California Determines What Is Reasonable and Appropriate for Securing Health Information: HIPAA & HITECH Act Blog by Jonathan P. Tomes


HIPAA requires covered entities and business associates to implement reasonable and appropriate security measures in § 164.308(a)(1)(ii)(B), the risk management implementation specification of the Administrative Safeguards, but although it does provide some guidance for making that determination, it does not spell out what is reasonable and appropriate. On February 16, 2016, however, the California Attorney General’s Office released its 2016 Data Breach Report, which provides a list of safeguards that the Attorney General believes constitute reasonable safeguards—that is, the reasonable security practices required by California law.

The report analyzed 657 data breaches reported from 2012 through 2015 and set forth recommendations for mitigating the risks associated with such breaches. The report’s findings are alarming: California had 49.6 records compromised, which amounted to 10 million more than the number of California residents. The report noted that the health care industry was particularly vulnerable to breaches, most of which were due to stolen or lost documents or electronic devices containing unencrypted data.

In Assembly Bill 1950 (“AB 1950”), California requires organizations to implement “reasonable security procedures and practices . . . to protect personal information from unauthorized access, destruction, use, modification, or disclosure.”

Turning to the security measures that the Attorney General’s report requires, the report states that the controls required represent the “minimum level of information security” that all organizations handling personal data should meet. It does not pull any punches by continuing: “The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

The Controls are notable for their graduated approach: they start with controls that either have demonstrated the greatest reduction in risk or must be completed before moving on to other steps. The Attorney General considers the first five to be foundational elements of any cybersecurity program. And all of the controls are scalable to the needs of each organization, much as the HIPAA security measures are scalable.

Like a good HIPAA risk analysis, the controls start with an Inventory of Authorized and Unauthorized Devices:

  1. Inventory of Authorized and Unauthorized Software.
  2. Security Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers.
  3. Continuous Vulnerability Assessment and Remediation.
  4. Controlled Use of Administrative Privileges. The Report states that organizations “should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information.” This requires prompting users not only for something that they know (e.g., a username and password), but also something that they have (e.g., a physical token that generates one-time passwords) or something that they are (e.g., a fingerprint or retina scan).
  5. Maintenance, Monitoring, and Analysis of Audit Logs.
  6. Email and Web Browsing Protection.
  7. Malware Defenses.
  8. Limitation and Control of Network Ports, Protocols, and Services. See the discussion of 4., above.
  9. Data Recovery Capability.
  10. Secure Configurations for Network Devices, such as Firewalls, Routers, and Switches.
  11. Boundary Defense.
  12. Data Protection.
  13. Controlled Access Based on the Need to Know. See the discussion of 4., above.
  14. Wireless Access Control.
  15. Account Monitoring and Control.
  16. Security Skills Assessment and Appropriate Training to Fill Gaps.
  17. Application Software Security.
  18. Incident Response and Management.
  19. Penetration Tests and Red Team Exercises.

The report goes on to note the number of breaches that could have been prevented by encryption that is affordable for small and large businesses alike—particularly in the health care sector, which the Report notes “appears to be lagging behind other sectors in this regard.” It goes on to suggest that organizations should implement “strong encryption,” including full disk encryption on mobile devices and desktop computers when not in use.

Even though this report addresses only electronic data, many of its principles would seem to apply to paper records, and even though it applies only to California businesses, it may spread beyond the state’s borders and be considered a national standard unless and until Congress or Health and Human Services revises HIPAA to better define what is “reasonable and appropriate.”

For the full text of the report, go to
