AHLA's Speaking of Health Law

Cybersecurity Due Diligence in Health Care Transactions

AHLA Podcasts

Jon Moore, Chief Risk Officer and Senior Vice President of Consulting Services, Clearwater, speaks with Nathan Salminen, Senior Associate, Hogan Lovells, about steps that organizations can take to protect themselves from cyber risks in the health care transactions arena. They discuss the different kinds of risks and due diligence issues that organizations face, including those related to representations and warranties and artificial intelligence and machine learning. Sponsored by Clearwater.


Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Our solutions include our proprietary software as a service-based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support from our deep team of information security experts. For more information, visit clearwatercompliance.com.

Speaker 2:

Hello, my name's Jon Moore. I'm the Chief Risk Officer and Senior Vice President of Consulting Services at Clearwater. Uh, delighted to be here with you today. And, and with me I have Nathan Salminen. Uh, Nathan is a senior associate in the Washington DC office of Hogan Lovells. His primary focus is on helping clients evaluate and manage data security risks in the context of commercial agreements, acquisitions, and incident response. Uh, Nathan, happy to have you here with me.

Speaker 3:

Yeah. Glad to be here.

Speaker 2:

Uh, one of the things I thought was interesting, um, one we first met and, and talked was your background is almost the inverse of mine. I started my career as a practicing attorney who became interested in technology and then ultimately, uh, privacy and cybersecurity. You kind of came at it a different way. Could you tell us a little bit about your background? I think it's interesting and, and relevant for this conversation today.

Speaker 3:

Yeah. I used to be a, a software developer and then, uh, sort of management in, um, software companies in Silicon Valley for about 13 years, uh, before I went to law school. So I, I was a very old law student <laugh>, um, which has has given me kind of an interesting, uh, opportunity in the cybersecurity space where you kind of have technology and, and law intersecting. Um, so, and that's enabled me to do some really fun work where you're kinda wearing two hats.

Speaker 2:

Yeah, that's, uh, fantastic. And I think it, I think it's particularly relevant because today I was hoping we could talk a bit about, um, cybersecurity due diligence, privacy due diligence in the healthcare, uh, transaction arena. And, uh, how's that sound to you?

Speaker 3:

Yeah, that sounds great. That's one of the main, uh, focus areas o of my work at, at Hogan has been, uh, cybersecurity diligence, worked on, uh, uh, a very large number of, uh, some very large deals. I'm so excited to talk about it.

Speaker 2:

Great. Uh, you know, my experience has been almost exclusively in the healthcare space, certainly when it comes to, to diligence work. And I, I think I'm pretty sure that, that your experience has spanned multiple industries. So one of the things I thought might be interesting to talk about is perhaps some of the trends you're seeing in, in other industries and how, uh, that might be indicative of what's to come for, for healthcare or lessons perhaps we could learn in the healthcare arena from, from that.

Speaker 3:

Yeah, absolutely. So, I mean, there's really two main, uh, you know, themes that are occurring in cyber diligence kind of across the whole economy. Um, the first one is, is not new to healthcare. Um, it's something we've all been dealing with for a long time, is there are, you know, really large data breaches and the costs associated with data breaches are getting, uh, pretty enormous, um, especially if you kind of consider the reputational impact. Um, and that, you know, affects a lot of areas of the, the work that we do in healthcare. Um, but, you know, in outside of healthcare in particular, it's really kind of started to intersect with, uh, M&A activity. You know, sort of most famously we have, uh, the incident where, uh, Verizon bought Yahoo and, uh, during the, the period between signing and closing, it came out that they had had the, the massive breach, um, which resulted in like a 350 million change in the purchase price. Um, so, you know, n not news to anyone, but, you know, the risk of data breaches is the ever-present sort of backdrop, a against, uh, which we work, uh, across all industries. But something that's, uh, a sort of a new tendency that's cropping up, um, in other industries that, you know, may well be coming for the healthcare space is sort of the, the era of the massive fine, um, across a lot of different regulatory areas. Um, there, there have started to be fines that really are big enough to make even the, the largest companies sort of stand up and take note. Um, Facebook is approaching, you know, the 10 billion mark in total fines in just the last few years. Um, a lot of it is, has started in Europe, um, and is beginning to expand from there. The US regulators are starting to kind of follow suit. Um, we're starting to see some really massive, you know, a hundred million fines, uh, occurring in the US in, in various areas.
Um, but so far this hasn't really reached, uh, healthcare. OCR has not been issuing, uh, fines in the, you know, a hundred million dollar range. Uh, it's certainly not the billion dollar range, but it, it seems likely that it's come and a lot of these fines have been focused on M&A activity. So most famously, uh, Marriott bought Starwood and the, the ICO, the GDPR regulator in the UK, um, initially issued 124, uh, million dollar fine, uh, alleging that when they bought, uh, Starwood, they didn't conduct sufficient cybersecurity diligence. Um, that fine was, it was reduced later down to, uh, 24 million, which was still a very substantial fine. Um, I think many people think that it's kind of a warning shot where they issued a really high fine and then backed off a bit, and maybe the next one, they aren't gonna back off. Um, so under the, you know, the GDPR, there's, there's been a great deal of, of focus on cybersecurity diligence. Um, we also, in the US we have Capital One, um, that was fined 80 million for, uh, fairly reformed diligence, but it was vendor diligence rather than M&A diligence. But, you know, it's certainly a warning sign in, in the diligence space in general. Um, but you know, it, it seems likely that we're, we're gonna potentially see that, uh, trickle over into the health space, uh, in the near future.

Speaker 2:

Yeah, that would certainly be a change. I mean, it, it seems, at least in my experience, it wasn't that long ago where whether or not cybersecurity diligence was even an element of a, of diligence in an, in a healthcare M&A transaction was almost rare. Uh, now I, I think it's far more common now than it used to be, but still not, I wouldn't say still overlooked in, in some cases in the healthcare space. I don't know whether that's your experience as well or

Speaker 3:

Not. Yeah, definitely. I mean, um, we used to, you know, four years ago, let's say, um, we would be brought in only on deals where there was, you know, like a cloud provider that had hundreds of millions of people's personal data, you know, really, really privacy oriented businesses was where we were brought in. Um, and you know, even then we were not given a really primary, uh, role in diligence. You know, we were sort of a secondary, uh, uh, specialist that would come in. Uh, now it's really just about, uh, you know, every deal, um, potentially brings us in even companies that only have their own employee data, um, tend to, to now conduct, uh, privacy and cybersecurity diligence. And oftentimes it's the headline item. You know, we may be the, you know, first to, to go on a diligence call now. Um, it's really getting a lot of, of focus, you know, partly due to these massive fines.

Speaker 2:

Yeah. That certainly gets, uh, folks attention. I, you know, one of the, one of the challenges I think that, that anyone who's, who's tried to perform cybersecurity diligence faces is the, well, you're always limited by time and, and access, uh, it seems like, and, and that poses a challenge, uh, for anyone in getting a clear picture of the risks involved. Uh, I know we talked a little bit in the past about, um, some ideas around that. Did just any that you would like to share with, with folks, maybe help think through that challenge a bit?

Speaker 3:

