AHLA's Speaking of Health Law

Increasing Cyber Personal Liability for Directors and Officers

May 21, 2021 AHLA Podcasts

Bob Chaput, Founder and Executive Chairman, Clearwater, speaks to Leon Rodriguez, Partner, Seyfarth Shaw, about the C-Suite and Board-led transformation that is required to manage cybersecurity risks in health care. They talk about how the digitization of health care has driven a greater number of and different types of cyber attacks across the health care ecosystem. They also discuss increased personal liability for health care directors and officers, as well as best Board and C-Suite practices to mitigate that liability. Sponsored by Clearwater

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Our solutions include our proprietary software-as-a-service-based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support from our deep team of information security experts. For more information, visit clearwatercompliance.com.

Speaker 2:

Welcome everyone. It's a real pleasure to be here today. My name is Bob Chaput. I'm the founder and executive chairman of Clearwater Compliance. I'm delighted to be joined by someone who's become a friend of mine over the last several years, I think going back to 2011, Leon Rodriguez, who was formerly with HHS as the OCR Director and is currently a partner at Seyfarth Shaw. Our conversation today is going to be centered around what we've described as the increasing cyber personal liability for directors and officers. Leon, I want to say good day. Thank you for joining me, and thank you again for writing your kind words in the foreword of my book, Stop the Cyber Bleeding.

Speaker 3:

Great. Well, Bob, it's great to be here. Real pleasure. You know, your book could not have been more timely and more important, and it will continue to be so for a long time, as the healthcare industry faces greater and more diverse cyber attacks from all kinds of sources that I know we're going to explore this afternoon, and that's going to continue to rise.

Speaker 2:

Yeah. Well, listen, many attorneys probably know you, but probably not a great deal. Can you tell us a little bit about your background?

Speaker 3:

Sure. So, as you indicated, and it's hard to believe, I was thinking about this before the call started: you and I have known each other now for just about exactly 10 years. I started as director of the Department of Health and Human Services Office for Civil Rights back in 2011. My background before that was predominantly as a healthcare fraud and abuse lawyer, both as a prosecutor in Pittsburgh, Pennsylvania, and then later as a white collar defense attorney in those cases. By the time I became director of OCR, fraud and abuse concepts were really in the DNA of anybody in and around the healthcare industry. The boards cared about it, the C-suites cared about it, and of course the bar that was focused on healthcare issues; that was really built into the DNA back in 2011. That was just starting to become part of the DNA in the world when we're talking about HIPAA and healthcare privacy generally. Fast forward: for about the last four years I've been a partner. I finally left the federal government, well, they sort of kicked me out actually, a little historical reference there. I started as a partner at Seyfarth Shaw, and I'm actually now the co-managing partner of the Washington DC office of Seyfarth Shaw.

Speaker 2:

Yeah, well, terrific. And as we both alluded, our paths first crossed in HIPAA land as you were coming on board as OCR Director. Quickly, my background includes work in privacy and security and technology as an educator, an executive, an entrepreneur. I had the great fortune to work for some terrific companies, GE, Johnson & Johnson, a great company in Nashville called Healthway, and then in Clearwater I have had a terrific opportunity to work with some great teams serving healthcare organizations working hard to address compliance and cyber risk management. And you might declare me ready for the Smithsonian; I've been doing this for about 40 years,<laugh> I guess. So, in any event, what we want to talk about today is the C-suite and board-led transformation that, in my mind, is required to help us manage cybersecurity risks in healthcare. Over the course of the conversation, for those in our audience, thanks for listening in, I'm going to ask Leon to specifically discuss some legal concepts that get to the matter of personal liability of healthcare executives and board members. And of course, we'll discuss some best practices for the board and C-suite to help mitigate those liabilities. But first, if I may, I want to set the stage a little bit. We've both alluded to about a 10 year span. I'll go back a little bit further, to 2010, following the passage of the stimulus bill. We're talking about another stimulus bill now; this one was ARRA, which included the HITECH Act. Along with the bundle of carrots, $33 billion in incentive money, came a bundle of sticks in the form of increased enforcement around privacy and security, stiffer penalties, and a wider net being cast over business associates. I'll call that era number one, the era of compliance. Fast forward the tape a little bit to 2015.
I call that era two, the year of the mega breaches. A lot of the payers: Anthem, Premera, CareFirst, Excellus. I think in total that year there were about a hundred; I think the number was something like 190 million records impermissibly disclosed, compromises of confidentiality. Nobody died,<laugh>. That's an important point. Now we take a step three years later, fast forward the tape to 2018: all of a sudden we're implanting biomedical devices into our patients, we're attaching devices to them that are now connected to the internet. I call that era number three, patient safety. There are now increasing concerns. And then finally, I don't want it to happen, but there will be bad things that happen to our patients, up to and including events that may include death. And I think coming from that might be medical malpractice lawsuits and perhaps some derivative lawsuits. So, I know that's a mouthful, but Leon, I'd love to have you comment on that characterization of the last 10 years. Are you seeing the boards and the executives with whom you work seeing the same thing, seeing an emergence of personal liability here as well?

