AHLA's Speaking of Health Law

SEC Proposed Cybersecurity Rule Changes: Why All Health Care Organizations Must Care

March 28, 2023 AHLA Podcasts

The SEC’s March 2022 proposed rules related to cybersecurity risk management, corporate governance, and incident disclosure by public companies may be finalized soon. Many health care organizations, especially nonprofits and private equity-backed health IT companies, may think these rules apply only to public companies and not to them. Bob Chaput, Founder and Executive Chairman, Clearwater, and Rachel V. Rose, Principal, Rachel V. Rose—Attorney at Law PLLC, discuss the new requirements and outline why all organizations in the health care ecosystem should pay attention to and meet the spirit and intent of these disclosure requirements. Bob and Rachel recently authored an article on this issue for AHLA’s Health Law Weekly. Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Their solutions include their proprietary software-as-a-service-based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support from their deep team of information security experts. For more information, visit clearwatercompliance.com.

Speaker 2:

Well, good afternoon, uh, Rachel, it's great to be speaking with you again. Our last outing was some time ago. I remember, uh, talking about HIPAA, Texas style, 10 years ago when the, uh, Texas House Bill 300 was passed. A few things have changed since then. Uh, really excited today to, uh, be with you talking about the recent, uh, AHLA, uh, article that we published entitled "Why All Healthcare Organizations Must Care About SEC Proposed Cybersecurity Rule Changes."

Speaker 3:

Bob, I completely agree, and it's great to be back collaborating with you on an equally timely topic, just with a slightly different government agency this time: the SEC, instead of us vetting out the various state laws, as you articulated earlier, in relation to HIPAA. But I think the audience will see from our collective experiences that there are some similarities to the trends we saw with HIPAA's evolution in the past and potentially the applications to the SEC as well as healthcare organizations, both publicly traded and private.

Speaker 2:

So agree. So, Rachel, would you mind beginning, uh, if you would just share a little about your background and, and the current work for those who may not know you?

Speaker 3:

Sure. I'm an attorney in Houston, Texas, and I've had my own law firm for over a decade. My practice primarily focuses on healthcare, cybersecurity, securities law, Dodd-Frank, and False Claims Act matters from a variety of different standpoints, including transactional, compliance, litigation, and representing individuals in certain matters such as ransomware attacks in front of government agencies. I was also fortunate to represent the whistleblower, along with my co-counsel, who brought the first cybersecurity fraud case that was settled under the DOJ's Cyber Security Initiative. Along those same lines, I have taught bioethics at Baylor College of Medicine for, this is my 10th year now, and I'm extensively published. I'm often consulted as an expert, and I have served as a testifying expert and a consultative expert in matters related to a variety of different items in both securities laws and healthcare. Aside from that, I am very involved with the Federal Bar Association. I'm on their national board, and I'm the recent chair of the government relations committee, and I enjoy travel, and that about sums me up.

Speaker 2:

Oh, that's great. Well, listen, as I mentioned, we've, uh, it's great to be working, uh, together again. Quickly, my background includes work in compliance and privacy, security, and risk management as an educator, uh, an executive, and an entrepreneur. And while I certainly am not an attorney, don't have your legal background, and we've not been involved in the same cases, I've had the opportunity to serve as an expert witness in some cases involving HIPAA compliance and cyber risk management as well. Um, importantly for me, I've had the great fortune to work with great teams serving, uh, terrific customers over a career spanning 40 years. That's right, I'm an old guy, uh, companies like GE, J&J, Healthways. After founding Clearwater in 2009 and serving as the CEO, I moved to the board as the executive chairman in 2018. But I continue my work in cybersecurity and compliance through Clearwater, uh, Quinnipiac University, and the Institute of Advanced Network Security (IANS). And my focus has been on cyber coaching, uh, board advisory services in the areas of risk management, uh, board governance and oversight, which brings us to, uh, today's topic. And we published the article I mentioned a moment ago, why all healthcare organizations must care about the proposed SEC, uh, cybersecurity rule changes. And today we'd love to revisit, uh, some of what we wrote. We're not going to, uh, rewrite or, uh, read to you the, the article, but we'll focus on some trends and emerging themes and, and provide some, uh, perspective on the changes. With all the continued bad news involving high-profile tech companies around cyber, uh, one must be very wary of the state of preparedness and the amount of cyber risk management hygiene in healthcare organizations. And we'll come to that. Um, as I, uh, think you've heard me say before and something I wrote in my book, Stop the Cyber Bleeding.
We're in an evolution from, uh, enterprise cyber risk management having been treated, going back pre-HITECH, as a compliance issue, then it emerges as a security issue, a patient safety issue, a medical professional liability issue, and what we'll talk about today, its emergence as a board fiduciary liability issue and ultimately, uh, personal liability. Um, that's sort of my take on that evolution. I, I'm just curious, uh, is, uh, is that a fair characterization of healthcare based on what you've seen, Rachel?

