
AHLA's Speaking of Health Law
The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field with nearly 14,000 members. As part of its educational mission, AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the health care system. AHLA is committed to ensuring equitable access to our educational content. We are continually improving the user experience for everyone and applying the relevant accessibility standards. If you experience accessibility issues, please contact accessibility@americanhealthlaw.org.
How Have Cybersecurity Expectations for Health Tech Vendors Changed Over the Past 12 Months?
Security expectations for health tech vendors are rising significantly in the wake of last year’s Change Healthcare cyberattack. Hal Porter, Director of Consulting Services, Clearwater, speaks with Alexis Finkelberg Bortniker, Partner, Cooley LLP, about how the climate has changed for health tech vendors. They discuss changing contractual security requirements for vendors, key areas where potential vendors are being more vigorously evaluated, managing risk involving AI tools for vendor management, fundamentals of a strong Incident Response Plan, how vendors should respond to the changing regulatory environment, and security recommendations for technology companies and others selling products and services to health care providers. Sponsored by Clearwater.
Speaker 2: Support for AHLA comes from Clearwater. As the healthcare industry's largest pure-play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and compliance domains; purpose-built software that enables efficient identification and management of cybersecurity and compliance risks; and a tech-enabled 24/7/365 security operations center with managed threat detection and response capabilities. For more information, visit clearwatersecurity.com.
Speaker 3: My name is Hal Porter, and I'm the director of Clearwater's consulting team, which helps digital health companies and other vendors serving the healthcare industry move their organization to a more secure, compliant and resilient state to meet industry requirements and customer expectations. Security expectations for healthcare vendors are rising significantly in the wake of last year's Change Healthcare cyberattack, with a greater emphasis on robust data protection measures, thorough vendor risk assessments, comprehensive incident response plans, and increased transparency regarding security practices, which is pushing healthcare organizations to prioritize vendors with a strong cybersecurity posture and to actively monitor their security controls to mitigate potential risks across the healthcare ecosystem. For further perspective on how the climate has changed for vendors and how they're responding to these heightened security expectations, I'm pleased to be joined by Alexis Bortniker, a partner with the law firm Cooley, who represents digital health and health tech companies across the continuum in establishing compliant corporate structures. Alexis, welcome.
Speaker 4: Thanks very much, Hal. It's great to be here.
Speaker 3: Well, it's great to be speaking with you, and I'm excited to hear your perspective on this. So let's dive in. How have you seen contractual security requirements changing for vendors in the wake of the Change Healthcare attack?
Speaker 4: You know, I think the bottom line is that we've seen an increase in contractual requirements. We're seeing increased use of security diligence that has to be done before you even enter the contracting process. We're seeing increased contractual security requirements, increased requirements for external certification, whether it's HITRUST or SOC 2, and if somebody doesn't have it, then a clear pathway or process to achieving one of the two certification methods. And I have to say, we're seeing the most come out of larger organizations, right? Health plans and large health systems are really taking security very seriously. And we're also seeing an increased number of vendors that people are using for any number of things. And so, you know, I think that it really varies across the spectrum as to who the client is. But we're also seeing actual technical specifications for what they want to see in security, which is not something that we used to see before. We're seeing requirements for annual independent audits done by third parties, disaster recovery testing, specifications for how quickly you need to be up and running, or the goal of getting up and running; you know, would your plan allow for a 48-hour recovery time at the most. We're seeing significantly increased scrutiny on where data is stored and who is touching the data, and whether or not data is going offshore, and requirements for things like onsite review of facilities. Even though so much of this is on the cloud, to the extent there is a facility, people want to be able to come onsite and see what things look like.
And so it is now a clear and important part of the contract, whereas before it was maybe a rep as to compliance with HIPAA or to having industry-standard security specifications. So it's definitely something that people are paying more attention to.
Speaker 3: Absolutely. And we're seeing that too. You mentioned increased security assessments; not only the volume, but we're also starting to see many, many more questions than what we used to see. The average was anywhere from 30 to 50, and now we're seeing well over a hundred in some cases.
