Tag Archives: phi

Actuaries Beware: Pricing Cyber Risk Is a Different Ballgame

Growth in the cyber insurance market has recently occurred at warp speed, with more than 60 companies writing in the U.S. alone and with market premiums amounting to approximately $2.5 billion annually. The impressive year-over-year growth is expected to continue into the foreseeable future, with a variety of estimates placing market premium between $7.5 billion and $20 billion by the end of 2020.

This impressive premium growth is because of several factors — perhaps most notably, reporting of the various types of cyber attacks in the news on a regular basis, driving both awareness and fear. Not surprisingly, cyber risk has become a board-level concern in today’s increasingly connected world. Additionally, recent growth of the Internet of Things has given rise to the seemingly infinite number of attack vectors affecting every industry. Individuals and entities of any size, spanning all regions of the world, are potential victims.

The apparent need for new apps and devices that link to one another without focus toward security of those apps or devices gives reason to worry. It also creates an immediate need for a suite of security analytics products that helps insurance companies write cyber insurance more confidently.

State of Data

Actuaries are creative and intelligent problem solvers, but this creativity and intelligence is tested thoroughly when pricing cyber insurance. Actuaries still need the same suite of products used within any other catastrophe-exposed lines of business, but there are many challenges and complications with respect to cyber insurance that make this a particularly difficult task. That is, we still need an underwriting tool, an individual risk-pricing tool and a catastrophe-aggregation model, but certain aspects of these tools vary significantly from what we’ve seen in the past or have grown accustomed to as actuaries.

Data lies at the center of any actuarial project, but data in this space is very limited for a number of reasons. To consider why this is the case, let’s take a step back and consider the wider context. We first want to think about both how to define the cyber peril and what types of attacks are possible.

Risks could lie anywhere between smaller attacks on individuals involving brute-force attempts to steal credentials and conduct identity theft; and state-sponsored attacks on another government entity involving both physical damage and theft of critically sensitive intelligence. We may see malware deployed on a commonly used piece of software or hardware at a massive scale; infrastructures or processes taken down using denial of service; or a breach of a popular database or platform that affects many entities simultaneously.

Many of the attack variants in this hypothetical list have never happened, and some may never happen. Even within those that have happened, information pertaining to the breach — both in terms of the attack specifics used or the actual dollar impact of the attack — is hard to come by.

Several third-party data sources are currently available, but they tend to concentrate primarily on those pieces of data or attack types that are most accessible — particularly data breach and privacy violation claims. This, naturally, is a very small subset of what we need to price for as actuaries.

Unfortunately, there is fairly loose regulation around the reporting of different types of attacks. Even within the data breach family, there exists tremendous lack of standardization across states with respect to reporting. Criteria for whether a report is required may include whether the data is encrypted, how many people were actually affected by the breach and the type of data stolen (PHI, PII, PCI, etc.).

See also: How Actuaries Can Be Faster, More Efficient  

External research can be done on public sources to find the aggregate amount of loss in some cases, but there is little to no incentive for the breached entity to provide more information than is absolutely required. Thus, while we want to price data breach events at a very granular level, it’s often difficult to obtain dollar figures at this level. For instance, a data breach will lead to several costs, both first party and third party. A breached entity, at minimum, will likely have to:

  • Notify affected customers;
  • Offer credit monitoring or identity-theft protection to those affected;
  • Work with credit card companies to issue new credit cards;
  • Foot bills associated with legal liability and regulatory fines; and
  • Endure reputational damage.

It’s impractical to assume that a breached entity would find it attractive to publicize the amount lost to each of these individual buckets.

Worse, other events that either don’t require reporting or have never happened clearly give us even less to work with. In these cases, it’s absolutely critical that we creatively use the best resources available. This approach requires a blend of insurance expertise, industry-specific knowledge and cyber security competence. While regulation will continue to grow and evolve — we may even see standardization across both insurance coverages offered and reporting requirements by state or country — we must assume that in the near future, our data will be imperfect.

