AHLA's Speaking of Health Law

Legal Liabilities of Enterprise Cyber Risk Management: An Update

November 01, 2022 AHLA Podcasts

In this follow up to their November 2021 podcast, Bob Chaput, Founder and Executive Chairman, Clearwater, speaks with Iliana Peters, Shareholder, Polsinelli, about the latest trends in enterprise cyber risk management and the legal liabilities that health care executives and legal counsel must consider. Bob and Iliana authored an article for the February 2021 issue of Health Law Connections magazine entitled, “The Legal Liabilities of Enterprise Cyber Risk Management.” Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Their solutions include their proprietary software-as-a-service-based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support from their deep team of information security experts. For more information, visit clearwatercompliance.com.

Speaker 2:

Well, good afternoon, Iliana. It's great to be speaking with you again.

Speaker 3:

Thanks so much. It's great to talk to you again as well.

Speaker 2:

Well, listen, I know that many people know who you are and the work that you've done, but for those that don't, would you mind sharing a little about your background and the current work you're doing?

Speaker 3:

Sure. Thanks for that. I'd be happy to. So, as you say, most people remember when I was with HHS in the Office for Civil Rights. I was there for quite a long time. I loved my time as a career service employee, and I worked primarily with HIPAA, but also did other related jurisdictional issues like patient safety and genetic information non-discrimination. But the majority of the work that I did at HHS in the Office for Civil Rights while I was there was related to the HIPAA program, both as the writer of rulemaking, regulations, guidance documents, all of those great policy-related efforts, as well as enforcing the rules in my role as a senior advisor for that function for many years. And then when I left, I was acting deputy, so I had to deal with all of the issues related to HIPAA and other jurisdictions in the Office for Civil Rights related to data privacy and security. Now I'm in private practice at Polsinelli, which is an Am Law 50 law firm, and it's been lots of fun. As you know, Bob, from your work with a lot of clients too, it's fun to be able to really dig into practical issues with clients related to data privacy and security, and help them get a better understanding of legal requirements, of industry best practices, of all of the important work that we do to help our clients do a better job at data security. So that's what I do now. It's great fun, and I'm happy to talk more about it.

Speaker 2:

Terrific. Well, as I mentioned, it's great to work together again. We sort of worked together before, although we were in different organizations. Quickly, my background includes working in compliance, privacy, security and risk management as an educator, an executive and an entrepreneur. I had the good fortune to work with a number of great teams serving great companies over a career spanning 40 years. After founding Clearwater in 2009 and serving as CEO, I moved to the board as executive chairman in 2018. And even though I'm semi-retired, I continue my work in cybersecurity, risk management and compliance through Clearwater and Quinnipiac University, and, as you might have inferred, but just to put a fine point on it, my focus is on risk management, board governance and oversight. So with that, let me dive in. Some of our listeners may know that we've worked together on this subject matter before; we co-authored an article entitled The Legal Liabilities of Enterprise Cyber Risk Management, and we published it last year. Today what I'd love to do is revisit some of what we discussed, notably some of the trends and emerging themes, and hear your updated perspective on those changes, Iliana. It's a bit crazy. It's very, very hard to keep up, even for those of us who are involved on a day-to-day basis. We just continue to see bad news involving high-profile tech companies with deep pockets, and when you think about that, one has to be very wary or concerned about the state of preparedness in healthcare. We'll get into a little bit of that as we dive in. So we're in an evolution, from an enterprise cyber risk management point of view, where I would say around the time I started Clearwater it was a compliance issue, because some teeth were put into HIPAA; then it became a security issue; then it evolved to a patient safety issue.
And I think now we're living in the era of medical professional liability, and ultimately, likely, some personal liability. So that's what I've seen, and as I characterize it in that way, Iliana, what are your thoughts? Are you seeing the trend continue that we wrote about a year ago?

Speaker 3:

Right. Absolutely. I think that the answer is, as you say, unfortunately, yes. We've just seen an explosion in the last few years of litigation of all types related to data privacy and security incidents and breaches, and frankly unrelated. So we have a very active plaintiffs' bar in this area, and they have taken a very broad approach to the types of lawsuits that they're filing, in some cases, in my opinion, even in unfounded situations. So, as you say, Bob, this can involve different companies of all different types from the healthcare sector, education sector, technology sector, retail, all different types of entities. You and I often concentrate most of our work in the healthcare sector, but it's really been all over in terms of just the sheer number of cases that we're seeing plaintiffs' attorneys bring related to data security issues of all different types: anything from interactions with social media companies, different tools like chat functionality, as well as, as you say, what we concentrated on in our article, and that is known incidents or data breaches that may have involved leadership at particular entities or institutions.