Speaker 4: Right. And every organization seems to have their own; we're not seeing any sort of standardization. A lot of that comes from where people have been bitten in the past, where they've had technical failings. And so being able to enter into some of these contracts when you're on the digital health company side just means a lot more time and effort into making your client comfortable with your processes, and frankly having to be more transparent about your processes.
Speaker 3: Absolutely. And this stricter vendor vetting environment seems to be becoming the norm for many healthcare providers. So what are some of the key areas that you've seen in hospitals and physician groups who are conducting more rigorous evaluations of potential vendors?
Speaker 4: Yeah, I think there are a few places that this has come up. As I said already, I think we're seeing a lot more concerted effort from the larger players, which makes sense because they have more to lose. Large health plans in particular, as they interact with vendors, have very strict, very robust security and privacy departments and build-outs, and want you to be able to meet their requirements. Same with large hospital systems. I think we've seen that provider groups are still not necessarily asking of their vendors what they should be. So, things that we're seeing: as I noted earlier, we're seeing security testing and more stringent security obligations. We're also seeing the requirement that people use third-party audits and then deliver the response, you know, having to give on an annual basis either a certification that they've passed an audit or providing the responses to those audits to vendors so they can see where the weak points are. Offshore is really big for a lot of folks. And I think there's this concern that data will go offshore and then we can't touch it. In addition, there are Medicare and Medicaid requirements that require that, but where is the data going? Who's accessing it? We're seeing an increased requirement to further vet subcontractors. So more and more we're seeing people require either approval of subcontractors, or, the other way around, a flat-out "you can't use subcontractors," not consent. So we're seeing people have to provide lists of subcontractors. We're seeing people have to provide copies of their downstream agreements so that folks can see that there's flow-down, right?
That is, to the ultimate subcontractor. And I actually think that this is a big pain point for a lot of our digital health companies, which is that, especially for some of the smaller players, as they got started and had to rely on subcontractors, whether it's Amazon Web Services for hosting or any other subcontractors that you use along the way, they were not necessarily paying as much attention to what those contracts look like. And then they're in a position where their upstream customers are saying, well, we want to see everything. And so that is something that we're seeing more time and attention put into, and just having more discussions around. You know, we've also been having things like debates or arguments in contracts over what is a subcontractor and what is just a vendor, and things like that, just because the obligations for disclosure are getting really broad. And then the other thing, at the other end: so that's what we tend to see out of larger organizations. What we're seeing out of smaller organizations, which is not necessarily a good thing, is people just think that a negotiated business associate agreement is good enough. So if we have a business associate agreement in place and it says everybody will comply with HIPAA, that should be enough. And it really isn't, right? A business associate agreement is an agreement that we put in place because we're required by law. It does have some technical specifications for what you do, like in the event of a breach. It talks about data use, but BAAs don't have to include, nor do they include, security standards. And oftentimes, frankly, people think that they're protected because they have a BAA in place. But just because there is a HIPAA breach doesn't mean you have a breach of your BAA.
So it also doesn't necessarily mean that you have the right to indemnification, or even termination of a contract, if there is a HIPAA breach, just because you have a BAA. So you need to have good reps and warranties. You need to have something to enforce. We're starting to see folks that are being a little more explicit on what sort of remedies are going to be covered by a contractor: an explicit statement saying that you'll have to pay for the notices, and you'll have to pay for credit monitoring, and you'll have to pay any fines that come out of the government. Things like that are a lot more explicit in what needs to be covered. But generally, people think because they have a BAA in place, they're covered. And fundamentally we don't think that's good enough; a BAA is not actually diligence on your vendors. So we're seeing that dichotomy, which is the larger players are being very deliberate, and some of the smaller players just assume that a BAA is good enough. I'm curious if you've seen the same thing or if you're seeing it come out a little bit differently.