Actuarial Challenges

Though many companies have entered the cyber insurance space, very few are backed by comprehensive analytics. Insurers eager to grab market share are placing too much emphasis on the possibility of recent line profitability continuing into the future.

The problem here is obvious: Cyber insurance needs to be priced at a low loss ratio because of catastrophic or aggregation risk. Once the wave of profitability ends, it could do so in dramatic fashion that proves devastating for many market participants. The risk is simply not well understood across the entirety of the market, and big data analytics is not being leveraged enough. In addition to the glaring data and standardization issues already discussed, actuaries face the following eight key challenges:

1. No Geographical Limitation

On the surface, the cyber realm poses threats vastly different from what we’ve seen in other lines of business. Take geography. We are used to thinking about the impact of geography as it pertains to policyholder concentration within a specific region. It’s well understood that, within commercial property insurance, writers should be careful with respect to how much premium they write along the coast of Florida, because a single large hurricane or tropical storm can otherwise have an absolutely devastating effect on a book of business. Within the cyber world, this relationship is a bit more blurry.

We can no longer just look at a map. We may insure an entity whose server in South Africa is linked to an office in Ireland, which, in turn, is linked to an office in San Francisco. As existing threat actors are able to both infiltrate a system and move within that system, the lines drawn on the map have less meaning. Not to say they’re not important — we could have regulatory requirements or data storage requirements that differ by geography in some meaningful way — but “concentration” takes a different meaning, and we need to pay close attention to the networks within a company.

2. Network Risk From an External Perspective

In the cyber insurance line, we need to pay attention to the networks external to an insured company. It’s well documented that Target’s data breach was conducted through an HVAC system. By examining Target’s internal systems alone, no one would have noticed the vulnerability that was exploited.

As underwriters and actuaries, we need to be well aware of the links from one company to another. Which companies does an insured do business with or contract work from? Just as we mentioned above with apps and devices that are linked, the network we are worried about is only as strong as the weakest link. Another example of this is the recent attacks on a Bangladeshi bank. Attackers were able to navigate through the SWIFT system by breaching a weaker-than-average security perimeter and carrying out attacks spanning multiple banks sharing the same financial network.

3. Significance of the Human Element

Another consideration and difference from the way we traditionally price is the addition of the human element. While human error has long been a part of other lines of business, we have rarely considered the impact of an active adversary on insurance prices. The one exception to this would be terrorism insurance, but mitigation of that risk has been largely assisted by TRIA/TRIPRA.

However, whenever we fix a problem simply by imposing limits, we aren’t really solving the larger problem. We are just shifting liability from one group to another; in this case, the liability is being shifted to the government. While we can take a similar approach with cyber insurance, that would mean ultimately shifting the responsibility from the insurers to the reinsurers or just back to the insureds themselves. The value of this, to society, is debatable.

See also: Cyber Insurance: Coming of Age in ’17?  

A predictive model becomes quite complex when you consider the different types of potential attackers, their capabilities and their motivations. It’s a constant game of cat and mouse, where black hat and white hat hackers are racing against each other. The problem here is that insurers and actuaries are typically neither white hat nor black hat hackers and don’t have the necessary cyber expertise to confidently predict loss propensity.

4. Correlation of Attacks

In attempting to model the “randomness” of attacks, it is important to think about how cyber attacks are publicized or reported in the news, about the reactions to those attacks and the implications on future attacks. In other words, we now have the issue of correlation across a number of factors. If Company A is breached by Person B, we have to ask ourselves a few questions. Will Company A be breached by Person C? Will Person B breach another company similar to or different from Company A? Will Person D steal Person B’s algorithm and use it on entirely different entity (after all, we’ve seen similar surge attacks within families such as ransomware)? If you as the reader know the answers to these questions, please email me after reading this paper.

5. Actuarial Paradox

We also have to consider the implications on the security posture of the affected entity itself. Does the attack make the perimeter of the affected company weaker, therefore creating additional vulnerability to future attacks? Or, alternatively, does the affected company enact a very strong counterpunch that makes it less prone to being breached or attacked in the future? If so, this poses an interesting actuarial dilemma.

