AHLA's Speaking of Health Law

Making Risk-Based Decisions About Managing Cybersecurity and HIPAA Compliance

December 28, 2021 AHLA Podcasts

While spending on cybersecurity is increasing for many health care organizations in 2022, the investment is likely not enough to keep pace with rapid digitization and the growing number of cyberattacks occurring across the industry. With limited time and resources, how should organizations be thinking about prioritizing efforts to manage cybersecurity and related HIPAA compliance matters in the year ahead? Jon Moore, Chief Risk Officer and Senior Vice President of Consulting Services, Clearwater, and Joy Easterwood, Attorney, Johnson Pope, discuss risk-based cybersecurity and compliance decision making and explore the regulatory and business impacts of those decisions. Sponsored by Clearwater.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health IT companies. Our solutions include our proprietary software-as-a-service-based platform, IRM Pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise, and advisory support from our deep team of information and security experts. For more information, visit clearwatercompliance.com.

Speaker 2:

Okay. Uh, welcome everyone. Uh, my name is Jon Moore. I'm our chief risk officer and senior vice president of consulting services for Clearwater. If you're unfamiliar with Clearwater, we're a, uh, cybersecurity, cyber risk management and HIPAA compliance, uh, focused organization, serving hundreds of customers across, uh, the United States and actually some internationally. Uh, today here with me, I have Joy Easterwood. Joy is an attorney at Johnson Pope in the Tampa Bay, Florida area. Uh, welcome, Joy, and thanks for joining me.

Speaker 3:

Thanks, Jon. Thanks for having me.

Speaker 2:

Joy, could you tell us, just, uh, before we get started here, a little bit about yourself and, uh, your practice and, and focus?

Speaker 3:

Sure. So, um, I've been a healthcare attorney for getting close to 14, 15 years now, um, and started my career, um, heavily in the, in the health industry for many years, both on the health insurance payer side, and then in house, uh, with multiple providers, with the, the last being part of a, a large health system. And so, um, I've acted both as in-house counsel and privacy officer. So I know a lot about the day-to-day, um, you know, struggles related to HIPAA and trying to reach your goals and avoid, um, problems and stay compliant. And now I've been with Johnson Pope for a couple years and part of a, a large healthcare practice made up of wonderful people, um, who happen to be wonderful lawyers as well. And so I'm really privileged to be a, a part of that group. And, um, I spend a lot of time still in data privacy and security, a lot of health IT contracting, helping clients stay compliant with privacy and other compliance, uh, programs and laws. And I do a lot of general healthcare, um, law as well. So we generally represent businesses and, and providers and, and some health IT vendors, um, even some EMR companies. So a really good mix. Um, and I will say, as you've seen, Jon, um, the pandemic definitely did not slow down the work that we do in the data privacy and security space, and it continues, um, to stay interesting. And so I, I really appreciate being part of the podcast, because one of my favorite things to do as a healthcare lawyer is help people, um, on the front end just to stay abreast of, of what's happening and try to keep their eye, um, you know, on the, on the goal of avoiding issues, because no matter what you do these days, right, um, it's a moving target.

Speaker 2:

Uh, that's certainly the, the case. And I, and given your background, I think you're the, the right person for this discussion today. I was hoping we could talk a little bit about, um, making risk-based decisions and managing sort of cybersecurity, HIPAA compliance more generally for, for our healthcare, uh, customers. As you mentioned, uh, COVID obviously, you know, COVID continues to, uh, have an impact on the, on healthcare organizations across the United States, whether that's government's response to it, our, our customers' response to it, uh, patients' response to it. So, so a big driver; also the threat actors that are out there, their response to it as well is playing a, a big role in that. I, I thought maybe we could start by, uh, talking a little bit about kind of the trends that you're seeing, uh, that are impacting cybersecurity in healthcare and, and HIPAA compliance. Uh, I think those two things obviously overlap, but, but, uh, you know, what are you seeing out there? I know in addition to COVID, um, that that's impacting. Yeah. But, but

Speaker 3:

I, I'm glad that you brought that up, because I think since we first talked about doing this podcast, I have seen trends change even more. And so, you know, I used to tell people when the omnibus rule came out that just because you knew HIPAA, you know, in, in 2003 and later doesn't mean you know it today. Right. So be sure to reach out to lawyers or privacy officers. And now just because you knew HIPAA, uh, even six months or a year ago, doesn't mean you know it now. Um, and so before we get into, like, what the laws and rules are and enforcement trends, um, I think we're in stage two of the pandemic risk, right? With the first one, that, that kept you and I probably pretty busy, Jon, being, uh, people going remote very urgently and quickly, um, as far as an IT security risk, right? Mm-hmm [affirmative]. Uh, before they had some processes in place with that, simply in response to the pandemic and trying to keep people healthy, but still provide healthcare. And now I think we're in the phase where people are struggling with resources, right? So they're exploring additional support options, and there's a new urgency to that. I mean, providers have to have staff to provide timely and, and the best clinical care. And so, um, again, I think we're in phase two, where, uh, resources are really one of the challenges that healthcare providers are facing. And so anytime you have changes, as we know from, with IT security professionals, right? Change management's really important. And if you make a change, whether it's vendor related or sending people elsewhere, bringing new people in, especially if they're located, for example, um, in a high-risk area, then your security risk changes, your compliance risk changes. And, um, you know, I think that that's the phase that we're in right now, as far as cybersecurity risk. I'm with you. I think that, uh, we were just very active.
The OCR was seeing a lot as well, as far as cyber incidents, a trend moving towards a drastic increase, where we used to deal with paper breaches, right, and now we have a lot of cyber events. Uh, ransomware attacks just became so prevalent. And, you know, some of it's probably related to the pandemic, and cybercriminals did not take a vacation during that time. Um, some of it related to, you know, just growth in that area. Um, we know that those were on the rise before the pandemic. And so, you know, we are on the other side somewhat, but again, we're still, I think, dealing with some of the risk inherent to the phases of a pandemic and how it impacts the healthcare industry and those providers and companies that are trying to support it.

Speaker 2:

Yeah. I think you, you, you triggered a, uh, kind of thought, well, not a thought, a theme that I often see, particularly around HIPAA compliance and working with, uh, let's say the cybersecurity folks out there in healthcare. And, and that is, I think, both one of the, one of the strengths, but also one of the challenges of, of HIPAA, and in particular the HIPAA security rule, is the notion that, uh, there's sort of the, some of those baseline controls, like risk analysis and risk response and encryption and things like that, that are specifically called out in the security rule, but this notion of reasonable and appropriate. So, you know, there's an expectation that I'm gonna take reasonable and appropriate measures to protect the confidentiality, integrity, and availability of, of protected health information, and well, what's reasonable and appropriate? And, and that changes, uh, in a lot of different ways, you know, with, with the, um, nature of the organization and how they're delivering care, with the changes in the threats and vulnerabilities out there in the world. And so all of these things play a part in determining what's reasonable and appropriate, and, and for, uh, you know, the technology folks out there, they just want me to give them a list of controls, that if I implement this set of controls, I'm going to be HIPAA compliant. And it doesn't really work that way, at least in my experience. I don't know whether you've contemplated this as much as, as me, but I'd be interested in your thoughts when, when you're

Speaker 3:

Describing what's

Speaker 2:

Necessary.

Speaker 3:

Yeah. Yeah. I mean, I agree with you. You know, again, before we got into this heightened time of more and more cyber, how and cybercriminals literally running enterprises, you know, across the world, that they're trying to stay one step ahead of the FBI, for example, um, you know, we saw what was reasonable and appropriate early on with the security rule. Maybe encryption wasn't reasonable for everybody, but now it's more widely available, right? So I think that's a good example of how that standard has continued to evolve. You know, is it reasonable to have an Apple device that has built-in encryption, but not have it turned on? You know, um, there's a lot of, a lot more accessibility to encryption as standard. And, and I think that's where we, we see some scrutiny over time. Whereas something happened back in, you know, 2008 versus now, that standard is different. And the other thought that I had is one thing that has really improved and continues to be encouraged, right, which might have led to, uh, one of the new things we're gonna talk about, that a law, a bill that was signed into law earlier this year, um, is trying to encourage healthcare providers and the industry to communicate about cyber threats. And we've seen the Office for Civil Rights continue to try to help people in that regard and send out alerts, right? I think one came out two or three days ago, mm-hmm [affirmative], related to risks that people should be aware of. And then we have the FBI putting out alerts, and there are IT security groups. And so there's a lot of information out there. And so what happens if you're not managing that, and the rest of the industry, or the majority, gets, uh, a, you know, an alert and they're taking action to close that gap and you're not? And so I do think it's a moving target, and to, uh, help with risk and best posture yourself, um, you know, from a legal perspective, because this is [laughs] a lawyer talking here, right? Yep.
I mean, you want to be sure that you're monitoring those things as they continue to come out. Um, otherwise I think that it's more challenging to say, you know, in good faith that you're doing good things if you're not paying attention, based on where we are right now as an industry and the threat, um, to those ongoing notices, because really they're being put out, there's a movement towards, you know, communication and continuing to encourage that, because that's one way to, to help avoid some attacks, if the industry is sharing information about the threats that they're seeing. Um, so making sure, regardless of the size of the company, the practice, the insurance company, whatever type of covered entity or business associate you are, having someone watching that. And if you're using a managed IT company, for example, you know, are they monitoring those alerts and building that into your living and moving security program? I think that is very critical right now, um, to risk management, you know, not just security risk analysis, but ongoing risk management and the things that you're doing.

