AHLA's Speaking of Health Law

Dissecting Recent Cybersecurity Regulatory Moves at the Federal and State Levels

March 05, 2024 AHLA Podcasts

Health care organizations' cybersecurity practices are under the microscope like never before. Jon Moore, Chief Risk Officer and Head of Consulting Services and Client Success, Clearwater, speaks with Iliana Peters, Shareholder, Polsinelli, about recent state and federal actions regarding the regulation of health care cybersecurity. They discuss why risk analysis is so important yet challenging for health care organizations, New York’s proposed regulations on health care cybersecurity programs, HHS’ concept paper outlining its cybersecurity strategy for the health care sector, and how health care organizations can navigate this complex regulatory environment. Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater. As the healthcare industry's largest pure-play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant, and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and compliance domains; purpose-built software that enables efficient identification and management of cybersecurity and compliance risks; and a tech-enabled 24/7/365 security operations center with managed threat detection and response capabilities. For more information, visit clearwatersecurity.com.

Speaker 2:

Hello and welcome to this episode of the American Health Law Association's podcast, Speaking of Health Law. I'm Jon Moore, Chief Risk Officer and Head of Consulting Services and Client Success at Clearwater, where we advise and support our healthcare clients on how to move their organization to a more secure, compliant, and resilient state. As 2023 came to a close, we saw significant activity at both the state and federal levels with respect to the regulation of cybersecurity programs in healthcare. First we saw the governor of New York propose new regulations requiring hospitals to establish formal cybersecurity programs, among other measures, to limit unauthorized access to their information systems and the confidential information being processed within those systems. Then the US Department of Health and Human Services released a concept paper outlining the department's cybersecurity strategy for the healthcare sector. The paper detailed four pillars for action, including publishing new voluntary healthcare-specific cybersecurity performance goals, working with Congress to develop support and incentives for domestic hospitals to improve cybersecurity, and increasing accountability and coordination within the healthcare sector. The cybersecurity practices of healthcare organizations certainly appear to be under the microscope like never before, at least from a regulatory perspective, and to help dissect what further steps we might see from both federal and state agencies in 2024, I'm pleased to be joined by one of the leading experts on the subject and, personally, one of my favorite people to talk to about these kinds of matters, Iliana Peters.
Iliana is a shareholder with the law firm of Polsinelli, working closely with healthcare clients on complex compliance questions, incident response, investigations, and training to protect data and avoid legal risk and legal liability at both the state and federal levels. Prior to joining Polsinelli, Iliana was with the HHS Office for Civil Rights for over 12 years. In her last role at OCR, as Deputy Director, she developed information privacy and security policies, including on emerging technologies and cyber threats, while coordinating with the Department of Justice, the Department of Education, and other federal agencies, state Attorneys General, and the White House. So it's great to speak with you again, Iliana. It's been a bit, I think, since the last time we had a conversation, but it's always a pleasure.

Speaker 3:

Yeah, likewise. It's always good to talk to you.

Speaker 2:

So, some very interesting developments, as I mentioned previously. Let's start with New York. What's happening in the state of New York? We have the new proposed regulations, and risk analysis is a key part of the requirements proposed. In this case, a very specific requirement for an annual risk analysis is part of those regulations. Obviously, risk analysis has been a key part of the HIPAA Security Rule since the beginning as well, though not as specific in its requirements. It doesn't specifically call for an annual risk analysis; however, oftentimes that's how folks have interpreted it. Yet routinely we see OCR cite insufficient risk analysis in announcing enforcement actions. I think probably every time I've ever spoken to you about this subject, we've mentioned this, and it doesn't seem to be improving, although that's kind of anecdotal evidence. Why do you think risk analysis is so important, first of all, that it's included in all these types of regulations, and what seems to be the problem with healthcare organizations in conducting an appropriate risk analysis?

