Cyber-hack could land companies in hot seat

Martin Daks, February 13, 2023

It is common knowledge that medical professionals are legally bound to keep patient information confidential, thanks to regulations like the federal Health Insurance Portability and Accountability Act of 1996. But even if a business’ closest approach to HIPAA is stocking Band-Aids, a cyber-hack that leaks confidential customer data could land the company in the hot seat — and business owners who don’t know this could be in for a big headache.

Photo: Karen Painter Randall, a partner at Connell Foley LLP and chair of the Cybersecurity, Data Privacy and Incident Response Group

“HIPAA is a federal law that prohibits protected health information [PHI] from being disclosed without the patient’s consent,” explained Karen Painter Randall, a partner at Connell Foley LLP and chair of the Cybersecurity, Data Privacy and Incident Response Group. “Certain organizations are considered covered entities under HIPAA, including health care providers, health plans, health care clearinghouses and business associates. These covered entities must keep protected health information private and secure or face legal and regulatory scrutiny.”

But it doesn’t stop there, and it does get messier. “Personally identifiable information [PII] is also a category of sensitive data that is regulated,” she added. “Since there is no uniform federal law, all 50 states have enacted their own ‘data breach notification laws,’ which require all businesses to notify individuals if their PII has been stolen or compromised.”

Each state’s data breach law “differs in some respects, but all of them cover PII, which is typically classified as a person’s name in combination with other information, such as a social security number or driver’s license number, or credit card, debit card and financial account numbers, that may be used to easily identify the person,” Painter Randall said. “Some data breach notification laws protect an individual’s email address if a cybercriminal is able to obtain the password to the account.”

Businesses that don’t think they’re in the health care segment can easily get snared by HIPAA, she warned. “In some states, PII may include medical information such as name, medical/mental health history, mental/physical condition or treatment/diagnosis by a health care professional and even health insurance policies. So even if the business is not considered a covered entity or business associate under HIPAA, if it collects and stores medical information about employees or customers, increased security measures should be put in place.”

If it’s determined that a cyber hack led to unauthorized access or acquisition of medical information, “the business may have an obligation to notify those persons affected under the applicable state data breach notification law,” she said. “If a business suffers a breach and PHI or PII is compromised, the business may suffer legal, regulatory, ethical, and reputational harm. Moreover, the compromised data could be used to launch cyber-attacks via social engineering or sold for identity theft. Dark web marketplaces can also monetize stolen personal and financial data. Data breaches can end up costing a business millions, and result in permanent brand damage.”

In fact, so-called “biometric privacy laws” represent a growing trend, according to Painter Randall. “Biometrics are unique characteristics of the human body and may include fingerprints, facial recognition and retina scans to help identify an individual,” she detailed. “Illinois was one of the first states to enact legislation to protect an individual’s biometric privacy rights under the Biometric Information Privacy Act, and the last several years have seen an increase in litigation seeking to enforce this law.”

So, based on a business’ jurisdiction and the data that it collects and stores, “it is imperative that the entity consult with knowledgeable cybersecurity persons to remain informed of its security and privacy obligations, as noncompliance can result in class action litigation and monetary exposure,” warned Painter Randall. “You can’t protect what you don’t know you have.”

At-risk companies

Photo: Chad Walter, Paperclip chief revenue officer

That can be a particularly deep pitfall for small- and medium-sized businesses, according to Paperclip Chief Revenue Officer Chad Walter. “The increasing cost and complexity of cybersecurity issues is one of the biggest challenges for small- to medium-sized businesses,” he said. “It’s not uncommon to hear them say that ‘we don’t have sensitive data, so why would we be a target?’”

The thing is, “If you’ve got more than one employee, you do store sensitive data and you are a likely target,” he cautioned. “Your business has social security numbers, date of birth information, even health information, if an employee ever calls in sick. Much of this data may trigger legal requirements to keep it protected. And if you take credit or debit cards, or other kinds of payments – onsite or through e-commerce – you may have reporting requirements and potential liability for cyber hacks or other unauthorized access.”

Besides keeping systems secured with antivirus and other defenses, “it’s a good idea to practice zero trust,” said Walter. “Always verify requests. If you get a phone call from a vendor for a wire transfer to pay an invoice, or if you get an email from them, call the vendor directly to verify it. Don’t call the number in the email, and don’t click on any links. Doing that could open up your systems and your sensitive data. A little paranoia can result in big savings.”

If a business does get penetrated, then a second layer of defense, encryption, may help, he noted. “At Paperclip, we offer clients secure processing, transcribing and communication of sensitive content. The data is encrypted before it’s stored, so even if a cybercriminal is able to access it, the data will be worthless to them. In 2022 alone, we safely processed about 70 million documents from large, medium and small organizations.”

But even encrypted data has a soft spot: businesses search their data daily or more often, and a conventional search has to decrypt the records it scans, so plaintext is exposed, however briefly, to an attacker who already has a foothold in the system and is waiting for exactly that moment. “Our Paperclip SAFE gives clients the ability to keep data encrypted while they search through it,” explained Walter. “By maintaining encryption on a 360-degree basis – while it’s being transmitted, stored or searched – we can keep it safer throughout multiple cycles. Cybersecurity today is like a military conflict, where you cannot let your guard down for an instant.”
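
The arrangement Walter describes, records encrypted before they are stored and searches that never unlock them, can be built with a blind index: beside each ciphertext the store keeps a keyed hash of every keyword, and a query is answered by hashing the search term with the same key and comparing tokens. The Go program below is an added example written for this article; it is not Paperclip’s code and does not claim to show how Paperclip SAFE works internally. The Vault and Record types, the fixed demo keys and the sample records are all constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
	"unicode"
)

// Record is the only stored form of a document: AES-256-GCM ciphertext (Nonce +
// Cipher, tag included) plus a blind index of HMAC-SHA256(indexKey, keyword) tokens.
type Record struct {
	ID     int
	Nonce  []byte
	Cipher []byte
	Index  [][]byte
}

// Vault is a hypothetical store; the encryption key and the index key are independent.
type Vault struct {
	aead     cipher.AEAD
	indexKey []byte
	Records  []Record
}

func NewVault(encKey, indexKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil || len(encKey) != 32 || len(indexKey) != 32 {
		return nil, fmt.Errorf("need two 32-byte keys")
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block with the default nonce size
	return &Vault{aead: aead, indexKey: indexKey}, nil
}

// keywords lower-cases and splits text into alphanumeric words ("Diagnosis:" -> "diagnosis").
func keywords(text string) []string {
	sep := func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }
	return strings.FieldsFunc(strings.ToLower(text), sep)
}

// token is the keyed hash of a keyword; without indexKey the index cannot be dictionary-attacked.
func (v *Vault) token(word string) []byte {
	mac := hmac.New(sha256.New, v.indexKey)
	mac.Write([]byte(strings.ToLower(word)))
	return mac.Sum(nil)
}

// Store encrypts before storing and builds the blind index. The record ID is
// authenticated as additional data, so a ciphertext cannot be moved to another record.
func (v *Vault) Store(text string) (int, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return 0, err
	}
	id := len(v.Records) + 1
	ct := v.aead.Seal(nil, nonce, []byte(text), []byte(fmt.Sprintf("record-%d", id)))
	var index [][]byte
	for _, w := range keywords(text) {
		index = append(index, v.token(w))
	}
	v.Records = append(v.Records, Record{ID: id, Nonce: nonce, Cipher: ct, Index: index})
	return id, nil
}

// Search compares tokens only; nothing is decrypted, so the host answering the
// query never holds plaintext. It returns the IDs of the matching records.
func (v *Vault) Search(word string) []int {
	want := v.token(word)
	var ids []int
	for _, r := range v.Records {
		for _, tok := range r.Index {
			if hmac.Equal(tok, want) {
				ids = append(ids, r.ID)
				break
			}
		}
	}
	return ids
}

// Open decrypts one record, the only step at which plaintext must exist. A
// tampered record fails GCM authentication and returns an error, not garbage.
func (v *Vault) Open(id int) (string, error) {
	if id < 1 || id > len(v.Records) {
		return "", fmt.Errorf("no such record %d", id)
	}
	r := v.Records[id-1]
	pt, err := v.aead.Open(nil, r.Nonce, r.Cipher, []byte(fmt.Sprintf("record-%d", id)))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

Search touches only the tokens, so the machine answering the query never holds plaintext; Open is the single place decryption happens, and because AES-GCM authenticates what it decrypts, a record an intruder has altered fails outright rather than yielding modified plaintext. The caveat a practitioner should weigh: a deterministic blind index leaks equality, since every record containing the same keyword carries the same token, and it reveals which records each query touched. That is far less than decrypting every record for every search, but it is not nothing. Keeping the index key separate from the encryption key at least means that a leaked index key lets an attacker test guesses against the tokens but not read the records.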

Shielding sensitive information

In her role at Connell Foley, Painter Randall lives cybersecurity, and shared some best practices that businesses should embrace.

“The threat landscape is rapidly evolving and attackers are becoming more brazen, so the potential for a cyber-attack is always looming in the background,” Painter Randall cautioned. “Small- to medium-size businesses are under the impression that they are not being targeted by cyber adversaries because they don’t have the same assets as larger enterprises. However, since Colonial Pipeline and the Russian-Ukrainian conflict, nation-state actors have shifted to targeting small- to medium-size businesses because they have weaker security, smaller IT budgets and talent pools, and less-robust defenses. Businesses need to put measures in place to protect against a cyber-attack. A good first step would be to consider adopting a zero trust approach to security using the NIST (National Institute of Standards and Technology) framework.”

To create a safer environment, her top tips include:

  • Create a culture of security. Everyone has a role in protecting the business from a cyber-attack, including end users, leadership, key stakeholders and security professionals. Focus on risk mitigation and build a foundation of resiliency.
  • Deploy multifactor authentication (MFA). This is an easy and important step to protect your network and individual user online accounts against unauthorized access when credentials are exposed in a breach. MFA adds a level of authentication to the login process, so even if a threat actor has an account password, they cannot gain access to the account without the second factor.
  • Conduct regular security awareness training to minimize risk and prevent breaches. Training can include simulated phishing exercises that teach employees to recognize attempted fraud, phishing emails and other social engineering attacks. Make sure the workforce is accountable for its actions.
  • Implement endpoint detection and response (EDR). Adopt an integrated security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities.
  • Maintain backups of your critical information, and test that they can actually be restored.
  • Use encryption. Deploy it for sensitive data and personally identifiable information, both at rest and in transit.
  • Be prepared. Create an incident response plan and specific attack playbooks to detect, respond to, recover from and limit the consequences of a malicious cyber-attack. Run tabletop exercises yearly.
  • Vet and manage third-party vendors. Such entities may have access to your network and to sensitive or proprietary information. Consider drafting agreements that require vendors to comply with cyber and data security practices.
  • Keep software up to date with patch management.
  • Manage your passwords.
  • Incorporate a layered defense approach.
  • Transfer liability risk by purchasing a cyber liability insurance policy.
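
The MFA tip turns on one mechanism: a second credential that changes every 30 seconds and that a stolen password does not give the attacker. The Go program below is an added example, not code from the article, from Connell Foley or from any product mentioned here; it implements the time-based one-time password of RFC 6238 (HOTP from RFC 4226 underneath) and a login routine that refuses a correct password unless a fresh, unused code accompanies it. The User type, the Login function and the credentials are constructed for the illustration, and the secret is the RFC’s reference key "12345678901234567890" so the codes can be checked against the published test vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation to 31 bits, then the low `digits` decimal digits, zero-padded.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := uint32(h[off]&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) is HOTP with the counter set to 30-second steps since the Unix epoch.
func TOTP(secret []byte, at time.Time) string {
	return HOTP(secret, uint64(at.Unix())/30, 6)
}

// matchTOTP accepts the code for the current step or one step either side (clock
// drift), compares in constant time, and reports which step matched.
func matchTOTP(secret []byte, code string, at time.Time) (uint64, bool) {
	step := uint64(at.Unix()) / 30
	for _, s := range []uint64{step - 1, step, step + 1} {
		if subtle.ConstantTimeCompare([]byte(HOTP(secret, s, 6)), []byte(code)) == 1 {
			return s, true
		}
	}
	return 0, false
}

// User is a hypothetical account record. The password hash is salted SHA-256
// for brevity; production code uses a slow hash such as bcrypt or Argon2.
type User struct {
	Salt         []byte
	PasswordHash []byte
	TOTPSecret   []byte
	lastStep     uint64 // highest time step already consumed, so a captured code cannot be replayed
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func NewUser(password string, totpSecret []byte) *User {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return &User{Salt: salt, PasswordHash: hashPassword(salt, password), TOTPSecret: totpSecret}
}

// Login requires both factors. Both are evaluated before any decision so timing
// does not reveal which one failed; the reason string is for the audit log only,
// and the user should see a single generic failure message.
func Login(u *User, password, code string, now time.Time) (bool, string) {
	passOK := subtle.ConstantTimeCompare(hashPassword(u.Salt, password), u.PasswordHash) == 1
	step, codeOK := matchTOTP(u.TOTPSecret, code, now)
	if !passOK {
		return false, "bad password"
	}
	if !codeOK {
		return false, "bad or missing code"
	}
	if step <= u.lastStep {
		return false, "code already used"
	}
	u.lastStep = step
	return true, "ok"
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 reference secret, for checking against its vectors
	fmt.Println("code at t=59:", TOTP(secret, time.Unix(59, 0)))
	u := NewUser("correct horse battery staple", secret)
	ok, why := Login(u, "correct horse battery staple", "", time.Unix(59, 0))
	fmt.Println("password only:", ok, why)
	ok, why = Login(u, "correct horse battery staple", TOTP(secret, time.Unix(59, 0)), time.Unix(59, 0))
	fmt.Println("password + code:", ok, why)
}
```

Two details carry the security weight. matchTOTP checks the neighbouring time steps so a phone whose clock is a few seconds off still works, but Login records the step it accepted and refuses anything at or before it, so a code captured after the victim has used it cannot be replayed within the drift window; this does not stop an attacker who relays a phished code before the victim does, which is why phishing-resistant factors such as hardware keys are preferred for high-value accounts. And Login evaluates both factors before deciding and returns its reason only for the audit log: telling the user which factor failed would hand an attacker confirmation that the password was right.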

And she shared one more piece of advice: “Keep your eye on the developing new artificial intelligence (deepfakes) and ChatGPT frontier. Some experts characterize the new technology as information warfare machines. Products, services and solutions are being invented faster than ever expected, and with this innovation comes promise but also warnings about issues like writing malware without malicious code, information reliability, bias, disinformation, and the elimination of jobs. AI’s capability is both awesome and terrifying. If it goes badly: ‘It’s lights out for all of us’ according to the creator of ChatGPT, Sam Altman.”