Specifically, if a company gets breached, and that company has a very strong counterpunch, can we potentially say that a breached company is a better risk going forward? Then, the even-more-direct question, which will surely face resistance, is: Can we charge a lower actuarial premium for companies that have been breached in the past, knowing that their response to past events has actually made them safer risks? This flies directly in the face of everything we’ve done within other lines of business, but it could make intuitive sense depending on incident response efforts put forth by the company in the event of breach or attack.

6. Definition of a Cyber Catastrophe

Even something as simple as the definition of a catastrophe is in play. Within some other lines of insurance business, we’re used to thinking about an aggregate industry dollar threshold that helps determine whether an incident is categorized as a catastrophe. Within cyber, that may not work well. For instance, consider an attack on a single entity that provides a service for many other entities. It’s possible that, in the event of a breach, all of the liability falls on that single affected entity. The global economic impact as it pertains to dollars could be astronomical, but it’s not truly an aggregation event that we need to concern ourselves with from a catastrophe modeling perspective, particularly because policy limits will come into play in this scenario.

We need to focus on those events that affect multiple companies at the same time and, therefore, provide potential aggregation risk across the set of insureds in a given insurance company’s portfolio. This is, ultimately, the most complicated issue we’re trying to solve. Tying together a few of the related challenges: How are the risks in our portfolio connected with each other, now that we can’t purely rely on geography? Having analytical tools available to help diagnose these correlations and the potential impacts of different types of cyber attacks will dramatically help insurers write cyber insurance effectively and confidently, while capturing the human element aspect of the threats posed.

7. Dynamic Technology Evolution

If we can be certain of one thing, it’s that technology will not stop changing. How will modelers keep up with such a dynamic line of business? The specific threats posed change each year, forcing us to ask ourselves whether annual policies even work or how frequently we can update model estimates without annoying insurers. Just as we would write an endorsement in personal auto insurance for a new driver, should we modify premium mid-term to reflect a newly discovered specific risk to an insured? Or should we have shorter policy terms? The dynamic nature of this line forces us to rethink some of the most basic elements that we’ve gotten used to over the years.

8. Silent Coverage

Still, all of the above considerations only help answer the question of what the overall economic impact will be. We also need to consider how insurance terms and conditions, as well as exclusions, apply to inform the total insurable cost by different lines of insurance. Certain types of events are more insurable, some less. We have to consider how waivers of liability will be interpreted judicially, as well as the interplay of multiple lines of business.

It’s safe to assume that insurance policy language written decades ago did not place much emphasis on cyber exposure arising from a given product. In many cases, silent coverage of these types of perils was potentially entirely accidental. Still, insurers are coming to grips with the fact that this is an ever-increasing peril that needs to be specifically addressed and that there exists significant overlap across multiple lines of business. Exclusions or specific policy language can, in some cases, be a bit sloppy, leading to confusion regarding which product a given attack may actually be covered within. This becomes the last, but not least, problem we have to answer.

Conclusion

The emerging trends in cyber insurance raise a number of unique challenges and have forced us to reconsider how we think about underwriting, pricing and aggregation risk. No longer we can pinpoint our insureds on a map and know how an incident will affect the book of business. We need to think about both internal and external connections to an insured entity and about the correlations that exist between event types, threat actors and attack victims. In cases when an entity is attacked, we need to pay particular attention to the response and counterpunch.

As the cyber insurance market continues to grow, we will be better able to determine whether loss dollars tend to fall neatly within an increasing number of standalone cyber offerings or whether insurers will push these cyber coverages into existing lines of business such as general liability, directors and officers, workers’ compensation or other lines.

Actuaries and underwriters will need to overcome the lack of quality historical data by pairing the claims data that does exist with predictive product telemetry data and expert insight spanning insurance, cyber security and industry. Over time, this effort may be assisted as legislation or widely accepted model schema move us toward a world with standardized language and coverage options. Nonetheless, the dynamic nature of the risk with new adversaries, technologies and attack vectors emerging on a regular basis will require monitored approaches.