Speaker 3:

Yeah, we often talk about this question, as you mentioned, and we're also trying to figure out exactly what the issue is, because I think you're right, at least in my experience, and I know that you have similar experience, although we don't necessarily have any audit studies or anything like that from HHS on this particular question. But I think that the issue really is that it's hard. I think it's hard for all different types of entities. Enterprise risk assessment is something that is really considered the cornerstone effort of any robust enterprise security program, whether you're in healthcare or otherwise. I think it's hard for everybody, but I think it's particularly hard for healthcare because this isn't what they do. I know we've talked about this before: when you're talking to a financial institution, for example, they get pretty quickly why they need to know where all their data is and why they need to understand the threats and vulnerabilities to that data, and they need to really plug those holes. That's less easy, I think, for a healthcare institution to understand, because they don't necessarily equate the data with their mission. In other words, they are very concerned about patient health and patient safety, and that's what their focus is. And I think you'll see from those new guidance documents out from HHS that HHS is really trying to flip the conversation to try and convince healthcare providers that data security is patient safety, because so many of these incidents do in fact affect patient safety and can have some really adverse outcomes. But that's not an intuitive sort of conversation.
In other words, the physician is going to want to know why they have to spend so much time and money and staff resources to figure out where all their data is and then to address any deficiencies with regard to safeguards for that data. It's just not something that they have top of mind, whereas they certainly have top of mind the patient that's coming in the door next, or the patient that may be on life support, or the new MRI machine that they want to buy to support the effort that they have for saving lives. So I think that's going to continue to be a really tough conversation, and it continues to be something that I think we're all trying to figure out how to have. And until we do, until we convince these healthcare organizations that they really have to prioritize understanding where all of their data is and where all of their assets are, such that they can protect all of that data against really any types of threats, and those threats are increasing exponentially as we speak, we're going to continue to see deficiencies in risk analysis. And it's really unfortunate, I think, because as you and I both know, that really is the key to getting this data security effort right. You can obviously throw a lot of resources at cybersecurity and technical safeguards and other types of applications and controls that are meant to reduce your risk. But if you don't know where the risks actually are, it's kind of like throwing spaghetti at the wall to see what sticks. So it can in a lot of ways be a very inefficient way to try and address the risk to your data if you don't know, again, where all of your data is.
But I'd love to hear your thoughts too, because again, we're always trying to figure this out, and obviously any thoughts that you have on this I think are always helpful too, because you see it from a different side than I do day to day.

Speaker 2:

Yeah, I think certainly many of the things you said align with our experience. First of all, I know that, despite the fact that, at least from a HIPAA perspective, the guidance on what risk analysis is under the HIPAA Security Rule has been out for over a decade, there's still confusion, I believe, on what exactly risk analysis is. And part of the blame for that, I think, resides with, let's call it, the cybersecurity industry as a whole, because there are a lot of things that are called risk analysis in the cybersecurity world, and they're not the same thing, certainly, as what OCR expects and as what is further described in their guidance. So I think there's still some of that confusion going on. The next thing that we see oftentimes, and the bigger and more complex the organization, the more of an issue this is, is this idea of scope. So to your point, not having a good understanding of what the systems and associated components are within the organization that are used to create, receive, maintain, or transmit ePHI for HIPAA purposes. But to your point, whatever that information is, to the extent that it's necessary for that organization or critical to that organization's achievement of its mission, we don't understand that. And that's interesting in and of itself, I think, because it's difficult for me to understand at this point how pretty much any organization, whether it's healthcare or otherwise, doesn't fully understand how dependent they've become on information systems in order to achieve their mission. And certainly that's the case, and becoming increasingly the case, in healthcare.
So I think certainly from a business executive, board, and leadership perspective, we need to better understand that. We've had good luck working with organizations using the activity of business impact analysis to really help the business folks themselves understand the implications of losing one of their critical systems. If we lose the EHR, how long can we continue to deliver services without it? What's the impact to the organization and our ability to deliver care, and the risk to our patients, if we lose access? And so having those conversations and talking through those scenarios with the folks delivering care, the business people themselves, I think can be helpful to make the need for cybersecurity more real to organizations. The other thing that we see, and I think that you mentioned this as well, is just the cost associated with truly doing this effectively, and particularly that initial hump of doing it the first time. If you do it the first time, make that investment, and then maintain that on an ongoing basis, it's manageable. But I don't think many organizations think about that, even though in the OCR guidance they talk about ongoing risk analysis and at least allude to what that means. Most organizations aren't doing that. It becomes an annual compliance activity, if they're doing it at all. And I don't know that that's particularly effective in achieving the goals and objectives of the risk analysis, or from a cost perspective. But cost is an element, and certainly, depending on the nature of the organization we're talking to in healthcare, some of those folks are more resource-strapped than others.
And they're trying to decide whether they buy some new piece of equipment for their physicians that is going to allow them to deliver better, higher-quality care, or apply that to risk. And I think we've gotten into the habit of defaulting to the former instead of considering the latter. And that comes back to bite organizations eventually, I think. So I don't know whether any of that resonates with you.

