-about-the-unthinkable-preparing-for-incident-response-with-a-remote-workforce
Hello and welcome to CTEK Voices: The Risk Perspective. I’m your host Lauren Frickle. Today, we’re back with part five of our Incident Response in the Time of a Crisis series, with Clyde Hewitt and Marti Arvin.
Hi Clyde. Hi Marti. How are you?
Hi Lauren, it’s great to be here today, and hello again to you, Marti.
Marti, there are some real challenges with compliance following an incident, but it makes it much more difficult in an incident that you have to manage remotely. Can you elaborate on that?
Yes, thanks Clyde, and hello everyone. We’ve talked in this podcast series about a lot of the information technology provisions of trying to respond to an incident in the time of crisis with everyone working remotely. But when you think about the compliance aspects of it, those are equally challenging. You know, consider how you are going to analyze the data compromise. And one of the things folks have to remember is that your discovery date is the date you knew or should have known about an incident.
And so, as you think about when that occurs, there might be some delays on when you actually confirm something has happened, and as we often tell our clients when we talk about incident response, you should be thinking about the idea that you might have to notify individuals from the very beginning, always keeping in mind: when have I determined that the data compromise actually occurred, that PHI was involved? And then do your low probability of compromise analysis to make a decision on whether you actually have to notify individuals. But again, under the HIPAA regulations that discovery date is the date you knew or should have known. Now, we are in very challenging times and people are over their heads with work and just trying to maintain the normal operations of the healthcare enterprise.
So, you might have some good arguments that there might have been some delays in some of these activities and therefore your knew-or-should-have-known date did get bumped out a bit. But if you really haven’t prepared for this, if you really haven’t done anything to set your system up so that you would know about these incidents or have some idea of them, one might be able to argue that you should have known about an incident much earlier than you actually had actual knowledge of the incident.
So that is going to be challenging for everyone, and the hackers are not stopping in the time of COVID. In fact, as we talked about in an earlier podcast, they’re getting even more aggressive. So, you have to be prepared to respond to this, and to do the analysis, and to think through how you analyze these processes and what you need to do.
So, you may need to have access to data sets. I had the unfortunate luxury, well, that’s not exactly the right word, of having to respond to a data compromise for 4.5 million people. As you might imagine, we were dealing with some very large datasets in trying to analyze that. How do people get access to those large data sets when they’re working remotely? You really might not have that many bandwidth issues if they’re sitting at their desk in your facility connected to your network. But what if they have to evaluate those datasets remotely? Are they going to be able to get access to the files? Are they going to have the resources? Or are you going to be able to put people together who may need to analyze the data or manipulate the data and take a look at it?
You may have to interview people. There are going to be challenges with interviewing individuals that are involved in the process because, again, you all can’t just go into the conference room and sit down and bring people in. So, that’s going to be a challenging piece. You know, another piece of this that’s going to be challenging is secure work locations.
Clyde, do you want to touch on that a bit?
That’s an excellent question, Marti. Secure work locations can be challenging even within healthcare organizations. You know, a lot of people work in cubicles rather than having private offices. So, you know, especially when it comes time to interview people who may be victims. You know, we’ve seen that challenge, especially in organizations that have had large-scale phishing attacks, and it’s important to be able to interview the victims or the targets of those phishing attacks. Especially when, number one, you know, they’re already uncomfortable because they realize that, you know, they have been compromised and they feel violated. But you know, how’s it going to sound to the person being interviewed if the interviewer, aka the compliance team, is sitting in their house and maybe they hear dogs barking in the background or kids in the background and things like that that come with a remote workforce?
It’s going to be uncomfortable, and maybe they don’t want to share this information. Maybe they don’t want to share it with their own family, who may be close or confined to the house where they’re at. So that’s going to be a challenge.
The second thing is a secure work location. You know, there are some physical security requirements under the HIPAA Security Rule that say, you know, you have to protect your workstation, you have to protect access to it. But you know, when you’re dealing with the compliance requirements, you know, you may have to pull a whole lot of protected health information. Now, you are extending that perimeter that needs to be controlled from the hospital, or, you know, the IT department or the compliance department, to individuals’ homes. So that increases risk.
And the question is, you know, at some point these folks are going to have to go out, and, you know, you go to the grocery store and things like that. Who else may be touching their computer? I mean, do they share one computer in a household, do they share a couple, do the kids want to get on it? There are also the physical security issues and technical security issues of Wi-Fi. You know, does your workforce know or understand the risk of the commercially available or personally available, you know, internet routers that are out there? Because a lot of these, you know, have been hacked over time; you know, they’re not the most secure things. Did they even bother setting up their Wi-Fi password, you know, since these are static, to be something complex? Do they even know to do that?
