Dissecting Recent Cybersecurity Regulatory Moves at the Federal and State Levels

Released Tuesday, 5th March 2024

Episode Transcript

0:14

Support for AHLA comes from Clearwater. As the healthcare industry's largest pure-play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and compliance domains; purpose-built software that enables efficient identification and management of cybersecurity and compliance risks; and a tech-enabled 24/7/365 security operations center with managed threat detection and response capabilities. For more information, visit clearwatersecurity.com.

1:02

Hello and welcome to this episode of the American Health Law Association's podcast. Speaking of health law, I'm John Moore, Chief Risk Officer and head of Consulting Services and Client Success at Clearwater, where we advise and support our healthcare clients on how to move their organization to a more secure, compliant, and resilient state.

As 2023 came to a close, we saw significant activity at both the state and federal levels with respect to the regulation of cybersecurity programs in healthcare. First, we saw the governor of New York propose new regulations requiring hospitals to establish formal cybersecurity programs, among other measures, to limit unauthorized access to their information systems and the confidential information being processed within those systems. Then the US Department of Health and Human Services released a concept paper outlining the department's cybersecurity strategy for the healthcare sector. The paper detailed four pillars for action, including publishing new voluntary healthcare-specific cybersecurity performance goals, working with Congress to develop support and incentives for domestic hospitals to improve cybersecurity, and increasing accountability and coordination within the healthcare sector.

The cybersecurity practices of healthcare organizations certainly appear to be under the microscope like never before, at least from a regulatory perspective, and to help dissect what further steps we might see from both federal and state agencies in 2024, I'm pleased to be joined by one of the leading experts on the subject and personally one of my favorite people to talk to about these kinds of matters, Iliana Peters. Iliana is a shareholder with the law firm of Polsinelli, working closely with healthcare clients on complex compliance questions, incident response, investigations, and training to protect data and avoid legal risk and legal liability, both at the state and federal levels. Prior to joining Polsinelli, Iliana was with the HHS Office for Civil Rights for over 12 years, and in her last role at OCR as Deputy Director, she both developed information privacy and security policies, including on emerging technologies and cyber threats, while coordinating with the Department of Justice, Department of Education, and other federal agencies, state Attorneys General, and the White House. So, it's great to speak with you again, Iliana. It's been a bit, I think, since the last time we had a conversation, but always a pleasure.

3:27

Yeah, likewise. It's always good to talk to you.

3:32

So, some very interesting developments, as I mentioned previously. Let's start with New York. So what's happening in the state of New York? We have the new proposed regulations. Part of that is risk analysis as a key part of the requirements proposed, and in this case a very specific requirement for an annual risk analysis is part of those regulations. Obviously, risk analysis has been a key part of the HIPAA Security Rule since the beginning as well, though not as specific as the requirements here. It doesn't specifically call for an annual risk analysis; however, oftentimes that's how folks have interpreted it. Yet routinely we see OCR cite insufficient risk analysis in announcing enforcement actions. I think probably every time I've ever spoken to you about this subject, we've mentioned this, and it doesn't seem to be improving, although that's kind of anecdotal evidence. Why do you think risk analysis is so important, first of all, that it's included in all these types of regulations, and what seems to be the problem with healthcare organizations in conducting the appropriate risk analysis?

4:44

Yeah, I know, we often talk about this question, as you mentioned, and we're also trying to figure out exactly what the issue is, because I think you're right, at least in my experience, and I know that you have similar experience, although we don't necessarily have any audit studies or anything like that from HHS on this particular question. But I think that the issue really is that it's hard. I think it's hard for all different types of entities. Enterprise risk assessment is something that is really considered the cornerstone effort of any robust enterprise security program, whether you're in healthcare or otherwise. And I think it's hard for everybody, but I think it's particularly hard for healthcare because this isn't what they do.

