Diagnosing Best Cybersecurity Practices at Your Law Firm with HIPAA
This may seem like a big, convoluted task, but it doesn’t have to be. In this series of blog posts, we’ll go over how to draft both an acceptable use policy and an incident response plan, thanks to some handy guidance from a perhaps surprising source: HIPAA.
Why HIPAA?
HIPAA, as you probably know, protects patients’ personal demographic data, as well as their medical history and current status, the health care services they are or have been offered, and the payment details for those services. HIPAA and the ensuing Privacy Rule cover the circumstances under which that information can be used or disclosed. This information can only be disclosed under defined exceptions, such as facilitating medical services or cases where the patient explicitly permits it.
This should start sounding familiar to any lawyers reading: confidential information in the context of the Model Rules of Professional Conduct is not only information disclosed by the client to the attorney but also information pertaining to the representation. Depending on the matter, this can include personal information about the client’s past, present, or future mental or physical states and key demographic data, and it will, of course, include the scope of the representation and the payment details. And the Rules of Professional Conduct, regardless of what state you practice in, state that the client’s confidential information can only be shared in specific circumstances – to protect the client, to advance the client’s interests, and in cases where the client explicitly gives permission.
By now it’s hopefully starting to make sense: if HIPAA and the confidentiality rules binding lawyers impose very similar constraints and duties of confidentiality, protect very similarly defined personal information, and guard against similar levels of harm if that information were improperly disclosed, it stands to reason that HIPAA might provide helpful guidance, or at least some pointers, for developing comprehensive cybersecurity strategies in the legal world.
To start with, HIPAA doesn’t actually mandate any security measures, but rather encourages entities that handle this sensitive and confidential information to consider the following factors:
- The size, complexity, and capabilities of the entity,
- Its technical infrastructure,
- The costs of any security measures,
- The likelihood and possible impact of potential risks to electronically transmitted personal information.
Let’s try to apply some of these concepts to your legal practice now.
What’s an Acceptable Use Policy, and what does HIPAA have to say about it?
An acceptable use policy (AUP) serves as the source of truth for all procedures and guidelines for how employees should use the firm’s network, software, and any devices the firm uses or provides for its employees. At the same time, however, it’s important to emphasize that the AUP not only protects the company but also protects the employees.
In keeping with this mindset, HIPAA’s security standards encourage making an assessment of current risks the first step when developing these policies. This doesn’t have to be as intimidating as it sounds: it can start as simply as, “There is a risk that employees in an in-person environment might leave devices with confidential information open and unattended. This means that others without authorized access might be able to purposely or inadvertently see that confidential information.” In this case, the next step would be to ensure that the AUP includes a clean desk/clean desktop policy where, for example, employees are automatically logged out after a period of inactivity, or employees are instructed to log out of any client portals, document sharing platforms, etc. before leaving their desks. Some of the software you use at your firm may already have this configured in its settings, but if not, you can work with your technology provider to get it set up.
Another risk might be losing login or password credentials, so the acceptable use policy would also include, for example, mandatory usage of a password manager or two-factor authentication. Depending on your firm’s resources and the kind of data you handle, it might even require your employees to use a security key or passkey. The software your firm uses may also mandate that you change your passwords on a regular basis – if that’s the case, you may want to evaluate or adjust that basis, and make sure to outline what the password requirements are in the AUP. If it feels like this is obvious stuff, that’s a good thing: it means you’re already aware of vulnerabilities and how to handle them. You also want to make sure you’re covering even the most obvious stuff, because it might not be obvious to your employees.
That’s why HIPAA also encourages entities to conduct regular training for employees that includes clear and concise instructions for accessing, storing, and transmitting electronic personal information. The training should also go over the mandates in the AUP and make employees aware of the risks that you’re trying to mitigate and prevent. The AUP should be considered a living document and updated frequently – after all, technology is always evolving, so it stands to reason that cybersecurity should always be evolving too!
You can reference this checklist when evaluating your AUP:
Does it:
- Help employees know what they can and cannot do with firm technology?
- Educate employees about cybersecurity and best practices?
- Prevent employees from causing a data breach or other compromise in the firm’s cybersecurity?
Of course, the AUP is not going to be perfect. However, HIPAA guidelines can give you a boost in starting to diagnose risk, and that’s when you can take steps within your firm to mitigate it. In our next blog post, we’re going to discuss incident response plans in case something does happen, so you can get on it, stat.