Speaker 2:

Yeah, I, you, you've mentioned some of the guidance that's come out recently. And I, I certainly want to get to that, 'cause I think it's important, uh, in, in helping organizations think through prioritization and, and making decisions about how they're gonna address risk. Before I get to that, though, I didn't wanna kind of lose our theme of, of changes that are occurring, trends that are occurring in the industry that are impacting, um, how organizations look at cybersecurity and compliance. I mean, one of the things we've seen just, gosh, in probably the last six months has really changed is the world of, uh, cyber insurance. We, it used to be that you'd hear folks say, well, I'll just insure it, I have cyber liability coverage. Are, are you seeing, um, changes in cyber insurance coverage, and how's that impacting your clients?

Speaker 3:

Absolutely. And, and obviously, again, as, you know, a legal counsel advising people on how to manage risk, and, you know, if they're contracting with somebody that wants to propose a limitation of liability for cyber-related events or data breaches in general, um, I'm always especially recommending higher levels of insurance right now, specific to cyber coverage, because of the increased activity. At the same time, even for insurance renewals now, um, what I'm hearing from brokers and clients is that the standards to get or even renew your cyber policy, um, are increased. And so they wanna see things. The insurance carriers that are insuring providers, covered entities, business associates for data breaches and cybersecurity, they wanna see things like dual-factor authentication. Um, you know, what I hear from counterparts that are the IT security professionals is that really that's one of the best ways to counter some of these attacks, right, people using your password. Um, I personally use dual-factor authentication on my personal Gmail account, for example. And so I think that the insurance carriers, uh, process a lot more cyber claims as well, obviously [laughs]. Yeah. Um, as this activity has increased, and so they're managing that risk as well. And so to get insurance, um, to protect yourself, they're, they're saying we wanna see that you have basic things in place that are commercially reasonable, right? Good faith compliance efforts, before we're going to insure you, because the risk is so high in this area right now. So it's not just, what's your legal and regulatory risk. It's also, you know, can we get insurance coverage? Everybody needs it right now.

Speaker 2:

Yeah. I mean, we're seeing the same, similar things to, to what you've expressed. I mean, certainly the, the preconditions for getting coverage in terms of controls that, that an organization has in place, seeing that across the board. The other thing is, uh, even with that, even with those additional controls in place, uh, increases in premiums from, you know, 30 to 50% increases in, in premium prices. Uh, the other thing we're seeing now, too, is that, uh, limitations on coverage in particular, you know, it switched very quickly from, uh, a lot of the, uh, cyber liability insurers encouraging, uh, the payment of ransom payments, despite the fact that the FBI was discouraging it, now suddenly, uh, we're seeing that they're excluding that from their coverage. So it's a, you know, some significant changes, I think, in, in, uh, uh, in that area in particular.

Speaker 3:

I agree. And I think that, um, you know, it's not a surprise, right? Once, insurance companies, you know, they have to maintain their business as well. So when there's a, a higher rise of any type of covered event that occurs that they're paying out, and again, cybersecurity regulatory actions, this was an area that was more escalated than deescalated by the pandemic. And so, you know, they have to control, um, what they're paying out. And another thing that I, I don't know that, um, all providers, uh, or clients understand is that another requirement of most insurance policies, uh, related to these events, if you have some type of criminal-related attack, right, mm-hmm [affirmative], um, require, uh, reporting to law enforcement. So, um, you know, I think that, that, you know, there is something, in addition to the OCR guidance on a ransomware attack and the expectations there, um, people need to be aware of, and us as attorneys, just helping people walk through the process, right, um, should be prepared that that's likely a, a coverage requirement as well.

Speaker 2:

One of the other things, and this is perhaps a more anecdotal observation, although I've seen some statistics about, um, the, the anticipated growth in class action lawsuits. Um, but certainly here, I know there's been a number of cases here in Florida with, uh, class action lawsuits quickly showing up after a breach. Are, are you seeing any increases in litigation following, uh, cyber breaches in, in your practice or generally?

Speaker 3:

Yeah. And so, you know, plaintiff's attorneys get very creative, um, and because this topic of data and impacting people, um, the impact that it has on people, has been a, a growing topic that's been in front of Congress, and it, and it's out there all the time, right? That's, there's a reason why our laws are getting more stringent to protect individuals' rights over their data. Um, and so I am seeing, um, class action lawsuits. I guess my perspective would be that, um, you know, since early on in my career, when I did plaintiff's work, mm-hmm [affirmative], um, I, I've seen a, a, a large evolution, uh, in how far those lawsuits are progressing through our legal systems. And so, additionally, not just in the state of Florida, but we know that the state laws across all 50 states are evolving. Uh, we know that California, for example, has some of the most protective state laws related to personally identifiable information, not just PHI, right. And so watching the state laws across all 50 states, um, we know that it's a priority that data has to be protected, not just under HIPAA, but under state laws. And I think we can anticipate that class action lawsuits are gonna continue to grow. Um, you know, these are things that if they're over 500, specifically for HIPAA, right, they impact more than 500 people, um, you're dealing with a media-reportable event, and that gets attention. And so I think that we should anticipate, especially as state laws continue to, um, become more protective of people's information, the class action lawsuits are gonna continue to grow and progress, uh, through our court system. They should be a real consideration, right? When, for example, when someone is considering how much coverage to get, uh, we're not just talking about, you know, legal fees and, uh, regulatory investigations. We're also talking about defending lawsuits. Um, of course there can be actions by the state attorneys general as well.
And so, um, yeah, we, we're seeing an increase, we're seeing progression of that type of litigation, and, and that's why we're all so busy, right, as people working in the data privacy and security realm.

Speaker 2:

Yeah. I think there's, there's still, you know, much discussion in that space around the need to show damages as a result of the breach, et cetera, probably well beyond the scope of this conversation, but, but it'll be interesting to see how that, uh, plays out at the kind of the state and, perhaps, the national level, uh, going forward. Uh, you mentioned, you know, some of the, the OCR, um, activity, certainly providing, uh, guidance. There hasn't been, well, it seems to me that most of the focus lately from a, from an enforcement perspective has been targeting organizations' ability to provide, uh, medical records in a timely fashion. Uh, well, is that, I mean, I, I think that that's accurate, certainly correct me if I'm wrong, but I think there's still a, still concern and, and, uh, focus on or investigation of, uh, breaches, and breaches triggering OCR inquiries, et cetera. Uh, whether or not those are specifically resulting in, in, in, uh, uh, immediate penalties or not has, has kind of slowed down, but, uh, what is, what is your perspective on kind of OCR activity and, and, um, what they're focused on right now from a cybersecurity, HIPAA compliance perspective?

Speaker 3:

So I, I, yeah. I mean, I totally agree with you. When you pull up the OCR's enforcement activity or press releases page, right, mm-hmm [affirmative], um, right now you're seeing it at a very progressive pace, though. It's not every six months; we're really having a lot of enforcement actions close in time based on the OCR's access initiative. Um, I believe the last press release actually included multiple, um, enforcement cases tied to access. And the Office for Civil Rights has made it very clear that that continues to be an initiative. Um, so we spend a lot of time talking about that. So we'll, we'll talk about, hey, let's manage your IT security, but, you know, you can't breach the information, but you need to be sure you're not blocking it, because we also have the information blocking rules under the 21st Century Cures Act. So, but what cannot be lost is that IT security continues, yes, um, to be a compliance consideration and risk for enforcement action from the Office for Civil Rights. And so, um, I, I think what we're also seeing, um, you know, especially Public Law 116-321, Jon, mm-hmm [affirmative], that you and I talked about before, uh, that was signed into law on January 5th, 2021, is there's a big distinction. And I would suspect that it's noticeable, right? It, it is to us attorneys, uh, helping people navigate what to do, and your, your enforcement risk is, um, if you have an incident, um, and, you know, there's a big difference between companies that really are not doing anything, uh, to, to put efforts forward for best practices in IT security and meet the requirements of the HIPAA security rule missed, as well as just having an active and living IT security and IT security management program, um, and those that are really doing everything, um, you know, reasonable they can, who are still falling victim to this criminal activity specifically, right, or a workforce member that falls out of, um, compliance and, and causes an issue.
And so I think that there's, um, also continuing to be a need, um, to encourage people, because information sharing tied to ransomware attacks and criminal activity, um, information sharing is so important to help prepare the industry and, and kind of rein in the, the broad impact of that type of attack. Right. Um, if one company's hit by a type of ransomware or a certain cybercriminal organization or attacker, and they don't share that information with others, then you're preventing the other organizations and industry from properly responding. Right. And so, um, this is a, a new movement. I think that it is clearly providing that, you know, you don't wanna just have good cybersecurity if you're a vendor and you wanna show your clients, right, that you have good security practices, because, you know, we've seen the, um, HITRUST certifications being something that these third-party vendors really strive for so that they can show covered entities that they wanna service that they have a good security program, but now we're moving towards recognizing that that should help reduce, um, you know, risk of enforcement action, penalties and fines, uh, if there is an offense, because I don't think that anyone would disagree at this point that even, um, organizations with the best IT security programs and policies, uh, can become victims of ransomware attacks. Yeah.

