AHLA's Speaking of Health Law
AHLA's Speaking of Health Law
How Health Care Professionals Can Limit Their Liability Following a Cyber Attack
Jon Moore, Chief Risk Officer and Senior Vice President of Consulting Services, Clearwater, speaks with Iliana L. Peters, Shareholder, Polsinelli PC, about the steps that health care professionals can take to address cyber incidents and reduce their liability. They discuss identifying an incident response team, evidence collection and retention, engaging with IT forensics vendors, negotiating over stolen data, complying with disclosure and reporting requirements, reaching out to cyber liability insurance carriers and other third parties like law enforcement, dealing with a regulatory investigation, and the emerging legal theory of personal liability. Iliana recently co-authored an AHLA Briefing on this issue. From AHLA’s Health Care Liability and Litigation Practice Group. Sponsored by Clearwater.
To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.
Support for A H L A comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Their solutions include their proprietary software as a service-based platform, I R M Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise. An advisory support from their deep team of information security experts. For more information, visit clearwater compliance.com.
Speaker 2:Hello and welcome to another speaking of health law podcast with a H L A. My name is John Moore. I'm Chief Risk Officer and Senior Vice President of Consulting Services and Customer Success at Clearwater Clearwater. Um, we help healthcare organizations manage risks, comply with regulations and requirements, and respond and recover from cybersecurity incidents. And I am fortunate, uh, to have here with me today Eliana Peters. Eliana is a shareholder at Polsinelli. Um, she's a healthcare and privacy and security, uh, attorney. She's a former acting deputy director at ocr. And perhaps most importantly, and certainly why I always enjoy so much, uh, talking with her. She's one of the preeminent thinkers and speakers in data privacy and security in America today. And so, uh, hello Eliana, and I hope you're doing okay.
Speaker 3:<laugh>. Thank you. Thank you so much for that, um, glowing introduction. I really appreciate it. I'm, I'm doing well and I'm happy to be here today to speak with you and hopefully provide some useful information for the audience. I always enjoy speaking with you, John, and, um, working with the A H L A. So thanks for having me.
Speaker 2:Great. So I was, I was hoping today, uh, well, let me backtrack just a second. So in December, um, Eliani you, you published an article with your colleague, Kaleigh Schuler. And, and, uh, the, the topic of the article is how healthcare professionals can limit their liability following a cyber attack. And, and that was published with the HLAs Healthcare Liability and Litigation Practice Group. Um, wanted to or hope that I could ask you some questions, uh, about that article and, and that we could talk a bit more about, um, what you covered in that. Would that be okay?
Speaker 3:Absolutely. I think that's a great idea cuz this is a really important talk topic as you know as well mm-hmm.<affirmative> to all of our clients.
Speaker 2:Great. So, you know, I always, always am curious, as someone who's often asked to, to, um, you know, produce articles like this and other thought leadership pieces, I always, um, I'm curious what inspired you to write this article?
Speaker 3:Right, right. Well, one of, um, our friends, um, good friends, um, both personally and professionally, uh, is a member at HLA who came to us, us and asked us to write this article, write a article, and then we talked with her, um, Lindsey Lagan about what might be most helpful to healthcare organizations like hers. Mm-hmm.<affirmative>. And, you know, we've been hearing from a lot of healthcare organizations that these issues are, you know, top of mind. This is some of the most important issues that they're dealing with on a daily basis. So this was really sort of, uh, grassroots driven, for lack of, a better way of putting that is that this was really driven by our client base, you know, healthcare entities that, that want to know more about these particular issues because this is what they're dealing with frequently. Um, and they, it's scary, it's scary for them, and they wanna make sure that they're protecting themselves appropriately, that they have a good handle on all of these, these issues in questions. So this was really about addressing a need that was identified to us by a HLA constituency such that we could, you know, write something that was particularly helpful. Um, and so obviously we, we love when that happens. Cause it, it means that, again, what we're addressing is, is a real concern on the part of healthcare entities and hopefully provide some really valuable information for them.
Speaker 2:And the article you specifically focus on, uh, sort of the context of a ransomware attack and, and certainly, you know, something that we're seeing in the news every day, unfortunately in the healthcare, um, industry. But it seems to me anyway, and, and, and curious on your thoughts that much of what you present in the article is applicable in, in any circumstance where there's a, a cyber attack within an organization. And am I reading that right? Or how would you, uh, how would you recommend that, that the advice you present in the articles applied?
