AHLA's Speaking of Health Law
Health Care Enterprise Risk Management: Issues Related to Cybersecurity
David Crapo and Bethany Corbin discuss enterprise risk management for health care organizations, with a particular focus on cybersecurity. They cover the sources of cyberattacks on health care organizations, risks involving third-party vendors, strategies for minimizing cybersecurity risks, legal requirements, different stakeholder responsibilities, dealing with cybersecurity breaches, and legal and regulatory trends. David is co-editor, and Bethany is co-author, of AHLA’s Enterprise Risk Management for Health Care, Fourth Edition. From AHLA’s Hospitals and Health Systems Practice Group.
To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.
Speaker 2: This episode of AHLA's Speaking of Health Law is brought to you by AHLA members and donors like you. For more information, visit americanhealthlaw.org.
Speaker 3: Hello, my name is David Crapo. I'm an attorney at the firm of Gibbons PC in the Newark office. My practice focuses on bankruptcy, healthcare and privacy law. In fact, I came to healthcare and privacy law through bankruptcy when a number of healthcare providers became my clients as a bankruptcy attorney. I'm also the editor of the fourth edition of the Enterprise Risk Management handbook, published by the American Health Law Association. Today with me is Bethany Corbin. Bethany is one of the authors of the book, and wrote a very good article on the risks inherent in cybersecurity. Bethany and I will be talking about those risks, but for healthcare entities, risks are not confined by any manner of means to cybersecurity. There is frankly no area in which a healthcare entity or enterprise operates that doesn't involve some risk and doesn't require the management of that risk to ensure the smooth operation and even the survival of the entity. Among the areas particularly touching on healthcare entities are risks involving contracting and supply chains, as we learned during the COVID emergency; credentialing of professionals; and other areas: bias, particularly implicit bias. We've learned that the healthcare outcomes of people in underrepresented groups in this society are not as positive as those of more traditional Western European descended Americans. Clinical patient safety is an important area of risk.
I've learned that by serving as a patient care ombudsman in a number of healthcare bankruptcies. Informed consent is an area where the law has changed and where risks have increased. Infection control: that issue was put front and center by the COVID emergency. We also are learning in healthcare how to use different healthcare delivery models, all of which involve a certain amount of risk. Financial risks: numerous financial risks are involved in healthcare businesses. And then there are the legal and regulatory risks. Healthcare is probably the most highly regulated industry today. Healthcare entities have to be careful about fraud and abuse laws, HIPAA, healthcare privacy and security laws, telehealth, environmental laws, and the issue that Bethany will be addressing, and that is cybersecurity. So, Bethany, please tell us a little something about yourself.
Speaker 4: Thank you so much for having me here, David. It's funny, you and I both traced our roots to bankruptcy. I actually started my career as a bankruptcy law clerk, and went into financial services and bankruptcy right after that, before transitioning to healthcare. I've been in healthcare, goodness, for over a decade as an attorney. I started really with large healthcare organizations, big law in Washington, DC, really helping to navigate, you know, not only the risks that were associated with privacy and security, but also risks that we had whenever we were thinking about things like managed care, pharmacy benefit management, and then also, you know, the things that came along with larger insurance clients. So I have that background. And then of course, once everything started to go online and become digital, privacy became much more of a requirement, and security as well. And so I switched my practice over to focusing on privacy and security. I have the CUS certification. I'm also certified in healthcare compliance and healthcare privacy compliance. And I focus a large portion of my practice now actually on helping smaller startup organizations within the healthcare industry understand their privacy and their security obligations. So that is particularly something that I focus on in the reproductive health and women's healthcare fields, especially with everything that has happened with the Dobbs decision and the new HIPAA reproductive health privacy rule that's come out. So I do a lot of work in that area, and of course, cybersecurity is one of the main concerns. So very happy to be here today.
Speaker 3: So, Bethany, you have immersed yourself in cybersecurity, it seems, in the last five years. Has the nature of cyber attacks on healthcare entities changed? And if so, how?