Um, yeah. I mean, as, as you point out, it really is a, a significant challenge to try to really get kind of under the hood and, and see the risks of an organization. You know, if you're buying, for example, you know, a chain of hospitals, um, you know, each of those might have their own practices. They have their own exceptions. They have policies, they, you know, have a history, you know, of years of practices. You know, it's a great deal of, uh, surface area where there could potentially be a compliance problem or a security risk or, you know, some other sort of item that you need to address. Um, and you're, you know, usually on a very tight timeline. You know, the pace of M&A, uh, deals is really rapid these days. Um, auction, often there's competitive processes where that's even shorter. Um, and, you know, you, you really just have the ability to, you know, get answers to a relatively small number of questions and then to conduct a diligence call. Um, and there there are such high stakes that that's a, a tough spot. Um, another problem is that, you know, you're generally talking to the lawyers and the management, um, who may not be cybersecurity people, um, and who, you know, uh, may have an interest in kind of presenting things a certain way. Um, and it's not uncommon in the industry for diligence requests to just not be answered, you know, to the, the time comes to sign or not sign. And there's still a lot of outstanding diligence and companies decide, you know, at that time to sign or, or they maybe let it go to another bid. Um, and so it's tough. Um, there's some tricks that we've kind of found have worked pretty well. Uh, one is you wanna really, uh, push to get the actual techies, the, the CISO or other security people, uh, on the phone, you know, partly just cuz they're the ones who actually know the answers. You know, if you're talking to the lawyers, you get a lot of, we'll have to get back to you.
Um, if you have the actual <inaudible>, they're, you have somebody that can actually answer the question. Um, but also, you know, being both a, a lawyer and a techie, you know, I have no, uh, ill feelings towards lawyers, but techies are, are more straightforward. You know, they, they aren't hiding the ball, they're not as interested in, you know, the, uh, deal valuation. You know, they, they tend to kind of give you the, the straight story. So I think that's really helpful. Um, another trick that I've found works really well is, um, picking. So you have to kind of at least superficially cover all of the areas that you're interested in. You don't wanna not ask, you know, are you under investigation or whatever, um, but I think it's helpful to kind of pick a few that you maybe have a vague suspicion there might be a problem in an area and really, really dig deeply in that area. So, you know, one example is, you know, if I see that they have a, a policy to encrypt PHI that was just implemented, you know, roughly when they would've been looking to sell the company, right? That's gonna kind of put my antennas up. You know, maybe, maybe that's just something the lawyers papered over. And so you'll ask, you know, do you encrypt all PHI? And they'll say, yes, we encrypt all PHI. But then, you know, if, if that's an area where you're a little suspicious, maybe you wanna really push and you wanna start saying, okay, well for, you know, this data center, you have this application, you know, what type of encryption do you use there? What about communications between servers inside the data room? You know, you, you may wanna kind of poke that a little bit. Um, and it's not uncommon that even when they said initially, yeah, we encrypt all data, when you start really digging into the details, they have to say, okay, okay, well, <laugh>, here's some exceptions. Let's talk about this.
You know, we actually don't have, you know, all the laptops aren't using our standard image or whatever. And that, you know, kind of gives you an a, a little bit more of a, a perspective on how to, to treat their other answers, right? So if they, you know, told you we encrypt everything, and it turns out it's not totally, totally true, maybe you're a little more skeptical across the board. Um, another trick that, uh, has worked pretty well is there's certain materials that are just inherently more revealing of the actual state of, uh, of cybersecurity at a company. Uh, one that I, I really have, uh, strongly recommend is that you really insist on them providing and kind of, you know, push to your priority list is, uh, minutes from any committees that sort of deal with data security. Um, so often that's, you know, just the board of a direct of directors, maybe an audit committee, or there may be like an actual cybersecurity committee or privacy committee. Um, if you can get those minutes going back a number of years, you know, th they're already talking about the issues that you wanna be aware of. So it's, you know, all sort of put together in one neat place. Um, another one is, uh, any penetration tests or HIPAA security risk assessments. You know, anything where you have a third party, uh, that's opining on the state of their cybersecurity helps kind of cut through a lot of the, the, uh, the, you know, hide the ball sort of activity. Another, uh, trick that, I don't know if it's really a trick, it's sort of a, a standard in the industry, but you wanna make sure that your reps, uh, in, in the agreement are drafted in a way where, um, you kind of force them to, you know, take a final position on some of the key issues. Um, it's not at all uncommon, not Bob, it's uncommon maybe, but it's, it's increasingly common, um, that we'll go through diligence and we'll hear no breaches. We haven't had any breaches, you know, no, no concerns there.
And then they start pushing back on the, the rep where we say, you haven't had any breaches. And they say, well, okay, let's say no material breaches, you know, to our knowledge, you know, a lot of qualifiers, um, they wanna shorten the window of time, that kind of thing. And if you really insist on a, on a strong, you know, unqualified rep, you know, we've had a number of cases where literally the day before signing, uh, the target will say, okay, wait, we have a disclosure to make. We actually did have a breach six weeks ago. Here's the situation. Um, you know, companies that may be a little careful in responding to diligence, uh, requests, you know, perceive it differently when they have to actually sign a rep and, and do a little bit more, uh, digging, uh, are a little bit more forthcoming. Um, so tho those are some of the ways anyway that, you know, we kind of get through that, the sort of fog of war that you get in a <laugh> in a d short diligence process.