Speaker 2:

Well, it's interesting, you refer to different industry sectors, and as we know, many of those companies, especially the technology companies, are very much part of the healthcare supply chain. So there is, if not a direct, an indirect impact on healthcare. So one of the things that came out maybe a month or two ago was the annual IBM and Ponemon Cost of a Data Breach Report, this time labeled 2022, and again, it doesn't look good for healthcare. The average total cost of a breach increased 9.4%, from $9.2 million to $10.1 million. The report went on to say that healthcare organizations have a longer breach lifecycle than any other industry, requiring 11 months to identify and contain a breach. And when we wrote our article and in our last discussion, we commented on how the healthcare industry continues to be a prime target for cyber incidents and how the number of attacks, their frequency and their scope have increased. And I think we may have <laugh> covered this already, but I'll ask it anyway. So what's new, threat-wise, attack-wise? Are exposures increasing, declining? What are you seeing?

Speaker 3:

Right. Again, great question. The attacks for a while had decreased a little bit, and at the beginning of the year there was a bit of a lull, which may or may not have been related to activity in Ukraine and Russia. But since then we have seen a pickup and are back to more incidents than we even had last year. So again, I think that lull was very short-lived, unfortunately, and we are back to just as much if not more activity in terms of threats to organizations than we had last year, the year before, and the year before that. What we're seeing primarily is an evolution in different types of ransomware or other fraudulent-transaction-related incidents that entities experience. So the types of business email compromises that may involve fraudulent wire transfers, that result in access to one individual's email box or multiple individuals' email boxes, as well as, as I mentioned, ransomware attacks that have evolved. So the threat actors are becoming much more creative in how they're perpetrating these attacks, in terms of how they interact with the entities in many different ways. They're taking data with them. They're using data for ransom, in terms of not just locking data up by encrypting it, but also threatening to publish data on the dark web or on public websites. They're interacting through email correspondence where they're impersonating banks during an attack to try and continue to perpetrate the fraud. It's really become very complicated in terms of how the threat actors are deploying these different types of attacks on entities. And unfortunately that means, for many different reasons, that the entities really need help. They need good internal folks who understand what these threats look like and can respond appropriately.
They need help in terms of legal advice and consultation on all of the legal ramifications, given all of the requirements at the state and federal level involving these types of incidents. And they need good forensics help, in terms of vendors that can help them either interact with threat actors, because unfortunately that is ongoing in many of these types of attacks, and/or really determine the scope of the attack itself and how to get back on their feet and determine how to move forward in a secure way. So, Bob, to your earlier point that we were just talking about, the cost associated with these incidents is just enormous and growing because of all of the issues involved with any particular type of attack and with the continuing sophistication of these threat actors.

Speaker 2:

Well, picking up on that, the Ponemon study represents financial exposure and liability and, to your point, significant costs that organizations incur. We've seen a number of them in healthcare as well as in lots of other organizations. Last week on Friday, when there was an announcement that Uber had been breached, there was a stock drop that represented over $2 billion in shareholder value that disappeared. We'll come back to that kind of theme in a moment, but where I wanted to go was, when you think about things like the Ponemon study and the cost of a data breach, it's really about the compromise of confidentiality. And we know, and it's a little bit of a simplification, but at the end of the day, privacy and security are about confidentiality, integrity and availability. So <laugh> I had a colleague who said one time, "Well, no one is going to die from a compromise of protected health information." I don't know about that, but I do know that if there's a compromise of integrity or a compromise of availability, we're now going into the realm of more significant risk from the point of view of medical professional liability, and even directors' and officers' personal liability. What are your thoughts about this move away from, let me say, I'm going to call it a recommended move away from a focus on breaches and compromise of confidentiality to one that's more concerned about integrity and availability?

