
AHLA's Speaking of Health Law
The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field with nearly 14,000 members. As part of its educational mission, AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the health care system. AHLA is committed to ensuring equitable access to our educational content. We are continually improving the user experience for everyone and applying the relevant accessibility standards. If you experience accessibility issues, please contact accessibility@americanhealthlaw.org.
Top Ten 2025: Cybersecurity Developments to Watch
Based on AHLA's annual Health Law Connections article, this special series brings together thought leaders from across the health law field to discuss the top ten issues of 2025. In the sixth episode, Elizabeth Trende, Chief Legal Officer & General Counsel, United Network for Organ Sharing, speaks with Michelle Garvey Brennfleck, Shareholder, Buchanan Ingersoll & Rooney, about the current cyber threat environment for the health care industry and what health care entities can do to better protect themselves from cyberattacks. They discuss the proposed Health Infrastructure Security and Accountability Act, the importance of cyber risk assessments, and how the new administration may impact policies on protected health information. From AHLA’s Academic Medical Centers and Teaching Hospitals Practice Group.
AHLA's Health Law Daily Podcast Is Here!
AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Premium members. Get all your health law news from the major media outlets on this new podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.
Speaker 2: AHLA is pleased to present this special series highlighting the top 10 health law issues of 2025, where we bring together thought leaders from across the health law field to discuss the major trends and developments of the year. To stay updated on all the major health law news, subscribe to AHLA's new Health Law Daily podcast, available exclusively for Premium members at americanhealthlaw.org/dailypodcast.
Speaker 3: Good morning. This is the AHLA Speaking of Health Law podcast. My name is Emmy Trende, and I am the Chief Legal Officer and General Counsel of the United Network for Organ Sharing. Today I have the pleasure of speaking with Michelle Brennfleck, who is chair of our AHLA Academic Medical Centers and Teaching Hospitals Practice Group, where I'm also part of the leadership group. Michelle recently authored the article "Cybersecurity Developments in 2025." So, Michelle, when you're not volunteering for AHLA, tell us a little bit about your practice at Buchanan Ingersoll.
Speaker 4: Well, thanks so much for having me this morning, Emmy. It's great to be with you. My practice is broad-ranging. I advise clients including academic medical centers, teaching hospitals, health systems, and physician practices on a variety of issues, ranging from strategic transactions to thorny regulatory and fraud and abuse matters. I also have a subset of expertise in data privacy and cybersecurity, which is why I'm here speaking with you today. So thanks again for having me.
Speaker 3: Wonderful. Well, thank you so much for taking the time and talking with us this morning. I wanted to start with a question. Today, in the information economy and the cyber world being what it is, information and data are everywhere. Why do you think that the health care industry in particular remains such a high-priority target for threat actors?
Speaker 4: Thanks, Emmy. It really does. I think, you know, we continue to hear in our day-to-day practice how health care is a key target of threat actors and cyber criminals. I think it really is for three reasons. One is the sensitive data at issue. Two is the potential for operational disruption of health care providers and other stakeholders. And three is the significant harm that can be posed to individuals when their information is at risk.

So if we think about that first item, the sensitive data at play, you know, health care is powered by data. We saw in the Change Healthcare attack that occurred in early 2024 that an estimated 190 million individuals were impacted. That number is actually up from a prior estimate of 100 million, and 190 million is two and a half times the number of people that were impacted by the second-largest data breach. So that's a lot of data, and that's one incident. We of course have the sensitive health information in the form of medical records at play. But even more attractive to threat actors are the Social Security numbers and the financial information that may be housed within those records. Threat actors know that. They know that that information may be sellable on the black market. They also know that providers, insurers, clearinghouses, and others may be more inclined to pay a ransom in order to get that data back as best they can, or at least to get operations back up and running. So, again, that data is the driver, and health care is just a huge source, a goldmine, of that type of information.

We also see that there is a potential for operational disruption and impact. Of course, if a health system has its electronic medical record system breached, that can cause the system to delay, pause, suspend, or need to reschedule procedures, which of course can put patients at risk and can cause providers to be less productive. Again, threat actors know that and seek to capitalize upon that disruption, for example in an effort to have their ransom paid. With the Change Healthcare breach, turning back to that, we saw that for weeks there was delay in revenue cycle management and claims processing, and we are still seeing the ripple effects of that today. That matter is still under investigation, but more importantly, we are continuing to see that there is litigation and an attempt to recover, again, from those whose claims payment was significantly disrupted.