So, I know we've talked about this before: when you're talking to a financial institution, for example, they get pretty quickly why they need to know where all their data is and why they need to understand the threats and vulnerabilities to that data, and they need to really plug those holes. That's less easy for, I think, a healthcare institution to understand, because they don't necessarily equate the data with their mission. In other words, they are very concerned about patient health and patient safety, and that's what their focus is. And I think you'll see from those new guidance documents out from HHS that HHS is really trying to flip the conversation to try and convince healthcare providers that data security is patient safety, because so many of these incidents do in fact affect patient safety and can have some really adverse outcomes, but that's not an intuitive sort of conversation. In other words, the physician is going to want to know why they have to spend so much time and money and staff resources to figure out where all their data is and then to address any deficiencies with regard to safeguards for that data. It's just not something that they have top of mind, whereas they certainly have top of mind the patient that's coming in the door next, or the patient that may be on life support, or the new MRI machine that they want to buy to support the effort that they have for saving lives.

So I think that's going to continue to be a really tough conversation, and it continues to be something that I think we're all trying to figure out how to have. And until we do, until we convince these healthcare organizations that they really have to prioritize understanding where all of their data is, where all of their assets are, such that they can protect all of that data against really any types of threats, and those threats are increasing exponentially as we speak, we're going to continue to see deficiencies in risk analysis. And it's really unfortunate, I think, because as you and I both know, that really is the key to getting this data security effort right. Because you can obviously throw a lot of resources at cybersecurity and technical safeguards and other types of applications and controls that are meant to reduce your risk, but if you don't know really where the risks actually are, it's kind of like throwing spaghetti at the wall to see what sticks. So it can in a lot of ways be a very inefficient way to try and address the risk to your data if you don't know, again, where all of your data is. But I'd love to hear your thoughts too, because again, we're always trying to figure this out, and obviously any thoughts that you have on this I think are always helpful too, because you see it from a different side than I do day to day.

9:07

Yeah, I think certainly many of the things you said align with our experience. I think, first of all, no, I know actually, that there's still, despite the fact that, at least from a HIPAA perspective, the guidance on what's risk analysis under the HIPAA Security Rule has been out for over a decade, there's still confusion, I believe, on what exactly risk analysis is. And part of the blame for that, I think, resides with, let's call it the cybersecurity industry as a whole, because there are a lot of things that are called risk analysis in the cybersecurity world, and they're not the same thing, certainly, as what OCR expects and what is more fully described in their guidance. So I think there's still some of that confusion going on.

The next thing that we see oftentimes, and the bigger, more complex the organization, the more of an issue this is, is this idea of scope. So to your point, not having a good understanding of what the systems and associated components are within the organization that are used to create, receive, maintain, transmit ePHI for HIPAA purposes. But to your point, whatever that information is, to the extent that it's necessary for that organization or critical to that organization's achievement of their mission, we don't understand that. And that's interesting in and of itself, I think, because it's difficult for me to understand at this point how pretty much any organization, whether it's healthcare or otherwise, doesn't fully understand how dependent they've become on information systems in order to achieve their mission. And certainly that's the case, and becoming increasingly the case, in healthcare. So I think that certainly from a business executive, board, leadership perspective, we need to better understand that. We've had good luck working with organizations using the activity of business impact analysis to really help the business folks themselves understand the implications of losing one of their critical systems. If we lose the EHR, how long can we continue to deliver services without it? Or what's the impact to the organization and our ability to deliver care, and risk to our patients, if we lose access? And so having those conversations and talking through those scenarios with the folks delivering care, the business people themselves, I think can be helpful to make the need for cybersecurity more real to organizations.

The other thing that we see, and I think that you mentioned this as well, is just the cost associated with truly doing this effectively, and particularly that initial hump of doing it the first time. If you do it the first time, make that investment and then maintain that on an ongoing basis, it's manageable. But I don't think many organizations think about that, even though in the OCR guidance they talk about ongoing risk analysis and at least allude to what that means. Most organizations aren't doing that. It becomes an annual compliance activity if they're doing it at all. And I don't know that that's particularly effective in achieving the goals and objectives of the risk analysis or from a cost perspective. But cost is an element, and certainly, depending on the nature of the organization we're talking to in healthcare, some of those folks are more resource-strapped than others. And they're trying to decide whether they buy some new piece of equipment for their physicians that is going to allow them to deliver better, higher quality care, or apply that to risk. And I think we've gotten into the habit of defaulting to the former instead of considering the latter. And that comes back to bite organizations eventually, I think. So I don't know whether any of that resonates with you.

