AHLA's Speaking of Health Law

Ransomware: Understanding the Legal Ramifications for Hospitals and Health Systems

April 05, 2022 AHLA Podcasts

George Jackson, Director of Health IT and Digital Health, Clearwater, speaks with Nathan Kottkamp, Partner, Williams Mullen, about the legal ramifications that health systems need to be prepared for when planning for the potential of ransomware attacks. They discuss the importance of cybersecurity insurance, legal liabilities for third parties that are involved with a health system experiencing a breach, legal issues surrounding ransomware payments, and the three components of incident response. Nathan recently wrote and spoke about this topic for AHLA’s Top Ten 2022 article and podcast series. Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Our solutions include our proprietary software-as-a-service-based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support from our deep team of information security experts. For more information, visit clearwatercompliance.com.

Speaker 2:

Hi, this is George Jackson, and I'm with Clearwater. I am a director of Clearwater's consulting services, particularly in the health IT and digital health space. So I'm looking forward to this afternoon's discussion with Nathan Kottkamp with Williams Mullen, who happens to be an expert in the legal aspects of cybersecurity and has passed along some really interesting information about ransomware and the legal ramifications within that space. So, Nathan, would you like to introduce yourself?

Speaker 3:

Sure. George, thanks so much. I'm Nathan Kottkamp. I am based in Richmond, Virginia; I'm a partner in the healthcare group here at Williams Mullen. And, as George indicated, I do a variety of cybersecurity things. I spend a lot of my time dealing with healthcare, so HIPAA is a big part of my practice. And, as we'll see, there's definitely overlap between ransomware and HIPAA and some other laws as well. So I look forward to getting into it. Although it's a grim topic, it's an important one.

Speaker 2:

That's very true. It is a grim topic, but it's a very important one. And one of the things I have to say is that, you know, I've been in the cybersecurity field for over 30 years, recently acquired a PhD in information assurance and cybersecurity, and worked for a long time with many clients. But one of the things, and I don't want to give you a plug, but one of the things I have to say is, working in this field as long as I have, having legal counsel is not just essential, it's mandatory. So it's great to have you talk about these topics. And one of the things I wanted to share is that one of my best friends has been an attorney for over 40 years. And, you know, over that time he's told me many stories. Now, of course, because of attorney-client privilege, he's never used any client's name in 40 years. He's never given me enough information to even know what the client was. But one of the things he's basically recounted is that quite often clients call him when their building is on fire and he is the fireman. And what I wanted to ask you about are your experiences where you have clients that may have a misconception about what the legal ramifications or the legal aspects might be of encountering a ransomware attack, whether that attack leads to a breach or not. Are there any stories you can think of that are maybe typical misconceptions people have about the real legal impact they may be facing once they're experiencing one?

Speaker 3:

Well, your comment about the fire is very real. I would say that of all the major breaches that I've ever handled with clients, I'm not recalling a single one that had a solid breach response plan in place. So think of it like this: you're trying to build the fire engine to go to the fire as you're driving to the fire. That's a really lousy way to build a breach response strategy, because at that point you're just in triage mitigation mode. You're not really deploying anything. And so it is really important to have lawyers in place. One of the things that oftentimes gets overlooked in these matters is issues of privilege. So very often you're gonna have consulting firms who you're gonna want to engage to try and do some of the forensic work on how and why did we get where we are, is the cyber criminal still in our system, has data been moved out? And one of the things that instinctively happens, and it's totally appropriate instinctively, is the business goes out and they hire the third party. The problem with doing that is that's not going to enjoy any potential for privilege. It's unclear whether it would be privileged in the first place, but if you engage that third-party expert through your counsel, you at least have the capacity to make an argument that what is found, and where that investigation leads, enjoys the protection of privilege. So that's just one area where I think we sometimes see clients go two or three steps down the road and then call counsel, and really they should call counsel first. And it's not because we're cyber experts. I don't claim to be a cyber expert. I have expertise as it relates to dealing with these matters and sort of knowing which levers need to get pulled when the emergency happens. But I think that's part of it too, is that there's a sense that, well, what does my lawyer really know about a cyber attack? Well, the answer is you don't have to know about the cyber piece to know about the cyber attack. And so that's where the lawyers come in.