See also: Another Reason to Consider Cyber Insurance  

In addition, those that create new technology need to realize the importance of security in the rush to get new products to market. White hat hackers will have to work diligently to outpace black hat hackers, while actuaries will use this insight to maintain up-to-date threat actor models with a need for speed unlike any seen before by the traditional insurance market.

Some of these challenges may prove easier than they appear on paper, while some may prove far more complicated. We know actuaries are good problem solvers, but this test will be a serious and very important one that needs to be solved in partnership with individuals from cyber security and insurance industries.

A Proposed Code of Conduct on Wellness

So many wellness industry misdeeds to expose, so little room on the internet.

This posting will start out as one of my typical shock-and-awe postings featuring a wellness vendor raising the bar for dishonesty and employee harms. Uniquely, though, we will close with a surprisingly uplifting slam-bang conclusion that could change the wellness industry forever…but only with your help.

The Bad News

It’s that time of year again, when traditionally the C. Everett Koop Award Committee bestows an award upon a fellow committee member or award sponsor, in recognition of doing the best job of fabricating dramatic savings while making only trivial improvements in employee health. That’s par for the course, and isn’t even news any more.

See also: The Yuuuuge Hidden Costs of Wellness

However, this year, the Koop Award Committee apparently decided that actually improving employee health was too high a bar for a wellness program to clear, so the committee gave the award to a committee colleague, Wellsteps, for a program in which the health status of Boise School District employees deteriorated. We’ve done the arithmetic so you don’t have to. The award application below shows that 5,293 employee biomarkers improved, while 6,397 got worse.

Screen Shot 2016-08-14 at 7.46.59 PM

In addition to the objective failure of the program, consider employee self-reported health. The single most important question to ask to gauge the state of someone’s health is: “How is your health?” Wellsteps buried the answer to that question at the end of a long list, but squint hard enough and you can see that Boise employee self-reported health status declined, by a small but statistically significant (p=0.0007) amount:

Screen Shot 2016-08-14 at 7.48.39 PM

There are many other problems with this program, too. Wellsteps is shaming even the lightest drinkers, attributing massive savings to improved health despite the deterioration in health, suppressing data showing increased health spending and flouting clinical guidelines. All that is covered in this Linkedin Pulse.

In all fairness, here is the response from Wellsteps’ Troy Adams (best known in the wellness industry for posting that ”It’s fun to get fat, and it’s fun to be lazy”) to my initial observations that Wellsteps is harming employees and fabricating savings. Surprisingly, I agree with both points:

  1. Yes, the Wellsteps data is “rock solid;” and,
  2. Yes, having just walked into from 92-degree heat, I am at least temporarily full of “hot air.”

The Good News

Fabricating savings is part of the Koop Award DNA, but bestowing an award on a vendor that actually harmed employees crosses a bright red line. Rather than complaining about it (or more accurately, in addition to complaining about it), I thought it might be time to take steps to prevent this type of performance from being considered acceptable, let alone prizeworthy.

So I convened a group, including WELCOA‘s respected and forward-thinking new CEO, Ryan Piccarella, and leading wellness gurus Jon Robison and Rosie Ward of Salveo Partners. Together, we crafted a very simple and minimalist Code of Conduct. (I don’t want to take more than my share of the credit. This was a joint effort. I just happened to be the one who initiated the email chain.) In full, it appears below. It is definitely “minimalist,” a Code of the first-do-no-harm variety. And yet, as low a threshold as it is, many vendors – including Wellsteps and many previous Koop Award winners – would not be able to meet it.

What we would ask of ITL’s readership is:

  1. Circulate this posting/the Code widely;
  2. As brokers or customers, insist that your vendor(s) follow the Code of Conduct…and add it as an actual contractual term;
  3. As brokers or vendors, announce that you will be following the Code. (While this blog is my own effort, I am also affiliated with Quizzify. Quizzify will be announcing this week that it intends to make this Code of Conduct a contractual term, meaning that failing to adhere to it would constitute a breach of our obligations under the contract.)