13:20

Yeah, no, I think you're absolutely, no, I think you're exactly right. And I really appreciate your excellent point that there really is a disconnect between what the regulators expect in a lot of these circumstances and what a lot of vendors provide to industry members, so all different types of healthcare entities, because of the lack of understanding, I think. And obviously your team has done this so well for so long that I'm sure you consistently scratch your head as we do, but it's just really surprising to me how many times I end up educating the vendor on how to do this correctly. And that continues to surprise me. So I think that's a really good point, because if we can't educate the industry, the cyber industry, on how to do this right, then it just makes me more worried about educating the healthcare sector as well. So I agree that I think there needs to be more education on this.

And even if you look at the additional documents that, as you mentioned, came out from HHS about essential goals and enhanced goals related to cybersecurity in the healthcare sector, an asset inventory is considered an enhanced goal <laugh>, which is interesting to me, rather than an essential goal. And it talks about assets and not necessarily about data. So I think we're still having some disconnects in how we try and educate both the vendors who do this work, and many of them do it very well, but many of them don't, and the healthcare sector. So I just think there is a real need for folks to really sit down and figure out how we can have these conversations in a more productive way, so again, we get the message across that this is super important for patient safety, but also how to do it right.

15:42

Yeah, it's interesting you pointed to that example of the inventory. That was the first thing that jumped off the paper at me when I looked at it, because historically, in most cases, the first thing that you're looking to have an organization do is understand what their data and associated resources are, because how can you protect it if you don't know that it exists? So, yeah, that was certainly an interesting element to the new goals.

One of the complaints, and I'm sure you've heard this as well, about the HIPAA Security Rule in particular is that it's not specific enough. That's one of the things that you will often hear, particularly from folks who just want a checklist, right? An "if I just do these things, I'm okay" sort of approach. In the New York regulations, or proposed regulations, they seem to be moving towards more specific requirements. So they specifically call out MFA, for example. They specifically call out pen testing. They specifically call out vulnerability scans and risk analysis and give an expected frequency for those types of activities. What's your perspective on either those requirements within the New York regulations or this often-heard demand for more specific requirements when it comes to cybersecurity?

17:10

Yeah, I think that's a really great question. I mean, I think the idea is that we obviously want to make this digestible. So, as we were just talking about, we want to make sure that folks can access this information in a meaningful way, that they can understand it, that they can implement it. And in that respect, I really don't at all object to more specific requirements, because I do think that we have moved that way anyway. When we're talking to really any regulator, state or federal, at this point, they're asking those questions. So obviously they ask about access controls in that way, but they're also asking specifically about MFA, for example. So, because we know there are, at least in some respect, some current best practices that are really a minimum standard at this point for what each piece means. So for example, again, with access controls, we're talking about sophisticated credentials requirements, including MFA. So those are things that we keep hearing over and over again from the regulators at the state and federal level, even though they may not be specifically spelled out in the law or the guidance for that law. And the HIPAA Security Rule is a very good example. So I do think it's helpful to some extent, and I'll qualify this statement obviously in a minute, but I do think it's helpful to some extent to have some really specific requirements that say, okay, if you do these six things, then we're going to consider you to be at least performing at a minimum sort of baseline level for purposes of these very great cybersecurity risks and this very giant risk landscape that we're dealing with.