Speaker 3:

Absolutely. Bob, in relation to the intersection of healthcare and cybersecurity, the American Health Law Association actually has published books on enterprise risk management, and I was fortunate to co-edit one of them. And so, to your point, this evolution has been around for quite some time. Another aspect that we've seen really come to the forefront, and this goes to the efforts of the American Hospital Association, as well as Senator Warner's recent white paper that's basically focused on cybersecurity, is patient safety. And in light of a lot of the remote devices that are implanted in individuals as well as ransomware attacks on entire health systems, I would say that your characterization is absolutely accurate, and it's becoming more and more imperative for a mentality shift to occur within organizations. Some organizations are already there and have the framework already laid for enterprise risk management. It's now just reevaluating the term cybersecurity versus cybersecurity risk management, which obviously has greater implications for boards of directors as well as executive teams in relation to their fiduciary duties.

Speaker 2:

Totally agree. Um, in the article that we did, we did an analysis of some key considerations around these SEC proposed changes, the fundamental requirements. We're gonna get into that, uh, why these changes are being proposed, uh, when they'll likely be implemented, what kind of organizations are covered. And that's really an important theme that we wanna drive home here today, is that, um, while some, some may take the view that, oh, this only applies to publicly traded companies, um, I think there's a, uh, a more progressive and enlightened view organizations might take. And then, um, what happens if somebody doesn't comply? So let's get started. Just a couple of the first, uh, items, Rachel, if you could speak to. So, so what, why is the SEC proposing these changes around cyber, and when do you think they might be implemented?

Speaker 3:

I think that's a great question. And while I don't have my Magic 8-Ball [laugh], I would say that in terms of why these changes are being proposed, that's a more concrete answer. If we look back to May of 2021 with the executive order that was issued in light of the Colonial Pipeline breach, as well as the SolarWinds breach, which really affected not only a variety of government agencies and branches, but also some of our critical infrastructure, coupled with what we're seeing, again, cybersecurity is patient safety, in relation to children's hospitals being attacked. For example, I believe the Children's Hospital in Boston was attacked, and also related to the guidance that the FDA, the Food and Drug Administration, is releasing in terms of medical devices and some of the cyber risks surrounding that. So why are these changes being proposed now? I would fundamentally state that it's due to the macro environment, and I just laid the groundwork for that, related to cybersecurity risk management and a shift globally. It's not only in the United States, but in Europe as well, to this idea of cybersecurity risk management. Now, in terms of when these proposed changes could be implemented, as we both know, the final rule has not been released yet, but the chatter that both of us have heard is that we should look for those sometime in April of 2023. But as HIPAA gives us a blueprint, so to speak, sometimes even though a final rule is released, there could be a lag time between the date of the final rule being published in the Federal Register and the effective date. And one of those instances is the HIPAA Security Rule, which I know you're very intimately familiar with. And then if we spring ahead to that final Omnibus Rule that was published in the Federal Register on January 25th, 2013, there was a lag time there, albeit shorter than the lag time with the Security Rule.
So the exact date of publication is likely April of 2023, but the effective date, I think that is more of an unknown.