Speaker 3:

Right. I think that's a great question. I agree with you that I think the question moving forward is, what does an attack like this mean for our organization in the moment and afterwards? So I think unfortunately we are dealing with the types of attacks that, to your point, involve availability of data in a way that someone could in fact die. And in fact, studies have been done and have indicated that the increased risk to, for example, cardiac patients as a result of cyber attacks is significant. In other words, the time it takes healthcare providers to respond to someone who's having a cardiac issue increases such that their care is compromised if that healthcare provider's organization is undergoing a cyber attack. So these are very real availability issues, as you say, that have very real patient safety implications, which as a result can absolutely impact what the medical malpractice situation might look like after a bad outcome. Certainly to the extent that information is not available at all, and those healthcare providers don't have access to the information that they need to treat an individual, that could have huge ramifications in terms of adverse events: giving patients the wrong types of medication, not understanding their blood types, really elementary stuff. But unfortunately it impacts every level of an organization if they're undergoing a cyber attack, and particularly one that has affected the availability of the information, that is, the healthcare providers can't access the systems they need to treat patients, for whatever the reason. And that may be because they're down, or because they're running slowly, or because, to your integrity point, a threat actor has interacted with the data in a way that compromises the data itself.
So these are all, as I said, very real concerns that are ongoing. And in many cases it creates a real rock-and-a-hard-place situation for many of our clients, particularly, for example, in ransomware attacks, because if they have a situation where a threat actor has encrypted their systems and encrypted their backup systems and has taken data with them, it's very difficult to come back from that. And unfortunately, these clients have to come back as quickly as possible so they can treat individuals. So they're left with the decision, in many cases, whether to engage with a ransom or not, and what that means for their organization moving forward. So I think it's really, really important, to your point, Bob, for these organizations to consider: what does it mean for us if we can't access our data? What does it mean for us if our data is corrupted? How do we get that data back? How do we get the data back correctly? And then what's the fallout from a legal perspective? To your point, are we talking about medical malpractice? Are we talking about specific lawsuits against leadership, including the chief information officer, the chief privacy officer of these organizations, which we have seen? Are we talking about shareholder derivative suits because of the impact to the organization from a particular event and potentially a lack of appropriate planning by the organization prior to the event, or a lack of appropriate response after the event? All different types of cases that we've seen, to your point, and that are really scary, not only in terms of what it means in the real world, but also what it means from a liability perspective after the event itself.

Speaker 2:

Yes. And speaking of some of those liabilities, the former CISO at Uber, not to get into it at any depth at all, going back to breaches a number of years ago, is in court now, being sued as a result of that breach, and not just the breach, but certain actions that were taken that were probably inappropriate. But if I can focus a little bit further on executive and director liability: I certainly know that Yahoo, Equifax and Target are not healthcare entities, but they're classic cases where there were major security incidents that resulted ultimately in derivative shareholder lawsuits. Now obviously in healthcare we have a lot of not-for-profit organizations that are part of the healthcare delivery world, if you will, health systems and integrated delivery networks. So, I guess there can be class action lawsuits; you're the attorney, I'm not; there can't be derivative lawsuits because there are no shareholders. Notwithstanding, how should trustees and directors in these nonprofit health systems and IDNs be thinking about their organizational liability and even getting into the matter of duty of care and potential personal liability?

Speaker 3:

Right. I think these are all really complicated issues, to your point. And really digging into any particular type of entity would take additional facts and more time. But to answer your question at a very high level: unfortunately, there are a lot of large non-profits that could very well be an attractive target for plaintiffs' attorneys, just like any other large entity. And unfortunately, small non-profits and small entities are just as vulnerable to data security incidents and breaches as the large ones are. So, on the whole, the vulnerabilities to these types of attacks exist across the different types of organizations, but whether an entity is for-profit or non-profit may affect some of its regulatory obligations, for example, FTC jurisdiction versus HHS jurisdiction or state jurisdiction, but also could affect the types of lawsuits, to your point, Bob, that could be filed against the entity. That doesn't mean, however, that there is any immunity from lawsuits because you're a non-profit, to your point. I really do think that because of the nature of some of these larger non-profit organizations, and we particularly see this in the healthcare sector, as you know, Bob, a lot of our non-profit clients, even though we're not in the same organization, we obviously have clients in common, get sued on a regular basis for these types of issues, whether it's a medical malpractice issue, again, to our earlier point, that results from an unavailability of data, or an integrity issue with the medical records themselves. For example, errors in the medical records that somehow result in a bad result absolutely result in litigation for non-profits.
But also, arguably, to your point, there are the other duties that these organizations have, particularly under state law, whether that's consumer protection or other tort-related issues, that are driven by the fact that that entity either does business in a state, whether it's for-profit or non-profit, or because it holds the information for certain residents. So it really is a wide range of liability that could affect a particular non-profit organization as well as a for-profit organization, and could result, depending on the type of allegation, in liability for the organization itself as a whole, as a corporate concern, or for particular individuals, depending on how that allegation is articulated and what the legal landscape looks like, for example, in that state, and how those state laws can be used to bring action against the organization itself or the leadership members of that organization because of a duty that they may or may not have fulfilled in a particular circumstance.