Now, that said, obviously, I don't necessarily think that that is, long-term, the best approach, because I do think it's incredibly important that we make this space, that we make these requirements, the way the Security Rule does, flexible and scalable. In other words, a checklist may work for a one-doc shop or a small provider practice, or a wellness spa or something like that. A checklist is certainly not going to work for a very large health system, a very large health plan. Those types of efforts are just not sufficient. So if we limit our regulatory requirements to a discrete set of checklist elements, then we obviously miss a huge part of that risk landscape that may apply differently to much more sophisticated organizations.

And so everybody's always asking me about encryption, right? You very well know. Everybody's always saying, well, encryption is optional under the Security Rule, under the HIPAA Security Rule. Encryption is obviously not optional. It never has been. It's addressable, which means you implement encryption, or you implement the equivalent of encryption and document why you have a reasonable compensating control for encryption. I think in very short order we are going to be moving to a space where quantum computing could very likely replace encryption as the best standard out there for protecting data. And we're going to have all of these guidance documents and all of these laws that say you must do encryption; what happens when encryption becomes outdated? And it's very difficult for the laws to keep up. So it is a much more sophisticated analysis, I do think, and it is harder to, again, have these discussions when we don't have a checklist and we don't have a specific set of very discrete requirements that we are required to implement, but at the same time, we don't have the ability to pivot if we need to, if the next vulnerability is with MFA. So I think it's a really important piece of the conversation, certainly, but I do think that there are drawbacks to that approach.

21:41

Yeah, and I certainly think I would agree with each of the elements you cited. Certainly from a NIST perspective, and NIST not being required, but one of the methodologies cited by OCR, there is this notion that I'm going to establish some level of baseline controls and then understand what the remaining level of risk is that I have. And then to the extent that it exceeds my tolerance level, I'm going to implement additional controls. But to your point, what would be an appropriate baseline for different systems and/or organizations can vary quite a bit. One of the things that I really liked about the HICP standards, or practices, is that they've tried to break it down around appropriately sized organizations and appropriate practices, which is helpful, but if you tried to then translate that into regulation, I think it becomes particularly more complicated.

One of the things I'm not sure if you mentioned, but that always comes to mind for me, is that under HIPAA we have this kind of notion of reasonable and appropriate. And unfortunately, one of the other things we don't have much, if anything, of is any sort of case law history of the evolving standard of what reasonable and appropriate is from a controls perspective for different types and sizes of healthcare organizations under HIPAA. If you had that history, and that would be evolving over time, it would be a little easier for someone like yourself who's advising folks, or even us when talking with organizations about what controls they should have in place. What reasonable and appropriate would really be for them, I think, is oftentimes a bit nebulous.

23:36

Absolutely. I absolutely agree.

23:38

One of the other things I thought was interesting under the proposed New York regulations was the two-hour timeline for reporting of material cybersecurity incidents. I think that was interesting to me for two reasons. Two hours is a pretty short timeline, at least from my perspective. But the other thing is that they brought in this notion of materiality for evaluating the impact of the cybersecurity incident. And I think we saw that in the SEC regulations; now we see it here. I know certainly we're seeing more and more organizations inquiring as to how they determine materiality. So, interested in your thoughts on the two-hour timeline, but also perhaps on this notion of materiality when it comes to a breach. I think that's a new concept, at least for many organizations in healthcare.

24:29

Yeah, no, I, you know, I, I've been

24:31

obviously thinking about these , um,

24:34

exact issues since, since these

24:36

, uh, you know, proposed , uh,

24:38

requirements have been pushed out as

24:40

well as , as you mentioned, the new

24:43

requirements from FEC , for example.

24:46

Um, you know, I think these deadlines

24:49

are , um, a bit unrealistic.