Speaker 4: Yeah, it's a great question, David. You know, there've always been attacks on healthcare organizations. They were a lot less prevalent, of course, back before we had electronic health records. But definitely within the past five years, especially when we think about what's happened with the COVID pandemic and the transition of a lot of healthcare into a more digital format, we've definitely seen a different nature of cyber attacks and also an increase in the prevalence of cyber attacks as well against healthcare organizations. So, some of the ones that I'll call out, you know, that I've seen in particular in my work, would be a huge increase in ransomware attacks in particular. So in 2021, actually two thirds of healthcare organizations had experienced a ransomware attack at one point in time that year. So it is becoming a huge threat vertical for these healthcare organizations. The other thing that I have also seen now as well, with that transition with COVID to more digital health and technology, is really an increase in the exploitation of data for financial gain. And what I mean by that is we're seeing a lot more of that protected health information appear on the black market over these past several years. And the value of that data, a lot of people don't recognize it, but it's actually significantly more for a healthcare record than it is for a credit card record, because once somebody has that healthcare data, you really can't change it, right? And it's a lot more of your sensitive personal information than a credit card, which of course, you could go and contact your credit card company. So we've started to see the price for that healthcare data on the black market also increase, which I think is spurring more bad actors to continue their cyber attacks on healthcare organizations. The other thing that I've seen too is that increase in attack surface, again, as a result of COVID, because we've gotten a lot more digital devices.
So now, you know, almost everybody has a smartphone, an Apple Watch, different types of apps that they're using within the healthcare systems. And that expands the attack surface that we have. So now we don't just have cyber actors going after large healthcare organizations' networks, and I'm sure we'll talk about this in a little bit as well, but we also see them going after those smaller applications and connected devices as a footprint into larger organizations. So that threat surface has really expanded. The other thing that I see too, more sophisticated phishing attacks have definitely started to crop up, some in which, you know, I have privacy colleagues who sometimes are also looking into and saying, okay, is that actually legitimate? Because the email name is so good, right? Or the information in there, it's not something that can readily be identified all the time, with the sophistication increasing. And then finally, the other one that I will say that I've started to see over the past several years is an increase in nation state actors who have started to ramp up attacks on healthcare systems as well, really with that goal of gathering intelligence to cause disruption.
Speaker 3: Okay. So, what about attacks involving insiders? How has that changed, if it has at all, over the last few years?
Speaker 4: Yeah, you know, it's funny, there seems to be this perception that a lot of the breaches and cybersecurity incidents that happen within healthcare organizations are the result of malicious outside actors, right? Like cyber criminals. That's actually not the case if we take a step back and look at the data and the statistics. So inside actors: there are really three categories of inside actors. Whenever we talk about that category, we have employees who are unintentionally doing things that could expose the healthcare system to a data breach or to a cyber attack, right? So they're kind of our negligent employees. We've then got employees who are unfortunately doing this to be malicious, right? They're typically going to be your disgruntled employees. And then we have that third category, which is your vendors and your contractors. So really that kind of third party actor that you've engaged with. So whenever we think about insider attacks, those are the three groups that we've got. What's actually been shown by the data is that 61% of data breaches involving a healthcare organization are actually the result of unintentional insiders or negligence. So it is not a lot of that happening from those outside cyber actors. It's actually somebody within the healthcare institution did something unintentionally or negligently that then exposed the healthcare organization to this added cyber risk. There's also been an interesting study that showed that about 39% of healthcare employees only receive cybersecurity awareness less than once a year. So part of the reason that we do have this huge threat vertical whenever it comes to insiders is because there has been a lack of training in a lot of healthcare organizations to date. They've also found that 27% of the healthcare workforce saw their cybersecurity policies less than once a year.
So there's a lot of miscommunication or no communication happening within that healthcare organization, and that can really open the organization up to these cyber threats in a way that wouldn't happen if there was more extensive training and communication with employees. So that's kind of that first category. The second category that we see with the inside actors, right? Those disgruntled employees, they're accounting for about 14% of insider threat attacks. And what's really interesting here is that there was a study that showed that about 82% of healthcare organizations cannot effectively determine the actual damage that's caused by an insider attack. So that full scope of damage from an insider attack is usually going to remain unknown. And it's very interesting because then you can't really determine, you know, exactly what that risk profile was, what data was stolen or taken or misused, and that can leave a big gap as well in your security infrastructure. And then finally we have kind of that third category, which are those third party vendors. This is an area, you know, as we were just talking about, in terms of change over the past five years, that I have seen third party vendors actually become an increasingly bad risk for a lot of healthcare organizations. And what I mean by that is there was actually a study that showed that more than half of healthcare providers have experienced one or more vendor related data breaches. So a lot of those data breaches are coming from vendors, and as I was talking about before, the bad actors are using those vendors as a stepping stone into your larger healthcare organization system. Yet despite that, only about 27% of healthcare organizations actually assess their vendors annually.