Speaker 2:

So it's, um, one of the things that I know you and I have chatted about before is the fact that the SEC has a responsibility to shareholders, to investors. Um, there's been a recent case, the, uh, Blackbaud case for example, where they ended up paying a $3 million penalty to settle charges for making misleading disclosures, on timely and accurate disclosures. So can you speak a little bit to the, the SEC's interest slash angle on this accurate and timely reporting to investors?

Speaker 3:

Sure, absolutely, Bob. If we look at Regulation S-K, which outlines how registrants need to disclose material events, that's one of the areas that these proposed SEC rules are honing in on. And basically, for those entities who already have an obligation to submit to the market any material event, what we're looking at now is a specific area, that being cybersecurity. Now, for those who recall, around the period of 2014, we had a, a vast number of breaches across a lot of different sectors: the Target breach, the Neiman Marcus breach, and then we had Community Health Systems. And I always hearken back to their disclosure, which was made in, I believe, August of 2014, because even as the SEC is giving more teeth to cyber disclosures, this is nothing new. And one aspect that I wanna hone in on related to that is the SEC in its past publications indicated that while a disclosure is necessary, the entity should not disclose everything. You just need to disclose enough information that, a, gives a reasonable investor enough material to make an informed decision. And secondly, along those same lines with what's being disclosed, is you need to protect your own internal infrastructure. So reporting a breach in certain items like CHS did in 2014, they were succinct, but there was enough information that, due to patches not being updated in time, an external state actor had infiltrated their system. They didn't need to give a diagram, they didn't need to go into the types of software that they were utilizing. And that was a good balance, from my perspective, from the legal side, as to a timely disclosure as well as enough information for a person to make an informed decision.

Speaker 2:

That, um, the content, the timeliness of reporting, we're gonna pivot to, uh, in a moment. I wanna put just a, a placeholder on something, which is a theme of our article and we're gonna come back to, and that is in terms of who is covered. Right. Uh, we'll, I'll, my placeholder at this point is simply to say, don't fall into the trap of thinking that just US-based publicly traded companies are required to comply with the Securities Act of 1993 or the Securities Exchange Act of 1934, and, uh, and, and their related, uh, uh, regulations that have been promulgated. We're gonna come back to that theme about who, but because you touched on the matter of the, the content, the timeliness of reporting, let's go to the four specific items that are in the proposed changes, and we covered in the article. Can you, can you run through those quickly?

Speaker 3:

Absolutely, Bob. There's the reporting of cybersecurity incidents on Form 8-K, and since you touched upon the Blackbaud case, that is a great example, as was the CHS case, of that duty already existing, where public companies must provide their investors with accurate and timely information. And although Blackbaud is not a healthcare company, they did pay $3 million to settle charges for making misleading disclosures about a 2020 ransomware attack. And specifically because they omitted this key information about the scope of the attack, misleadingly characterizing the risk of an attacker obtaining such information as a hypothetical, how that translates to potential SEC liability or a class action liability from a securities law standpoint, you'd look at the 10b-5 regulations as well as Rule 17(a) for omissions and co. So I think all of that comes into play there. The second point is disclosure about cybersecurity incidents in periodic reports, and disclosure of registrants' risk management, strategy, and governance regarding cybersecurity risks. To your point, Bob, this is considerable not only for publicly traded companies inside the United States, but also those that are external, as well as in our healthcare sector, a lot of hospitals, as we know, are not-for-profits. And lastly, disclosures regarding the board of directors' cybersecurity expertise.

Speaker 2:

So the, uh, that first item, uh, for lack of a better way of saying it, has a lot of hair on it. People, uh, there's a lot of controversy because of the timing. Standard 8-K filings are, are due within four days. Um, what, what are your, what are your thoughts about that? Can you speak to that?

