CISA cybersecurity vulnerability announcement underscores importance of risk assessment when transferring PHIs to patients

April 29, 2021
Rachel V. Rose, JD, MBA

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

Covered entities should be balancing a patient’s right to request his/her medical records or designated record set in a particular electronic format with an unacceptable level of security risk to the covered entity’s systems.

The Cybersecurity and Infrastructure Security Agency (CISA) recently announced the exploitation of vulnerabilities in certain Pulse Connect Secure products, which affected U.S. government agencies, critical infrastructure entities, and private sector persons. The cyber threat actor, which the National Institute of Standards and Technology (NIST) describes as “an individual or group posing a threat”, “is using this access to place webshells [a malicious web-based interface that enables remote access and control] on the Pulse Connect Secure appliance for further access and persistence.” Webshells give an attacker remote control over a variety of functions, including bypassing authentication and logging passwords.

This type of attack serves as a reminder to covered entities, business associates, and subcontractors alike. In particular, covered entities should balance a patient’s right to request his/her medical records or designated record set in a particular electronic format against the risk that the requested format poses an unacceptable level of security risk to the covered entity’s systems. Generally, mail and e-mail are considered readily producible formats by a covered entity. HHS set forth an important explanation (one entities should bear in mind when addressing the 21st Century Cures Act and Information Blocking):

A covered entity also must provide access in the manner requested by the individual, which includes arranging with the individual for a convenient time and place to pick up a copy of the PHI or to inspect the PHI (if that is the manner of access requested by the individual), or to have a copy of the PHI mailed or e-mailed, or otherwise transferred or transmitted to the individual to the extent the copy would be readily producible in such a manner. Whether a particular mode of transmission or transfer is readily producible will be based on the capabilities of the covered entity and the level of security risk that the mode of transmission or transfer may introduce to the PHI on the covered entity’s systems (as opposed to security risks to the PHI once it has left the systems). A covered entity is not expected to tolerate unacceptable levels of risk to the security of the PHI on its systems in responding to requests for access; whether the individual’s requested mode of transfer or transmission presents such an unacceptable level of risk will depend on the covered entity’s Security Rule risk analysis. See 45 CFR 164.524(c)(2) and (3), and 164.308(a)(1). However, mail and e-mail are generally considered readily producible by all covered entities. It is expected that all covered entities have the capability to transmit PHI by mail or e-mail (except in the limited case where e-mail cannot accommodate the file size of requested images), and transmitting PHI in such a manner does not present unacceptable security risks to the systems of covered entities, even though there may be security risks to the PHI while in transit (such as where an individual has requested to receive her PHI by, and accepted the risks associated with, unencrypted e-mail).

Cyber threats are becoming more prevalent. Covered entities should balance their obligation to provide patients with a copy of their medical records in a timely manner (30 days under HIPAA, or 60 days with the statutory extension, or potentially less time under a specific state’s law) and in the manner requested by the patient against the security risk the requested method poses to their systems; only where that risk outweighs the individual’s preferred method may the request be declined. Be certain to document why the request could not be accommodated and collaborate with the patient to reach an acceptable method of transfer. In doing so, the covered entity can satisfy its obligation to provide the patient’s records while maintaining the confidentiality, integrity, and availability of all of its patients’ PHI.