Speaker 3:Right. Right. I think you're exactly right. I mean, I think what we tried to do was use a specific example because ransomware is such a frequent issue, and it is the number one risk that we're seeing in terms of cyber threats to entities of all types, but certainly healthcare entities. So in terms of looking at types of cyber incidents, it's most likely that, um, the vast majority of folks reading this article, um, or listening to our conversation now about this article, we'll be dealing with a ransomware attack, uh, at some point, unfortunately. So that's, that's really why we wanted to kind of ground it in something that would most likely be helpful in terms of an example, um, for the article. But you're absolutely right that, uh, cyber incidents, uh, you know, vary widely depending on, you know, the circumstances, the type of entity, all of those, uh, important considerations. And so these, um, you know, tips, this list, these thoughts that are included in the article are really, um, you know, transferrable incident to incident and are, are hopefully kind of just a helpful guide for all different types of cyber incidents, including, for example, business email compromises or other types of cyber incidents that are quite common for healthcare and other types of entities. So again, what we wanted to do was ground it in a practical example, because we do find that that's particularly helpful when talking about these types of issues. But hopefully to your point, the points that are made in the article, um, and the conversation that we have here is, is really transferrable to, to cyber incidents of all different types.
Speaker 2:Excellent. And so you, you mentioned the, the tips or the, the techniques that you recommend in the article. So I'd like to, if I could ask you, um, some questions about each of those. And, and importantly you lay out 12, I think, what you call important steps for a thoughtful response. And the first one of those, if I'm remembering correctly, was to, um, identify points of contact or bring together that, uh, group that's gonna be the, the response team. So who, who should be involved from an organizational perspective on that response team itself? I, I think you, you point out that it certainly goes beyond, uh, the technology group, for example. So who should be involved and, and why.
Speaker 3:Right, right. I think that's a great, a great point, um, that it does go beyond the information technology or IT group at any particular entity. And, and it also depends. So obviously if what you're dealing with is a fairly minor incident, you know, we talk about ransomware in the article because that's kind of the scale that we wanted to address. But this, this varies widely and depends really significantly on the incident response plan at any particular entity. So obviously you do wanna follow your incident response plan, and if you don't have one, obviously you should get one in place as soon as possible. But that plan may take a different approach depending on, you know, what that particular incident looks like. And if it's a fairly minor incident, maybe it really is, is, you know, the only team that needs to be involved really in those minor incidents. That said, once the incident starts to take on any type of escalation and, and starts to look like there's really any serious implications for liability for the entity. And that would include, for example, ransomware, business, email compromise extortion events, um, insider threat events that involve potential identity theft. These are all sort of, um, the types of cyber incidents that we would strongly encourage the entity to escalate and escalate quickly. In other words, to your point, John, try and figure out exactly who beyond it needs to be involved. And that shouldn't be happening at the time of the incident. That should be, that should be in your incident response policy. But what we generally suggest there is obviously, um, compliance and legal, um, as part of those, um, teams that respond to the incident, you need legal, because again, what you're doing is preparing for potential litigation. And, and the vast majority of these incidents these days do in fact result in litigation. So that's changed significantly over the last five years that I've been in private practice five years ago, you know, maybe one or two out of 10 events involved litigation at some point, but now it's really more like five or six or more out of 10 that involve litigation. So the the point is that if you have any type of escalated event, it is very likely you will be dealing with litigation at some point or the threat of litigation at some point. So you do wanna make sure that legals involved. Um, and then of course the compliance teams are always helpful, you know, to the extent you have implications for, for state or federal data privacy and security regulations and requirements, it's also really helpful to have them involved as soon as you can because it helps dictate how you're going to respond to that particular incident. So at the very least, we're talking it, we're talking compliance and legal, um, in many cases, depending on, again, how quickly this event escalates and the potential for the different types of data that are involved at the particular entity. That could also include HR folks if you have a lot of employee data that's involved. And, um, it could potentially involve the board. We have some, um, senior executives and the board, we have some clients who in certain circumstances escalate these types of incidents very quickly to, um, the C-suite and the board because of the importance that they place on data security and the impact that these type of incidents could have on their organization, particularly if, again, it impacts a large amount of data or the entity's ability to provide services, particularly for healthcare entities. As you know, John, that's a huge problem because some of these, um, incidents could significantly impact an entity's ability to provide treatment and care to patients. And so those are the types of incidents that would likely need to be escalated and escalated quickly to the C-suite and potentially the board to make sure that everybody's on board with how, um, response is going to go and the concerns that any particular individual on that team might have. Now, again, you don't wanna be having these conversations when the incident occurs, particularly because, you know, your CISO may be on vacation and unavailable. Um, you wanna make sure that you know who the right folks are on those teams prior to an incident and that you have a backup plan. So if someone who is crucial to those teams and crucial to the response is not available for whatever reason, you immediately know who the next person is that needs to step up and step in that to help. Um, so it, it really, again, depends on the type of incident, depends on the type of entity, um, but it really needs to be thought out beforehand so that you can respond appropriately and have the right, uh, capabilities in place.
