FTC Trial Spotlights Security Practices
Insights on Issues that Regulators Scrutinize
Early testimony in the FTC's administrative trial involving its security complaint against LabMD provides insights into the kinds of issues that regulators consider pertinent when it comes to data security practices.
LabMD decided to go to trial rather than agree to the FTC's proposal that called for the lab to implement a comprehensive information security program that would be evaluated every two years by an independent, certified security professional for the next 20 years (see FTC vs. LabMD: Next Battle Begins).
LabMD alleges the FTC is overstepping its boundaries into health data security issues that fall under the auspices of the Department of Health and Human Services, which enforces HIPAA.
The trial is worth watching because it could shed light on how the FTC evaluates data security when the agency pursues enforcement actions against companies for alleged unfair business practices.
The FTC's statements so far suggest that the standards it used to judge LabMD's security practices inadequate are drawn not from its own specific recommendations but from a mix of other government and industry standards, best practices and guidance.
The transcript of the proceedings on May 20, day one of what could be a multi-week trial, helps illustrate the kind of security issues regulators consider in their investigations. Here are four tips, based on the early testimony:
Tip 1: Regardless of the size of your organization, you need a thorough, timely and documented risk assessment. Consider this testimony:
FTC Attorney: Could LabMD have corrected its failure to use an appropriate set of risk assessment measures at relatively low cost?
Expert Witness: Yes.
FTC Attorney: How could LabMD have done that?
Expert Witness: LabMD could have used some of the freely available tools for risk assessment.
Note that as the trial proceeds, LabMD will argue that, contrary to the testimony of FTC's witnesses, the lab did take steps to protect data. A LabMD attorney told the judge: "There will be testimony from those who were there that will describe the technological processes and efforts that were put in place by LabMD to protect the protected health information."
Tip 2: Make sure your organization has adequate user controls, such as controls that block the use of peer-to-peer networks.
Testimony on day one shows that one incident that led to the FTC complaint against LabMD involved a billing manager downloading a file-sharing program called LimeWire onto her computer to share music on a peer-to-peer network over the Internet. The problem is that the LimeWire program apparently allowed other files, like patient data, to be shared as well.
Here's some testimony:
Judge: This LimeWire program you're talking about, if that had never been downloaded by an employee, would we not be here today?
FTC Attorney: It is likely that we would not know about the defects in LabMD's security practices had we not known that ... the [LabMD] file was on the P2P network.
Judge: So whatever information got out there in cyberspace was a result of LimeWire?
FTC Attorney: It was a result of the company's security failures that allowed LimeWire to be used by an employee.
Again, as the hearing proceeds, LabMD will have the opportunity to argue against the FTC's various allegations.
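For Tip 2, here is an added example of the kind of endpoint check an administrator could run; it is not code from the article, from LabMD or from the FTC. It reads a constructed software and folder-share inventory, flags hosts running a file-sharing client from an assumed blocklist, and flags shared folders that overlap assumed protected-data paths. The overlap check also catches a share of a parent folder, which is how an entire Documents tree ends up exposed even though only a Music folder was meant to be shared.

```python
"""Added example, not from the article or from LabMD or the FTC: a small
endpoint audit that reports (a) hosts running peer-to-peer file-sharing
clients and (b) shared folders that overlap directories holding protected
data. The client list, protected paths and inventory records are all
constructed for illustration."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field

# Assumed: process names of file-sharing clients the organization does not allow.
P2P_CLIENTS = {"limewire.exe", "frostwire.exe", "utorrent.exe", "bittorrent.exe"}

# Assumed: directory patterns that hold regulated data (constructed paths;
# a '*' matches exactly one path segment, e.g. a user name).
PROTECTED_PATHS = ["C:/LabData", "C:/Users/*/Documents/Billing"]


@dataclass
class Endpoint:
    """One host from a (constructed) software and share inventory."""
    host: str
    user: str
    processes: list[str]
    shared_dirs: list[str] = field(default_factory=list)  # folders exposed for sharing


def _segments(path: str) -> list[str]:
    """Normalize a path to lower-case, forward-slash segments."""
    return path.replace("\\", "/").rstrip("/").lower().split("/")


def exposes_protected(share: str, pattern: str) -> bool:
    """True if the shared folder is a protected directory, a parent of one
    (sharing it exposes everything below), or a folder inside one."""
    s, p = _segments(share), _segments(pattern)
    n = min(len(s), len(p))
    return all(fnmatch.fnmatchcase(s[i], p[i]) for i in range(n))


def audit_endpoints(endpoints: list[Endpoint]) -> list[tuple[str, str, str]]:
    """Return (host, severity, message) findings for the inventory."""
    findings = []
    for ep in endpoints:
        p2p = sorted(proc for proc in ep.processes if proc.lower() in P2P_CLIENTS)
        for proc in p2p:
            findings.append((ep.host, "high",
                             f"peer-to-peer client running: {proc} (user {ep.user})"))
        for share in ep.shared_dirs:
            hits = [pat for pat in PROTECTED_PATHS if exposes_protected(share, pat)]
            if hits:
                # A protected folder exposed through a running P2P client is the
                # LimeWire scenario: data leaves the network without any intrusion.
                severity = "critical" if p2p else "medium"
                findings.append((ep.host, severity,
                                 f"shared folder {share} overlaps protected path(s): {', '.join(hits)}"))
    return findings


# Constructed inventory records (not real hosts, users or data).
SAMPLE_INVENTORY = [
    Endpoint("BILL-01", "billing.mgr", ["outlook.exe", "LimeWire.exe"],
             ["C:/Users/billing.mgr/Music", "C:/Users/billing.mgr/Documents"]),
    Endpoint("LAB-07", "tech.a", ["lis.exe"]),
    Endpoint("FS-01", "svc.backup", ["backup.exe"], ["C:/LabData/archive"]),
]

if __name__ == "__main__":
    for host, severity, message in audit_endpoints(SAMPLE_INVENTORY):
        print(f"{host:8} {severity:9} {message}")
```

In practice the inventory records would come from an endpoint-management or EDR export rather than being typed in, and a finding like the BILL-01 one is a detection only; keeping the client off the machine in the first place is an application-control decision, which is the user control Tip 2 is about.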
Tip 3: Get back to basics. Make sure users are required to periodically change their passwords. Consider this testimony:
LabMD Attorney: People didn't change passwords for over five years.
Judge: Does that mean anybody can sit there and access whatever they needed to?
LabMD Attorney: It doesn't mean they didn't log off. I can keep my password for five years and you'll never know what it is. That doesn't mean because my password is five years old that somehow you're going to have access to the information on my desktop.
Tip 4: Make sure your organization takes a layered approach to security because no one approach is a sure bet. Here's a discussion from the trial:
Expert Witness: There's no such thing as perfect security because threats are always evolving. And as we define mechanisms to protect or protect against or prevent or mitigate a risk, there's a new risk. And so it's an arms race, and even if I've addressed particular risk and vulnerability, that vulnerability could evolve to evade the techniques that I'm using to mitigate that risk.
FTC Attorney: If there's no such thing as perfect security, what is the result of an appropriate defense-in-depth strategy...?
Expert Witness: A layered approach...
The early testimony in this case offers valuable food for thought when it comes to scrutinizing your organization's security efforts.