Speaker 2:

That's, there's a number of interesting things there. And sort of another trend we've been seeing, which touches on something you mentioned is that, uh, more and more frequently, particularly when we have organizations, let's say with founders or investors who've gone down this road before or around cybersecurity diligence, they're much more inclined to prepare in anticipation of, of diligence when looking to, um, sell the organization. And, and so we're seeing more of that, Hey, we need to get our ducks in a row in the next 90 days sort of situation. And I, I think you, you touched on that, when you start to see a lot of changes that were implemented in a short period of time prior to the, the transaction, it, it starts to, on the one hand, it raises, um, questions. On the other hand, maybe it's a good sign, <laugh>, you know, it's a, there's a, it depends on, on how far down that road we've gone, right? How now you're talking about whether to the, how effective we've been in the implementation of some of those things, which is harder sometimes to tickle out during

Speaker 3:

The Yeah, and I mean, in some areas you really can fix things in 90 days, you know, you can maybe terminate a customer agreement that's problematic and you can, you know, enter into a business associate agreement if you're subcontractors or, you know, there are boxes that you can effectively check in 90 days. Um, cybersecurity isn't necessarily one of those, you know, if you have bad cybersecurity practices, um, that can be a long road to fix, and it's easy to fix the policy, and it's not uncommon. And the policy is what the lawyers, um, who are running the deal are often particularly focused on. And so, you know, it's not uncommon to, you know, have problems papered over basically during the, the M&A process. And so that, that is something we really, you know, watch work closely is, is policies that were just implemented or just updated, you know, as they started talking to the bankers about, uh, selling the company

Speaker 2:

<laugh>, I I was thinking about the scenario too, where it's, it's easy to fix, well, not easy necessarily, but fixing your vulnerabilities is different from having an ongoing vulnerability management program. So, you know, you can, people can, can look good in a, in a moment, but that doesn't necessarily mean there's an effective program in place that's gonna manage that over time. And so sort of making some of those distinctions or trying to tickle that out during those conversations and from the documentation you're provided can be, exactly, can be a challenge in, in and of itself.

Speaker 3:

Yeah. And, and of course, we're not only interested in the state of the target at the moment we sign, we also have to worry about historical

Speaker 2:

Practices. Yeah, yeah.

Speaker 3:

Can go back six years, which is, you know, really wide, uh, window for them to

Speaker 2:

Audit. Yep. Particularly, I, you know, the, and we see that all the time with our work, uh, helping organizations who are experienced in an investigation or compliance review as, you know, the request for documentation. It is, you know, given me every risk analysis you've done over the last three, three to six years. And that's a, a problem for many organizations, uh, to provide that.

Speaker 3:

Yeah. And we, so it's an interesting time to be kind of watching, uh, OCR. Cause we just had a, you know, a significant tra uh, transition in the administration. They, they clearly have a different focus now. Um, and like I was talking about before, you know, we haven't yet seen these super fines, um, from OCR. Um, but we got, got a clue about six weeks ago, um, that, that, you know, some of the, uh, transition may be starting to occur. Um, there was a, a case where a company called, uh, Peach State had bought a company called, uh, Authentidate Holding Corporation. And, uh, AHC, the, the target had had a breach in 2015 that was investigated. And then, uh, OCR decided, you know, what if, if this company bought this other company where we see problems, maybe the company that bought it, you know, has some problems too. Maybe they're not looking very closely in their diligence. And so then they audited, uh, the, the purchaser, uh, Peach State. And, you know, this has been sort of sitting out there for a long time. I imagine both companies, you know, saw the, the six year clock, uh, coming up, the breach was in 2015, and, you know, assumed that this was, you know, in the past. Yeah. Um, but just six weeks ago, uh, OCR issued a decision. They, they issued a fine for, uh, Peach State. It's only $25,000, which is not necessarily a huge amount of money. Um, but it also came with the corrective action plan, um, which, you know, is a lot of folks, uh, hearing this probably know can be much worse <laugh> than a big fine. Um, and so, you know, we're sort of taking that as a clue that OCR may in fact be starting to look at, uh, you know, at least privacy and, uh, diligence and probably also cybersecurity diligence, uh, a little more closely.