Speaker 3:

Absolutely. And I think this is where having our background with HIPAA is very helpful, and I think it's imperative to first reach out to the SEC and say, we have this incident, just as we would reach out under the HIPAA Breach Notification Rule to the government organization. And I think I'm intertwining two things here. First, if you have an obligation under a particular other law such as HIPAA, as we know in the Breach Notification Rule, there are instances which allow a person to not disclose the breach right away. And the reason is that HHS as well as other government agencies such as the FBI might say, hold on, we wanna investigate this and we don't want to tip off people publicly yet. So that's a very different conversation in terms of when you would disclose to the market within four days. But I would absolutely recommend some interagency coordination so that on the back end, you as an organization don't get dinged by the SEC, or you have something that, in the event of a potential class action lawsuit, you can say, hey, sure, we didn't report this to the market within four days, but there's a reason, here is the valid reason. And always have that in writing and not a phone call, in terms of four days. The other part I wanted to hone in on is, as we've seen with other organizations, and Tenet is a great example of this with their more recent breach, you have an initial statement, and you may want to deem it, and this is where it's imperative to work with seasoned counsel in this area, a potentially significant cybersecurity incident.
And that way you've alerted the market, not the Blackbaud type of situation where that was more fraudulent in terms of, quote, a hypothetical, it's not a hypothetical if you have a certain type of attack, but in order to meet your obligations with the SEC, you may wanna have a truncated version of a potential cybersecurity incident and then work with the regulator and your other government agencies to make sure that you have your set statement ready when it's ready. And then you would have to keep building on that and file additional 8-Ks.

Speaker 2:

The, um, compared, the, uh, the four-day requirement compared to HIPAA. Uh, HIPAA is a, a, uh, walk in the park [laugh], you must re-, uh, report, uh, various entities without undue delay, but in no case greater than 60 days. Right? But we have, um, to your point about there, there needs to be some, uh, deconfliction and rationalization, uh, because there are major disclosure rules. Uh, New York Department of Financial Services, 72 hours. Uh, if you operate internationally, especially, uh, in the EU, in Europe, uh, GDPR, 72 hours. Proposed changes coming by way of the Cyber Incident Reporting for Critical Infrastructure Act, CIRCIA, 72 hours. Um, and by the way, within that, ransom payments, 24 hours. Uh, for those in the defense industrial base, uh, uh, DFARS and the CMMC validation process, within that world, there's 72 hours. And then I just read one, uh, the other day, the National Credit Union Administration, NCUA, 72 hours. So the, uh, the SEC, it looks like the SEC playing hardball was 48 hours. But I think what we're seeing is an emergence of regulations that, uh, uh, really tight, are tightening up this reporting requirement all the way around.

Speaker 3:

I would say yes, but within four days, again, your disclosure needs to be appropriate for the amount of information that you know at that time. So I think that's something that you should work with, an entity should work with counsel on. Obviously a ransomware attack is a material cybersecurity incident. No one's going to deny that. And so the matter of disclosing that, unless of course government agencies say, no, don't disclose that right now publicly, that's very different than disclosing it to the SEC. And I think that will be interesting to see how that part of the process plays out as well. But since you mentioned the international component, as we mentioned before, we do have this Regulation S-K, but then we also have Item 16[inaudible] small D of Form 20-F, and 20-F is what's required by international entities that trade on our markets, including the OTC market. And not only is there a requirement change to Form 20-F, which is analogous to the Form 10-K for US companies, but it also amends Form 6-K to add cybersecurity incidents as a reporting topic. And for those of you who are unfamiliar, a Form 6-K is more analogous to a Form 8-K.

Speaker 2:

I want to, um, just speak a little bit to the third item that you mentioned, the disclosure of registrants' risk management, strategy, and governance regarding cyber risk. And what, what I'm seeing out there, and would love your comment on, on this, um, even the most sophisticated organizations with the most progressive cybersecurity plans do not necessarily have good, robust enterprise cyber risk management. And I'm differentiating, as we've discussed before, differentiating risk management from cybersecurity here for a moment. Because risk management falls right into the set of three sweet-spot responsibilities of the board, right? So, um, what I'm seeing is that there are a lot of organizations that are gonna play catch-up, because what, what I see out there is immature, it's ad hoc, in some cases it's even seat of the pants. There's a huge need for organizations to align their cyber risk management strategies with their business strategies. And the most enlightened organizations, not, not to be completely down on this, the most enlightened organizations have pivoted from playing cybersecurity cost-center defense to looking at cyber risk management as a growth driver, a value driver, and a business enabler. Um, what are your thoughts? What do you see out there?