Speaker 2:So there's a, so the number of things in that response that wanna make sure that we don't lose, and, and in particular, you know, while your article itself is, is primarily focused on, you know, what an organization has to do following an attack. I think one of the key things that you brought up that we often see is the importance of being prepared for this in advance. If you're, you know, if you haven't prepared in advance, this is still good advice, but your ability to actually execute on many of the steps that, uh, that you point out in the article really will be driven by how prepared the organization is in advance, including having that incident response plan and disaster recovery, business continuity type of planning. I think you mentioned a tabletop exercise, you know, as, as, uh, helpful for organizations in preparing for this type of event. We've seen that, um, you know, a lot of organizations benefit from business impact analysis to truly understand which systems and are, uh, critical to the operation of the organization and making sure that there's not a disconnect between the business folks and, and what they're using and what the IT department has really planned for from a recovery perspective. So, you know, a lot of, a lot of good stuff. Um, there, the other thing that, that you mentioned that really aligns with what we've seen is the, the growing, uh, in the increasing amount of litigation following, uh, breach. And I guess some of that's jurisdictional dependent, but certainly we're seeing, it seems like we're seeing more and more class action lawsuits, uh, following the announcement of a breach. So I think, I think what you're saying is confirming a lot of what we're seeing. And, and to that point, you know, one of the things that, that, uh, really came out in a number, and it actually a couple of sections within your paper, is the need to maintain, uh, or not destroy evidence during the response to the incident itself. And could you talk a bit about what the, what that evidence would be in the context of this kind of IT incident and, and why there's a need to maintain that, uh, as you're responding?
Speaker 3:Absolutely. Yeah. No, no, John, I think you've, you've hit some, some really important points. Um, and, and evidence collection and retention is critical, um, to any, any response, any appropriate response to a, to a cyber incident, whether it is a small one or a large one. Um, the issue really is that a lot of IT teams with very good reason, um, immediately sort of default to a wipe and start over, um, mentality. And, and again, you know, they're doing that with good reason. In other words, they want to protect the enterprise systems. And the best way to do that in their minds, maybe to just clean everything quickly and start over. Um, the issue is there is that unfortunately, um, because of not only the threat of litigation, but also because of our various and assorted responsibilities under state, federal, and potentially international law, if that's implicated, we need the evidence about what is happening or has happened as part of that incident in order to, uh, determine what our legal responsibilities are. So, um, at the end of the day, we cannot wipe systems and start, start over. Um, again, we may have litigation responsibilities to maintain that data, but we may, we definitely have legal responsibilities under state, federal, and international law to understand the scope of the incident. And the only way that we can do that is with good forensics evidence. So if that forensics evidence is gone, if it's not available, um, then it, it, it makes it extremely difficult to understand what our legal responsibilities are and usually SI makes the situation significantly worse from a, from a legal standpoint. So, just as an example, you know, hipaa, if you're, if you're a HIPAA covered entity or a business associate under hipaa, we have to presume a breach unless we can specifically determine what information the threat actor accessed while they were in the systems, and we're not talking what information they they actually stole or took with them. We're talking what they interacted with while they were in your system, um, such that we can understand the risk to that data. And if you've wiped all of the laws or, or all of the activity, or all of the forensic breadcrumbs, for lack of a better term, then we can't determine what that threat actor actually did while they were in the systems. And as a result, we have to, we have to assume that they touched everything. Um, and that's not a good place to be, um, for, for many, many reasons. So what we wanna do is make sure that we, you know, sandbox systems, we take systems offline, we make sure that the evidence is maintained in a secure way such that your IT team can continue to remediate. And that is, you know, make sure that we get back online in a safe way, in a way where the threat actor is no longer able to interact with our systems while keeping the information that we need to really understand, again, the scope of what that incident looks like. Um, and again, that's crucial. And so, um, that's part of the reason why it's so important to do all of those activities that you were talking about, John, before an incident occurs, including tabletop exercises and having robust policies and procedures and training in place, because everybody needs to be on the same page about what the appropriate response to any particular incident should be and how that's going to go, such that when it does occur, again, your IT teams know, okay, we're gonna, you know, we're gonna segregate this data, we're gonna sandbox these systems, we're gonna make sure that there are, you know, the appropriate, uh, response ongoing while we're keeping the evidence safe for our legal teams to try and figure out what our next steps are. Um, and that's incredibly important for those, those IT teams and forensics teams as well, in terms of really understanding what the indicators of compromise were, you know, where our weak spot, if any, may be, um, such that we can remediate and not have this type of incident again in the future. So, um, so many reasons why evidence preservation is important and, um, obviously, again, not the conversation you want to be having when the incident is ongoing. That's a, that's a conversation that should happen, you know, as part of your, uh, to your point preparation for an incident.