Speaker 2:

Sure. That was one of the themes that we had written about and talked about last year, that is, the possibility of the legislatures and the courts holding executives' and directors' feet to the fire, I guess, when it comes to enterprise cyber risk management. The other theme that we wrote about was the emergence of a de facto, we'll call it, standard of care; speaking of healthcare, medical malpractice lawsuits require a deviation from a standard of care. So almost two years ago now, in January of 2021, a bill was passed, somewhat mislabeled in my opinion as the HIPAA Safe Harbor Bill, H.R. 7898, that amended the HITECH Act. And as you know, but for our listeners, it said a couple of things in terms of the amendment. Number one, that the Secretary, that is the Secretary of HHS, and therefore the Director of OCR, will consider recognized security practices when they pursue an enforcement action or do an investigation. And considering those recognized security practices may result in reduced fines, maybe a reduced time or length of an audit, and lessened remedies, so to speak, and corrective action plans. And finally it went on to say there are two recognized security practices: the standards, guidelines, practices, et cetera, set forth by NIST, that being the National Institute of Standards and Technology; and the second citation was the Cybersecurity Act of 2015 that promulgated the so-called 405(d) work groups, and therefore the work and the approaches put forth by 405(d). In other words, punchline, NIST and 405(d) were the two recognized security practices. First thing, can you comment on this bill being called the HIPAA Safe Harbor Bill? I just never got that, and I'm just curious what your thoughts are.

Speaker 3:

Sure, sure. I think the idea is that it's a safe harbor because if you have implemented, again, these recognized security practices, and to your point, Bob, the only ones that are specifically articulated in the statute and that are being considered by HHS right now in its investigations are NIST special publications guidance and the 405(d) CISA guidance, the Federal Advisory Committee guidance under the CISA Act. So we know for sure that HHS is in fact considering now implementation of that NIST guidance and CISA guidance for purposes of determining whether or not to reduce potential civil money penalties related to potential HIPAA violations. So that's why it is considered a safe harbor statute; at least as far as I understand it so far, and maybe we will see, it's not a get-out-of-jail-free pass, but it helps as a mitigating factor with regard to civil money penalties that could be levied against a particular entity related to potential violations of HIPAA, and in the circumstances that we are talking about specifically, for example, after a breach. But there is an ongoing rulemaking about this as well. And so I think it remains to be seen if there will be other types of guidance documents or practices or certifications that may also result in additional mitigation for civil money penalties as well.

Speaker 2:

Mm-hmm. <affirmative> Are you seeing, and you mentioned a second ago they're still working on, I guess, doing some rule writing, are you seeing OCR taking H.R. 7898 into account at this point, or not yet?

Speaker 3:

Oh, absolutely. It was actually a bit surprising to me that we started getting data requests specifically on this issue from HHS OCR as part of ongoing investigations for clients now, even before a rulemaking was announced. So almost immediately after the statute was passed, we started to get data requests, that is, information-gathering requests, from HHS in open investigations involving potential data security violations for our clients. So the short answer is yes, absolutely, OCR is already requesting information on implementation of either NIST special publications guidance or CISA guidance prior to a particular data security incident.

Speaker 2:

And that's good to hear, and it certainly sounds like it supports the idea of adopting NIST or what's been promulgated by the 405(d) work groups, all of which is great stuff. Hey, speaking of OCR enforcement, since we were in our respective roles, me at Clearwater and you at OCR, and I'll say working together, so to speak, to help organizations become and remain compliant, there's been a pretty significant shift away from risk analysis and risk management towards right of access as an area of focus. Do you expect this to continue? And if so, do you think this is a good time for organizations to take their foot off the risk analysis and risk management pedal?