Speaker 2:

I, uh, you mentioned ransomware attacks in particular, and, and, you know, that's come up a number of times, and certainly anyone who's, uh, been paying attention to what's been going on over the last two years can see that there's just been an increasing, uh, number of ransomware attacks having dramatic impacts on healthcare organizations, uh, you know, shutting them down for even up to months at a time, uh, driving some out of business totally, uh, impacting the ability to deliver care, uh, a recent case of, um, of, uh, uh, a terribly unfortunate case of an infant passing away, uh, potentially linked, at least the allegations are that that was linked to, uh, inability to provide effective care due to a ransomware attack here in the United States. In just a, just some, uh, some incredibly significant, um, cyberattacks taking place at an increasing pace in, in our industry. Uh, and, and, you know, we add that to some of the other trends, uh, that we've mentioned, all of which are related, you know, the changes in the cyber insurance premiums, the, a growth in a number of, of lawsuits, some of the activity and focus of OCR, you know, all of these things are creating a, a swirl of, of activity and, and requirements and, and influencing what's reasonable and appropriate, certainly from a compliance perspective, for these organizations. Um, you, you, you, we've touched on, danced around, uh, you know, the, the, um, uh, new legislation that, well, the new legislation that passed earlier, uh, this year, uh, um, gosh, now I'm forgetting the citation again. Uh, 116-321, which was formerly H.R. 7898. And, and as you pointed out, that's, that's legislation, not so much of a requirement, um, or a, uh, requirement of things that we have to do, but something that would be in our best interest to do from a, from a healthcare perspective.
And for those who aren't familiar with that legislation, what it essentially said was that if organizations had recognized security practices, they specifically cite to, uh, the, the NIST Cybersecurity Framework and Section 405(d) of the Cybersecurity Act of 2015, if you've adopted those, uh, those practices for the year preceding your, um, let's say, encounter with the regulator, whether that's an audit type of situation or, uh, potential enforcement action, fines, penalties, settlements, that the regulator should go easier on you because you've adopted those practices. So I know that certainly, at least in our mind, and in, and, uh, what we've talked with our customers, should influence, um, how organizations are thinking about, uh, adopting reasonable and appropriate security measures. Uh, so I wanted to shift in that. And finally, I, I think we're kinda getting to the, what I really wanted to, to talk with you about today, Joy, is when you're working with your customers and, and you're trying to advise them on what they should be doing from a security and compliance perspective, and usually that comes down to, okay, what things, what controls should we be implementing in order to be compliant, and, and not just with IT, but more broadly too, how do you go about working with them and helping them think through that process?

Speaker 3:

Yeah, so obviously, you know, again, the, these are the things that we like to do as healthcare attorneys, right? We're here for people when they have an attack or a breach and, or an, an inquiry from the Office for Civil Rights. But to the extent you can think ahead and say, um, you know, if we were ever closely reviewed, uh, by the Office for Civil Rights, um, you know, what would we have to show this compliance, right? And, and I'm just coming back to, um, 116-321, because I think it's memorializing what we hope, right, will happen in most cases, where if you have good based compliance with the, the standards, um, and the security rules specifically, and a good living, breathing HIPAA compliance program, then hopefully that will reduce your likelihood of penalties and fines when you have an incident, right, and set you apart and, and set a good example that can be laid out to the Office for Civil Rights to show, look, this happened to us, but we really have in good faith, um, been trying to comply. And so, you know, in general compliance, we have the, um, seven elements of a compliance program that's been around and we want our clients to fit under, right, um, under the federal sentencing guidelines. So it, it's good to see this, um, kinda light being shined in the data privacy and security regulatory realm. And so I am always trying to tell people, not only have you done a risk analysis, right? My biggest concern is, hopefully everybody has at this point. Um, we do have a, a tool that's out there on the ONC's website, where if people cannot afford a third party, for example, or they're starting a new company, um, I think that it, it's a good way to start thinking about HIPAA and how you're going to establish that, uh, privacy and security program. Um, and so, but I'm, I'm also concerned to ensure that they don't do a risk analysis and then the, the follow-up from there falls off the cliff, right?
Mm-hmm [affirmative], um, I think it's very hard to sh say, or, you know, that you're doing what you can under HIPAA because you did a risk analysis, without showing that you then had a good risk management plan and you, in a reasonable and appropriate way, um, were addressing the, the risk that you identified. And so documentation, as outside counsel, right, is so important to me, 'cause you can't just say you're doing good things; you, you need to be able to show it, and it doesn't have to be perfect or the most fancy format. Um, but you do need to have this ongoing security risk management program. It's part of the security rule. And so I think that there's always a lot of talk about risk analysis. Um, and you know, people will say, yeah, we did a risk analysis. We paid this company to do it, or, or we did it for other regulatory purposes and reporting. Um, but then, you know, what happened after you identified those risks, and how can you show that you took follow-up actions? And so, you know, as a legal counsel, um, I just continue to stress to people to ensure that they document all good things that they do, right. Most providers especially are always trying to comply. Um, they're balancing it with treating patients, but, you know, I don't know that they're always going to intuitively understand that [inaudible] all that stuff is really important too, and to make sure that you regroup, come up with a security risk management plan, and follow through with it.