Speaker 2:Right. And, and so, you know, one of the things that we recommend, and, and I think you recommended as well in your article is that, um, an organization in order to make sure that we're preserving and, and able to conduct that analysis, uh, one of the things you recommend and and we do as well, is that the organization consider engaging with a, a, a specialist in forensics, um, and IT forensics. And, and so one of the things that I, I thought was important to, to bring out that you talk about is how that, how the organization should contractually engage, um, that forensics vendor. And in particular, uh, the reference to, I think it was the Capital One consumer data case in the Eastern District of Virginia, um, as that relates to privilege, right?
Speaker 3:Right. That's correct. So the Capital One cases, there's a, there were a series of cases, um, that recently in the last year or two years now, um, really outlined some of the challenges, uh, with protecting privilege as part of forensics investigations. And so that lots, lots of really important key takeaways there, to your point.
Speaker 2:And so if, if, if the organization is going to engage with a forensic vendor, they would, your recommendation would be that they would do that how, or through whom?
Speaker 3:Right, right. Great point. Um, so the idea is that, um, for purposes of anticipation of litigation and, and as we've talked about already, um, we do expect the vast majority of these incidents these days to result in litigation of some sort, either single plaintiff or more likely class action litigation, but certainly litigation of some type, um, in order to protect the activities related to that forensics investigation, that cyber incident response, the security incident investigation altogether, um, within that client, within that enterprise, within that healthcare entity or other entity. The important piece of that is that, um, the, the legal team, um, and now the internal legal team can certainly do this, but, um, what we see most often is the internal legal team will engage with outside counsel, um, and the outside counsel will do this, um, that is legal team needs to direct the investigation. And what that means is that the legal team needs to engage the vendor specifically for this particular incident, an investigation into this particular incident with, with all that that comes with it. So it's incredibly important to understand that your IT team, um, your compliance team cannot engage with, you know, an a vendor that you have an ongoing relationship with who you know is there every day and sits in your space and works as a compliment to your IT team, or comes in on an annual basis to do vulnerability and penetration testing. Um, that, that is not the kind of engagement that you can rely on for purposes of attorney client privilege resulting from a security incident. Your legal team needs to specifically engage and in most cases, a different vendor. Although, you know, there are ways to work with current vendors if that is absolutely necessary to do the forensics investigation related to a particular security incident. Um, because if, if that's not the way that you undertake that investigation, um, if it's not directed by the legal team, then it's pretty clearly after these sets of cases that we've been discussing, not privileged, um, and would be subject to discovery as part of that litigation that you might become subject to. So, um, there are a lot of other considerations as part of, um, you know, that analysis, including who pays for the forensics investigation, how the direction occurs. In other words, you want the legal team to be directing sort of the day-to-day, um, of that forensics investigation. They need to be copied on all correspondence. They need to give direction to IT teams, uh, forensics teams, uh, vendors, other vendors associated with the incident response. Um, you know, they need to, to get all of the reports, uh, those need to go to legal directly. Um, they, they can't be used for other purposes. So it's, it it's quite complicated. Um, and very important that the client, that the healthcare entity that the other types of entities really understand that this is a crucial part of response to the extent you do believe that litigation will result. And if it's not done properly, um, then the client has, uh, potentially put themselves in danger of not being able to rely on that attorney-client privilege, which can be significant, a significant issue. And in many of these cases.
Speaker 2:Right. And, and, and to your point, I think that, and we're seeing this more and more, I is that because of the increasing litigation or or chance of litigation, there's much more of a, a focus and desire to understand, um, the implications from a privileged perspective, not just in, in a, in specifically in the breach, but more broadly in, uh, different types of security assessments, let's say, that are, that are done. Um, one of the, you know, one of the things, uh, about ransomware or other extortion type of attacks that, that you mentioned in the article, which I think is, is sort of this novel decision point, let's say, that often occurs and it, it looks something like this. The, the attackers have exfiltrated, um, let's call it E P H I from the organization. And, and even if they haven't, uh, encrypted using ransomware, or even if they have, they'll say, well, um, that's great and you might wanna recover from that, but, but we've stolen this information and I'm gonna give you an example of what we've stolen, and if you don't pay, uh, pay us, we're going to publish that information. But if you do pay us, we're going to, um, destroy that information and, and not release it. And so the organization is in this novel decision point where do we trust these bad actors to actually follow through if we pay them? I'm curious, uh, you know, what your experience has been when, when, um, organizations face that, um, that question themselves and what might drive them to different decisions, uh, based on who they are, the organization, et cetera.