Speaker 3:

No, I think you're exactly right. And I really appreciate your excellent point that there really is a disconnect between what the regulators expect in a lot of these circumstances and what a lot of vendors provide to industry members, so all different types of healthcare entities, because of the lack of understanding, I think. And obviously your team has done this so well for so long that I'm sure you consistently scratch your head as we do, but it's just really surprising to me how many times I end up educating the vendor on how to do this correctly. And that continues to surprise me. So I think that's a really good point, because if we can't educate the industry, the cyber industry, on how to do this right, then it just makes me more worried about educating the healthcare sector as well. So I agree that I think there needs to be more education on this. And even if you look at the additional documents that, as you mentioned, came out from HHS about essential goals and enhanced goals related to cybersecurity in the healthcare sector, an asset inventory is considered an enhanced goal, which is interesting to me, rather than an essential goal. And it talks about assets and not necessarily about data. So I think we're still having some disconnects in how we try and educate both the vendors who do this work, and many of them do it very well, but many of them don't, and the healthcare sector. So I just think there is a real need for folks to really sit down and figure out how we can have these conversations in a more productive way.
So again, we get the message across that this is super important for patient safety, but also how to do it right.

Speaker 2:

Yeah, it's interesting you pointed to that example of the inventory; that was the first thing that jumped off the paper at me when I looked at it, because historically, in most cases, the first thing that you're looking to have an organization do is understand what their data and associated resources are, because how can you protect it if you don't know that it exists? So that was certainly an interesting element of the new goals. One of the complaints, and I'm sure you've heard this as well, about the HIPAA Security Rule in particular is that it's not specific enough. That's one of the things that you'll often hear, particularly from folks who just want a checklist, right? An "if I just do these things, I'm okay" sort of approach. In the New York regulations, or proposed regulations, they seem to be moving towards more specific requirements. So they specifically call out MFA, for example. They specifically call out pen testing. They specifically call out vulnerability scans and risk analysis, and give an expected frequency for those types of activities. What's your perspective on either those requirements within the New York regulations, or the often-heard demand for more specific requirements when it comes to cybersecurity?

Speaker 3:

Yeah, I think that's a really great question. I mean, I think the idea is that we obviously want to make this digestible. So as we were just talking about, we want to make sure that folks can access this information in a meaningful way, that they can understand it, that they can implement it. And in that respect, I really don't at all object to more specific requirements, because I do think that we have moved that way anyway. When we're talking to really any regulator, state or federal, at this point, they're asking those questions. So obviously they ask about access controls in that way, but they're also asking specifically about MFA, for example. Because we know there are, at least in some respect, some current best practices that are really a minimum standard at this point for what each piece means. So for example, again, with access controls, we're talking about sophisticated credentials requirements, including MFA. So those are things that we keep hearing over and over again from the regulators at the state and federal level, even though they may not be specifically spelled out in the law or the guidance for that law. And the HIPAA Security Rule is a very good example. So I do think it's helpful to some extent, and I'll qualify this statement obviously in a minute, but I do think it's helpful to some extent to have some really specific requirements that say, okay, if you do these six things, then we're going to consider you to be at least performing at a minimum sort of baseline level for purposes of these very great cybersecurity risks and this very giant risk landscape that we're dealing with.
Now, that said, obviously I don't necessarily think that that is long-term the best approach, because I do think it's incredibly important that we make this space, that we make these requirements, the way the Security Rule does: flexible and scalable. In other words, a checklist may work for a one-doc shop or a small provider practice, or a wellness spa or something like that. A checklist is certainly not going to work for a very large health system or a very large health plan. Those types of efforts are just not sufficient. So if we limit our regulatory requirements to a discrete set of checklist elements, then we obviously miss a huge part of that risk landscape that may apply differently to much more sophisticated organizations. And so everybody's always asking me about encryption, right? You very well know. Everybody's always saying, well, encryption is optional under the Security Rule, under the HIPAA Security Rule. Encryption is obviously not optional. It never has been. It's addressable, which means you implement encryption, or you implement the equivalent of encryption and document why you have a reasonable compensating control for encryption. I think in very short order we are going to be moving to a space where quantum computing could very likely replace encryption as the best standard out there for protecting data. And we're going to have all of these guidance documents and all of these laws that say you must do encryption; what happens when encryption becomes outdated? And it's very difficult for the laws to keep up. So it is much more of a sophisticated analysis,
I do think, and it is harder to, again, have these discussions when we don't have a checklist and we don't have a specific set of very discrete requirements that we are required to implement. But at the same time, we don't have the ability to pivot if we need to, if the next vulnerability is with MFA. So I think it's a really important piece of the conversation certainly, but I do think that there are drawbacks to that approach.

Speaker 2:

Yeah, and I certainly think I would agree with each of the elements you cited. Certainly from a NIST perspective, and NIST not being required but one of the methodologies cited by OCR, there is this notion that I'm going to establish some level of baseline controls and then understand what the remaining level of risk is that I have. And then, to the extent that it exceeds my tolerance level, I'm going to implement additional controls. But to your point, what would be an appropriate baseline for different systems and/or organizations can vary quite a bit. One of the things that I really liked about the HICP standards, or practices, is that they've tried to break it down around appropriately sized organizations and appropriate practices, which is helpful. But if you tried to then translate that into regulation, I think it becomes particularly more complicated. One of the things I'm not sure if you mentioned, but which always comes to mind for me, is that under HIPAA we have this kind of notion of reasonable and appropriate. And unfortunately, one of the other things we don't have much, if anything, of is any sort of case law history of the evolving standard of what reasonable and appropriate is from a controls perspective for different types and sizes of healthcare organizations under HIPAA. If you had that history, and it would be evolving over time, it would be a little easier for someone like yourself who's advising folks, or even us, when talking with organizations about what controls they should have in place. What reasonable and appropriate would really be for them, I think, is oftentimes a bit nebulous.

Speaker 3:

I absolutely agree.

Speaker 2:

One of the other things I thought was interesting under the proposed New York regulations was the two-hour timeline for reporting of material cybersecurity incidents. I think that was interesting to me for two reasons. Two hours is a pretty short timeline, at least from my perspective. But the other thing is that they brought in this notion of materiality for evaluating the impact of the cybersecurity incident. I think we saw that in the SEC regulations, and now we see it here. I know certainly we're seeing more and more organizations inquiring as to how they determine materiality. So I'm interested in your thoughts on the two-hour timeline, but also perhaps on this notion of materiality when it comes to a breach. I think that's a new concept, at least for many organizations in healthcare.