Speaker 3:

Yeah. No question. I mean, during my years as OCR director, and I think you hit the nail right on the head as far as 2015 being this sort of pivot point or inflection point. Back then, my primary talking point to healthcare providers was, don't be stupid, because the kinds of breaches we were seeing back then, and the things that were turning into enforcement cases, were people making minute-to-minute bad decisions. An executive is out meeting a friend for a drink; they leave their laptop in a car. A healthcare provider is in a dispute with a patient, and they go ahead and they start blabbing their information. That's generation one. Generation two is when we start having these really big breaches. And that generation two continues, in many respects that phenomenon continues, to this very day. You start seeing these really bad actors get into the picture, and the potential harm they can do is far broader than those dummy breaches we were talking about back in 2011. So the need for oversight has grown. To their credit, I think a lot of organizations have taken that seriously, and their boards and C-suites have taken it seriously. I think where the challenge comes in is what does it mean to take it seriously? What need to be their routines, not just responding, not just running to the fire when it happens, but what's fire prevention here? What is really required of them ahead of time to either prevent breaches or, at a minimum, be as well prepared to respond to those breaches as circumstances allow?

Speaker 2:

Well, a moment ago, when I talked about the year of the mega breaches, I emphasized the words compromise of confidentiality. In the scheme of things, what we're all about as we attempt to assure privacy and security is the confidentiality, integrity, and availability of this very sensitive information with which we've been entrusted, and not only the information, but the data and the devices and systems that operate on this data. So I want to pivot a little bit and talk about a scenario that I actually opened the book with. It goes like this. Envision, if you were outside counsel or inside counsel, your client organization: a patient visits an internist in your organization, and for whatever reason the internist orders a regular CT scan be performed. There's a suspicion of something wrong with the patient's lungs. The patient reports to the radiology department at the appropriate time. But the night before, a hacker slipped into the radiology department and placed a so-called man-in-the-middle device on the network near the CT scanners. The hacker, by way of placement of the device, is now enabled to intercept CT scan images. And moreover, hypothetically, go with me on this one,<laugh> is able to modify those CT scan images. So he modifies this particular patient's image. He then uses his access to erase any evidence that he was there. And by the way, on the way out the door, he absconds with a lot of CT images of a lot of other patients. The radiologist then, the following day, receives the report of this particular person whose image was modified, where the cancerous nodules were removed. The radiologist sees no evidence of any tumors or any issues. He forwards his report, his analysis, to the patient's internist, and the physician calls the patient with good news.
The CT scan shows no evidence of the cancer. As a result, there's a misdiagnosis, no treatment, and a patient death. Now, three things have happened here. One, a radiology department was hacked. Think about whether that can happen in your organization or not; I would suggest to you it can. Number two, CT scan images were modified. And you might say, wait a minute, how does somebody do that? Hold that thought. And number three, radiologists were fooled as they read this modified CT scan image. Whereas before I talked about a compromise of confidentiality, now I'm talking about a compromise of integrity: that is, the image has been modified and changed by an unauthorized individual. Now, some of you may be saying, wait a minute, this is a little bit crazy. But I will suggest to you it's not. All of the above was demonstrated in research performed at Ben-Gurion University in 2019, published in a scientific journal and presented at various forums. And by the way, subsequent to that, there have been numerous attacks on healthcare organizations that have gone beyond just compromising confidentiality. Now, whew, that's a lot. That's a big scenario. So, I don't know, Leon, how farfetched do you see this in the world and with the clients with whom you're working today?