Speaker 2:

You, yeah. You mentioned a, a number of things there. I, I know that we use in working with our customers that, uh, we found effective. So to, to your fir last, I think it was your last point of the, you know, the risk analysis isn't, isn't in and of itself a HIPAA compliance program, nor is it a cybersecurity program. Um, you know, we usually recommend, well, a number of different frameworks for people to build their program upon. One is the NIST Cybersecurity Framework, which was, you know, identified in the legislation as a, a recognized practice. The other is the, mm-hmm [affirmative], seven elements of an, hope I think I have this right, seven elements of an effective compliance program. Um, mm-hmm [affirmative], you know, in terms of setting up what that compliance program looks like, certainly from a governance perspective, and making sure that we have appropriate, um, documentation in place, like charters and that kind of thing, um, I think is really helpful for organizations who are trying to build a program. It's like building a house. If I have a, a, you know, a framework to build that on, certainly is helpful. Uh, you know, one of the, the, the way we usually think about that is, is along the lines of the adoption of the NIST framework, is we need to understand, uh, sort of where we are currently as an organization, or our current, uh, profile, uh, where we need to be, our target profile, and there's a number of things that, that go into the creation of that target profile, uh, and then what's the gap between the two that we need to fill. Uh, a, you know, target profile perspective, we're, we're looking at, what are the compliance requirements that, uh, we need to consider? And, and I think of the, there's the things we have to do, which, which are the, uh, HIPAA, you know, for some folks the GDPR or other, uh, state regulations that we need to be in compliance with. Then there's the things that we've promised to do.
Um, you've mentioned some of those, you know, if, if I'm a business associate and I'm entering into a business associate agreement, well, then that pulls certain obligations into what I'm gonna do. Or I may have contractually obligated myself to, uh, be SOC 2 compliant or have a HITRUST certification. Those kinds of things, uh, certainly come into play in terms of what's my target profile, uh, requirements for my organization. Then there's the things now that, that I want to do, or that are in my best interest to do. And, and certainly that's adopting the NIST Cybersecurity Framework or adopting recognized security practices, whether that's, um, the 405(d), um, uh, requirements, or not requirements, but guidance that's come out, on guidance, not [inaudible] is the right word, but the 405(d) recommendations, um, that have come out as, as sort of guiding what that target profile should look like. And, and then of course I have all of that. I still need to do my risk analysis to understand whether that's gonna be sufficient, uh, to manage my risk as an organization. And all of that goes into my target profile. So that, that's the way we, we've typically talked to, to, uh, our customers about it. And I think from what I'm hearing from you, a very similar sort of approach.

Speaker 3:

Yeah. I'm in total alignment with you. I think that there's a reason why, for a living and breathing program, right, mm-hmm,<affirmative> the seven elements works. I mean, that is the structure in healthcare that people should be following for all compliance. It works. Um, generally it helps give you a structure, and I find it effective, uh, for privacy and security programs, right. And then of course, HIPAA requires you to have designated privacy and security officers and do training. Um, so some of those things are inherently built into the Privacy and Security Rule requirements. Um, and I think that legal threshold analysis, and, in addition to a risk analysis under the Security Rule, that should be performed periodically too, because data privacy and security laws are so fluid right now, um, and ever changing. Right. And so, for example, we know that we're waiting for final changes to the Privacy Rule to come down, um, it, over the past, I think it was 2016 when the access guidance came down. There's a reason to do that threshold legal analysis, um, on a frequent basis to make sure that you're still compliant with the laws that apply to you, that you haven't missed something where you would've noticed in a gap analysis, right. That maybe GDPR applies to you, or maybe the state where you're situated has a new privacy law that's, um, even more stringent than HIPAA in some areas. And so your privacy and security policies, um, should be modified to ensure that that state law is as well. And so I think that for managing risk, you always wanna start with what laws at this point in time apply to our business, and then, you know, uh, I'm exactly what you said, Jon, uh, you know, we can't just talk about HIPAA. There's a lot of contractual obligations. There's insurance considerations, licensure, not just in Florida, right? Um, in any state, in many states under their governing boards for the type of profession, have confidentiality requirements. 
We have state super-confidential information that varies by state. Um, what are those requirements? And then there's a movement in accrediting bodies also saying, you know what, privacy and security is important. Let's be sure that we are including that, um, in audits. And so recognizing what those are, because maybe you can do something under HIPAA, but it would be a breach of your technology contracts, um, if you allow it or do it in this fashion, and you need to recognize that you could have a contractual breach issue or a material breach issue<affirmative> and then of course reviewing what incidents you had, you know, did we follow through, whether or not it was a breach? Uh, maybe it was a complaint. Maybe you had an incident that you did an investigation on to determine if there was a breach. And did you address any risks that you in that process? And so the risk analysis is one piece in determining, um, you know, how you need to respond. And I think determining how big of a risk something truly is in the data privacy and security realm to your organization. Um, obviously there's also been a huge movement towards data having value. Right, early on in HIPAA, we tended to see that everybody just allowed de-identified data, right? Because under HIPAA, you comply with the de-identification Safe Harbor; that data is no longer considered PHI. Well, now even de-identified data has value. And so that, depending on what the business is, might be extremely, uh, important to that company. And so that varies, right, but in identifying what data needs to be protected and what safeguards should be there, both in an IT security framework, like you mentioned, and again, it continues to be the forefront, um, but also what's important to the organization as far as data: are our contracts aligned with that, if we're doing a fresh assessment, right. 
Have we modified contractually, uh, where our business risk and, uh, focus on data is? And then obviously, if you know of a risk and you're doing nothing, that's gonna create greater enforcement, uh, risk for the organization.