Speaker 2:

Okay. Excellent. And you've got some interesting things to say about incident response, and I'm gonna ask you about those a little bit later on, but I still wanted to dig more into this. And yes, the privilege is one thing; going too far down the road, or going very far down the road before you contact counsel, is another aspect of where a client may have a misconception about where you can really be a benefit, where you can come in and help them with that fire. Is there anything else that you can think of, or key areas to talk about, that maybe misconceptions clients have or things that clients could do better in managing the ransomware process?

Speaker 3:

Absolutely. One of the things that I strongly encourage, the use of counsel in these matters, is long before any incident happens. You want to use counsel to look at your cyber insurance policy. Everybody should have a cyber insurance policy. Where things get really tricky is that in the world of insurance, cyber insurance is one of the newest products that's out there. And because it's one of the newest products out there, there isn't the level of consistency that you might find in other forms of insurance that have been around for so long. So you can have plans that, for example, pay for the ransom payout. You may have those that don't. You may have plans that allow you to use your own attorney. You may have a plan that is happy to cover your attorney's fees, but you have to use an attorney from their specific panel. So those are just some examples of all of the things that can go into a cyber policy. I mean, it's probably not exactly bespoke, but you do need to be thinking about these things, because the last thing you want is to be in the midst of an incident, thinking that you're gonna be working with your own attorney, start running an expensive tab, only to find that you're gonna have to switch attorneys mid-breach, or the portions of the incident that you thought were gonna be compensated are not. So counsel is really helpful for those sorts of things, because we've seen it. We know what it looks like at the end, and we can help you get insured for it at the outset. And so that's where I think lawyers really are quite valuable for clients in these sorts of things. And then just general business planning. A lot of times, lawyers who have been through these situations, folks like me, just talking to the C-suite and explaining what it's been like to help a client through these things sometimes allows them to be in a better position to line up their team. Who are we going to engage? One of the things that has been an integral part of every breach that I've ever dealt with is the media relations team. You know, you don't initially think about that when you think of a cybersecurity thing, but this is gonna have an absolutely detrimental effect. And in the world of social media, the moment a system goes down, you can probably count the number of seconds before it's gonna be out there on Twitter. It just moves that fast. And so managing the message, managing your image, that stuff is absolutely invaluable. So I share that with my clients from the outset, because, you know, they ought to have a short list of their team for when things go wrong in media. Public relations absolutely ought to be on that list.

Speaker 2:

Okay. That's a great insight, you know, and I'm glad that you brought up cybersecurity insurance, because that's one of the things that I also wanted to get some more ideas and some of your insight about. And I'll make a confession. It's like I've been around for a while, and as you mentioned, this is a fairly new field of insurance. Once they started talking about the concept of cybersecurity insurance, I'm thinking personally, who in their right mind would be crazy enough to insure against cybersecurity attacks, because it's not a matter of if, it's only a matter of when. But of course you have very, very smart people, very, very smart financial people, actuaries that run the numbers, and they figured out a way to make it profitable. And of course, insurance companies are in business to make money. So what are some more of the nuances? And, you know, the easiest way for me to talk about it is with homeowners insurance. You know, friends, families, you hear all types of good stories, and you alluded to it: things that you believe you're covered for, but then when you talk to the insurance company, they find some nuance that either lets them get out of paying or lets them pay less of a benefit because of something that you did or did not do. Can you give some examples of times where a company shot themselves in the foot, as far as getting their cyber insurance to really respond in the way they were hoping to have that response?