Speaker 3:

So, Bob, it's a really interesting week. I know that we shifted the schedule around from when you and I were going to have this, but coincidentally this is a really interesting week for us to be having this conversation. One of the things that we learned earlier this week was that there's growing suspicion that these microwave attacks that mainly affected US personnel in Cuba may have been going on for decades before it was finally detected and the harm was unearthed, and military personnel and diplomatic personnel were affected by that. You hear something like that, and you sort of put it together with the scenario that you just described, and you realize that there are all kinds of bad actors out there. They could be state actors, they could be otherwise politically motivated actors, they could be organized criminals, all of whom would have both the motive and the wherewithal to execute an attack as you described, either for political objectives, financial objectives, or for pure mischief. So it's a really real risk that you're talking about. And in fact, cyber attackers have hundreds, if not thousands, of ways to gain access to and compromise an organization's devices, its networks, its protected health information. And when we say that, we're talking about potentially sitting inside those systems for a very long time before anybody detects that there was an intrusion. So what could be the consequences of a CT scan hack like the one you described? Well, patients' lives can be at risk. You could have, and in fact you have them all the time,
I've dealt with a bunch of them in my time in private practice, ransomware attacks that disrupted a provider's ability to deliver services; the information might not necessarily be exfiltrated, but in that attack the ability to deliver services is disrupted, and an organization's finances and reputation can be at risk. Needless to say, you have potential violations of HIPAA, and those can result in some pretty brutal fines and corrective actions, not to mention all of the legal and remediation expenses that go with that. And I think this is a bit of what we're going to focus on today. All of that in turn becomes the platform for pretty significant civil liability, not just at the organizational level, but potentially at the personal level for both officers and directors: different sorts of litigation, shareholder derivative and other kinds of litigation that goes beyond the organizational level and in fact is going at those individuals.

Speaker 2:

So, all of a sudden, it doesn't sound like an IT problem.<laugh>

Speaker 3:

<laugh>,

Speaker 2:

Which, as a CIO over the years in a number of organizations, I found out: if I hung around in a meeting long enough, everything would turn into an IT problem. But this is certainly not; this is beyond the CIO and the CISO. And I'd like to explore with you if inadequate cyber risk management can lead to what I just mentioned, a medical malpractice lawsuit, a derivative lawsuit, aimed at executives and board members. So, if you're up for that.

Speaker 3:

Yeah, I mean, I think you need to look at it. And there are going to be a lot of lawyers on the phone, so they're going to forgive me for repeating first year of law school for them. But there are really basic concepts of civil liability that come into play in these situations. First there is just the general idea of negligence. Those are the kinds of lawsuits, slip and fall and car accidents and things like that, but these are on a much bigger scale than those things. You have a basic thing: there's a legal duty. Somebody who's on a board or in the C-suite has a legal duty either to the shareholders of that organization or to its patients, their guests. All of that creates that legal relationship between them. And once you have that duty, that duty can be what we call breached. It can be broken. And if that breach of duty in turn causes an injury. Now, injury is a big concept here. I think we're maybe going to expand on this in a bit, but it's not just if the information was stolen: if the information was compromised in any way that makes it less than 100% available for the benefit and use of the patient, that creates an injury, or if it creates other liabilities for the company, that creates an injury. And then finally, there needs to be a relationship, there needs to be what we call causation, between that breach, that failure to comply with the duty, and the injury that resulted. But again, that's just taking the concepts that we see in car accident cases every day and taking them to a much bigger and far scarier scale in a lot of ways.

Speaker 2:

Yeah. So, clearly, and you are the attorney, I am not, when you get into a discussion of standards of care in the clinical environment, certainly there are established standards of care, many of them spelled out in the ECRI guidelines, trusted when it comes to acceptable medical care. Do we have anything yet that we could call a cybersecurity or cyber risk management standard of care?