So part of this can be mitigated if we think about vendor management and really making sure that we have good protocols in place for how we're going to handle vendors, how we're going to audit them, what we're gonna look for in terms of their cyber infrastructure. And that becomes really important, especially when you think about these larger healthcare organizations, because on average, a larger healthcare organization is gonna contract with about 1300 vendors. So if you think about 1300 potentially different entry points into your system, it becomes very easy to see why that could be a problem when we think about inside actors.
Speaker 3: Now with vendors, also, are you seeing, or is the research showing, vendors that are actually utilizing their clients' PHI and other healthcare data in violation of their agreement, but for their own purposes, their own R&D, maybe even selling it?
Speaker 4: <laugh> Yeah, yeah. It's a fantastic question, David. You know, I have seen that happen in a couple of instances. A lot of times I see it happen where the vendor claims that they are, quote unquote, de-identifying the data. And the contract may either be silent when it comes to de-identification, or it may expressly prohibit it. But once the healthcare entity really has that data in its control, it's hard for the covered entity or other healthcare organization to be able to monitor how that data's gonna be used downstream and whether or not it is something that is flowing into that vendor's, you know, larger data sets in a quote unquote de-identified manner. So I've definitely started to see that happening. You know, there's of course, you know, people who do abide by their contracts, but I also see it happen a lot of times when that contract is silent. So if you're a healthcare organization, you know, one of the things that I absolutely recommend is in your contracts with vendors, be very specific about whether or not de-identification or downstream use of that data is permitted, and if it is permitted, in what circumstances. 'Cause that's also where I've seen some entities get in trouble as well: they'll say, yes, you can use de-identified data, and try to limit the circumstances in which it's used, but those circumstances have ambiguity. And so that gives the vendors as well a lot of wiggle room in how they're going to use that data and potentially sell it downstream. But David, I'd love to know as well, you know, from your perspective, you do a lot of work in terms of, you know, telehealth and that side of things. Are you seeing anything different on this side?
Speaker 3: Yes. I'm beginning to see pressure being put on healthcare entities by vendors to be allowed to use data. And the big issue is they'll say that it's gonna be de-identified, but the question is, and what's not always set out in the agreements is, what does de-identify mean? Do you use the HIPAA standards? Do you use other standards? And we all know that, you know, there's de-identification and there's de-identification. And there's also a greater risk now that you can re-engineer or reverse engineer and get back to the original data. So I see, you know, you've got vendors that say, gee, I've got all of this data, I wanna do something with it. And you've got a healthcare provider who may or may not be sophisticated enough to understand what the vendor is about, and is not looking out for the safety of the information it has.
Speaker 4: Oh, absolutely. And I've seen very similar things as well with the smaller entities that I usually work with when it comes to contracting with those larger healthcare organizations. And they oftentimes do want that ability to de-identify the data to improve their platform or improve their core offerings. And it's interesting 'cause the larger sophisticated healthcare organizations, I do see pushback on that sometimes with the smaller vendors. But whenever we're talking about, you know, larger vendors, they typically have a little bit more pull and sway in how they can get to use that data. But I'm with you there on what does de-identification mean? There's also, you know, anonymous modes coming out in apps as well. What does that mean when it comes to your data? So I think that's a big issue we have today.
Speaker 3: Well, in this sense, I think the Europeans are correct that anonymization of data is not de-identification. And the first thing I'll ask a client when they get, you know, a business associate agreement or something like that with a vendor that says, you know, we, the vendor, can de-identify the data and use it in certain circumstances, I ask the client first, why do you want them doing that anyway? Because, you know, this is what can happen. And you know, also your patients find out and say, what do you mean my data is being used in research and development by such and such a company? And so yeah, I try and get my clients to see why they would even want to allow the use of de-identified data. And in some cases, it has been quite legitimate. I just tell them, you should, in your own privacy notice to your patients, let them know that this might be happening.