Speaker 2:

Yeah. I, um, whenever I hear the reference to corrective action plan, I recall my youth as a public defender. And the first time a, uh, a uh, client told me that they'd rather do 48 hours in jail than two months of probation <laugh>, I didn't understand that, but I very quickly did. It's much worse to be on the probation for that period of time than <laugh> just, uh, pay the fine. And, and certainly the other message from that is with, certainly with OCR, it's never over till it's over. And, and, uh, I think a lot of organizations believe that because OCR disappears for a while, that they're gone. And that's oftentimes not the case, uh, at all. And, you know, many years, typically, these things play out over historically for OCR. So it's certainly a lesson to be learned there as well. You know, one, one of the, given your background and, and, uh, well, I think everybody's aware that there's been an incredible, uh, progress and sort of the digitization, digitization of information in particular. But in healthcare, you know, certainly it's in all the news and, and it's a policy of the federal government to increase the digitization of healthcare with the belief that it's going to make things more efficient and effective. Um, along with that, of course, is the emergence of machine learning and artificial intelligence as, uh, tools we can use or apply to gain additional insight and, and predictions from that data, um, with your background in, and development and privacy, I thought it would be interesting to get your thoughts on challenges associated with, uh, diligence or, or just privacy issues in general related to organizations that are relying on artificial intelligence and machine learning as part of the platform or solution that they're offering.

Speaker 3:

Yeah, it, it's really a tough area. Um, you know, we obviously have a really strong interest, you know, as a whole society, um, as well as, uh, you know, individual companies, commercial interests in, you know, effectively applying AI to health. You know, it's, it's a, it's revolutionized, you know, most industries that, that involve data, even on many industries that don't involve data. Um, and, you know, we haven't fully, you know, received the benefits of that in health yet, you know, it's still kind of a work in progress. Um, and that's, you know, there's a lot of really exciting, uh, opportunities there. Um, but it's challenging from a legal perspective. Um, you know, if you work on de-identified data, you know, that is one path to, to, uh, being able to use AI. Um, but there are sometimes limitations there. You know, a lot of the, the de-identification requirements under HIPAA are, are pretty stringent. You know, you have to pull out a lot of sorts of data, um, that the AI would really, you know, like to be able to consider. Um, and so, you know, there, there's sort of a struggle where it's difficult to use identifiable PHI, uh, for AI, you know, you, it is, you know, very achievable within the, the umbrella of one covered entity. Um, but, you know, we often want to span across a bunch of covered entities to get a broader set. Um, and that that can be hard to work out. Um, one sort of shortcut, unfortunately, that we need to be aware of, kind of in the, in the M&A space that the companies are are taking is you have a startup that, you know, doesn't have deep pockets, isn't on anybody's radar, um, starts using AI on PHI, um, without really paying a lot of attention to compliance without figuring out necessarily a, a great way to do it. And then they develop, you know, these algorithms that are really valuable, and then they decide to sell those algorithms. And, you know, maybe they're thinking, you know, Hey, we're the ones that were non-compliant.
The buyer won't be, you know, having to get their hands dirty and they get the algorithm. Um, but O OCR is not that easily, right? They, they're, you know, aware of this sort of tactic, and they're looking, uh, you know, at the origins of products, they, they know that, you know, AI is a problematic area. When they see an algorithm that was developed by AI, um, they kind of look under the hood and, and figure out who developed it. And, and so there's a risk that if you buy a company that has, has used PHI together with AI, um, that, that, you know, be buying a product that OCR will at least be looking at pretty closely. Um, so, you know, that's one of the, you know, in addition to a big data breach or, uh, big fine, you know, one of the areas where, uh, you know, at least technical diligence in the privacy area can really change a deal valuation or even even kill a deal, um, is when the, the core offering of, of the seller is, you know, created in a legally, uh, problematic way. Um, so that's something you really wanna look at closely, is I, if the target has been using AI on PHI, you really wanna figure out, okay, let's talk about how to do this. Let's see the agreements, you know, uh, what's your ar responses to this argument and that argument, um, you know, suss out whether they really have a, a full compliance program that's been sort of with those, uh, risks.

