ERISA Advisory Council Reports on Cybersecurity Issues Affecting Health Benefit Plans

The Department of Labor’s Advisory Council on Employee Welfare and Pension Benefit Plans has issued a report addressing cybersecurity issues affecting health plans. While the Council has issued two reports on cybersecurity issues affecting employee benefit plans in the past (the first in 2011; the second in 2016), this report marks the first time the Council has focused exclusively on cybersecurity regarding health benefit plans alone.

This report emphasizes the vast amount of individualized data obtained, produced, and maintained by health plans makes these plans especially tempting targets for cyberattacks. Health plan datasets, after all, include not only standard personal identification information (e.g., names, addresses, phone numbers, social security numbers, etc.) but also extremely sensitive (and therefore extremely valuable) personal health information that cybercriminals can trade or sell on the “dark web” or exploit in other ways, such as through ransomware.

The Council paints a stark picture, noting that the HHS Office for Civil Rights has reported that since 2015 cybersecurity breaches among healthcare providers have affected the greatest number of individuals. Additionally, the FBI has identified the Healthcare and Public Health Sector as the US critical infrastructure sector most victimized by ransomware in 2021, and IBM has reported that the healthcare industry has borne the highest data breach costs of any industry for 12 years in a row, with the average cost totaling $10.1 million in 2022.

Before making its own recommendations on how best to combat these threats, the Council sought testimony from various outside experts and industry stakeholders, emphasizing whether DOL should expressly recognize the provision of cybersecurity for health plans as a fiduciary duty under ERISA.

While opinions on this question varied among the witnesses, the Council gleaned three “important threads” when it considered their testimonies, including:

• The relationship between the obligations of health plan fiduciaries with respect to cybersecurity under HIPAA and ERISA, including whether or not compliance with the HIPAA security rule would be sufficient to meet fiduciary standards under ERISA.
• The lack of clarity about and knowledge of ERISA fiduciary duties regarding cybersecurity for health plans, especially since DOL has not yet “made a sufficiently direct statement, whether in a regulation or guidance, declaring the basic principle that health plan fiduciaries have a duty to act prudently regarding cybersecurity risks.”
• How plans address cybersecurity issues in their dealings with third-party service providers, since “most of the action, most of the information, and most of the security risk [for health plans] lies with third-party administrators, insurers, and other service providers.”

After taking all the above and more into account, the Council concludes its report with the following recommendations:

1. The DOL makes explicit that acting prudently with regard to cybersecurity risks is a responsibility of fiduciaries of all employee benefit plans, not just pension plans.
2. The DOL makes clear that the fiduciary duty to act prudently regarding cybersecurity risks includes the duty of health plan fiduciaries to ascertain that their health plan service providers have practices and procedures in effect to deal with such risks. This would include, but not necessarily be limited to, an update to the DOL’s core publication for health plan fiduciaries, Understanding Your Fiduciary Responsibilities Under a Group Health Plan, to address fiduciary duties regarding cybersecurity risks.
3. The DOL clarifies that the Cybersecurity Program Best Practices and Tips for Hiring a Service Provider with Strong Cybersecurity Practices apply to health benefit plan fiduciaries.
4. The DOL indicates the extent to which compliance with HIPAA and HITECH satisfies any of the recommended practices in the Best Practices and Tips publications.
5. The DOL reviews, on a regular and timely basis and updates, if necessary, the Best Practices and Tips so that they reflect changes in those practices in light of the evolving nature of cybersecurity threats.
6. The DOL provides education and materials to health plan sponsors and fiduciaries to assist them in understanding and carrying out these duties, including but not necessarily limited to specific tailored and targeted educational programs and materials to inform plan sponsors and fiduciaries about their ongoing responsibilities and obligations related to cybersecurity and informing plan sponsors and fiduciaries of materials available from other agencies, such as the HIPAA Security Risk Assessment Tool which is designed to assist small-to-medium-sized organizations.

Recommendations such as these by the Advisory Council are, by definition, advisory only. Furthermore, they are directed at the DOL (specifically, the Secretary of the DOL) only, and the DOL can adopt some, all, or none of them at its complete discretion and on its own time.

Nevertheless, these recommendations (along with the report itself) provide tremendous insights regarding the cybersecurity challenges health benefit plans presently face, as well as possible approaches regulators may undertake to address those challenges in the future.

ERISA Advisory Council Report on Cybersecurity Issues Affecting Health Benefit Plans »