Speaker 3: We have. And one of the things I wanted to ask is, with the smaller organizations, a lot of times what will happen is the vendors that they're going to, or potential partners or key stakeholders that they're looking to do business with, will already have a BAA that's predefined, and they really have very little negotiation capability in making any changes. But that being said, I think that's where you bring up a good point, that that's not good enough. So what can they do to supplement that? Well, that could be a security question that goes back to that particular partner. Are there any other, maybe strategic, areas of focus that they could have? Okay, the BAA's not good enough. What can I do to help supplement that and ensure that we're protecting ourselves as well?
Speaker 4: Yeah, to that end, I think acting a little bit more like some of the larger players, right? Like, do you have a diligence list? Do you have a series of questions that you're asking when you're talking to a potential vendor to make sure that their security measures are up to par? So a little bit more diligence on the front end is always helpful. Audit rights, for example: these are things that you can give yourself in an MSA that most people don't necessarily balk at, because it's hard for a vendor to look you in the eye and tell you, no, we're not going to let you audit our systems, if they're telling you that they're compliant. So some of those things are harder to push back on. Reliance on certification, so asking for HITRUST or SOC 2. We're seeing a lot of people right now rely on sort of HIPAA certifications, and that may or may not mean anything, because there is not a HIPAA certification. So it can be helpful that somebody's gone in and said you're compliant with HIPAA, but again, at least in the current version, HIPAA doesn't necessarily explicitly state exactly what you need to do from a security perspective. So some of the other certifications are actually better for that. And then I think it comes down to vendor vetting. And it comes down to there's also a little bit of a risk analysis, right? Like, what data will they have? How will they use it? So the data use piece is the other piece where you have some leverage, which is to say, okay, fine, we all agree to the business associate agreement, but how are you actually going to use my data, and who's going to access it?
Things like that, which will often be done separately, are another key point, because again, a BAA will say you can use it to the extent that you're allowed to by law, and it might talk about whether you can de-identify or aggregate, but going one step further to have a little bit more meat on what data is going to be accessed and how it's going to be used can be really important as well.
Speaker 3: Absolutely. Yes, and managing that risk across the extended supply chain: many organizations now are looking to take advantage of artificial intelligence, or AI, to improve the process of managing these relationships and that oversight. What are some key considerations that organizations should focus on when considering AI tools or models?
Speaker 4: You know, you can't have a conversation in digital health or health tech, or really probably any space today, without talking about AI. And I've been very lucky that I not only represent a number of companies who have products that work with and around AI, but also have the pleasure of sitting on an organization that's a group of CTOs and CIOs for local hospitals in the Northeast, and so hearing how they've approached AI. But I think AI, like we've said before, is something that people just need to have on their radar and need to be aware of. And I think there are some key basic questions that everybody talks about when they talk about AI. I think it's important to understand what AI is actually being used, right? Are we talking machine learning? Are we talking large language models? Because everybody has defined AI differently. And so understanding what tech is being used is really important as you vet your vendors. In the HIPAA context, understanding how your PHI will be used by a vendor: will it be going in to train their models? Will they be using PHI to do that? Will they be using de-identified data to do that? Will the training just be for your own use case, or will it be broader for their platform? Just generally understanding, also, what platform they're built on, right? Is it a model that was built internally that's proprietary to the company? Are they working off of OpenAI? Just understanding again, and these are the same questions we've had all over again, right? So who is the company? What are they doing? Who are their subcontractors? I think that is really important.
In addition to all the other things that we talk about when we talk about AI, which is data bias: are they addressing things like bias, and how they train their models, what their models are getting at. All these questions are really important to us. You know, things like, do I have the right to put in certain data? I had this discussion recently: if a clinician is going onto a model and saying, I have a patient with X symptoms, what are some possible outcomes? Is that giving it PHI, or have I given them little enough information that it's not PHI? Is your clinical team, or are your users, giving data that you shouldn't be giving as an organization? And so I think what AI has also brought up is a little bit of corporate compliance and the importance of some centralized functions, and making sure that we know where it's being implemented across the platform, who's using it, how it's being used. And I think that becomes really important as we're starting to see state laws related to the use of AI. So if you're a telehealth company and your vendors are using AI, the classic example is I had a client who was going to use AI to do a customer satisfaction, patient satisfaction sort of chat post-service, to meet some of their quality requirements. And certain states have requirements about making sure that the people who are interacting with AI chatbots know that they're interacting with AI. And so as the healthcare provider who's launching that, that becomes their obligation, not just the vendor's.