Speaker 2:

Yeah. What, what I think I've seen often is you have folks in the AI/ML space coming into healthcare from other industries that are less regulated, and, and therefore they're

Speaker 3:

Absolutely right,

Speaker 2:

Uh, you know, unaware of the implications of the regulation and, and go forth regardless. Or, you know, they, a lot of times folks from the world of innovation, uh, tend to move forward and ask for forgiveness later. And, and, and I think that, you know, you're able to pull that off in, in some sectors. I, I'm, it's, I'm less confident that you can get away with that in healthcare, particularly when it comes to the confidentiality or privacy of, of patient information. I, I think there's

Speaker 3:

Yeah.

Speaker 2:

Raises some additional questions yet to be seen, though I think it's probably one of the areas that's still emerging. I know the, the Health Sector Coordinating Council Joint Cybersecurity Working Group, uh, has a, a subgroup working and looking at particularly cybersecurity privacy issues related to AI and machine learning. I'm part of that and, and probably will be some publications coming out, uh, some guidance from there in the near future. So it's an interesting, definitely an interesting area to look at, particularly with the level of investment that's occurring in, in, uh, in health IT and digital health, and a lot of that going to machine learning and AI type of, of organizations. One, one of the other things you, you touched on earlier was, was sort of the reps and warranties, uh, challenge. And I wanted to kind of go back and, and revisit that. I mean, certainly what we're seeing is, um, it, it seems like, anyway, there's, there's more and more concern from counsel, uh, around how, uh, risk is articulated, let's say, or characterized in any sort of, um, diligence report because of concerns about the implications for reps and warranties insurance. What's your experience been there and, and can you talk a little bit about that challenge?

Speaker 3:

Yeah. Uh, it's really, you know, a bad time for, uh,<laugh> acquirers in that, in that space right now. Um, what sort of we've seen is that, um, particularly the gdpr, you know, it theoretically as a maximum fine of 4% of global revenues, although that only applies in very narrow cases. Um, but insurers have seen that. And, you know, real big alarm bells have gone up on their side,<laugh>. Uh, they, they've gotten really spooked about not just the gdpr, but now privacy as a whole. Um, and in, in, uh, the healthcare space that's certainly front and center in their minds. Um, and the result has been that they are increasingly quick to just exclude, um, you know, all of cyber, all of privacy, both compliance with, you know, uh, hipaa, um, entirely from coverage, um, which is really a big blow to the, the buyer. You know, that's the whole point of getting an insurer is to cover, you know, the risks associated with the deal. And, and this is often, you know, one of those main risks. And so insurance where you have all of privacy and cyber excluded, um, is really a lot less valuable to the buyer than in insurance that covers those things. Um, and insurers, you know, in a lot of cases have been kind of getting away with it. You know, we're starting to see, um, more clients pushing back and going and getting quotes from four different insurers. And, you know, one of their first questions is, you know, are you gonna commit to cover cyber and privacy? And, and, you know, maybe if not, then they go with a different insurer. Um, but, you know, we're in the early stages, like the market has more to do in pushing back<laugh> on that. Um, in the interim, you know, as you note, there are things you can do to kind of, you know, minimize the, the risk that you're gonna fall into that situation. Uh, one of them is, is is thinking about how you approach the report. 
You know, certainly you always want the report to be, you know, completely accurate, and you don't wanna be hiding the ball in anything. Uh, but you also wanna be careful that you're not sort of over dramatizing risks. You know, one of the things we've seen is, you know, a company will have, for example, a, a notice of privacy practices that doesn't, you know, quite compliance, some nuance. And, you know, there's a danger that in the memo, you know, you, you say you have a privacy lawyer that you know, frequently looks at MDPs. That's kind of where their mind is at. You know, they're, they're, uh, sort of, it's a little bit of the, if all you have is a hammer, you know, everything looks like a nail, they'll spend three paragraphs on, you know, this m MVP is not compliant. Um, and, you know, if you make that sound like it's a really huge deal, uh, the insurer who probably is not a HIPAA lawyer and may not even, you know, have an, uh, expertise in privacy may just see that as, huh, they're saying there's a HIPAA problem, and so we're gonna exclude hipaa. Um, so I think it's important to kind of caveat the risks appropriately, um, in reports so that you're not, you know, overstating, you know, maybe if the MPP is out of compliance, the real implication there is you need to spend$2,000 to have a lawyer, you know, revise it. You know, maybe it doesn't make sense to exclude, you know, all of hipaa, uh, for that. Um, and of course, there's other mechanisms, uh, that you can use. Um, the most common is special indemnities. Um, used to be that it was really hard for us to get a privacy or cyber special indemnity from the seller. As more and more insurers have been, uh, excluding privacy and cyber, um, we've started to find that the, you know, market is responding to that, and it's becoming easier to get a special indemnity, um, particularly when it's excluded. Um, and of course then, you know, it's a little different than insurance. 
You know, you have only a certain pool of money. You know, it may not be as good as getting insurance, um, but it's still something you can definitely do to, to minimize that risk. Um, another thing that, uh, sort of a little bit of a different angle to get at the same problem, is we've been seeing more and more deals where there's, uh, fairly extensive closing conditions, um, which doesn't really shift the risk. You know, you still bear the risk, uh, but you can shrink the pool of risk. Um, you know, if you, if you strategically identify, um, some key measures that, you know, would help the, the, the situation be a little bit better when they turn the keys over to you,