Speaker 3:Right, right. Really, really good question. And, and again, a decision that is, um, a difficult one for entities of all different types, but also one that is helpful to discuss as part of your planning. So, um, this has, this question has been coming up quite often in tabletop exercises. This is often a question that the C-suite and the board, um, is very keen to discuss because it has a lot of implications to your point, um, about how the entity will not only respond to an incident, but also the, um, the fallout, um, or the repercussions of the response, um, particularly for example, for publicly traded companies. So, um, lots of factors going into the decisions to either pay a ransom or, uh, pay additional funds such that data doesn't, um, arguably get posted to the dark web or, um, sold elsewhere. Um, and so a really crucial, uh, issue, uh, again to discuss hopefully before the incident occurs. But, um, at the time of the incident, obviously there are many, many factors that play into a decision to pay or not to pay. A lot of that has to do with where the entity sits. So, um, a data owner may be less willing to pay any type of ransom or extortion amount because they own the data, um, and they, uh, have decided that where they wanna invest their funds is in, you know, protecting their data subjects, whether those are employees or patients or consumers of different types. In other words, they would rather pay for credit monitoring or assistance to their employees rather than using those funds to pay a threat actor when that data is arguably, um, subject to, uh, public review anyway. In other words, that horses left the barn. And is it helpful to put that, to try and put that, um, that g back in the, in the bottle? Uh, if you'll excuse my mixed metaphors,<laugh>. So, um, so in other words, you know, a data owner may be more willing to say, Nope, we understand we've had a breach. There's really nothing we can do about it at this point. We wanna use our resources in a way that's most productive in our eyes, and that is reinvesting in our organization and making our security controls better, as well as, you know, spending the money on our constituencies and making sure that they have the protection that they need. Um, uh, a data processor on the other hand may take a different approach. In other words, they're just the holder of the data. It's not ultimately their data, and they have responsibilities to their own clients, their own customers whose constituencies may be affected. And so they may decide that they do want to pay an extortion amount, for example, so that they can tell their clients they've done everything that it's absolutely possible to be done to protect that data, even though they don't have any guarantees at the end of the day, that that threat actor may still post that to the work dark web, may still sell it to another threat actor, um, may still, you know, take other nefarious actions involving that data. So they, they, um, they may go ahead and consider paying those amounts, even though they know, um, it may be, uh, you know, a fruitless, uh, exercise because they just want to make sure that they've done everything they possibly can to mitigate the circumstances of a breach like that. Um, and of course, you know, there are many different legal considerations when entities are, are making these decisions, including, for example, whether or not a particular threat actor group is, um, on the oath back list. Um, that's the Department of Treasuries list, uh, prohibited, uh, entities, uh, that transactions, financial transactions are prohibited, um, to be undertaken with. So, you know, obviously there are, there are many different factors that, that are still, um, at issue beyond just, you know, whether or not an entity is willing to pay. They may be legally prohibited from paying, um, and certainly if they are, you know, cyber insurance won't cover those payments, et cetera. So all of these factors play into the discussion about both when to pay ransom, but also when to pay other extortion amounts that may be demanded by threat actors.
Speaker 2:So, so not quite, uh, so much more complicated decision, uh, process than one might hope. And I guess to your point, it'd be great if we've already walked through that in advance, um, before we end up having to make those decisions while there's a digital clock ticking away on a, on a screen, some, whereas is often the case in these, uh, situations. So, you know, one of the things you mentioned is that, um, regardless of whether I pay for the, let's call it the destruction or the hoped for destruction of that information, I'm likely already in a breach situation and with that breach situation, there, there may be or is very likely some sort of reporting or disclosure requirements. Can you speak to some, uh, tips or how an organization can work through and comply with, with those types of requirements, whether that's at the, um, to OCR r or or, or potentially other, uh, at the state level as well?