Speaker 3:

Yeah, I've obviously been thinking about these exact issues since these proposed requirements have been pushed out, as well as, as you mentioned, the new requirements from the SEC, for example. I think these deadlines are a bit unrealistic. I don't think there's really any way you can determine true materiality within a two-hour period. And particularly, is that really what we want our incident response folks to be worried about in the first two hours of a cyber attack? I do think it's an important question, and it's absolutely something that should be evaluated at some point and should be reported as necessary to whatever regulators may be involved. But I'm just not sure it's the correct timeline, for that reason. I mean, I just don't know, in the vast majority of cases, what we would say two hours in other than we've had an attack and we're trying to figure out what it is, and whether or not it's material is going to depend on many factors that will be determined over time. And so I really think that that's going to be a very hard standard to meet, arguably. And again, I really wonder if that's the best use of resources in that timeframe, or if that's a burden that really should be placed in a different timeframe. I think too, from a materiality standpoint, this sounds very much like a harm standard. And we've moved away from a harm standard in the vast majority of our breach notification requirements, certainly at the federal level. Sometimes that language still remains at the state level. But HHS, and the Office for Civil Rights within HHS, is taking an approach that every cyber attack is material, that you have to notify everyone in every cyber attack.
So is that the standard? Is that what we mean by material? I don't think so, but that's the approach that the Office for Civil Rights is taking. Now, they do not allow a risk assessment for purposes of a cyber attack involving some kind of threat actor. If there's a criminal involved, they expect you to notify everyone of everything. And again, I don't think that's what the HIPAA Breach Notification Rule provides for, but I don't think that's what we mean by material either. Is it really material for everyone? Is every incident really material all the time? I don't think so, and I think the vast majority of our industries don't think so, but I do think that's where the government is moving. And so I would like to see additional guidance from our state and federal regulators on what exactly they mean by material. I think it's a little bit easier of a calculus to do if you're talking about a publicly traded company, and we have some idea of the valuation issues that may be resulting from a particular type of incident, given what might happen in terms of reputation, litigation risk, regulatory risk, and just plain old business interruption. And so from that perspective, I think that's an easier analysis to do, if that's really what we're talking about in the publicly traded realm, which is what I think we're looking at from an SEC perspective. But with regard to these other regulators at the state and federal level, I don't think it's that clear. And I think it's a much harder question, because I think arguably the burden is much higher at a state and federal level, because what we are seeing from those regulators is an extremely aggressive approach to considering everything material. And I think we need to sort that out.

Speaker 2:

Yeah, I certainly would agree. I mean, if you're thinking about it in the context of SEC regulation, there's plenty of commentary as to what materiality means in that context. But to your point, I think that term is being adopted outside of those financial reporting contexts. And I'm not sure that the folks who are doing that are necessarily adopting the definitions that we have from a financial reporting perspective, or whether they're thinking that it means something else. It's certainly not a hundred percent clear to me, that's for sure. So I wanted to quickly shift directions here and talk a bit about HHS and the recent publications, and the concept paper in particular detailing their cybersecurity strategy, where they talk about healthcare organizations having access to numerous standards. I don't think we disagree there, and many of these standards have been around for some time. What's your perspective on existing cybersecurity standards and their application in healthcare, and healthcare organizations' ability to align with those standards or practices?

Speaker 3:

I think it's a really good question, and I think in my experience, again, a lot of these standards are frankly the lowest common denominator, which in theory should work well. But we're still not seeing even implementation of these arguably very minimum standards. In other words, I think the standards that have been set forth, for example, including from the HHS FACAs, responding to the 405(d) requirements, for example, which was part of the Cybersecurity Act a few years ago, they're absolutely right. I mean, I don't think there's anything wrong with that guidance. I think it's good guidance. I think it absolutely should be implemented. But it arguably doesn't even meet the requirements of the HIPAA Security Rule in many respects. So it may be appropriate, again, for smaller entities, but it may not be appropriate for much larger entities, given what is reasonable for those larger entities. So again, I'm still a bit concerned that there are standards that are floating around, including these new ones that were published yesterday, that are divided in a way that makes what is arguably already required under the law look like a reach, in terms of using statements like enhanced goals. In other words, something that we should reach for. I personally don't think, and I think I heard from you that you agree, but I don't want to put words in your mouth, that knowing where all your assets are isn't an essential goal. It's already required by the law. And yet we have new guidance from HHS that says it's actually a reach goal, an enhanced goal. So I don't necessarily think that the guidance is wrong.
I think most of it is very correct. My concern is really whether or not it's where we need to be. And I do think that, given the overlap or potential overlap with our legal requirements, we need more clarity, again, from particularly HHS and our other state and federal regulators about what is required, and why these guidance documents may sort of hit differently for different entities based on what may or may not be required. And that's, just as we discussed a little bit earlier, still not clear to me. I do think that these documents should in fact indicate the standard we're all trying to meet, no matter what our size and resources are, while the enforcement of such standards may be different depending on the size and type of entity and the resources available to it. In other words, I still think that the best approach is to ensure really robust requirements that are scalable for different types of entities, and the lack of implementation is an enforcement issue.

Speaker 2:

Yeah. I almost sometimes get the feeling, and I hope that this is just me being a bit jaded, that there are certain requirements that exist for organizations, organizations aren't hitting those requirements, and they suggest, well, I just didn't know what to do. So we just keep trying to find different ways to tell them what to do, when not knowing what to do really isn't the problem. There's a different problem, whether that's an enforcement problem, a financial problem, a technical problem, all of the above. I'm not sure that generating more guidance is going to move the needle much. But that said, the concept paper suggested that, with additional authorities and resources, HHS will propose incorporation of these cybersecurity performance goals that we were just discussing into existing regulations and programs that will inform creation of new enforceable cybersecurity standards. So I think there's a couple of questions. One, if they do that, to your point, are we lowering the bar, in some cases anyway, in regard to the requirements, citing specifically the enhanced goals versus the essential goals? And how do you think HHS will verify, or will they even bother to verify, that these standards are implemented?

Speaker 3:

Yeah. I think that's sort of a piece of the picture. Obviously we've had two HHS documents come out fairly recently. We had these new goals come out yesterday, which were a result of the four areas of priority in the concept paper that you talked about at the beginning of our conversation, that came out from HHS a couple weeks ago. And that was really in conjunction with the White House effort to prioritize cybersecurity and cybersecurity efforts in every sector, really. So this is the HHS piece. As you mentioned, one of those four areas of importance emphasized by the concept paper was greater enforcement and accountability by HHS. And that would include additional regulations under the HIPAA Security Rule. So we do already know that HHS is working on changes to the HIPAA Security Rule as a result; that is now on the Secretary's rulemaking calendar at HHS. And so we do know this is obviously a presidential priority. My concern is that OCR arguably has pretty broad enforcement authority already. They have an entire audit authority that they're not using. And what they are enforcing is, they are in fact investigating every single breach affecting 500 or more individuals that comes into the office. That's a lot of cases, but it's also a lot of cases where entities were victims and they are reporting as they're required to do under the law. We know that there are a lot of entities out there that aren't reporting. They don't have good cybersecurity programs, they don't have good HIPAA programs, they don't have good compliance programs, and they're not reporting breaches when they occur. And HHS is not looking into any of those entities.
And so I continue to be concerned that, because OCR is continuing to move forward with this work, and they are offering settlement agreements in many of these cases, if the entities that we're investigating and punishing are the ones who are at least trying to do what's right, what's the incentive of continuing to try to do what's right if we're not even looking at the entities that aren't even trying to do what's right? Because we're never going to move this needle, this cybersecurity needle, if the vendors that provide services aren't doing this right, if the healthcare provider down the street who we share medical records with isn't doing this right, if the hospital or cancer center or whatever that looks like that we share patients with isn't doing this right. So I'm still trying to figure out why HHS thinks there needs to be more enforcement when they arguably aren't using the tools in their tool chest that they already have. They haven't done audits since before I left the agency, which was six years ago. So I think that's the piece that I continue to come back to: we can have these requirements in the law, and we can have these very important guidance documents and goals, and we can have all of this effort to educate entities, but if we don't get the enforcement right, if we don't get the enforcement piece, I think it will continue to actually discourage entities from coming into compliance. And that continues to concern me, but I would love your thoughts on that as well.