Speaker 3:

I think it's still evolving. I know that we're going to start talking about your book pretty soon, but I think you've outlined a series of activities that are expected. I will say this: I think that there are regulatory standards that exist, and regulatory expectations that are imposed on organizations, that in turn translate into expectations for healthcare providers and their principals. So, for example, the HIPAA regulations themselves, both the privacy and security rules, set out a variety of physical, administrative and technological requirements that need to be observed in order to protect the security and privacy of health information. Those then roll up to an obligation on the principals of the company to ensure that those standards are actually robustly implemented. So I think that's one place where we find the standard. And when we're talking about both board members and C-suite executives, they are what's known as fiduciaries. So they have an obligation to act, as I said before, for the benefit of both the patients and the shareholders. And there is a duty of care, which is what is expected of them.

Speaker 2:

So, I want to just circle back for a moment to this concept of negligence. There has to be injury due to negligence, is what I heard you say. Just to probe into that a little bit further, what is required to show negligence?

Speaker 3:

Well, you need to show that, generally, what you'll be talking about here is a failure to act. I mean, there are the acts of commission and the acts of omission, right? So when we're talking in the context here, and particularly when you think about what the responsibilities are of a board and board members, and the responsibilities of the executives of a company, really often what we're going to be talking about is a failure to engage in a series of activities that would be expected of them in order to prevent. So it's the failure to act, and that's where that breach that we talked about occurs. And then if that failure to act in fact played a role, and it doesn't need to be the only thing that played a role, but if it played a role in making a company vulnerable to a breach of health information, then pretty much in every case that right there will have established negligence. And the reason I say that is that in most of these cases, it'll be fairly easy to establish that there was an injury. So even if that data was never exfiltrated, and even if that data was never held for ransom in some way, even if none of those things happened, just the fact that you have the uncertainty, and everything that is involved in responding to the uncertainty of what happened to that information, that in and of itself is an injury that could lead to pretty significant liability for the company, and of course for its directors and executives.

Speaker 2:

There have been some, I'll call them recent, but I may be taking a little bit of liberty<laugh> by calling them recent, litigations that have been brought against corporate executives and board members. Now, these are situations outside of healthcare, and there may be some conflict here.<laugh> I mentioned these in the book, and if you can't speak to them, that's fine, I understand totally. But there have been class action lawsuits: shareholders of Target, Yahoo, Equifax filed lawsuits claiming that the board violated their fiduciary responsibilities. They weren't paying attention, they weren't exercising that duty of care. Can you comment on any of these, and if and how similar cases may emerge in healthcare?

Speaker 3:

Well, I think I can comment generally. I realize that I would have to be doing conflict checks for like a week, I think, to get through all the different situations that may have happened out there. But I think you've certainly pointed to some prominent examples that are out there. I think part of what we need to realize here is the degree to which health information is a particularly juicy target for bad actors. I have a colleague who is more of a cyber lawyer than a HIPAA lawyer, but he has a slide he takes everywhere, and he says the most valuable information on the dark web is health information. It's not your banking information, it's not your stock portfolio. It's actually your health information that commands the biggest money on the dark web. And so that means that even though some of these monster breaches that we've been hearing about, and there are many, many more than the ones you were talking about, these monster breaches that in turn roll over into significant civil liability and end up with directors and officers of companies, CEOs of companies, being dismissed, are occurring outside of the healthcare industry, it's really a matter of time before we're going to be hearing about these in the health industry. And at that point, I think the damage that that's going to do in the health industry is going to be far greater, actually, than in these other environments.