Speaker 3:

Well, I would, I'm seeing quite a few things, and I think you are too. So I would love your perspective as well. I would say that overall, when I do the HIPAA risk analyses, and I know Clearwater does a great job of this too, I'm still just honest-to-goodness amazed at the policies and procedures that are not comprehensive at times, not with my clients that I've had for a long time. But oftentimes when I go into a situation where I get called about a, a breach, or if a new client emerges, and I had a call from what I would consider a sophisticated entity, and they didn't even have a business associate agreement in place with their vendors. And so going to that cybersecurity risk management, there are certain items that I don't understand how organizations have turned a blind eye to for so long, and why people in positions of a certain level haven't been more involved in saying, hey, do we at least have the basics met here in order to mitigate, mitigate our risk? Because as we know, Bob, and I think this is a huge component of it, insurance companies are looking more closely at compliance, as are a lot of financial institutions when they're evaluating what their risk is in terms of lines of credit or loans. And this can impact an organization's finances and overall enterprise risk management, because if your risk is too high, insurance companies may not insure you, which we all know is a macro issue, or your premiums could be a lot greater than what you expected. So how is that going to affect other areas of your budget and your strategic plan? I think another item that we can't overlook is the regulations that emerged out of Sarbanes-Oxley, which we addressed in our article, which among other things required that a financial expert serve on the public board committees for audits. So from your perspective, what are you, you seeing, and what are your concerns?

Speaker 2:

Yeah, the, um, uh, as it relates to co-, uh, comparison of Sarbanes-Oxley to these proposed changes, um, I, I've seen a lot of, uh, misinformation about it. And, and the fundamental difference is that SOX explicitly required that a financial expert serve on public board audit committees. And that is not the same. What is required here is that an organization disclose whether or not someone on the board has cybersecurity expertise. So it's a disclosure requirement, rather than a member, a member of the, uh, audit committee must have that, um, financial expertise. Um, at the same time, at the same time, um, I think what is going to be challenging for organizations is to recognize and disclose in the MD&A section of a 10-K or a 10-Q that they have certain specific cyber risk. I know there's been a lot of fuzziness around the disclosures, but how are they going to disclose cybersecurity risk on the one hand and then later on in the disclosures say, and yep, at the same time, we don't have anyone with cybersecurity expertise. That's gonna be a, a dilemma. I think all of this is going to drive organizations towards solving that issue. And I was at a, uh, a National Association of Corporate Directors event recently, and a lot of people were saying, well, what, what exactly is cybersecurity expertise? How do we select someone, uh, to add to our board? And well, my opinion is you don't want a one-trick pony. You don't want someone, you do want that expertise, but at the same time, it's really hard to tie up a board seat with someone who has one, uh, area of expertise. So what criteria would I put forth? First and foremost, business experience, especially C-suite, somebody with board experience, preferably someone who has the NACD Directorship Certification, uh, broad business experience, entrepreneur, executive, preferably CEO experience.
And then if it gets down to, you wanna look in their background to see what sort of technology or security experience, look for titles like CIO, CISO, Chief Technology Officer. And then it gets to, all right, well, what are the right certifications? I would say three. Um, one is offered by ISACA, it's the so-called CRISC, Certified in Risk and Information Systems Control. The other one is offered by an organization called (ISC)². I know there's a lot of alphabet soup here. Uh, this one is CISSP, it's a Certified Information Systems Security Professional. And then last but not least, in the certification world, NACD does offer, um, a certificate in cyber risk oversight. So I think those are interesting. Um, but at the end of the day, um, you, you really want someone who can participate broadly at the board table in those areas of, uh, talent management, especially CEO hiring, firing, in the area of strategy formulation, and last but not least, in the area of risk management.