Speaker 2:

It's a, it's a challenge. I, I think in particular for us, it, it was a challenge when we started doing diligence coming from primarily a background of performing risk analysis as it's described within the OCR's guidance for risk analysis. Because in that world, uh, we're looking at all reasonably anticipated threats and vulnerabilities, uh, to your ePHI. And when you start to go down that path, you generate a lot of different risk scenarios, the majority of which typically are risks that are just of just doing business. And you're accepting those and, you know, there's appropriate controls in place and you, you move along. But when you, uh, describe risks at that level of detail, for many in the, for an audience of reps and warranties insurance folks, alarm bells go off everywhere because they're, you know, they're, they're only thinking about risk as being something that's, that's, uh, critical or, you know, extremely high risk. So they, differentiating between those different levels is a, is not their experience. And, and so it's been a challenge that certainly we needed to be aware of when talking about or describing, yeah, risk in that context.

Speaker 3:

Well, and I'd, I'd go even further. It is, what you're saying is definitely true. The insurers see that, you know, those, those reports and those risk analyses and, and perceive them to be much more serious than they maybe are in a lot of cases. Um, but I even think a lot of, uh, buyers and a lot of lawyers that perform diligence, um, tend to do that. You know, there's sort of a, one of the sort of, uh, you know, ironic twists of what we do is that a, a company that has been thoroughly analyzing its risk and has been, you know, conducting pen tests and vulnerability scans and, you know, all these sorts of measures to identify problems is a less risky company than that same company that hadn't done all those things. Um, but they're more likely to have a report <laugh> in the data room that identifies a bunch of risks. And so you need to kind of, you know, keep that in mind as you're reviewing those reports, as the insurers do, um, in thinking about, you know, hey, these, these guys brought in, you know, Mandiant, you know, it's a really prestigious security firm, to do a two-month-long penetration test that they paid, you know, $200,000 for, and like, yeah, that's gonna find 15, you know, high-risk things. Whereas this other company, maybe they brought in a company you've never heard of from the same city they're based in, um, that, you know, they paid $2,000 to do, you know, a fairly superficial risk assessment. Um, and that only found one high-risk vulnerability. You know, you need to sort of think about that. That first company probably is actually in a better position than the second, even though you have, um, 15 vulnerabilities one way, you know, you want, so you wanna think about sort of the th, like, how deeply have they been looking?
But you also want to, uh, think about their remediation. You know, a vulnerability that, uh, e even if you have a lot of vulnerabilities that were discovered in the most recent pen test, um, that might not be such a bad thing if they can show, hey, we've been, you know, tracking these, here's the spreadsheet where we have 'em. Here's the status of our remediation of each, you know, we've remediated this percent and so-and-so is assigned as being responsible for this. And, you know, if they can really, um, you know, evidence a, a thorough remediation process that flows from these assessments, um, that can be a very positive fact, um, despite having a, you know, an alarming-sounding report.