So, you know, you potentially have neighbors that, you know, have jumped on your system, maybe you have other family members, your visitors, you know. Things like the iPhone, for example: if you happen to have a contact on an iPhone and you go into an area that has a Wi-Fi password, the phones will automatically share the password if you don’t have it set correctly.
So these are some physical and secure workstation or secure work location issues that need to be thought about ahead of time, and not only do you have to think of a solution but you have to implement it, because if it’s not implemented it’s not going to take place.
Which means the employees who are working from home, they need a checklist. They need some sort of training to say these are the minimum things you have to do to work from home if you’re going to access your protected health information or other sensitive information.
Marti, did I miss anything?
You covered that pretty thoroughly, Clyde, but a couple of things that you made me think about is the fact that, you know, people may say, well, I’ve got my own work laptop that I’m using, so it’s not really an issue that other family members will have access to that.
But where do you normally use that laptop? If you’re sitting in an area of your home where the home family computer sits and that’s where you’re connecting your laptop, others will want to be in that room and they might want to be around, and you know, a lot of families have kids home from school and the kids may want to be playing computer games and things of that nature. Do they have a laptop so they can take it out to the living room and play that game? Or are they going to want to be in the same space you are? If you’re just sitting there writing an article or reviewing material, it might not matter that they’re in the same space you are.
But if they’re in that space and you’re trying to have one of the conversations you just discussed, that might be difficult. Another thing we touched on in an earlier podcast is the idea of those files. I mentioned the large files, and so maybe you have those out in the cloud. Well, if this cloud setup and structure is new and you established it since COVID, have you ensured that your settings are correct?
One of the things I dealt with in a prior life was just setting up the cloud in the normal course of business, and one of the things we identified is that when someone opened a file in the cloud, the system, unless you changed the setting, automatically downloaded the file to the local computer. Well, if I’m using my personal laptop and that happens, you might have just had a large file with a lot of protected health information downloaded to my personal device that may not have the security settings that are ideal.
So, thinking about those kinds of things now, as opposed to in the middle of the incident, is going to be important. And again, what is your current cloud setting? You might have it set up that way, but people are only supposed to access the cloud during the normal course of business from their work device, and so that’s not an issue because it’s still living on a device that your organization owns. But in this time of crisis, are they now using their personal device, and is that file now going to be copied to their personal device?
And the reason, just in case you don’t know, that files get copied is, if you lose your connection, then you don’t lose all your data or your work. That’s one of the reasons the feature is set up to download that file as you open it in the cloud.
So again, thinking through this and understanding the implications of that is going to be important, and that’s important in normal incident response but even more so in today’s environment with so many people working remotely. Now, we’ve talked a bit about, you know, analyzing the data compromise and figuring out whether or not it’s a breach. What if it happens that you’ve determined there is a breach and it’s a significant number of individuals that are involved? You’re going to have notification requirements, and again, in the normal course of incident response and thinking about this, you may have vendors already established that you’d use to set up your call center or to help you do your breach notification, i.e., you know, printing and mailing all the letters.
Is that something that you’re going to be able to do in the current environment? Because that vendor likely has all their folks working from home. And in a call center, that’s usually people sitting in a call center responding to the calls.
Well, what if that vendor has to have all their people working from home? Is there a process or a structure by which they could establish the call center with those folks working from home? And then, of course, you just increase your risk because all of these people are sitting at home taking the calls. And again, that’s assuming that the vendor can establish this and set something up to have their call center folks take calls in their homes. But what’s that person doing? Where are they sitting? How are they doing that? Are they sitting next to their family member as they take the call from your patient to talk about what data might have been compromised and what the patient might need to do?
So, this is all challenging. We talked in an earlier podcast of things like the folks who do your forensic analysis, you know, normally when that happens, most organizations we’ve worked with the forensic analysis person comes on-site and they start doing their work on site.
And again, those are some of the things you’re going to see with vendors. The same thing is true, as we’ve talked about in several of the podcasts in this series, of the attorneys and legal folks you might need to work with and talk through. Are you able to get them on a conference bridge and talk through any issues about breach notification?
So again, in normal times incident response can be chaotic and all of the things we’ve talked about can be very very challenging. But when you layer on top of that the current environment with everybody working remotely, it just increases the risk and increases the challenges exponentially.
Clyde, is there anything you’d like to add on the notification requirements and the thoughts on that?