The Employee Health Program Code of Conduct

Our organization resolves that its program should do no harm to employee health, corporate integrity or employee/employer finances. Instead, we will endeavor to support employee well-being for our customers, their employees and all program constituents.

Employee Benefits and Harm Avoidance

Our organization will recommend doing programs with/for employees rather than to them, and will focus on promoting well-being and avoiding bad health outcomes. Our choices and frequencies of screenings are consistent with U.S. Preventive Services Task Force (USPSTF) and CDC guidelines and Choosing Wisely.

See also: Wellness Promoters Agree: It Doesn’t Work  

Our relevant staff will understand USPSTF guidelines, employee harm avoidance, wellness-sensitive medical event measurement and outcomes analysis.

Employees will not be singled out, fined or embarrassed for their health status.

Respect for Corporate Integrity and Employee Privacy

We will not share employee-identifiable data with employers and will ensure that all protected health information (PHI) adheres to HIPAA regulations and any other applicable laws.

Commitment to Valid Outcomes Measurement

Our contractual language and outcomes reporting will be transparent and plausible. All research limitations (e.g., “participants vs. non-participants” or the “natural flow of risk” or ignoring dropouts) and methodology will be fully disclosed, sourced and readily available.

More Issues With Healthcare Privacy

Think your healthcare organization or health plan has healthcare privacy covered? Think again.

A series of supplemental guidance issued by the Department of Health and Human Services Office of Civil Rights (OCR) in recent weeks is giving healthcare providers, health plans, healthcare clearinghouses (covered entities) and their business associates even more to do. They must review and update their policies, practices and training for handling protected health information. This is beyond bringing their policies and practices into line with OCR’s restatement and update to the Omnibus Final Rule that OCR published Jan. 25, 2013.

Covered entities generally had to be in compliance by Sept. 23, 2013, but many covered entities and business associates have yet to complete the policy, process and training updates required to comply with the modifications implemented in the Omnibus Final Rule.

Even if a covered entity or business associate completed the updates, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance concerning its interpretation and enforcement of HIPAA against covered entities and business associates published by OCR since Jan. 1, 2014 alone:

·         HIPAA Privacy Rule and Sharing Information Related to Mental Health

·         Spanish Language Model Notices of Privacy Practices

·         CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports

·         Proposed Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS)

Beyond this 2014 guidance, covered entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule, such as:

·         HIPAA Privacy Rule: Disclosures for Emergency Preparedness – A Decision Tool

·         The HIPAA Privacy Rule and Refill Reminders and Other Communications About a Drug or Biologic Currently Being Prescribed for the Individual

·         Health Information of Deceased Individuals

·         Student Immunizations

·         Model Notices of Privacy Practices (English)

With OCR stepping up both audits and enforcement and penalties for violations, covered entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, covered entities and business associates should not only carefully watch for and react promptly to new OCR guidance and enforcement actions but should document their commitment and continuing compliance and risk-management activities, while taking well-documented, reasonable steps to encourage business associates to do the same. This documentation could help demonstrate that an organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation.   

When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws, such as: the privacy and data security requirements that often apply to personal financial information; trade secrets or other sensitive data; and judicial precedent.

Restated HIPAA Regulations Require Health Plans To Tighten Privacy Policies And Practices

Health plans, their insurers, employer and other sponsors, and business associates have work to do. Health care providers, health plans, health care clearinghouses and their business associates will need to review and update their policies and practices for handling and disclosing personally identifiable health care information (“PHI”) in response to the omnibus restatement of the Department of Health & Human Services (“HHS”) Office of Civil Rights (“OCR”) of its regulations (the ” 2013 Regulations”) implementing the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Rulemaking announced January 17, 2013 may be viewed here.