Speaker 2:

Yeah. Well, you know, it's, for us, I think of that as the distinction between evidence of a program and, and no evidence of a program. I, I can look at an organization and not be able to necessarily identify any particular risks other, because I have no e evidence to go on to do that, other than to say that they have no program in place, uh, which is much more concerning. I mean, that's a, a much more of a concern than, than saying, Hey, these folks have a rigorous program in place and they're identifying vulnerabilities all the time and have a program to remediate them, et cetera, et cetera. And, and so that, that's a, I think, an important distinction to, to make when talking about sort of the, the maturity of a, of an organization and where they are from a cybersecurity perspective.

Speaker 3:

Exactly. The scariest answer I ever get in diligence is we've never had any vulnerabilities. You know, we've never had a data breach. None of these terrible things have ever happened. Like it's not true. Every company has hundreds of vulnerabilities, whether they have identified them or not. Um,

Speaker 2:

Just because you didn't look doesn't mean that they're not there. Uh, you know, exactly that sort of thing. And,

Speaker 3:

And if they haven't looked for vulnerabilities, they probably, uh, are not identifying breaches, you know, a company that's

Speaker 2:

Yeah, they would've no idea to know, right? They would've no way to know whether they've, whether they've had a, a breach or not, which is, again, even more disturbing 'cause, you know, oftentimes the first time folks like that end up finding out they've had a breach is when the FBI walks through the door with some of their records in hand, or someone, some security researcher, uh, you know, finds on the internet that thousands of their medical records have been indexed by Google. Uh, you know, those kinds of scenarios, which are, which are very dis disturbing sort of scenarios, at least in my mind anyway.

Speaker 3:

Yeah. Which that just one, one little plug that, uh, spinning off of that one fact that I really like to see in diligence is, uh, when companies have a bug bounty, uh, program, or at least some kind of responsible disclosure, uh, policy or, or program set up, um, that's sort of, you know, like a, a pen test on steroids if they have that. So you mentioned security researchers, I just wanted to note

Speaker 2:

That. Yeah, no, and that's a good point. We didn't, we didn't even get to, to scrape the surface today about sort of the, the unique area of, of, let's call it, diligence on healthcare organizations whose primary product or solution is a software platform or pro or software product, which, which is its own unique world in and of its, uh, itself, I think. So maybe that's a, a conversation. Yeah.

Speaker 3:

We'll do another one.

Speaker 2:

Yeah, absolutely. So, uh, you know, probably, uh, I think we're running short on time now. I don't know whether there's any other sort of thoughts you wanted to share with, uh, folks or, or not

Speaker 3:

Sure. I mean, um, yeah, just as a general theme, you know, this is becoming so central to diligence that, you know, in my view, any company that, uh, has PHI or, or even other kinds of personal data, really needs to go through a pretty thorough review. Um, I think it's, you know, important to kind of assert, you know, if you're, if you're involved in performing the diligence, I think it's kind of important to assert that in, you know, the importance of your role in that process. 'Cause there's a lot of specialists, you know, you're sitting, you know, there next to real estate and, you know, uh, IP and environmental and all these different specialists. It's easy to get kind of lost in that crowd. Um, but we're kind of a special case right now where, where the risks are, are, you know, potentially orders of magnitude greater, um, than some of the other specialties. And, um, you know, sort of resetting expectations to kind of, you know, put yourself at the front of the list, I think is, is, uh, really important.

Speaker 2:

Yeah, I think there's still a, still a, a tendency by some to think of it as plumbing. Uh, yeah. And it's become the kind of plumbing that, if you have a leak, can cost you tens of millions, if not hundreds of millions of dollars. So I think if we think of it exactly in that context, then it becomes a little more important for the, for, from a diligence perspective, as well as just thinking about the role that, um, IT and cybersecurity plays for the success of an organization.

Speaker 3:

Yeah.

Speaker 2:

So, uh, thank you very much, Nathan. It was really great talking with you today. I am, I know I got a lot out of it and I'm sure our audience, uh, did as well. Appreciate you taking the time to share your experiences with us. It's, it's

Speaker 3:

Same. Yeah. It was great. Uh, thank you guys so much for having me. It was really fun.

Speaker 2:

Great. So this is John Moore. I'm Chief Risk Officer and, uh, Senior Vice President of Consulting Services at Clearwater. Appreciate y'all, uh, tuning in today and listening to another podcast on AHLA. Thank you.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.