Speaker 2:

I mean, certainly if you look at it just from an optics perspective, not all of the enforcement actions are exclusively limited to organizations that have large breaches, but certainly the largest, most visible, multimillion dollar enforcement actions tend to be against organizations that have reported some breach or another. And I think that it's easy for those folks and their peers to make the argument, well, you're punishing the victim, essentially. And I think there's, to your point, some merit to that argument. The audits in particular that you referenced are amusing, inasmuch as my take on that was, hey, we audited folks and pretty much everybody failed, so we better not do that again, or what will we have to do? And that raises a lot of questions, I think, to your point, about what the most effective approach to enforcement would be. And I guess to a certain degree that depends on what your goals of enforcement are. And if your goals of enforcement are to encourage everyone in the industry to implement some level of cybersecurity to protect, and at this point it's not just the confidentiality, integrity and availability of information, but we're really talking about patient lives at some point, although that comes through in many different ways, then how we're doing enforcement has proven not to be effective in accomplishing that. And so what would be the point of continuing to do enforcement in this way?
We're just going to continue to get the same results, it seems to me anyway. You raised a couple of things related to this, and I'm wanting to get your thoughts along those lines. One of the other things mentioned was increased financial consequences. I assume that means fines and penalties and that type of thing. And the other is different attempts to rethink this, whether that's in the form of additional measures being pushed out through Medicare and Medicaid requirements, or updating the HIPAA Security Rule, or proactive audits, which I think maybe you were pointing towards in your commentary, or the incorporation of these performance goals. What do you think the answer is, or which of these things do you think would be most effective in achieving the goal, if we say the real goal is to better protect the patients and patient data and businesses within the critical infrastructure sector of healthcare? It's a big question, <laugh>.

Speaker 3:

Yeah, that is a really hard question, <laugh>. And tomorrow I will be queen of the world and solve all the problems.

Speaker 2:

That's a <laugh>. I wish I could.

Speaker 3:

So that's a really hard question. I do think it's a really good question, though, and I think that's the question that we should be having this conversation about with our state and federal regulators, for sure, because I do think there are ways to get to that. I mean, the regional extension centers, from a Medicare and Medicaid perspective, have really been a center of assistance for a lot of entities for a very long time. And maybe there are ways to leverage that kind of infrastructure to help better educate those types of entities about their responsibilities and to push resources to those entities. So I don't think this needle is going to move until we actually start providing additional resources. And that's already hard as a national issue, because there's just not enough people that do this work. There's not enough people that do this work well. There's not enough money in these entities for this work to be done. It's arguably pretty expensive work to do. So I definitely think that there will need to be additional resources, particularly for certain types of entities, because there are a lot of entities in the healthcare sector that are operating with no margins, that are providing charity care, that are doing really critical access work. And they don't have the funds to do this. I mean, they just don't. So I don't think there is going to be a lot of movement unless there are additional resources, and those resources are pushed to those entities in the right way, in ways they can leverage them.
And so that's always a very difficult conversation: how do we give people money, potentially, or other types of technology resources, and at the same time make sure that it gets to them in the right way and they're implementing it in the right way and they're using it for the right things and all of that? Very, very hard question. And I think on top of that, to our conversation just now, we still need to make the stick better. So if we're gonna make the carrot better, we also need to make the stick better, and the stick right now is not working. So I do think that there needs to be a reevaluation of how we do this enforcement work and what that really needs to look like in terms of trying to get to entities that aren't doing anything. Something is arguably better than nothing, even if it's not perfect. But there are a lot of entities out there that aren't doing anything. And we know that they have really, really terrible controls, or lack thereof. And so I think those are the two pieces that I'm absolutely sure folks at HHS and in the state agencies are struggling with: how do we get the carrot right, but also how do we improve on the stick at this point? Because until we do both, I think it's gonna be very hard to get to where we need to be. And again, that continues to be a really hard question.