Speaker 3:

Yeah, I can answer that a little bit. It's not something I live in day to day, but I can certainly think about some places where clients could get tripped up. And probably the one that comes most to mind has to do with patches. So the companies, or the software developers, are constantly putting out patches where they discover various bugs. And that's been one of the ways that cyber attacks of all sorts, not the least of which is ransomware, have taken advantage of those. Somebody figures out a flaw, and before the patch can make its way around the globe, the cyber attackers, who move quicker than the defenders, will go in and compromise the system. You'd wanna be thinking through the language of your policy as to whether or not it's so narrow that you're on the hook if there's a patch that hasn't been implemented yet, or you've got a patch and it's partially deployed. Like, what happens in that kind of situation? Because a lot of times there are things that you can do to be up to date today that don't prevent a compromise tomorrow. And so that's where, again, I think lawyers come in handy, because one of the things that we do based on our fundamental skillset is we try and think of all the worst possible scenarios that could go wrong. And that's not exactly what business people do. It's not exactly what cyber folks do. So that's a special skillset, to think through the parade of horribles, and Lord knows they are horribles.
So I think that's one, is sort of just staying on top of that. And, you know, a related thing, and this isn't exactly on the topic of insurance, but it relates to contracting generally on this point: one of the things I oftentimes point out is that there is a difference, a very big difference, within the world of HIPAA between a breach with a capital B, the defined term under HIPAA, and a lowercase b, which is a breach of the agreement between the parties, the business associate agreement. And depending on where you are in the negotiation, if you're the covered entity versus the business associate, it can make a big deal in terms of indemnification if you don't obtain indemnification and reimbursement for breach notification, if your term is based on the small-b breach of the business associate agreement. Let me try and translate that into nonlegal speak. It is possible, in fact it's very possible, to have a breach of unsecured PHI, the big-B breach under HIPAA, and for the entity, the business associate, for example, to have done nothing wrong at all. Their cybersecurity could be literally up to date; they just completed their risk assessment the week before, training was done that afternoon, and tomorrow the cyber criminals developed the next-generation way of breaking into their system. And it wasn't foreseeable to anybody. There is no breach of the contract there. So if the covered entity wasn't wise enough to have the indemnity cover sort of the event regardless of the fault, then it might be on the hook. And so that's one where I think it's important to be careful in recognizing that there are events that happen that do cause massive, massive cost implications, but for which there may actually not be a fault. But you ought to be thinking about who gets to be on the hook for those costs at the outset.

Speaker 2:

That is very interesting. And in fact, I was gonna ask you this question a little bit later on, but now that we're at this point, what about the legal impact to an individual, either a member of a corporation or an entity, a board member, possibly even an investor? Are there ways that liability can reach through to other parties that are involved with a company that's experienced a big-B breach or a small-b breach?

Speaker 3:

Well, I think there's a lot of ways in which this could play out. I could certainly see some sort of action against a board of directors if it was being stingy on its capital outlay for cybersecurity experts internally, for new hardware, new software. One of the challenges, sort of just a perennial challenge, is a lot of times board members and C-suite folks don't see a breach happening because the cybersecurity team is doing what they're supposed to do. And so therefore there's this notion like, well, since we haven't been breached, it's not that big of a deal. So no, they don't get the extra hundred thousand dollars in, you know, capital that they're asking for. And they really put the squeeze on the cyber team. And so, you know, I guess you could see liability there if they don't approve sufficient funding to at least hit what you would consider to be a market standard for cybersecurity in today's market. So that's probably the most likely scenario where you could see litigation.

Speaker 2:

Okay. Fair enough. And I understand that venture capital firms are paying more attention to their portfolios, really improving their cybersecurity posture. And I was told that part of the impetus behind that related interest is that even venture capital firms and investors might have some liability if there's a breach, or if there's substantial negligence on the part of the companies they've invested in. Any truth to that?