Speaker 2:

I think so. As a practitioner in the privacy and security space, not an attorney, there have been cases. There was a case last September in Germany, outside the US, in a hospital in Düsseldorf, Germany, where a patient presented themselves and they were diverted away because the hospital was under a ransomware attack, and it ended up with the patient dying. There was a lot of analysis and investigation done, and it wasn't directly attributed to their not getting care, but the notion of a ransomware attack locking down an environment: it happened subsequently to that case, it happened at Universal Health Services, it happened at University of Vermont Health System. Cancer patients were turned away; they were not able to receive chemotherapy at their scheduled time. Right now, as you and I are engaged in this conversation, there's a case on the West Coast, an attack on Scripps Health System, where patients are being turned away from treatments that they would otherwise get, or are not able to access their portal to provide medical records or know the specialist with whom they're supposed to have an important appointment. So my observation is, it is, as you pointed out, a matter of time before we have a cyber-driven medical or hospital malpractice lawsuit. I want to pivot a little bit now. So we talked about fiduciary responsibility and duty of care, general legal concepts. I want to turn to another legal standard, and it's within HIPAA, the world you lived in for a long time. HIPAA defines a number of terms, including reasonable diligence. So how will judges, whether they're in the court system or administrative law judges, look at this? What is this concept of reasonable diligence, and what should the board and C-suite be thinking about vis-a-vis that term?

Speaker 3:

Yep. One of the interesting things is that the terms here, the way they're used in HIPAA, are really used to define what the potential penalty scale is within HIPAA. And so you have a continuum of potential penalties that parallels the same continuum you might see in a civil liability context. The words are a little bit different. But you go from a reasonable diligence standard, which is sort of on the lower end of the HIPAA scale, and that talks in terms of the obligation. We're talking about the duties that you have in the civil liability context; it talks about just the discharge of the obligations that an organization has, when we're talking about HIPAA, to take care to prevent against harm, such as something like a cyber breach. As you go further down that scale, there is reasonable cause, which means that at a minimum you should have at least been aware of this potential harm. And then there's willful neglect, where you really willfully failed to take action to prevent the harm we're talking about. Now, the interesting thing about these in the HIPAA context is they almost don't matter in terms of potential HIPAA liability, in the sense that those numbers roll up so fast,<laugh> the way the HIPAA penalty scale works, that you're going to get clobbered in a HIPAA case with millions of dollars in fines almost no matter what. Once you're in, you're going to be out a couple million dollars.
And I think that's going to work the same way in the civil liability context, in the shareholder derivative context that we're talking about here, because these breaches are so large, so many patients are affected, that it's the same idea: once you're in, it doesn't matter whether you were negligent but didn't realize you were negligent, it doesn't matter whether you're up at the scale of willful negligence, it's almost not going to matter, because the hit is going to be so brutal. Either way, it's going to be a pretty punitive outcome.

Speaker 2:

So as we bring together some of the concepts of fiduciary responsibilities and duty of care on the one side and the HIPAA concept of reasonable diligence on the other, what's the bottom line here for the C-suite and the board?

Speaker 3:

Yeah, from my perspective, and I've actually served on a number of nonprofit boards for two decades now, so I certainly understand what a good functioning board is. I think the one thing you can't do as a board, or as a C-suite, and I think we talked before about the CIO and the CISO, the first thing you can't do is assume, right? We hired a great CIO, we hired Bob Chaput, he's been doing it for a while, and we're good. That's it, we don't have to worry about it anymore. And so you have to establish routines and mechanisms of oversight, both at the board level and at the C-suite level. It doesn't necessarily mean every day, but to assure yourselves that the standard of care we've talked about before is being met by the organization, and that, in other conversations we drill into concepts of risk assessment and risk management, you have reasonable assurance that those kinds of steps are being taken and that the organization has the resources that it needs in order to respond. The other little twist I'll put on this is that it's not just about doing it ahead of time. So I think routines need to be set up, whether it's every six months or every quarter or every year, of being up to date on what's going on with these issues.
But also, if you do have a problem, if you have a breach, or even if you discover a problem in your safeguards that doesn't amount to a breach, then you need to make sure that your response is a robust one that assesses the root causes of that issue you've discovered, that takes action to respond to whatever those root causes are, and then in the future has some routine of auditing and review in order to continue to prevent those potential problems and to detect them as quickly as possible.

Speaker 2:

I think those are some great pointers and illustrations of some common best practices. What else might you add to that? What are some best practices that you'd recommend for board members and C-suite executives to mitigate liabilities?