And so if an organization doesn't know what technology is being used in the services they're buying, it becomes harder for them to comply with laws also. So it's important. And so what we're seeing to that end is people, or at least people trying to see, is also that a lot of times the AI is not there yet, right? Like, we hope that we'll be able to integrate AI later, or how we will integrate AI changes. And so we're seeing people starting to require, or at least ask for, notice of the use of AI, so that, again, as the customer, the purchaser of technology, I know what's being used and where it's being used so that I can meet my own requirements. But also, something that somebody mentioned on a call recently was that some of their vendors are integrating AI without letting anybody know. They're sort of testing it live, and then it becomes something that you get used to using. And then a year later they say, oh, now that you're using the AI-supported function, we're going to have to charge you double, and you didn't even know that you were there. And so what are you paying for? Which is a business issue; it's not necessarily a legal issue. But these are all things that need to be thought about. And so what we're seeing, again, is more centralized decision-making around how AI is being used within organizations. And folks who are doing this in a thoughtful manner are, again, asking more questions upfront about the companies that they're working with, because there's a lot more technology out there, there's a lot more opportunity out there. And understanding, again, and this all flows back to what data they're using, how they're using your data, it's just important to be able to track and manage.
Speaker 4: And I'm curious if you've seen anything different on that end.
Speaker 3: Absolutely. You mentioned thoughtful organizations moving forward with it; in that regard, we're seeing formal AI governance being established, with questions around what AI technologies you are utilizing, what tools, what models, and very specific questions around whether there are model cards or model diagrams that outline the capabilities it has and that you're utilizing in your platform, whether you're using something that is open source or through a different vendor. So absolutely, we're seeing that as well.
Speaker 4: And I guess one thing I should have added is we're also seeing it on the other end. I'm here at Cooley; Cooley does a lot of transactional work, and we're seeing it come up in diligence and we're seeing it come up as reps and warranties in deals, because purchasers and investors want to know what their risk is, if there's risk, and how it's being used and whether it has been thoughtfully managed. And so a lot of this comes up around where the next round of funding is, and if investors are asking questions, you have to be more mindful of how you manage it.
Speaker 3: Most definitely. All right. Changing gears a little bit here: one issue of particular concern that came out of the Change Healthcare incident was the concern around incident response planning. So what are some of the fundamentals of a strong incident response plan?
Speaker 4: You know, incident response plans tend to be very technical. And as lawyers, we tend to advise folks that it's really important that they have one, that it be reviewed periodically so that it makes sense within the organization and can be used properly. But one of the things that we find on our end as counsel is that there is a huge divide between a good incident response plan and actual implementation or execution. And it has a lot to do with the fact that a lot of people are putting a lot of time and effort into developing these response plans, which can be done really well, but then not necessarily training their teams on what it means, or how to use it, or how to access it, or when the right time to initiate it is. And so to us, from the legal perspective, in addition to what the elements are, it's just making sure your team is properly trained and up to speed on who's responsible and what would trigger the need for an incident response. Because great policies don't mean anything if employees don't know how to access them or use them. And we're seeing that come up, as I mentioned to you, in things like: an issue was identified, but the call center didn't flag it, or identified it as a technical issue, that an app wasn't working as it was supposed to, rather than as a possible security breach or possible misuse of data. And so it never made its way to the privacy team, and this wonderful incident response plan that they have couldn't be activated. And now you have delays in notifying customers, you have delays in potentially notifying the harmed individuals, and all of this can really impact the organization.
And so many people rely on training through modules that you click through, and really we need to see a little more than that. But I guess I would put it back to you, because you do a lot more of this on the ground, working with people to develop IR plans. So what are you seeing is important, and how are you helping to manage that divide between a great plan and how people use it?