Speaker 3:

Well, it sounds as though, Bob, between you and me, we fit the bill [laugh] for what's going to be required. And to your point, we both have different backgrounds with some overlap, but we've both written books, we've both served as experts, we have a broad base of experience. We're both entrepreneurs, just in different ways, and we both are educators and hold a variety of different degrees. So I think that if you want a template, you can look at either of our backgrounds [laugh].

Speaker 2:

Well, well, I don't know how to react to that. It's very kind and, uh, very self-promoting [laugh] for us. Um, hey, let's turn to enforcement, 'cause I really wanna dive into the theme of why all organizations, but around the enforcement area. I mentioned the Blackbaud case, sorry about that, uh, which, uh, to date has nothing directly to do with the proposed changes. And we know that within the SEC, there's the Division of Enforcement, and we know they have whistleblower programs, and, uh, they are out there, you know, investigating, detecting and investigating a wide range of violations of securities rules. What bad thing happens if organizations fail to comply with these proposed changes? What are your thoughts on that?

Speaker 3:

I see three areas of potential issues arising. I would say first, one of the biggest threats to organizations, large or small, particularly large, are class actions. And because of securities class actions being typically high-dollar types of cases, you have firms who either have financial backing or get financial backing. And so factoring a potential class action lawsuit into an enterprise risk management program is absolutely critical. That's one bad thing that can happen, because not only the lawsuit and the impact on reputation, but also the cost associated with it. Secondly, you mentioned the whistleblower programs, and Dodd-Frank is a great program, and they strive to protect whistleblowers in every way possible. And there is a rule that came out of Dodd-Frank, and it's Rule 21F-17(a), which actually the SEC has been enforcing more and more lately. And specifically they're looking at our organizations, whether it's in the initial documents you sign, in the confidentiality documents, or in a severance or separation agreement, are you precluding someone from bringing fraud to the attention of the SEC or other government regulatory agencies, because that is an area that they are coming down hard on. And then lastly, related to that type of whistleblower, that's a type of case, because I do the whistleblower side for cybersecurity, that I would bring under 10[inaudible]-5 or a 17(a) in terms of material co-, commission or omission. So I think that if someone's off by a day in reporting, that's a, I mean, a judgment call. I don't think that's a strong case at all, but I would look to more of the language. Do they have that tiered approach that we talked about earlier about, okay, we know there's a material event, but we don't have all the facts yet. So you wanna be judicious with what you're putting out to the market, not only in your SEC filings, but on your website too, because the securities laws cover that as well.

Speaker 2:

That's, uh, a great set of, uh, concerns, and, uh, if I may add, obviously the, uh, fines and penalties that, uh, may come out of, uh, any sort of settlement agreement. I, I'd like to fast-forward the tape, so to speak, and go to the essence of our article and, uh, ask you to talk about some of the top reasons why private companies should care about these proposed SEC disclosure changes.

Speaker 3:

I, I agree with you. I think this is imperative. And if we look back historically, again at Sarbanes-Oxley, initially the SOX rules and regulations were only adopted by publicly traded companies. But because of all the accounting implications under GAAP, the generally accepted accounting principles, and FASB, which relate to healthcare in general, a lot of our not-for-profit hospitals and private for-profit hospitals also adopted the requirements of Sarbanes-Oxley. And there are several advantages to, to doing this, Bob. First and foremost, as we know, oftentimes a not-for-profit or a private entity can be acquired by a publicly traded entity or, in today's environment, a private equity firm that's registered with the SEC. And I think that's another side portion there. What is the private equity firm's duty to report to the SEC in terms of breaches, especially when they're a major holder or have a more active role in a portfolio company? I think that's going to be an area that we'll see evolve over time as well. So while the US Securities and Exchange Commission typically has jurisdiction over publicly traded companies, we do have firms, we have pensions, right, that have to register with the SEC. We even have Reg D private offerings that register, not being held to the same requirements, but they are registered with the SEC. So can that come into play potentially? And that's what I would look at. So under what circumstances do private companies have to comply? (a) If you're looking at, uh, a potential acquisition; (b) maybe you're a subsidiary company that's private, or there's a joint venture of a private company with a publicly traded company. I think there are a lot of different combinations there, but what are your thoughts, uh, Bob, especially on the mentality of certain executives saying, like, oh, we don't have to deal with the SEC.