Speaker 3:

<laugh> It's a great question, Bob. I don't think the focus has actually shifted that much. I just think that OCR has published more information about the investigations related to patient access rather than the ongoing data security investigations, because there are many ongoing at OCR right now. So as you know, Bob, any time there's a change in administration, there's always a bit of a lag in terms of settlements and civil money penalties that come out of the HHS Office for Civil Rights related to HIPAA issues. In my experience when I was there, that was just because the new Director of the Office for Civil Rights, who is a political appointee, had to get up to speed, really understand the implications for these types of cases, and get a good understanding of specific cases that the regional offices wanted to move forward to civil money penalties or settlements. And that all took time. And so the more straightforward cases were the ones that continued to move fairly quickly through that process, even during changes in political appointees for OCR. As you may know, OCR has had another change. They have a new director, and the last director wasn't there very long. So I would imagine that there are in fact a lot of cases potentially related to these data security issues, including risk analysis and risk management, that have been in process for a while at OCR. And again, I'm just guessing, given the types of investigations that I'm working on with my clients, but I would guess that there are some fairly close to settlement, but we just haven't seen them given the changes in leadership in the office from an administrative perspective. So I think the short answer to your question is absolutely not.
Entities should absolutely not push risk analysis and risk management to the side because there hasn't been any really huge activity from an enforcement perspective that has been published related to these HIPAA requirements, because I would emphasize that in my experience with my clients and the investigations that I know are ongoing now, HHS is every bit as involved in asking those questions still; we're just not seeing publication of those issues, at least for now.

Speaker 2:

Yeah. Okay. All right. Well, that's great, and I'm glad to hear that, because I'm cut from the cloth that, until or unless you really understand what your exposures are, it really doesn't make sense to spend a lot more money on security safeguards and controls in the absence of that. So I'm glad to hear your perspective as well. In our previous conversations, and I believe also in our article, we have talked about a couple of cases that involve compromise of integrity and compromise of availability. And I want to fast-forward the tape a little bit, to pretty recently, August 1st. Speaking of AHLA, the Health Law Connections magazine included an article entitled "Patient Cyber Harm: Strategies and Tips for Prevention, Preparation, Risk Management and Transparency." And I was really intrigued to see "patient cyber harm," because I'd previously used the expression "cyber-driven medical malpractice lawsuit." I was intrigued to see that, especially among the legal community, and they talked about a number of things. How much do patients need to know about the impact of any ongoing cyber attack? Do healthcare delivery organizations commit malpractice by accepting a patient without letting that person know that their systems are impaired or down in some way? Can they be held liable for misrepresenting, et cetera, et cetera? It was pretty intriguing, and I thought, terrific article. We don't want to re-plow the great coverage in the article, but I was really, as I said before, interested and encouraged to see, quote, "patient cyber harm" as the subject of an article. What are your thoughts? Do you have any concerns with the approach taken by the authors? What, if any, comments do you have on the article?

Speaker 3:

Yeah, no, I think that's a great point in terms of trying to understand the ramifications of any particular type of incident, and something for different entities of all types, whether we're talking about healthcare providers or vendors to healthcare providers or even health insurance companies, in terms of what that can mean for their business operations and how those business operations, or the lack thereof, can specifically affect patients. And I think at the end of the day, if that's what these articles are highlighting, then I think it's a great point in terms of really understanding the fallout for any particular type of incident and the impact to the people that they serve, which is ultimately the question that we're all most concerned about. So I think that's a great point, and it really just dovetails into our conversation earlier about availability and integrity: what does a particular type of attack mean for an organization, particularly if there are implications for the availability of data or the integrity of the data, and how is that going to specifically impact patients.

Speaker 2:

And, consistent with what I think I said a moment ago, fast-forwarding to more current times, another activity, and this falls under our second trend, executive and director liability: another recent development was in the spring, I think it was in early May, when the comment period closed on proposed changes by the Securities and Exchange Commission under the banner of cybersecurity disclosures. Back in 2018 they put out a statement and some guidance, but more recently they're looking for changes that would include publicly traded companies disclosing which board members have cybersecurity expertise, if any; how often the topic of cybersecurity is discussed at the board level; what, if any, oversight the board has over cyber matters; and they even want to go further with certain financial organizations and investment funds. And as we've discussed, most of the large healthcare delivery organizations are not specifically subject to the SEC. Notwithstanding, do you think these disclosure changes, if they are adopted, will make a difference within the healthcare ecosystem?