Yes, Marti, you brought up some great points, and it triggered a thought that I think our listeners may want to understand: having a remote workforce, not only for yourself but for your vendors, how do they communicate with each other?
It brings up the whole issue of vendor management and the fact that you know the best time to think about these things and plan for these things is actually before you need them.
In the height of the crisis, you may find yourself, you know, literally backpedaling, trying to get caught up and get ahead of all the work requirements, because, you know, even though the federal government has already, you know, mentioned that they’re going to have some discretionary enforcement for certain things around the privacy requirements, they are so far silent on the notification requirements under the Breach Notification Rule.
So, you know, the clock for the federal government for PHI is ticking. Now, remember there are 51 states out there and the district that, you know, all have their own requirements, and many of those are even shorter. So, trying to get ahead of this, especially when you’re working remotely and all communication has to take place via phone call or conference bridge, it tremendously slows down the thought process and reaching a decision.
So, Marti, those are some of the things I thought of. Back to you.
Yeah, thanks Clyde, and that’s a great point you made about the 60 days. And remember, under HIPAA the rule says you have to notify without undue delay but no more than 60 days. And well, for the little onesie-twosie breaches that you’re still going to be having in the current environment, that may not be as much of a challenge.
But if you have a significant incident that’s going to require the triggering of your incident response plan, that’s likely going to be a significant number of people, and every point you just made, Clyde, is very valid. You know, that clock is ticking, both the state clock and the federal clock, and so you have to be cognizant of that, and my recommendation would be, if you find this is challenging and you’re creeping up on that deadline, whatever it is under state law or federal law, and if you’re required under state law to notify a state entity, often it’s the State Attorney General, it might be the Secretary of State, or someone else.
Consider doing a temporary notice or an interim notice just to let them know: Hey, we’re not ignoring this during COVID, we are working on it, it’s more challenging, and we hit our 60-day mark, we hit our 45-day mark, and we’re still evaluating it as quickly as we can, but we’re not yet ready to notify.
And my suspicion is that most state entities and OCR are going to say, you know, keep working, get the notice out as quickly as you can, and they’re not going to engage in enforcement action if that’s the case. But think about this and consider what your risks are, because if you seem to be lagging on this and having not considered it or thought about it at all, then I think there is potential that they could, you know, engage in their enforcement action. What we’ve heard from OCR right now is that they will exercise their discretion not to enforce. But I think, again, we all need to be able to demonstrate that we’ve engaged in good faith efforts to try to evaluate this and get the notices out if there’s a determination that notice is required.
So, I think we’ve covered this pretty thoroughly, but Clyde, do you have any closing thoughts on this?
Yes, I do, Marti. As we were discussing this, another thought came to mind, and that happens to be using a remote workforce, especially not to respond to inbound calls but to make outbound calls. Has your organization set up technical means so that when an employee who is working from home and using their cell phone or their home phone makes an outbound call to a patient or somebody, what is the caller ID going to look like?
I mean, so many Americans right now are receiving, you know, the phishing calls and the spam calls and the robocalls. They’re leery to pick up and give any information whatsoever to, you know, the caller, and a lot of times they won’t pick up at all.
So, if you have a remote workforce, have you implemented a process such as, you know, installing softphones on either the work computer or the person’s home computer, or the workforce’s home computer, so that when they make the phone call the caller ID shows as Acme Medical Center or Acme Hospital? So that the person being called understands, you know, or has a higher level of confidence that this is a legitimate call. So, without having those technical capabilities, you know, if somebody receives a phone call and the caller ID says, you know, Clyde’s mobile, they’re not going to give me any information even if I’m legit.
Well, and it’s not going to say Clyde’s mobile if you’re not in their contacts, so it’s just going to come across as some phone number from some state, and you’re absolutely right, that is going to be challenging. But again, think about these things in advance to the extent you can, and I reiterate, we know all of our clients and everybody out there is under a tremendous amount of stress.
And part of our reason for engaging in these podcasts is to just try to support you and give you things to think about, and considerations and thoughts about this, and if there’s anything we can do to support you if you have an incident, we encourage you to reach out, and we hope you find these podcasts helpful and that they allow you to consider some of the risks that maybe you haven’t had the opportunity to sit down and think about in the middle of trying to run your operation just on a day-to-day basis.
So again, hope you’ve enjoyed this. If you’re looking for the additional podcasts in this series, you can find them on the CynergisTek website, cynergistek.com.
Lauren, I’m going to turn it back to you.
Awesome, thank you so much, Clyde and Marti. Yep, just a reminder to our listeners: blog posts around this topic, along with the other series, can be found at cynergistek.com.