Speaker 3:

No, it's definitely a consideration. There's sort of two elements of it that are significant. One is, if you're acquiring an entity and in your diligence process you do not uncover a fatal flaw by the time the deal is done, there may be nothing to collect from the previous owners. I mean, if you know it beforehand, you can adjust the sales price, you can put things in escrow, do all sorts of things, but once the deal is done and then you discover that there was a flaw, there's nothing you can do about it. The other aspect of this too is that as consolidations occur with greater and greater frequency, particularly with private equity and things like that, there's also the element of understanding how a new acquisition's data systems are going to integrate with other data systems. So every time you add a new link, you are adding additional risk: not only the weakest-link issue, but every time you create a link, you've got more links that could potentially be compromised. So it's, you know, sort of a cascade effect of not only do you have the inherent risks of the entity that's being acquired, but then you have the incremental risk of bolting that on, and sometimes not using the prettiest bolts. You know, it could be a sloppy sort of bolt-on, and that just increases the risk for everybody and everything.

Speaker 2:

Yeah, that's very clear. Now, let me swing back to the idea of ransomware itself. And, you know, anybody that's watched a police procedural drama understands the concept of not paying the ransom. And in fact, we have many real-life situations that you could hear about in the news about not paying the ransom. And we know the position of the FBI. One of the things that I want to ask you about are your thoughts on whether companies should or should not pay a ransom. But in addition to that, I've been reading that countries are talking about outlawing the payment of ransoms, and there's some discussion about whether or not that would happen within the United States. So I wanted you to give me your thoughts on, A, is it even possible from a legal framework that you could limit an individual's right to pay a ransom, whether on a state or federal level, and B, if it is possible, is it something that we should really be doing?

Speaker 3:

It's a great question. And I think it's a significant public policy question. It's probably an economist's question too. I mean, to go back to one of your things, first of all, so I can deflect on my own, which is, I don't want to give an answer in terms of whether I recommend or not. I think it probably is gonna be situation-specific. I will also say that there are laws that are being proposed at the state level, and some federal laws, that would affect what might happen if you do pay a ransom. The ones that exist at the moment have to do with entities that are enemies of the state, if you will. So the Department of the Treasury's Office of Foreign Assets Control maintains a list of, like, terrorist organizations. So if you make a payment to an entity that's on the list, you can be prosecuted for supporting terrorism. So there's this sort of back way of having the matter become substantially worse. But in terms of having prohibitions on paying the ransom, I really struggle with how effective that is gonna be. I fear that the practical implication of that is sort of to double-punish the victim. If you are the victim of an attack, you just want your system back. And, you know, the risks are bad enough as they are just with paying. And then to think that you might pay, you might pay and not get your data back, and get punished based on some new law that's told you you shouldn't have tried in the first place. That's a pretty lousy deal. So I don't know. This is why I'm not a policy guy. Better to be the lawyer who gets to implement the policy.

Speaker 2:

Yeah, that's fair. That's absolutely fair. And yeah, you bring up the idea that you could be in a position where you pay the ransom and you still don't get your data back. You may receive another demand to pay even more in ransom.

Speaker 3:

Prior to jumping on this discussion, I did a little bit of digging and found a report that was in Forbes, that it published on its website from a 2021 report, with some really interesting figures. Roughly a third of entities that had been victims of a ransomware attack paid the ransom. Of those who paid the ransom, a mere 8% got all of their data back. So 92% didn't have a full recovery, and only a third of those that paid got more than half of their data back. So in some sense, knowing that is also sort of a practical matter for anybody that's paying attention: you might as well just assume it's gone. And if you go forward with the assumption that it's gonna be gone, I think that changes your behavior in terms of the architecture of your system and the way that you handle backups and emergency plans and segregation of data. Because if you approach it with the notion of, yes, this is gonna be a hassle, it's gonna be expensive, but if we just pay these guys we'll get our data back, I think you're fooling yourself.

Speaker 2:

Thank you for that, really. And so the other thing I'd like to ask you about is that you lay out three components of incident response, and I love the way that you set it up. So I wanted to ask you if you could kind of go through, you know, the three steps, the three components that you talk about.