Speaker 4: Yes. Oh, exactly. And the FTC is really starting to crack down in terms of those privacy notices as well. So that's been a big risk area that I've seen with the startups lately, is really educating them on what that means for their business practices, especially as they continue to grow and innovate at such a rapid speed.
Speaker 3: So, okay, we all agree that you can't prevent cyber attacks, but what types of measures should businesses be taking to minimize them?
Speaker 4: Yeah, I wish there was a lovely magic pill that everyone could take that would prevent all of the cyber attacks. I personally am tired of getting those breach notifications in the mail, and I just say, great, there goes my health data again, <laugh> but unfortunately
Speaker 3:I have three of them sitting on my dining room table at home.
Speaker 4: Yep. I just got one, as did my parents very recently from a healthcare organization. And, you know, at this point, I just assume my data is out there, unfortunately. But there are measures that healthcare organizations can take to help mitigate their risk profiles and reduce, you know, the chance that this could potentially happen to them. So the first thing that I always recommend is really building a robust cybersecurity compliance program. And that looks different for each entity. You know, the HIPAA Security Rule does provide guidance around the measures that you should consider implementing, but you'll notice it's not a full list, right? Of you have to do X, you have to have Y procedures in place. It's very much tailored to the stage of your organization, your business, the funds that you have available at that time. And so, whenever you're building a cybersecurity compliance program, I really recommend thinking about your highest risk areas and doing that risk assessment so that you're able to prioritize and really focus on those risks that have the highest exposure potential or the more significant loss of data potential. So that's something I highly recommend. And really starting with making sure that you even understand where your data is and where it's going. I can't tell you how many times I talk to companies and they don't know what they're collecting data for or where it's going, or every endpoint where it could be disclosed or used downstream. So whenever you're starting and undertaking that cybersecurity compliance program, I recommend starting with that data map. And if you don't have one, really building it out and showing that flow of data, where it sits, how it's used, who has access to it, and that will then form the basis for your risk profile and your risk assessment and your ability to then implement some of those protective measures like access controls and minimum necessary.
The other things that I have really seen work in this area too are following robust cybersecurity frameworks that might not be mandatory, but they have those best practices incorporated. And so some of those would be things like the National Institute of Standards and Technology. They have some great cybersecurity frameworks and recommendations out there. Not mandatory, but it really gives you a sense of, this is what I should be doing if I want to be in line with best practices and really minimize my risks in this area. The other thing that I would say as well: really making sure that you're doing some regular security audits and risk assessments, and by security audits, you know, making sure that you're conducting frequent vulnerability testing, right? Penetration testing, seeing if there are those weaknesses before you get exploited. One thing that has cropped up more and more in this sense is really kind of those ethical hacking programs as well, where you hire, you know, white hat hackers and see if they can reach into your organization's infrastructure. And sometimes there's a reward associated with it, but there's of course all types of contractual protections to prevent them from actually using any data that they're able to get. But I have seen that being used more and more frequently in the healthcare context as well. Really making sure that you're focused on data encryption, tokenization. The other thing I've started to see more recently too is the development of this zero trust architecture. And if you're not familiar with that, you know, what that really is talking about is building kind of a healthcare cybersecurity model that's operating under the assumption that threats are gonna exist inside and outside your network.
And so you should have those really strict verification controls in place for any type of device or user who's attempting to access your network, whether they're an insider that we were talking about, or a malicious outsider. You know, kind of going along with that too, you can see things like your multifactor authentication, patch management and software updates as well. That has actually started to become more and more important when we think about the lifecycle of medical devices and the technology that's being used in healthcare organizations today. What a lot of people don't realize is that the majority of devices in a hospital system are actually legacy devices that are no longer being updated. And so they're no longer getting the most up-to-date cybersecurity or security frameworks and protections pushed out into those devices. There have been studies that show that the majority of healthcare organizations don't even know how many connected devices they have on their systems, let alone how many legacy devices they have. And so that is creating a huge, you know, risk potential there, and ability to access infrastructure through outdated devices. So making sure that you are patching devices or, you know, any type of security problem that is found, and making sure that you are in fact changing out those legacy devices if they're no longer supported. I think that's been a really huge risk area that's not been addressed by a lot of healthcare organizations. And then the other thing that I would say here too, and it kind of goes back to what we were talking about on inside actors, is making sure those employees get the proper training, and making it an annual training or, you know, an annual training plus training whenever there are new developments or new changes in your security policies or procedures. That is absolutely crucial.