Speaker 2:

Yeah, I mean, I think one could make the argument, I know I've thought about this argument, that cyber liability insurance carriers moved the needle more in the last two years, with the increasing requirements for coverage for healthcare organizations, than the federal government has done through their enforcement actions in the last probably decade. Depending on how you look at it, certainly from a demonstrable implementation of additional controls and improved maturity of practice, the cyber liability insurance carriers drove significant progress in those areas, particularly in the last two years. And I think there's a couple of reasons for that. And it's not all intended to be critical of OCR or other state level enforcement. I think it becomes very real at a very high level within the organization when someone comes to the board or comes to the leadership team and says, hey, we're not gonna have cyber liability insurance coverage at all if we don't do the following. Suddenly then there's money for MFA and there's money for some of the other required controls that insurance companies were expecting to see. So I think there's something to be learned from that, to your point in regard to the carrots. The proposed New York regulations come with potential grants to be made to facilitate enforcement, and the HHS concept paper included mention of federal support resources and this idea of the Administration for Strategic Preparedness and Response, ASPR, serving as a one-stop shop. That was, I guess, a bit new to me.
How do you think HHS might use ASPR, and would that be an effective way to perhaps ensure that the carrots that are provided are deployed in a way that's most efficient and effective for the overall industry?

Speaker 3:

Yeah, no, great question. And I really appreciate your point about the cyber insurance piece of this, because I think you're absolutely right. I think we have gotten more questions from clients in the last year, I would say, about how to do this better, about how to do tabletops, about how to get their incident response plans in shape, all of that, as a result of the requirements they're trying to meet from their cyber insurers. So I do absolutely agree with you that that is a really powerful lever. And maybe that's exactly what ASPR should consider. I think there's been talk for a long time about some kind of effort to address insurance issues, because, as you well know, cyber insurance is getting harder and harder to get, and whether or not we need a government effort to address that, one that comes with those same types of requirements. So if we're going to help insure you as part of a government type program for this type of insurance, you are going to have to provide the documentation on these following 12 items, or whatever that looks like. Otherwise, I think ASPR has the experience to really be boots on the ground here. That's what they do. I mean, parts of HHS certainly do that; other parts of HHS certainly are boots on the ground in many circumstances. But I think ASPR really has that reputation. They're seen as helpful. They're seen as a really great resource, and they can get out there and get the conversation moving, I think, in a way that maybe the regulators can't. So if ASPR comes knocking on your door, it looks much more like they're trying to help.
Whereas if ONC or OCR comes, or OIG comes knocking at your door, maybe you're more reluctant to open the door. So I do think there are some really powerful levers that you've emphasized that could be really helpful in this problem. And I am hopeful that HHS will try and exercise those levers in a productive way moving forward. But again, really hard questions.

Speaker 2:

Yeah, certainly that. And we're coming up to the end of our time, Iliana. I know we could probably continue to discuss this for hours, if not days, and maybe we'll be lucky enough to continue our conversation at some other time. And I'm sure we'll certainly be talking again about this, but I think we're gonna have to call it a day here. So thank you very much for the excellent insights that you shared. As always, I appreciate your thoughts and your insight from your experience, both working within the government, trying to interpret and enforce some of the regulations that do exist, as well as your work in the private sector, helping organizations come into compliance and address cybersecurity risk. I really enjoyed our conversation, as I always do. And I want to just thank our audience for listening today, and I hope everyone has a great day.

Speaker 3:

Yeah, likewise. Thank you so much. I always enjoy talking with you. And I likewise so appreciate your insights. I really think that you and your team have a wonderful handle on this stuff, and I appreciate working with you at every opportunity. So I also wanna thank our audience, and I hope we'll see all of you soon.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.