Speaker 2:

Yeah. I think this is when things get, to a certain degree, very challenging for folks. Cause let's assume I, you know, I do the work to understand what my regulatory and contractual compliance requirements are. I do the work to understand, uh, you know, what would be reasonable and appropriate for my organization from a security perspective. And we mentioned 405(d); I think that's a very interesting, uh, set of documents, uh, to examine, because they try to take a look at what's appropriate for different organizations based on size of the organization. So, you know, kind of recognizing that, uh, a large hospital system would have more resources available for security and more risk that they'd be trying to address than a small, uh, physician's practice, and making distinctions around what would be the recommendations for security controls between those different organizations. But I, you know, we can do that work and come up with the, um, let's call it the remediation plan or the list of controls that we should be implementing as an organization, uh, the activities that we need to be doing on an ongoing basis, but then, uh, like most, well, I've told this story a number of times with different customers: only once have I run into an organization that told me, Hey, Jon, uh, you know, we have an unlimited budget when it comes to security and compliance. So, uh, you know, we're gonna do whatever. That's only happened to me once, and that was in, uh, Wall Street firms. So most of the customers, certainly that we work with in healthcare, there's limitations on budget, there's limitations on resources. Um, you know, even though they're spending more, they're trying to still do more with less; there's gaps in capability, around, in particular, security resources right now. 
And I think some of the framework you laid out, into starting to understand how we can prioritize, uh, that list of activities that we need to do, um, is important. And I think a lot of times, uh, there's an opportunity for folks to think through that a little bit more. So the ideas that you mentioned, like what, how sensitive is the data, what's the quantity of the data, obviously those come into play when I think about the impact of a breach, um, that may result from lack of a control, or a control that's on my list that I might be thinking about implementing, or, you know, what's the system that's gonna be impacted by that? Uh, you know, ransomware obviously oftentimes is shutting down organizations. Well, it shuts them down because they lose critical systems. Uh, so maybe I should be thinking about and prioritizing those controls that are most closely linked to my most critical systems, uh, that allow me to operate as a business. So, you know, there's a lot of different factors, as you've mentioned, that can go into the prioritization of the list of, uh, controls that we need to implement as an organization. And, you know, budget obviously is one of them, resources is another one, but some of these other risk factors and business factors and compliance, etc. You know, it all has to be weighed in prioritizing that list. It seems to me

Speaker 3:

Anyway. Yeah. And I think I missed just a couple things. I know we're, uh, you know, there's so much to talk about on this. Yeah.<laugh> Make it useful. Yeah. But I'd be remiss not to mention a couple other things. So, you know, there's nothing worse than doing your assessment, right, and coming out with the gold stamp, we've got all greens, you know, we had a couple yellows, we remediated it, and then ending up on the other side and saying, well, now we have this type of regulatory review or issue. Um, and we didn't recognize at the front end of that assessment that either a certain law applied, or we had this data sitting somewhere. Right. Mm-hmm<affirmative> um, and so, you know, I think that one thing I should have paid extra attention to in my prior comments is that if you're doing this assessment right now, or advising a client, um, the 21st Century Cures Act information blocking provisions are active. If it's a health IT provider, or one of the actors, which that analysis should be done under the Cures Act, um, there's many other requirements that apply. And so, if we're doing a true, you know, data compliance assessment, we have to think about that law. And we need to think about it in the HIPAA realm, because we wanna be sure that we're not barring access to things, even as a provider, right, um, that are permissible for use or disclosure. And so we don't wanna get so overly protective that we're now blocking access, whether it's tied to OCR's access initiative, or now the 21st Century Cures Act information blocking provision. So I strongly encourage that legal assessment, you know, what laws apply to us at this point, for sure, and then ongoing, because there's many laws now that touch data, electronic communication, interoperability in healthcare. Um, and so we can't just look at and consider one area. And then one thing that people can do to manage, which we always talked about as a good practice, right? Jon<laugh> yeah. 
Our tabletop exercises. And the reality becomes, we're a small provider; how practical is it for us to do a tabletop exercise for a ransomware attack or an emergency? Right. Um, and so now, because of where we are today, and ironically storms seem to be occurring more, right?<laugh> mm-hmm,<affirmative> um, when businesses are down due to a ransomware attack or otherwise, I think that tabletop exercises really need to be a priority. And, you know, as attorneys, we can advise on the law, but we also wanna advise our clients on how to be prepared and compliant, right. They also have to provide, in the provider context, patient care, or they're a vendor that's supporting patient care. And so when there's a ransomware attack or something that shuts down the business and systems cannot be accessed, um, that's where, Jon, the case you mentioned, right, we start worrying about will a patient be harmed. You know, we have to prepare and think about those other things. So particularly for providers, or entities supporting healthcare for providers, because we wanna ensure that patient safety is maintained, those tabletop exercises, if they haven't been done recently, should definitely be prioritized. How are you gonna restore systems? We don't wanna have to negotiate with cyber criminals, right, um, if we don't have to. And so knowing how data will be backed up and restored, and how patient care, regardless of the size of the practice, will be maintained during that, is really something that should be prioritized in this risk management realm. Um, otherwise you're having your first experience when somebody comes in and the only thing that pops up on their computer is a ransomware note. Right. Um, and then, just again, identifying and managing old data and having a good retention and disposal process, I think, is a way to manage risk as well. 
That, um, there's nothing worse than helping someone, um, through managing breach notification requirements under state and federal law, and it's data that could have been destroyed 15 years ago, or somebody doesn't realize that they have anymore. Um, and so that's something to think about when managing risk.

Speaker 2:

Yeah. I think, uh, you took me back to a point that I think we all need to remember, and that is, you know, this industry exists at the end of the day to deliver care. And if we're, uh, you know, not able to achieve our mission, then we failed, whether that's an individual organization or whether it's the industry as a whole. And, uh, so I think that's important, and certainly, uh, we're seeing more and more interest from organizations, and certainly encouraging the tabletop exercises, uh, business impact analysis. I think those are the kind of two areas where it can be, it's most clear to those who are in positions of decision making and influence within organizations, the reliance that organizations have on IT systems for delivering care, for achieving their mission, and the implications to the organization if there's a disruption, uh, in those IT systems, whether they come from, uh, a natural cause, you know, storms, or whether it's the result of threat actors that seem to be out there and, uh, don't hesitate to target healthcare. Uh, so I think we're coming up to the end of our time for this conversation. I know, Joy, uh, we've talked before, and you and I could probably talk for hours and hours about, uh, this topic and related topics, but is there anything, um, last thoughts or comments you'd like to share with, you don't wanna

Speaker 3:

Ask that question, Jon. Cause I just sit here and my brain keeps going, and yeah, again, I mean, we wanna continue to help people and, you know, in healthcare, I think it's one of my favorite places to be as an attorney, because generally we're really helping people, um, in the healthcare system, keep us all better, and we find that the clients wanna be compliant. They wanna do the right thing. They definitely care about patient safety. And so managing risks in the IT security context, it's worth a fresh look, right. And it's definitely now something, because we're all electronic, um, that has a higher impact on patient care. And so I think just continuing to share this information and have these discussions is hopefully meaningful. Um, and again, I appreciate you having me here. Uh, I think we should get together for that lunch again,<laugh> now that, um, restaurants are being more frequented, but, um, thanks for having me. And I hope that, you know, we had a meaningful discussion today that can help people think about these things. Um, and if we talk again in a couple months, I'm sure that things will have changed even more, and hopefully, you know, we might even have the final changes to the Privacy Rule. So more to come, for sure.

Speaker 2:

Yeah. Well, thank you, Joy. It's always such a pleasure to talk with you, always informative. I know for me, and I'm sure it was for the listeners out there as well. Um, yeah, it's changed quick, uh, the environment that we're operating in. I think fortunately we're seeing, you know, much more attention being paid to, uh, cybersecurity, to HIPAA compliance, and the needs for that, and the impact on the mission overall from, uh, cybersecurity and, uh, the need to protect patient data and making sure that patients have that data in a way that informs their decision making. So a lot of activity, uh, certainly going on in healthcare, a lot more things we can talk about, and, uh, hopefully we'll have the opportunity to do that going forward. Um, I'm, uh, Jon Moore, and again, I'm the chief risk officer and senior vice president for consulting services at Clearwater, uh, a cybersecurity, HIPAA compliance, cyber risk management firm focused on healthcare. Uh, and thank you all for tuning in today and listening. Goodbye now.

Speaker 3:

Thanks. Bye.

Speaker 1:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.