Speaker 3:Right, right. No, and that, that's, that really becomes, um, part of the most resource intensive part of the investigation. To your point, John, that, um, that results, um, you know, initially as part of any particular security incident response or security and invest security incident investigation, the entity, um, along with, you know, their outside council, their forensics vendors, um, you know, other vendors that they may have involved to help, uh, really determine, again, the scope of the incident, how appropriately to remediate, um, you know, whether or not we're gonna be dealing with payments of ransoms or other, um, uh, extortion amount, um, you know, their cyber, uh, insurance team, the focus at the beginning of any particular incident really is on, okay, let's, let's figure out what happened and let's get back on our feet as quickly as possible as it should be. Um, obviously particularly with healthcare entities, any day that they can't provide, uh, quality treatment is, is a day that is, is really a problem, um, for all of us. So, um, idea is, you know, we wanna focus our at the beginning on really understanding what happened in the incident and texting it. So whatever that means then, um, to your point, comes the hard part in terms of really figuring out our legal responsibilities, again, at the state, federal, and international level, um, and what our, um, reporting duties are under those legal responsibilities. And that varies widely depending on the type of entity and the type of information involved. So obviously there are different requirements for patient data in a healthcare entity that's covered by HIPAA than there are for employee data in that same entity. Um, and so really understanding, again, what data was involved, um, what the incident looks like, what the reporting requirements are, again, you know, reporting as part of a publicly traded company is different than, you know, not reporting as a private entity. Um, and all of these issues, um, have to be discussed fully with the legal and compliance team to make sure that everybody understands what the reporting requirements are. And that's often quite complicated because you have residents, um, of multiple states involved in many of these incidents. And state law arguably applies where the data subject lives and not where the entity is located. So in any particular incident, you could arguably have multiple states involved. Again, you could have HIPAA reporting requirements, um, and at a certain level, HIPAA requires reporting to the media. Many states do as well. Um, so you're dealing with media reports, you're dealing with reports to credit monitoring bureaus, if that's also required because of certain information that may be involved, as well as, again, um, reporting requirements, um, based on your legal or financial status. That is, um, if, you know you have certain financial requirements as a financial institution or the publicly traded company, again, all of these reporting requirements may come into play, um, and may result, um, in, you know, a significant amount of work to notify individuals, media, credit bureaus, regulators at the state, federal internet, international level, um, and then dealing with questions from all of those constituencies, um, dealing with press once this gets picked up. Um, and so, um, all of all of those are, again, incredibly resource intensive efforts and not something that, uh, an entity typically has a lot of experience with. So they need help, um, their compliance and legal teams are gonna need help. Um, and what that looks like varies, you know, could include credit monitoring vendors and notification vendors and communication specialists. Um, and all of that may be a part of the appropriate response for any particular entity.
Speaker 2:You mentioned, and I wanted to ask you this earlier, and then I, I slipped my mind that cyber liability insurance carriers, when is it appropriate for an organization or when would you recommend that an organization reaches out to their cyber liability in insurance carrier when they're experiencing an an incident, whether it's a ransomware attack or some other, um, cyber incident?
Speaker 3:Great question. Um, arguably as soon as possible, um, if the entity does plan to, um, take advantage of its cyber insurance, um, they do wanna put their cyber insurer on notice as quickly as possible. Um, I don't act as, as, uh, coverage council, so I can't, um, I can't opine, um, on specific provisions of any, um, uh, insurance policies, but I do know<laugh>, given my experience that the, the insurance company really needs to know about those claims as soon as possible. But the other purpose of of alerting the cyber insurance company as soon as possible is they have so many resources to help their insureds, um, respond appropriately to these incidents. So many of the cyber insurers that we work with, um, as a law firm, um, you know, have a, a really fantastic mechanism to help, um, their insureds understand how to respond and the next steps that need to happen, as well as making sure they get good help. So, um, you know, if the, if the cyber insurer is involved, they're going to help, um, you know, identify the right legal team if you're, if, if the client's interested in outside counsel, the right forensics team to work on any particular types of incidents, the right notification vendors, you know, really, um, uh, acting as a point person to help the entity respond to a security incident. So not only is it important for, of course, coverage under your insurance policy and making sure you're working with the right vendors for coverage purposes, because obviously you need to make sure that happens in order to get those claims covered. Um, but also, um, in many cases it, it's extremely helpful for entities who don't have experience responding to these types of incidents to have that, um, that extra help from their cyber insurer to make sure that they're doing things in the right way and, and on the right timeline. So the sooner the better, um, from all of those considerations, um, to make sure that you have the right coverage, um, in terms of claims, but also to make sure that you have the right help, um, both from your insurer themselves, as well as from the vendors they work with on a regular basis.