Speaker 2:

Yeah, well, I think you nailed most of the, uh, most of the answers, but I would add to it, um, you know, forget about acquisitions, forget about, uh, IPOs, forget about exit strategies. Um, how about taking care of current stakeholders, um, including, uh, not only your investors, but your employees, uh, your bankers, your insurance companies, your vendors, et cetera. Um, I would also, you touched on this earlier, the, um, the three top credit ratings, uh, agencies in the US, Moody's, Fitch, Standard & Poor's, are all including, uh, cyber risk management as a consideration when they apply a certain credit rating. So the cost of capital is at play here as well. And I would add, um, this matter, uh, it's a little squishier, quite frankly, but I would add this matter of managing talent risk in the new world. I mean, who wants to go to work for a company that just has a tarnished reputation as it relates to taking care of business and having their ducks in a row when it comes to cyber risk management? So that's what I would add at, at this point. Um, I, I would go on to, um, just as we kind of wrap up, those are, those are critical considerations, and hence the theme of the article, why all healthcare organizations should pay attention, um, to this. So now we get to, so, so now what, what do, what do we do today? Um, well, first of all, I would say don't go on holiday [laugh] waiting for all this to happen. There's a lot that, that organizations can do. Uh, one, for example, is be prepared to disclose a breach or an incident, in fact, I think the phrase is a material cybersecurity incident, before you understand the full scope. I mean, that's gonna be tricky and challenging, and you referred to it earlier, uh, Rachel, as well. Um, keep your, uh, investor relations and PR department in the loop on everything that's happening in this regard. Uh, obviously seek help, legal help, from inside general counsel, competent outside counsel.
If you don't already have a disclosure committee, I would be working to stand up a disclosure committee generally, but certainly one whose agenda includes the matter of dealing with these material cybersecurity incidents as they come in. Um, there are some other thoughts we could go into here, and I'll pause and, and see what your thoughts are, Rachel.

Speaker 3:

Bob, I concur with everything that you have said. I would also emphasize to all of our listeners that our article, "Why All Healthcare Organizations Must Care About the SEC Proposed Cybersecurity Rule Changes," really gives a nice breadth of considerations for the individual entities that goes into some different areas than what we discussed here today. I also believe that regardless of the size of an organization, there are ways that entities can take a form of enterprise risk management. And a great place to start is: what is the ingress and egress of my data, whether it's protected health information, sensitive personally identifiable information, and a burgeoning area that I would say we're just now beginning to see affect every single entity, regardless of their status as a public, not-for-profit, private, or government entity, is the illicit use of data, which is what the Federal Trade Commission has been honing in on with its recent enforcement actions against Flo, for example, and GoodRx, two that come to mind.

Speaker 2:

Sure. Well, I would say we'll wrap it at this point. Terrific advice that you've provided; I really appreciate the chance to collaborate again. I would leave our listeners with a couple of thoughts. The first is to remember that boards have three major concerns. They're worried about talent management, specifically hiring and firing the CEO. They're worried about strategy, and they're worried about risk management. This is a great opportunity to add cyber risk management into what should already be in the purview of the board. So, for CISOs and CIOs out there where the responsibility has, in my opinion, inappropriately been relegated: stop throwing around the technobabble, stop talking about the latest shiny new gadgets and tools and controls, and start focusing on and talking about business risk management in the cyber area. Especially, hook it into the matter of growing the business and enabling the business and driving value for the business. And with that, I'll wrap it up. And Rachel, if you have any final thoughts, I'd love to hear them, and we'll call it a day.

Speaker 3:

Bob, your points are well taken, and I think you summed it up perfectly. I have nothing further to add other than to thank AHLA for having us as their guests, as well as to thank our audience for participating today.

Speaker 2:

Thank you all very much.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.