Speaker 3: Absolutely. And yes, we're absolutely seeing that as well, where they may have a very good incident response plan, but they don't do any tabletop exercises, or they don't communicate it out and have training on it with their staff and their employees. So we work with our clients to help develop and test robust incident response plans, and also conduct incident response tabletop exercises in order to validate and test these plans and to ensure that they're communicated out and that the staff are trained on it. And this is all part of an overall business resiliency program that we work with our clients on. So you're absolutely correct: in the event of an incident, if a team isn't properly trained on what to do, how to do it, and with whom to do it, the organization and its critical business processes can definitely sustain financial or reputational damage in addition to any damage that might be caused by the incident itself.
Speaker 4: Yeah, no, that makes a lot of sense.
Speaker 3: So with OCR's proposed updates to the HIPAA Security Rule, and new legislation that's been introduced over the past six months, regulators seem to be applying greater focus towards vendors as well. So how should healthcare vendors be responding to the changing regulatory environment?
Speaker 4: Yeah, look, historically OCR, which has always been notoriously understaffed, has really focused on covered entities, right? The entities themselves. There have been a few moves over time. For example, it used to be that a covered entity was responsible for ensuring that everybody had the BAAs; suddenly business associates became responsible on their own. I do think, especially given Change Healthcare last year, that there is an inevitable shift such that business associates have as much obligation or responsibility here as their covered entity partners, and not just from a contractual basis, but under the law. And so I do expect that we'll see more direct oversight of vendors and not just of covered entities. I also think that covered entities, just given the state of the state, are more likely to report on their vendors to OCR when they find issues. Again, not just because they're vulnerable to their vendors, especially because of how reliant everybody is on these vendors, like Change Healthcare, for example. And so there's a little bit of protecting themselves and of trying to police the industry in the hopes of keeping data secure. So I do think that we're going to see more of it. I do think OCR is still short-staffed, and there's a lot going on. And so whether it happens this year or in three years, I think it's inevitable that it's coming. And then I do think that what the new proposed rule did, frankly, is a lot of what we started talking about at the beginning, which is HIPAA had recommendations, they had addressable issues. The proposed rule would really take more of the security requirements and make them required requirements, not just something you could deal with.
And really, frankly, it's just a lot more technical in what you'd expect to see, so that there's a lot less discretion. That impacts vendors, because vendors now are going to have to comply with these new specifications, and it's a good thing, because it means it'll be a little more uniform, because right now every customer could have their own specifications. And hopefully a lot of this is stuff that people are already doing, but not necessarily. But it is clear, I guess, just because of the nature of how the new proposed rule, again, is very technical, that there will be a lot of impact on vendors, because vendors are the ones who are executing and managing these things. So again, I think it is inevitable that there will be more of a focus on vendors, and continued focus on CEs, but more of a focus on vendors. And the proposed rule, as I said, would do a lot of things, if passed, in just putting more in place. Comments closed, I think, last week, so we'll have to see where it's going to go. But stricter change management protocols, more risk management planning, better actual security policies, and again, new specifications, actual security specifications, that would create some uniformity. And there'd just be more to answer to, because there's less flexibility in how you can implement the rule. I think, to note, it isn't new legislation, but if you look at the audits that we have been seeing out of OCR, they are all touching on and asking questions about tracking technologies. It's sort of a, here's 15 questions we need you to answer because we're doing an audit related to a breach.
But basically, while we have you, we're going to ask you questions because we can. And they're all asking about data tracking. And so I think there's been a lot of talk about tracking technologies. We've seen guidance come out on tracking technologies. I think it's still at the forefront, something that people are concerned about, or that OCR is concerned about. And so we'll see where it goes. We've heard some grumblings, right? It's funny, I have some partners who say that we're headed for a broad national data privacy law. I'm not sure that I've seen any indication of that, especially not under this administration. But, you know, I think to a certain extent that's a little bit of wishful thinking, because we are still in a slightly piecemeal regulatory environment. And a lot of the states took up things like AI last year, and we think they'll continue to do that. And so, for now, compliance is just continuing to get harder. But hopefully it will help in terms of keeping data secure.