Speaker 2:And I guess it's not just the cyber liability and insurance care, if there's other third parties that you might want to engage with as well. I, I think you mentioned, um, law enforcement and in particular the F B I and information sharing organizations, and why might a organization want to do that?
Speaker 3:Right? No, no, great point. It, it sort of goes back to our previous conversation about making sure that, um, you know, the right folks are engaged at the right time, both internally and externally. So again, you know, the cyber insurance team is going to help the, um, entity that's experiencing the incident, um, ensure that they have the right, for example, outside counsel, engage as students possible so that outside council can then help engage vendors for purposes of attorney client privilege. Um, and so all of that sort of worked hand in hand in terms of, you know, making sure that the right team internally is identified, as we talked about at the beginning of our conversation, as well as the right external team such that we can get the benefit of, you know, great service providers, but also, uh, cover our bases, like with regard to attorney-client privilege mm-hmm.
Speaker 2:<affirmative>, so an organization has, has, uh, followed your steps to this point. They've, you know, been able to contain the incident, they've notified the appropriate, uh, individuals. They've, uh, secured a forensic, uh, investigation, uh, team to assist them. They've, uh, gone through the notification process itself, um, but they're probably not done yet. Um, you know, one of the things, particularly if an organization has a breach involving 500 records or more, is that they're gonna, uh, have some level of regulatory investigation. Can you talk about what that might look like for an organization and, and what they may be required to do in response to that?
Speaker 3:Right, right. Um, and so, um, great, great question, Don, because again, this is sort of a continuum of, um, all the different responsibilities and we've talked about, you know, immediate response and, um, what that looks like. And then we've talked about, you know, really determining your legal obligations and undertaking the right reporting and notifications and what that looks like. And then, um, obviously what would result would be, again, regulator investigations and potential litigation. Um, and with regard to regulator investigations, um, to your point, um, at least at hhs, um, any report involving 500 or more individuals will result in an investigation. Um, and so, uh, part of the conversation as you're doing that reporting to regulators is, well, what, what may happen, um, once we report to regulators, um, will we have a state ag investigation in addition to this HHS investigation, maybe depending on the states you're reporting in. And so, um, you know, it's really important to have those conversations about what a resulting investigation might look like. Obviously we have a lot of resources on that based on our experiences, but those can be quite extensive, quite intensive, um, resource driven investigations that could potentially go on for months and years. So, um, ensuring that the entity has good help in that respect too, is also very important because these investigations are not to be taken lightly. Many of them do result in, um, both, uh, state and federal, potentially international penalties of some sort settlements or fines. And so, um, again, this is an area for real, uh, potential exposure, uh, from a liability perspective for the entity. They, they definitely, I would not suggest going this alone, getting good again, council help, um, uh, is really important to respond to these types of investigative inquiries from regulators, um, at both the state and federal level, potentially at the international level. Um, and again, those, those run soup to nuts from, you know, details about the breach itself to, um, audits of security controls in place, administrative, physical and technical controls, um, asking for production of documents of all different tapes. Um, many of these, uh, an initial response to, for example, HHS could be, um, hundreds if not thousands of pages long. So, um, these are really, really important conversations when you're having them with the regulator and could result in significant liability. So again, it's really important to understand what those look like, what questions you'll be asked, what documents you should produce, um, and making sure that you do that in a, in an effective way.
Speaker 2:Certainly historically, one of the areas where, uh, Clearwater has, has been engaged in, uh, and typically this council recommending our assistance in, in responding to those types of regulatory investigations, is producing things like risk analysis and, and other, uh, artifacts that the, that the regulators seek. So very, uh, very familiar with, with, uh, that process and what that often looks like for an organization. So we're coming up to, to time Eliana, and, and, uh, you know me, when I get started talking to you, I always gotta be careful cuz I could go on four days. But I did wanna ask you one more question and, and, and that is this what I think is kind of an emerging legal theory, and that's around personal liability, certainly at the C level or maybe at the, the board level, which at least we're, I'm starting to see, I think you're starting to see as well. And, and how might that evolve and what are the implications, uh, for that do you think going forward?
