17 October 2024

U.S. Department Of Labor's Updated Cybersecurity Guidance For ERISA Plans

Reinhart Boerner Van Deuren s.c.


Due to the ever-growing threat of cybersecurity incidents affecting the health sector, the Biden administration has sought to modernize the data privacy and security regulatory environment to better align with evolved health care delivery, innovative technologies, and state of the art data sharing techniques. For example, the U.S. Department of Health and Human Services (HHS) has increased enforcement activities, released guidance and published regulations under the Health Insurance Portability and Accountability Act (HIPAA) and 42 U.S.C. 290dd-2 (Confidentiality of Substance Use Disorder Patient Records).

Most recently, on September 6, 2024, the U.S. Department of Labor (DOL) updated and reissued its 2021 cybersecurity guidance directed at ERISA-covered benefit plans. In Compliance Assistance Release No. 2024-01, the DOL confirmed that the 2021 guidance applies to all ERISA-covered employee benefit plans, including health and welfare plans. As explained in a previous Reinhart alert, Department of Labor Provides Cybersecurity Guidance for Stakeholders of ERISA-Covered Plans, the 2021 guidance encompassed three publications addressing the intersection of cybersecurity and ERISA-covered plans.

Each publication targets a different audience: (1) Cybersecurity Program Best Practices applies to ERISA plan sponsors and service providers; (2) Tips for Hiring a Service Provider with Strong Cybersecurity Practices applies to ERISA plan sponsors and fiduciaries who select and monitor service providers; and (3) Online Security Tips applies to ERISA plan participants.

Beyond clarifying that the cybersecurity guidance applies to all ERISA plans, the 2024 guidance includes the following minor updates:

Cybersecurity Program Best Practices

The DOL updated its best practices related to access control and responsiveness to cybersecurity incidents and breaches.

  • Strong Access Control Procedures. Access control procedures seek to ensure that users are who they say they are and that they are granted only the appropriate access to IT systems and data. The updated guidance recommends requiring strong passwords or passphrases and employing multifactor authentication (MFA), especially phishing-resistant MFA, wherever possible.
  • Responsiveness to Cybersecurity Incidents or Breaches. Fiduciaries and service providers are reminded to promptly notify participants of unauthorized acquisition of their personal data, including both personally identifiable information and protected health information, without unreasonable delay.

The DOL also offered additional resources from HHS and the Cybersecurity and Infrastructure Security Agency (CISA) to assist ERISA stakeholders in mitigating cybersecurity risks.

Tips for Hiring a Service Provider with Strong Cybersecurity Practices

The DOL provides tips to plan sponsors and fiduciaries to help them meet their fiduciary responsibilities to prudently select and monitor service providers that follow strong cybersecurity practices. When contracting with service providers, plan sponsors should try to include contract terms that enhance cybersecurity protection for the plan and its participants, including those addressing:

  • Information security reporting;
  • Permissible uses and disclosures of confidential information;
  • Breach notification;
  • Compliance with applicable data privacy, security and record retention laws; and
  • Cyber liability and other insurance that cover breaches and incidents involving the plan and its participants.

Online Security Tips

The DOL provides tips to participants to help them reduce the risks of fraud and loss of personal data and assets from their ERISA plan accounts. In the updated guidance, the DOL recommends replacing common passwords and complex passwords (upper- and lower-case letters, numbers and special characters) with longer, unpredictable and unique passphrases. Such passphrases also tend to be more memorable and require less frequent changes—the updated guidance suggests such passphrases be changed annually if there is no security breach.

Outlook for ERISA-Covered Plans

The DOL's reissued cybersecurity guidance should remind plan sponsors, fiduciaries and service providers of all ERISA plans of the critical importance of safeguarding plan assets and plan data against cybersecurity threats. Additionally, ERISA plan stakeholders should continue to maintain awareness of the ever-changing legislative and regulatory landscape. For example, guidance published by HHS, by way of a Concept Paper, confirmed its intent to update the HIPAA Security Rule, and the Centers for Medicare and Medicaid Services (CMS) plan to propose new cybersecurity requirements for program participants. Such changes are intended to further align the regulation with the evolution of technology and health care delivery that has occurred over the two decades since the HIPAA Security Rule was first issued. While specifics are still uncertain, the forthcoming updates and requirements could harden current guardrails, expand enforcement capabilities and make certain voluntary cybersecurity performance goals mandatory.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