And then third, we see that there is significant risk on an individual level. First and foremost from a patient care perspective, potentially, if there is a disruption in the ability of a health care provider to provide care or to be paid for the care. But also you and I and everyone who receives health care, we have so much of our data that is out in the universe, and threat actors can seek to access that information and use it for their own gain. So there's risk of identity theft, and credit monitoring and other methods of mitigating risk are essential and important to safeguard that information. But once it's lost and is in the hands of a bad actor, in many ways it is not possible to get it back.

So again, I think that health care is just a treasure trove of information for cyber criminals and threat actors, and organizations really need to be mindful of how best to protect it.
Speaker 3: Excellent. Well, with that in mind, the health care space is constantly innovating, and the only innovators who are keeping pace with that, I would say, are the threat actors, who are trying to come up with new ways all the time. They're learning from each of these cyberattacks and improving and getting ready for the next wave, trying to attack the vulnerabilities that we won't anticipate. With all that in mind, it paints a really intimidating picture. The numbers that you just talked about are really heart-stopping. What can we do, and what can providers and the attorneys who are advising them do right now to try to anticipate that next level of threat?
Speaker 4: That's a great question, and it's a really challenging one. I think first and foremost, my recommendation is for organizations to try to get a handle on what data it is that they house. That's a very easy recommendation to state, and it's much more difficult for organizations to implement. We frequently work with organizations that are engaging in data mapping exercises to see what data is coming into their systems, what that data is doing as it flows through their various systems, and then how it is leaving their systems. I think that data mapping exercise is key, because organizations can't adequately protect data that they may not know they have. So that's first and foremost a recommendation.

Second, we often work with organizations that are developing policies and procedures around data management and risk assessment. It's crucial that those policies and procedures be living and breathing documents that are not stuck up on a shelf or, in this electronic age, sitting in a database. Organizations need to not only have those policies and procedures but know how to implement them. So training and education is key with respect to making those policies and procedures really live and breathe.

Organizations also can benefit from security risk assessments. Certainly that is, again, one of those easier-said-than-done undertakings. We often see success in organizations that have penetration testing or stress testing done. They may hire an outside consultant that puts on the hat of the threat actor or the cyber criminal and tries to access the systems of the organization and to identify vulnerabilities within that system. In my mind, what better safeguard against a threat actor or a cyber criminal than having someone with IT expertise try to act in that role, penetrate the system, and then identify vulnerabilities?

We also see that trainings in the form of tabletop exercises are crucial. Those involve organizations taking a hypothetical data security incident or breach and running through what to do in the event that it occurs within their organization. That may involve folks from the administrative, legal, IT, and security teams, as well as communications, who can work together to go through a mock exercise and learn from what went well and what did not go well. I've seen a huge difference in organizations that have worked through an incident response plan and performed a tabletop exercise versus those that have not, and that perhaps, when an event occurs, are not as coordinated as they might be in real time.
Speaker 3: You know, we just went through a tabletop in my organization at UNOS, and it was absolutely an invaluable experience. It's one thing to have the plan on paper, right? But to have everyone really testing it in an environment of live dialogue, where you have everyone active and present and committed to issue spotting up front, I can see how it's just such a tremendous asset for anyone. So I fully agree with you on those pieces of advice.
Speaker 4: I would also chime in to say that, often, there is the incident response in the heat of the moment, where the question is what to do to operationalize and get back up and running after an incident or a breach. But then the dust does settle. We frequently encourage organizations in that period, where perhaps the immediate threat has been resolved and perhaps law enforcement has been contacted and is assisting in an investigation or is running an investigation of its own. There's often a period of time, again, when the dust has settled and an organization is looking to assess what happened, what individuals were impacted, and what data is at issue, looking through it perhaps with a forensic firm. I often encourage organizations to really try to pause during that investigation that follows the immediate incident and to determine whether there has actually been a breach. We have this conversation with organizations time and time again where there's been a bad event and everyone assumes that that event is a HIPAA-defined breach that will lead to individual notifications. I do encourage working with counsel and working with the IT folks to really get at what happened and what's going on, because there may be a low probability of compromise to the information at issue. HIPAA doesn't allow many graces, but it does have the low-probability-of-compromise "get out of Dodge" in the event that there's been an incident that doesn't rise to the level of a breach.