Speaker 3:Yeah, I think that's a, I think that's a great question. Um, I, you know, I, I'd love your thoughts on that. I'm gonna back to you for a while,<laugh>. Yeah, well, you
Speaker 2:Know, I, yeah, I think what, you know, what we're seeing is sort of like when we went down the road with Graham Le Bly and some of these other things, certainly in the publicly traded organizations, the responsibilities of the board and, and what does that mean from a cybersecurity perspective? And, and, and I think from a leadership perspective, and I think there's a recognition, and certainly this is not always the case. I don't know whether it's even mostly the case, but where, where there's an, there's an intentional decision by leadership to, let's say, underinvest given the level of risk involved in cybersecurity controls. And, and so it's understandable, um, understand, I think it's understandable why there, why there might be an exploration of potential personal liability a at that point. Now, you know, you run into all of the typical hurdles if you're gonna try to make that legal argument. But, but I think there's, there may be, there seems to be a more and more of an acceptance of that being a potential approach that, that
Speaker 3:Yeah, yeah. No, I, I think you're right. I mean, I, I, I totally agree with you and I I think that was really well put. Um, I think the case law on this from my perspective is, is really varied at this point. Um, but I think at the end of the day, you're right, um, the, you know, leadership cannot put their heads in the sand and expect to not, um, not be held liable if that, if that's the approach that they take. So at the end of the day, um, all the case laws is somewhat varied. I think you're absolutely right that this is something that has to stay on the radar of executives at, at both the C-suite and the board levels, and, um, you know, will hope for additional good guidance on, on how this might move forward, both with, um, shareholder and derivative derivative lawsuits as well.
Speaker 2:Uh, my father who practiced law for, uh, gosh, I don't know, 50 years used to always speak about sort of the, the facts driving certain legal, emerging legal precedents, and you get bad facts, situations can often, uh, you know, drive these things. And I think that, you know, what, what's emerging in, particularly in these cases of ransomware is that, um, not only is to your point, is that, you know, preventing the, or impeding the, um, ability for an organization to provide appropriate care, but that it may be having much more of a negative impact on the provision of care and patient outcomes than, than we originally hoped. And, and I think there's certainly some anecdotal evidence to support that as well as, you know, some pending litigation and, and, um, and I think some emerging surveys and others that have suggested that, um, that there's probably, uh, let's call them potential plaintiffs out there whose care has been negatively impacted as a result of a, a cyber incident, and, and that the malicious cyber actors themselves are probably directly responsible. However, um, you know, they, their success may have been assisted by an underinvestment and, and appropriate attention to, uh, cybersecurity by the, the leadership or, or board. I think, uh, you know, is the, I think how the theory would go.
Speaker 3:Right, right. I agree. I think, I think this is definitely something that is on the radar, um, of a lot of different, um, you know, plaintiff's attorneys, plaintiffs of all different types, including shareholders and others, um, and, and those who are potentially affected by cyber incidents, particularly in the healthcare industry, which we're seeing more direct evidence of. So I think this, to your point, will be a, a really interesting area to continue to watch. And obviously, um, you know, Bob should put it, Clearwater and I have had thoughts on this too and in other articles with the hla. Um, so, uh, so definitely something that we're watching and, and we'll continue to watch as well.
Speaker 2:Yep. So, uh, thank you very much, Juliana. It's, you know, it's as always, it's been a tremendous pleasure to have the opportunity to talk with you and, and talk to you about such an important subject. I think that, uh, you know, instead of ending on the, on the potential horror that that could result from all of this, I, I think we go back to what you recommended in the beginning, which is making sure that you're prepared as an organization for an event like this occurring. And, and to the extent that you've done that preparation in advance, certainly you have the opportunity to reduce the risk and potential impact to you and your organization, and perhaps more importantly, your, your patients. And so I think that's the, the, the real takeaway, uh, or not the only takeaway, one of the important takeaways of, of our discussion. And I, I think you'd probably agree with that.
Speaker 3:Absolutely, absolutely. Preparation is key. Um, and to be really successful in terms of responding to these, these types of issues, um, I think preparation is crucial.
Speaker 2:Yeah. Any last thoughts you'd like to share?
Speaker 3:No, I think, I think, um, again, thanks so much for the conversation. Always good to talk to you. Um, and I hope people really find this helpful and take this to heart in terms of, um, you know, their, the work that they do and, and, um, important services that they provide to everyone.
Speaker 2:I agree. And so thank you and, and thank you to the, to the listeners that, um, you know, come here to listen to these speaking of health law podcasts, we enjoy, and, you know, having the opportunity to present information like this to you and, and hope that, uh, you find it valuable and, and if so, we'll continue to do this. So thank you very much. And, and this is, my name is John Moore and, uh, uh, was happy to, to be here today with Eliana and share this with you.
Speaker 1:Thank you for listening. If you enjoy this episode, be sure to subscribe to a H L A speaking of health law wherever you get your podcasts. To learn more about a H L A and the educational resources available to the health law community, visit American health law.org.