And if you fail to train your workforce, you shouldn't be surprised then whenever somebody clicks on that phishing email, right? And exposes your entire network. They really need to know and have in place the tools to be able to, A, understand what they should and shouldn't be clicking on and how to recognize those threats. And then, B, if for some reason they do click on it, knowing who to go to and who to contact, and the risk mitigation steps to take after that so that you can try and stop any potential harm that occurred. But I'll stop there. David, I'm curious as well on, you know, kind of your top recommendations.
Speaker 3: Well, one of the things that we do at my firm that I think is a very good thing is they send around these fake phishing emails. Now, some of them, it is pretty easy to figure out they're phishing, but some of them are a little more sophisticated. They're getting to be sophisticated. And I think this is good for a couple of reasons. First of all, you can get an employee into training when that employee needs training, if, you know, the employee is clicking on too many of these things. The other thing is you can identify what groups of employees, if there are groups, seem to have a problem with clicking on anything. So I think it is imperative and it's kind of part of the training of your employees. But the other thing is getting to the point where you're willing to sanction employees who, I mean, and not just the malicious ones, but the ones who are just not paying attention, are not following through with, you know, various security rules and policies and protocols. Because I'm seeing that in a lot of the OCR settlements of HIPAA violations. And that is, you know, you're letting people get away with this stuff. And it's hard. I mean, because people will say, well, it's not that bad. You know, it's not like somebody, you know, sold documents to the highest bidder. But, you know, the problem is though, this is, as you point out, we've got an increased set of <inaudible> vectors. And all of us need to be more aware, especially in healthcare, and you and I as attorneys, with the information that we've got.
So that would be my soapbox. What I'd be on my soapbox about is making sure employees are trained and, if necessary, sanctioned. And no one wants to do that. I certainly wouldn't wanna do it, but, you know, it's gotta be done. So,
Speaker 4: Yeah. And it really reinforces that compliance culture that you should be establishing, especially, you know, kind of top down from the board as well. But if you're not willing to sanction employees for it, then it really shows that you're not necessarily committed to upholding the integrity and the security of your data. So I think that's really important, David, what you called out there, and as you mentioned, right? Nobody wants to do it. But whenever we think about risk mitigation and protecting your company, right? And if you get, you know, looked at by OCR, et cetera, showing that you do have that strong compliance framework in place and that you adhere to it,
Speaker 3: Right? Right. So, you talked about the Security Rule under HIPAA being more, not a prescriptive rule. And one of the reasons, we understand, is that with technology changing so quickly, if the Security Rule was more prescriptive, the rule would be outdated as soon as the regulations were published to the Federal Register <laugh>. But what are some of the actual legal requirements that people, you know, healthcare entities, need to be aware of as far as cybersecurity protection?
Speaker 4: Yeah, it's a great question. You know, there are some that are imposed by law and, you know, just kind of taking a step back, right? We do definitely have, you know, the HIPAA Security Rule in place here. We've also started to see, on a privacy level, more state laws coming into effect as well that govern the privacy of consumer data and how you're allowed to use and disclose that data as well. So we've got a bit of a patchwork framework here, which can, you know, impact which laws are applicable, which laws aren't, what's required versus, you know, what's recommended. So whenever I think about it, and, you know, trying to comply with the HIPAA Security Rule and the other laws that are out there, some of the things that I really focus on are, you know, kind of that multifactor authentication, right? Making sure that you're requiring multiple forms of verification to access systems, which can greatly reduce unauthorized access even if you have passwords that are compromised. So that's really kind of strongly recommended as a best practice under HIPAA security guidelines. Access controls as well, right? That's in the Security Rule with respect to making sure that you're protecting that electronic PHI and limiting access to sensitive data based on the user roles, to really help minimize threats and exposure. Employee training, right? That is absolutely crucial, as we've talked about, right? But thinking about security awareness and training programs for all of your employees, and really building that into your larger compliance framework, because that can also be very helpful when it comes to risk mitigation if you ever are audited, right? It can be a mitigating circumstance. You know, things like patch management, that's not something that's technically legally required, right?