Speaker 3:

Well, I think it's also a structural issue. On any board, you're going to have a variety of abilities and focuses. So I think part of it is a board structure and composition issue. And if you look at board recruiting these days, I think this is something that's already out there, which is focusing on privacy and security expertise as a criterion for board appointment. I think that is a key issue. But then, those working committees of your board: the responsibility within the board to focus on those issues needs to be delegated within the board to a committee with the right expertise to review what the organization is doing with these issues. Similarly, at the C-suite level, certainly the CEO and any kind of COO needs to really be in tight touch with their CISO and their CIO so that they are assured, again, not just that they have the right people there, but that the right people are doing what they need to do on a regular basis. And you and I talk in other contexts, for example, about the importance of risk assessment being constantly updated. That's something that a CEO and a COO really need to be on top of.

Speaker 2:

Yeah. Well, I'm looking at the time and thinking of some of the great advice and content that you've provided here today. I guess what I'll do is wrap up, say a few things, and then ask you for any final thoughts that you may have. So given all the great advice that you've given up to this point in time, I would add that, for the executives and the board, you know, what's the old adage? Eyes open, nose in, but fingers out. <laugh> So, <laugh> yeah, I think at the executive level, I would be recommending, and I do recommend, that they focus on three things. Number one, and this gets to the matter of risk management: identify and prioritize all of your organization's unique risks. And this is a call, or a statement, about "if you've seen one hospital, you've seen one hospital; if you've seen one ambulatory surgery center, you've seen one." This is a call, point one, to go after your unique risks, to avoid going after some control checklist and thinking that you're going to find a one-size-fits-all. Number two, once you identify your risks, you're going to have to decide on what basis certain ones are acceptable and others are not. And this is about setting your risk appetite. So debate, discuss, settle on your risk appetite and determine what level of risk your organization is prepared to accept. And number three, once you have done your risk analysis, you've identified your unique risks, in a long list from your most serious to your least serious, you draw a line in the sand with your risk appetite, and the ones that are not acceptable, you have to manage those.
And that includes either avoiding those risks, you know, don't use those risky laptops anymore, practical or impractical as that may be; mitigating the risk, you know, implement the darn encryption that you've not implemented so far; and/or transferring the risk, you know, do some of the informing, but also work with your cyber liability insurance broker; and then execute on that plan. So, one, identify your risks. Two, settle on your risk appetite. Number three, manage your risks, and do this in the context of and in alignment with the overall vision, mission, strategy, values and services of your organization. That's the note on which I would end. We're seeing it evolve, and that's good news. Many organizations, as you pointed out, are starting to act not by regarding it as an IT problem, dealing with IT, but as an enterprise risk management problem. We're seeing a lot of organizations incorporate this within their ESG programs, environmental sustainability governance programs, because it's becoming a social responsibility, in and out of healthcare, to take care of your customers' or, in our case, your patients' information. So on that note, I'll hand it over to you, Leon, to see if you have any final thoughts.

Speaker 3:

Great. Well, the one thought, and I think you were too modest to have this thought, and you can't see what I've just put up on the screen because it's a podcast, but I think you should read Bob's book, Stop the Cyber Bleeding, that really has a number of really concrete and affirmative recommendations in there as to the things that you can do. The other thing is, leadership matters in this space. So, I mean, I think we've talked in terms of very concrete activities to be expected of the board and the CEO and the COO. But it's also a matter of setting an organization-wide tone that privacy and security matter, that everybody, not just the CISO and the CIO, but everybody, really, at every part of the organization, needs to hold up their end of the bargain, and to follow the rules, and to have policies that really set that tone. And so I think with that, you will be far better off. You know, it doesn't mean you're going to prevent every bad thing that can happen, but you'll prevent a lot of them that could happen. And you'll be far better positioned if something goes wrong. And so I think that's probably, in the end, in terms of just even a set of values and approach, that's the key thing: it's really important to set an enterprise-wide tone.

Speaker 2:

I think that's very, very well said. So, thanks again, everyone, for listening in. I really appreciate the opportunity, and thanks, Leon. Great to be with you again.

Speaker 3:

Thanks for inviting me on.