Speaker 3:

Sure. I break them down as: one is preventive, two is operational, and three is strategic. So the preventive piece is a lot of the people part of this. And a lot of the time, when we think about cyber incidents, we're thinking about the technology. We're thinking about getting hacked, breaking through firewalls and things like that. The reality is that the vast majority of cyber incidents occur because of some human error, human activity, laziness, distractedness, gullibility, I mean, you name it. Human fallibility is available in unlimited quantities, and cyber criminals take advantage of that. So common-sense training that is practical, that is at the level that people will understand and appreciate, is way more effective than the once-a-year video cast that you have to sit through at onboarding and, you know, is essentially meaningless. Cybersecurity is something that should be pervasive in the organization. It should be a point of pride for the organization, and it should be brought up on a regular basis because it is a regular thing. It's sort of almost invisible, but it's always there. And the organization ought to be taking those sorts of preventive measures. On the operational side, this is more the architecture stuff. This is having a solid system, having good data backup, having good experts, either in-house or to call, having a plan, having a plan to review the plan if something changes, not just sort of setting it and forgetting it. And the other thing on the set-it-and-forget-it: technology is ever changing. So yesterday's security is today. And so that's something that just needs to be a part of ongoing operations. And it also, as I indicated before, it's where the board, it's where the governing body needs to step up and say, we can't function without our data. We're gonna need to spend on our data security. Yes, it's a cost center for the business, but it costs a whole lot more to be out of business.
So that's just something that on the operational side is absolutely vital. And then there's the strategic plan. This is the concept of having a data incident response plan. And you didn't call it breach; we don't like to use the word breach until we've gotten further down and there's legal analysis, and it's a specialized word, but you have an incident response plan. And there may be organizations that say, yeah, we're ready. Like, if the incident is relatively minor and they're asking for no more than a hundred thousand dollars, fine, we have that in our piggy bank. We'll just pay it and hope to be done. Others may take a position: we don't care what the amount is, we're never gonna pay. We want that to be our message. And so let's be strategic about it. Let's be ready to go and say, we don't tolerate hacking. We were prepared for this. We apologize for the inconvenience, but our backup systems are great. We expect to be back up and running in 48 hours with data as of Sunday; sorry about Monday, Tuesday, and Wednesday, but that's where we are. And we're not gonna give in to the criminals. That's way easier to do if you think about it now, before the disaster later. Trying to figure that out in the moment, it can be done, but it's much harder. So that's why I break these core pillars down to the preventive, operational, and strategic.

Speaker 2:

Okay. Terrific. Nathan, I think that's a really great, positive way to end our discussion. I could talk to you for another hour, and we haven't covered some of the grim topics that are out there that could be covered. Before we wrap up, is there anything else that you'd like to say?

Speaker 3:

For healthcare providers, I do wanna just point out something that is not necessarily intuitive, but it's important as you're dealing with these ransomware situations. And that is that OCR, the Office for Civil Rights, has issued guidance that they have determined, at least their current position is, that if you suffer a ransomware attack, it needs to be treated as a breach for the purposes of running through the breach analysis under HIPAA, which contains a presumption that a breach has occurred. It is a very hard presumption to overcome; it's possible. But I think the mindset of a lot of folks out there is that if you have, let's just call it the clean and classic ransomware: your system gets hacked, they lock up your data, you pay the ransom, they unlock it, and there's no indication that any data has gone out at all. So no true data compromise in the traditional sense. A lot of people might say, well, that's not a breach. I think the OCR would differ. And so that's a place that you really need to be careful about HIPAA obligations as they relate to these incidents. So just a little extra reminder for any of the listeners that are healthcare entities to remember that HIPAA absolutely comes into play, and it's not the easiest thing to negotiate.

Speaker 2:

Okay. Thank you for the words of wisdom. All right. Well, thank you so much, and I really, really appreciate it.

Speaker 3:

Thanks. It's been a pleasure.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.