It still kind of goes under best practice, similar with things that we were talking about, like zero trust architecture, right? Where those types of things aren't legally required, but still fall within kind of those best practices. And if you, you know, take the HIPAA Security Rule as a whole, right? You can see where they would interplay, but you can also see, as David, as you were mentioning, right? Why they may not be required aspects for you to have, because no organization can do everything, especially, you know, with their size, their funding, that type of thing. You know, the other things too, you know, incident response plans are definitely required, in terms of making sure that covered entities have those procedures in place for responding to incidents and making sure that they have those clear response plans that are tested so that they can respond effectively and efficiently to any of those threats or the breaches that do actually happen. You know, making sure that they have processes, procedures, et cetera, to comply with those breach notification requirements that we have under HIPAA as well. So things like that, you know, I think are the things that we're thinking about when we talk about what's really required by law,
Speaker 3:Right? And we need to remind our clients that with addressable standards, addressable does not mean optional.
Speaker 4:Yes, <laugh>
Speaker 3:Do it unless you have a reason for not doing it. Yes .
Speaker 4:Fully agree with that. <laugh>
Speaker 3:Because I've heard it, even with some sophisticated clients: "Well, it's not required, it's just addressable." <laugh> And I try to explain to them that, no, no, no, it's not optional. So what types of obligations do different types of stakeholders at a healthcare entity have vis-a-vis keeping data safe and secure?
Speaker 4:Yeah, there's this misconception that floats around out there that cybersecurity, and security in general, are just the responsibility of the IT and security teams. That's actually not the right way to think about this. Cybersecurity is an enterprise-wide obligation. So whenever you're thinking about that within your organization, there are a couple of different ways that you can break it down so that you can clearly see the different roles that all of your stakeholders would play in keeping the organization safe and secure. One of the things that I always start with is the leadership or the management team, right? They're usually going to be the ones who are responsible for establishing the cybersecurity policies and procedures, potentially with budget approval, et cetera. They are going to be responsible for allocating sufficient resources for the cybersecurity programs, or for any type of training that you want to have on cybersecurity. They're also generally the ones who are leading risk management and governance and doing the incident response if there is a breach or a cyberattack. They'll also typically be responsible for things like contingency planning and compliance and regulatory adherence. So a lot of that organizational focus on cybersecurity and compliance really happens at that leadership and management level in a lot of organizations. One step higher than that, we have the board, and a lot of companies sometimes forget about their board. But making sure that you have board compliance and sign-off on the importance of having cybersecurity protections and measures in place is absolutely essential. Your board is really going to have oversight of cybersecurity strategy, that high-level strategy we're talking about for the organization.
They'll have ultimate accountability for data breaches that do happen, but they're also responsible for really making sure that the company is fostering a culture of cybersecurity compliance. So if your board isn't trained, and if your board isn't on point and understanding of the importance of cybersecurity, you can't really expect your employees and your management team to be on board with that either. Compliance has to go all the way up to the board. Then, of course, we have the IT and security teams. They're going to implement the technical safeguards. They'll handle things like vulnerability management, cyber threat monitoring, penetration testing, all of that type of thing, and making sure that the data is backed up. If there is disaster recovery, they'll be at the front lines of that. And they can also help with vendor risk management, depending on the cyber team that you have in place. After that, we've really got your employees. What they're going to be responsible for on the cyber side is adhering to the cybersecurity policies and procedures, making sure that they are compliant and not putting the organization at risk. They should be responsible for recognizing and reporting threats if they do suspect that something is wrong, making sure that they are complying with access controls and only accessing the information that they need to be able to perform their jobs, and then, of course, actually participating in the training that the management and leadership teams set forth and have budgeted for. And then finally, you have the vendors or your business associates. Those third parties are going to have to maintain their own security standards. They're going to need to comply with your security standards. They're going to have their own data protection measures as well.