So I really encourage organizations to take a beat and work with counsel to go through that analysis, because it may end up safeguarding them from making notifications to individuals and then dealing with the fallout of those notifications, often in the form of class action lawsuits and even just the bad press that may come from notifications to many individuals.
Speaker 3: Absolutely. Those are well-known side effects, unfortunately, and I fully agree with consulting with counsel to see how extensive your response has to be in the event that you do experience one of these attacks. I wanted to circle back for a minute. You touched for a moment on the Change Healthcare ransomware attack. In response to that, the Health Infrastructure Security and Accountability Act, or HISAA, was introduced as proposed legislation to increase government oversight of cybersecurity over covered entities and business associates, the categories that are subject to HIPAA. Looking at that legislation, it emphasizes the importance of an annual cyber risk assessment, and to a lot of folks who are impacted, that might be a new term. Can you just give an overview of what a cyber risk assessment is and what a typical cyber risk assessment would look like?
Speaker 4: Of course. So HISAA is sort of a modernization of HIPAA, and it is still in its proposed form. I would caution all the folks who may be listening to keep an eye on it, because we'll see what appetite legislators and the regulatory agencies have to move ahead with HISAA under this new administration, given that there may be priorities in different areas. But again, HISAA would seek to modernize HIPAA and to formalize much of what we've talked about already. We've talked about these security risk assessments, looking at stress testing and penetration testing and identifying where an organization may have vulnerabilities. HISAA would essentially formalize those processes. These annual cyber audits would be a formalization of what we already are seeing in this space as best practices, now, under HISAA, potentially, I should say, with regulatory oversight, with the support of the government, and ultimately with an eye not only to protecting individual information but also to national security. I would anticipate that that would continue to be a focus under this administration, given our relations with other countries and threats that may be coming from abroad. So, again, what we would see under HISAA, if it moves forward, is essentially a formalization of, and additional regulatory oversight over, what many organizations are already doing from a best practice perspective. But I say that and acknowledge that there are many organizations that are under-resourced, that may not have the capital required to really get behind a security campaign and to engage in a significant upgrade to what they may have in the way of security safeguards.

With that, HISAA as proposed did account for funding opportunities for rural organizations and others that may not have the deep pockets that would be required to move into compliance with HISAA. And again, we'll see where those funding sources may be under the new administration if HISAA does move forward.
Speaker 3: Great, very good advice, and thank you for that overview. You also mentioned the recent administration change causing a few ripples, and probably some anticipatory anxiety. Now that President Trump has taken office, have you seen any recent developments in reproductive health care or the protection of protected health information, PHI, or do you have any predictions of what might be coming down the pike in those areas?
Speaker 4: That's a great question, and a real-time answer is that we're continuing to work with our clients on how to best approach these issues. You may be aware that in the summer of 2024, really in response to the Dobbs decision, which overturned Roe v. Wade, there was an update to the HIPAA Privacy Rule that sought to protect reproductive health information and essentially to prohibit the use or disclosure of HIPAA protected health information, or PHI, in furtherance of an investigation dealing with a reproductive health issue: an individual accessing reproductive health care, the provision of reproductive health care, or payment for reproductive health care. It was sort of HIPAA's angle at protecting that information in those settings. The final rule did go into effect, and we have been counseling organizations on compliance with the final rule, particularly from a policies and procedures perspective. One aspect of the final rule that does not become effective until February 2026 at this point is a required update to organizations' notices of privacy practices, where they would be required to include information about the use and disclosure of reproductive health information. So what we've done in that setting, because that portion of the final rule doesn't become effective until February 2026 and may, under this new administration, undergo change, is work with organizations to put that updated language in their NPPs, but also to include some language that would allow it to be stricken without impacting other components of the NPP in the event that there is a change in the guidance in connection with the new administration.

So we've been working with clients to approach these changes in a reasonable way and to get ahead of them, but also to acknowledge that the new administration and its priorities may shift the way that these NPPs in particular are structured.
Speaker 3: Great. So it's time for everyone to dust off those NPPs if you have not done so already. That's a great place to start. Well, thank you very much, Michelle, for taking the time this morning to give a great high-level sneak peek of the detailed article. If you'd like to follow up, please take the time to read Michelle's article, "Cybersecurity Developments in 2025," where you can get a greater glimpse into those top ten hot-button issues. There were probably ten more that occurred just since we've been recording this, but it's certainly a very attractive and interesting area to practice in right now. So, Michelle, thank you for taking the time with us, and everyone have a great day.
Speaker 4: Thanks so much, Emmy. Great to be with you this morning. Take care.
Speaker 2: Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.