Speaker 3:

I think those types of disclosure obligations, I don't, I don't necessarily think that, um, you know, more reporting to, uh, state and federal agencies is necessarily a good thing, just to be clear. But I do think that the spirit of the requirements is well taken in terms of really helping an organization to understand exactly what their responsibilities are, you know, what they should be looking at, who should be understanding their responsibilities and implementing controls. You know, really who in the organization should be involved in all of these questions that we've been talking about. So, so at the end of the day, if that's what we're trying to get to is helping organizations understand who needs to be involved with the decisions related to, uh, data security, um, with regard to the risk associated with security incidents and breaches, I think that's absolutely the right approach. Um, there needs to be more encouragement for, um, you know, leadership for the board to be involved in these conversations and to ensure that everybody's on the same page about how the organization's going to move forward, um, in terms of addressing, um, the risks, um, and, um, any fallout from an incident.

Speaker 2:

And then, um, in the spirit of trends and new developments, aside from the, uh, Securities and Exchange Commission, uh, we have the Cyber Incident Reporting for Critical Infrastructure Act, um, that's calling for covered entities, as they turn out to be defined, to report to, uh, the Cybersecurity and Infrastructure Security Agency any ransom payments within 24 hours, any business, uh, disruptions, any substantial loss of our favorite three words, confidentiality, integrity, and availability. Any thoughts on those new requirements?

Speaker 3:

I think, I think, again, it's, you know, I'm not necessarily convinced that, again, more reporting is going to be helpful, for many reasons, because I think the obligations for responding to and reporting for entities themselves are already quite high. And I'm not sure that additional information going to these regulatory bodies is, is really going to help them take action. Um, you know, I guess that remains to be seen, but I think at the end of the day, if what we're trying to do is highlight these issues for those organizations, that is a helpful exercise in terms of, you know, again, really understanding what the requirements are, what are the issues that we need to be concerned with, um, you know, all of those important questions.

Speaker 2:

As always, it seems like our time, um,<laugh> just totally flies by. What, um, how would you, um, end the session with, with thoughts, uh, recommendations, best practices that you'd like to leave our listeners with?

Speaker 3:

Yeah, thanks Bob. Um, you know, I think, again, it's, it's just what we've been talking about during this whole conversation that is really the, the scope of these, um, incidents in terms of, um, you know, preparing for, um, and responding to, uh, the incidents is just increasingly, um, uh, difficult to manage. So, you know, at the time of the incident is really not the time to be trying to figure out all of these important questions. So really preparing for, um, any of these types of incidents is, is crucial for any type of organization, but I would argue particularly for healthcare organizations, given all of the patient safety issues that they could be dealing with as a result. Um, and so I would encourage entities to really start digging into if they haven't already, and if they have to continue to really ensure that they understand what those obligations look like, how they're going to deal with these types of incidents, what the fallout can be, um, and, and making sure that they have good planning associated with all those questions.

Speaker 2:

Well, I couldn't agree more. I think, um, that is great advice. I will leave on this note. Um, if I had to prioritize, and there are so many directions organizations need to ultimately go in as it relates to enterprise cyber risk management, but I think, um, a key point you mentioned was having a strong incident response capability in place today is just a preeminent priority. Bad things are happening. They're happening to these large, sophisticated technology companies who have deep pockets. We know they're going to happen in healthcare. And my second priority would be to get back to the basics of risk management, and at the executive and board level, three things: identify and prioritize what your unique cyber risks are. Debate, discuss, and finally settle on your appetite for risk. And then ultimately manage each risk by making informed decisions about what you're going to accept and what you're going to treat, that is, avoid, mitigate, or transfer. This is a serious, growing financial issue. It's an ESG issue, it's a social responsibility. And at the end of the day, most importantly for our healthcare organizations, it could be a matter of life and death for our patients. So with that, I wanna say thank you so much, Iliana, to, uh, uh, be together again and have this dialogue. I appreciate your time and, um, all of your very, very thoughtful input.

Speaker 3:

Oh, absolutely. Great to talk to you as always.

Speaker 2:

Thank you.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.