You'll want to make sure that those are up to the standard you expect. I've seen a lot of organizations here have a security assessment that they make vendors go through before they'll agree to work with the vendor, just to make sure everybody's on the same page about those minimum requirements. And then making sure that they have processes for reporting any breaches up to you if it's a breach of your healthcare data, and also doing their own independent security audits and certifications. So those are some of the different stakeholders that usually have a pretty active role in the cybersecurity framework.
Speaker 3:Yes. I know at my firm, any time we're being taken on as counsel for more sophisticated clients, we're getting these rather lengthy questionnaires, and I get called in to do the privacy side of them. So yeah, people are taking this more seriously, and we as a firm don't fight back on those. So,
Speaker 4:I agree, and I've seen that too in practice working with smaller startups and smaller healthcare organizations. It's so funny, right? They get those risk assessments and security questionnaires, and a lot of them say, "I don't know what any of this means," or "I don't have any of this in place. How can I work with this vendor?" And it's really important, if you are in that earlier stage, to think about and plan out your cyber strategy before you go and try to make those partnerships and contracts with the larger vendors, because you should absolutely expect that a larger vendor is going to give you that cybersecurity questionnaire or form to fill out and complete. I've seen that not only derail deals, but also put deals on hold, so that five months down the line, once the company finally builds up that cyber infrastructure, they're ready to do it. Whereas they could have started five months earlier and not had that delay in finalizing the deal.
Speaker 3:Right. So, you've put your policies in place, you've done your risk assessment, educated your employees, et cetera, but you have a breach. What happens then?
Speaker 4:Yes. The unfortunate situation that a lot of companies sadly have to deal with. No matter how hard you try, this could still happen. So once you've got a data breach, what do you do? One of the first things that I have seen companies do is just unplug their system. And that's a huge no-no, right? Do not automatically go and unplug your system, because you could potentially be erasing some of the investigative data that can help to pinpoint where something is coming from, or the data that you actually need to be able to fill out and comply with your breach notification obligations. So the first thing that I always say is, try to find out exactly where it's coming from. Have your team really try to locate, separate, or segregate the servers, if that's something that's not already done. And then immediately, if you've got cyber insurance, call your cyber insurance carrier. That's something I highly recommend doing. A lot of companies claim they don't want to do it because they don't want their rates to go up, but a lot of times cyber insurance companies have access to all of these different investigators and different types of vendors that you can use who can actually help you with your breach. So call your insurance company. They can point you in the right direction in terms of vendors, next steps, et cetera, and really help you through this. In addition, by this point in time you should have already developed, have on file, and hopefully have tested an incident response plan. So make sure that you follow that incident response plan with respect to who you're calling, when you're calling them, how frequently you're giving updates and to which individuals, and really make sure that you've notified that incident response team. And I recommend, if you haven't, testing that before a breach occurs.
And what I mean is, do a dry run of it. Make sure it works from a practical perspective. I can't tell you how many times I have seen companies put that incident response plan into play for the first time when they have a breach, and it does not go to plan. They're like, "Oh, we don't have this person's email, or this person's phone number on there," or, "Oh my gosh, that person's not answering. We don't have a backup person." That is not something that you want to figure out during a breach. So test, and then implement. Really assess and investigate the breach. Try to preserve evidence when you can. That's going to be extremely important, not only for the future, for making sure that you can ensure something like this doesn't happen again, but also for making sure that you know the extent of the damage and being able to trace it, hopefully, potentially with the assistance of the FBI. Mitigate further damage, right? Make sure that you're patching those vulnerabilities at the appropriate time and that you're restoring your systems. If something has impaired your access to data, make sure that you're able to get those alternate or offsite data storage areas and systems up and running. You really don't want there to be a delay, especially in healthcare, in your ability to access a patient's data. So that's a key, crucial thing to make sure that you've got up and running right away. Comply with your breach notification requirements as well. You're oftentimes going to have to notify individuals. Depending on whether you're a business associate, you might have to notify the covered entity. You might have to notify regulators and the media. So make sure that you're keeping track of the findings that you have, and make sure you understand and know the timeframes for that notification.