Since 2003, HIPAA generally has required that health care providers, health plans, health care clearinghouses and their business associates (“Covered Entities”) restrict and safeguard individually identifiable health care information (“PHI”) of individuals and afford other protections to individuals that are the subject of that information. The 2013 Regulations published today complete the implementation of changes to HIPAA that Congress enacted when it passed the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 as well as make other changes to the prior regulations that the Office of Civil Rights found desirable based on its experience administering and enforcing the law over the past decade.

Since passage of the HITECH Act, Office of Civil Rights officials have warned Covered Entities to expect an omnibus restatement of its original regulations. While the Office of Civil Rights had issued certain regulations implementing some of the HITECH Act changes, it waited to publish certain regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to its HIPAA Rules. The 2013 Regulations published today fulfill that promise by restating the Office of Civil Rights' HIPAA Regulations to reflect the HITECH Act Amendments and other changes and clarifications to OCR's interpretation and enforcement of HIPAA.

Highlights Of Changes
Among other things, the 2013 Regulations:

  • revise the Office of Civil Rights' HIPAA regulations to reflect the HITECH Act's amendment of HIPAA to add the contractors and subcontractors of health plans, health care providers and health care clearinghouses that qualify as business associates to the parties directly responsible for complying with and subject to HIPAA's civil and criminal penalties for violating HIPAA's Privacy, Security, and Breach Notification rules;
  • update previous interim regulations implementing HITECH Act breach notification rules that require Covered Entities including business associates to give specific notifications to individuals whose personally identifiable health care information is breached, the Department of Health & Human Services and in some cases, the media when a breach of unsecured information happens;
  • update interim enforcement guidance the Office of Civil Rights previously published to implement increased penalties and other changes to HIPAA's civil and criminal sanctions enacted by the HITECH Act
  • implement HITECH Act amendments to HIPAA that tighten the conditions under which Covered Entities are allowed to use or disclose personally identifiable health care information for marketing and fundraising purposes and prohibit Covered Entities from selling an individual's health information without getting the individual's authorization in the manner required by the 2013 Regulations;
  • update the Office of Civil Rights' rules about the individual rights that HIPAA requires that Covered Entities afford to individuals who are the subject of personally identifiable health care information used or possessed by a Covered Entity to reflect tightened requirements enacted by the HITECH Act that allow individuals to order their health care provider not to share information about their treatment with health plans when the individual pays cash for the care and to clarify that individuals can require Covered Entities to provide electronic personally identifiable health care information in electronic form;
  • revise the regulations to reflect amendments to HIPAA made as part of the Genetic Information Nondiscrimination Act of 2008 (GINA) which added genetic information to the definition of personally identifiable health care information protected under the HIPAA Privacy Rule and prohibits health plans from using or disclosing genetic information for underwriting purposes; and
  • clarifies and revises other provisions to reflect other interpretations and information guidance that the Office of Civil Rights has issued since HIPAA was passed and to make certain other changes that the Office of Civil Rights found appropriate based on its experience administering and enforcing the rules.

Covered Entities And Business Associates Must Act To Review And Update Policies And Practices
The restated rules in the 2013 Regulations make it imperative that Covered Entities review the revised rules carefully and updated their policies, practices, business associate agreements, training and documentation to comply with the updated requirements and other enforcement and liability risks. The Office of Civil Rights, even prior to the regulations, has aggressively investigated and enforced the HIPAA requirements.

The commitment of the Office of Civil Rights to enforcement most recently was demonstrated by its recent settlement with Hospice of North Idaho (HONI). On January 2, 2013, the Office of Civil Rights announced that the Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing electronic personally identifiable health care information. The Hospice of North Idaho settlement is the first settlement involving a breach of electronic personally identifiable health care information affecting fewer than 500 individuals.

While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. Rather, the Office of Civil Rights continues to roll out a growing list of enforcement actions demonstrating that the potential risks of HIPAA violations are significant and growing. See also:

Coupled with statements by the Office of Civil Rights about its intolerance, the Hospice of North Idaho and other settlements provide a strong warning to covered entities of the need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

In response to the 2013 Regulations and these expanding exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Office of Civil Rights' investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, and other developments to decide if additional steps are necessary or advisable.