Speaker 3: Yep. Well, we've covered several different topics. Um, what, what summary recommendations do you have for technology companies and, and others that are selling products and services to healthcare providers on how to ensure that the security concerns don't derail their growth plans? Yeah.
Speaker 4: Um, start early and start bright deep, I think, um, plan for the future state now. Uh, so we talk to a lot of folks who, for example, they're like, oh, initially we won't have to be HIPAA compliant, but we expect that one day we will be, and if you're heading that direction, just do it. And, and again, it starts from the building blocks, right? Like your vendors, your subcontractors, like all the things that are harder to change as you get up and running. And so I think there is a little bit of, of, of building a compliance infrastructure or, or a plan for, for, for compliance in the space, uh, early, whether it's, it's gonna be, you know, some of these things are expensive, HITRUST, SOC 2, and so figuring out like how you're gonna get there, um, the sooner the better. Um, and then building a culture of compliance. I think to the extent that you're, you're developing products upfront as a, as a partner with your customers in compliance, I think it's, it's helpful. Um, you know, one of the things that we haven't talked about yet is <laugh> is cyber, uh, insurance. So, you know, having a plan for that, that can get really expensive and I think we'll only continue to be more expensive. And so understanding the, the state of the market and what you need now and what you'll need as you grow, um, but fundamentally, you know, you need to be smart in this space and you need to be able to answer questions. So deliberately building your, your security infrastructure, I think is really important. I'm curious how, what your, your advice would be.
Speaker 3: No, I, I completely agree and, and you're absolutely right. You know, with cyber liability insurance, we've seen such drastic changes over the last, you know, even the last just couple of years, um, with regard to how, you know, the, the, the insurance, uh, industry itself approaches it. And, and you know, it used to be that you would, you know, go in and apply for a, a, a policy. It would be reviewed by, you know, someone, one, one person maybe, uh, you know, uh, an agent and then, you know, you would either be approved or not. And now we're seeing there are teams of security experts that are reviewing your responses. Um, and, you know, the vetting process has gone from one questionnaire to, you know, multiple stage questionnaires, <laugh>. So it, it's, it's really changing quite a bit. Um, so yeah, absolutely. We're definitely seeing, uh, some, some very distinct changes in that environment as well. And it's, it's definitely on the, the provider, uh, who is looking, you know, seeking to get that insurance to understand, you know, what their first party and third party requirements are and, and what meets their business needs, and then working with the provider to ensure that, that they're going to be covered in, in any situation that they need.
Speaker 4: Yeah, and I guess the last thing that I would add to that is just having good partners in this, whether it's a Clearwater or a Cooley, right? Your lawyers can help tell you when you, when to start thinking about things, what the risk is, uh, and a good team that understands the space to help you build it out, uh, is also really important. Um, and, you know, it's always better to bring us in earlier than later because, you know, the, the, the early expense saves so much later headache, uh, that ends up being a lot more sort of expensive and, and difficult to deal with and, and can impact like product development and actual sort of use of, of your, of your tools and your technology. So
Speaker 3: Yep. Completely, completely agree. So definitely on the same page there, <laugh>.
Speaker 4: Yeah, <laugh>, it's like, uh, it's self-serving, but I swear it's not, it really makes a difference.
Speaker 3: Indeed. Indeed. Well, Alexis, um, those were, uh, really the topics, uh, for discussion today. Uh, I really appreciate your time and, and your, uh, your, your vision here and, and, uh, the, the comments that you've had and, and the great information you provided. Um, are there any other questions or thoughts that you'd like to leave us with?
Speaker 4: No, I really appreciate your time and thank you for having me. I enjoyed the conversation and as I said, it's always good to know sort of what's happening from a very practical implementation standpoint. Um, you know, as, as the lawyers, we see one side, um, and, and getting to talk to somebody who's sort of helping folks as they build is, is always super helpful. So thank you.
Speaker 2: Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law, wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.