The other thing I really recommend is working and communicating transparently with stakeholders. So your board or your partners, whoever is really going to need to know about this, make sure you're being transparent and open with your communications. And then before you go public with something like this, make sure that you have involved a public relations manager, if you have the budget for it, because they can really help you to manage those external communications so that you're not, unfortunately, saying something that could cause further liability or things like that. And then after the breach, when you've got some time and things have settled down, take time to really evaluate and strengthen your cybersecurity. Look at the post-incident review. What happened? How did it happen? Why did it happen? Did we fix that vulnerability? Now update your risk assessments, update your incident response plan if there were things that didn't work, and enhance your employee training if the breach was the result of an insider. And then make sure that you're monitoring your systems closely so that the actor doesn't get back in.
Speaker 3:And you talked about testing your incident response. So you're in favor of tabletop exercises conducted periodically, then.
Speaker 4:I am, absolutely. I've unfortunately seen what happens when those tabletop activities do not occur, and it is chaos, in an already chaotic situation. So making sure that you've got it in muscle memory a little bit, that you've gone through it once or twice and you know what you're supposed to do, can help take out some of the stress whenever you've already got a situation that's filled with unknowns.
Speaker 3:So my last question is, what do you see as far as trends in government regulatory enforcement of data privacy and security laws, especially those dealing with cyberattacks?
Speaker 4:Yeah, there have been some developments. As I mentioned, we've seen more state laws coming into play with respect to privacy. On the privacy side, too, we have seen the Federal Trade Commission really emerging as a regulatory actor in this space. In 2023, we saw some really aggressive enforcement actions and activity by the FTC and state regulators, and the FTC has started to emerge as a leader, I would say, in health privacy enforcement. We've also seen, especially for smaller companies in the startup space, the FTC going after them for unfair and deceptive practices related to their privacy policies and how they're communicating the use of data to consumers, versus potentially using that data in ways that they say they're not. That obviously applies to healthcare organizations of any size, but we've really started to see that happening. The other thing that's interesting is that we've started to see some new AI regulation, and that opens up a different vertical, or <laugh> threshold, as well. New AI regulation is coming down the pipeline, and we've started to see AI being used a lot more in medical devices and in hospital systems to help make things more efficient from an administrative perspective. So making sure, David, as you were talking about earlier with other risk areas, enterprise risk management, and bias, that we don't have any of that bias coming into the AI. That's a big one. And then making sure that, on the cyber side, we're keeping up with the latest regulations. There hasn't been a ton of regulation on the cyber side, but we're still seeing a lot of activity there. We're seeing new best practices emerging.
We're seeing different cybersecurity frameworks coming into play, and you should be making sure that you're abreast of all of that. But David, any thoughts on that from your end as well?
Speaker 3:I am looking to see what the states are going to be doing, because we have 19 states that in the last couple of years have enacted their own consumer privacy laws. Now, these are not necessarily focused on healthcare, although you have states like Nevada and Connecticut that have actually started addressing healthcare in their consumer protection statutes, which will be interesting to see how that works out bumping up against HIPAA. But I will be interested to see, because I know Connecticut in particular has been particularly aggressive. New Jersey, my home state, has been aggressive in the past, though not so much over the last year or so. But I'll be interested in watching the states.
Speaker 4:I agree. A lot of activity there.
Speaker 3:Yeah. And I agree with you also that the FTC is ready and raring to go as far as enforcing data privacy and security laws. And we'll see how the political situation goes, because there are some people who are not happy about the FTC's newfound desire to enforce consumer privacy laws. Yeah.
Speaker 4:<laugh> .
Speaker 3:So that's where I see things going. Do you have anything else that you'd like to say?
Speaker 4:No, I think just remaining vigilant as you navigate this space, realizing that things change very frequently whenever we're talking about the new threat vehicles that are available and the ways that cyber actors are getting into healthcare organizations. So I would recommend against getting complacent, and always striving for how you can improve your cybersecurity compliance program. How can you improve that incident response? Maybe it's good, but there are definitely ways you can always make it better. So really striving for that, and really making sure that you have somebody who's tasked with monitoring the state of cybersecurity when it comes to healthcare organizations, so that they can identify what some of those newer actors may be doing out there and some of the newer techniques they're using. And then you can start to guard against that. So that would be my takeaway.
Speaker 3:Well, thank you, Bethany, for joining me today. I've enjoyed this discussion, and hopefully we will be able to continue it in different situations.
Speaker 4:Thank you so much for having me, David. This was such a great time.
Speaker 2:Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.