24:52

Um, I don't think there's really any

24:54

way you can determine true

24:57

materiality within a two hour period. Um,

25:00

you know, particularly given, is

25:03

that really what we want our incident response

25:05

folks to be worried about in the first two

25:07

hours of a cyber attack? Um,

25:10

you know, I, I do think it's an important

25:13

question, and it's absolutely something that should

25:15

be evaluated at some point and

25:17

should be reported as necessary

25:19

to whatever regulators , um, are

25:21

, uh, maybe involved. Um , but

25:24

I'm just not sure it's, it's

25:26

, uh, it's the correct

25:28

timeline for that reason. I mean, I just don't

25:31

know in the, in the vast majority

25:33

of cases, what we would say two hours in

25:35

other than we've had an attack, and

25:37

we're trying to figure out what it's , um,

25:40

and whether or not it's material is going to

25:42

depend on, on many factors , um, that

25:44

will be determined over time. Um , and

25:47

so I really think that that's

25:49

, um, that's going to be a very

25:51

hard standard to meet, arguably. And

25:53

, uh, again, really wonder

25:56

if that's the best use of resources

25:59

in that timeframe, or if that's a burden

26:01

that that really should be , um,

26:03

you know, placed in a different timeframe.

26:07

Um, I think too , from a materiality

26:09

standpoint, this sounds very

26:11

much like a harm standard.

26:14

Um, and, you know, we've moved away from a harm standard

26:17

, um, in the vast majority of

26:19

our , um, breach

26:21

notification requirements, certainly at the federal

26:23

level. You know, that sometimes that language still

26:26

remains at the, at the state level. Um,

26:28

but, you know, HHS is

26:31

taking an approach, HSS in the

26:33

office for civil rights is taking an approach that

26:36

every cyber attack is

26:40

material that you have to notify everyone

26:42

in every cyber attack. So

26:45

is that the standard? Is that what we mean

26:47

by material? I don't, I don't think so,

26:49

but that's the, that's the approach that the

26:51

Office for Civil Rights is taking. Now, they do

26:54

not allow a risk assessment for purposes

26:56

of a cyber attack involving , um,

26:58

some kind of threat actor. If there's

27:00

a criminal involved, they expect you to notify

27:03

every one of everything. Um, and

27:06

again, I don't, I don't think that's what the

27:08

HIPAA breach notification rule provides

27:10

for, but I don't think that's

27:12

what we mean by material either. Is

27:14

it really material for

27:16

everyone? Is every incident really

27:19

material all the time ? Um,

27:21

I don't think so. Um, and I think

27:23

the vast majority of our industries don't

27:26

think so, but I do think that's where

27:28

the government is moving. And so I

27:31

would like to see additional

27:34

guidance from our state or federal

27:36

regulators on what exactly they

27:38

mean by material. Um, you

27:40

know, I think it's, it's a little bit easier of

27:43

a calculus to do if you're talking about

27:45

a publicly traded company, and

27:47

we have some idea of the valuation

27:50

issues that may be , be resulting

27:52

from a particular type of incident given

27:55

, uh, what might happen in

27:57

terms of , you know , um, reputation,

28:00

litigation risk, regulatory

28:03

risk , um, uh, you know,

28:05

just plain old business interruption.

28:08

Um, and so I think from that perspective,

28:11

I think that's an easier analysis to do. If

28:13

what , if that's really what we're talking about in the publicly

28:16

traded realm, which is what , what I think we're

28:18

looking at from an SEC perspective. But

28:21

with regard to these other regulators at

28:23

the state and federal level, I don't think it's that

28:26

clear. Um, and I think it's a much harder question

28:28

because I think arguably the burden is

28:30

much higher at a state and federal level,

28:33

because what we are seeing from

28:35

those regulators is an extremely aggressive

28:37

approach to considering everything material. Um,

28:40

and I think we need to sort that out.

28:43

Yeah, I , I , I certainly would agree. I

28:45

mean, I think there's, if you're thinking about it

28:47

in the context of SEC regulation,

28:49

there's, there's plenty

28:52

of commentary as to, to

28:54

what materiality means in that context.

28:57

But to your point, I think it that

28:59

that term is being adopted outside

29:01

of the, those financial reporting

29:03

context. And I'm not sure that the,

29:06

that folks who are doing

29:08

that necessarily themselves are,

29:13

are adopting the definitions that we

29:15

have from a financial reporting perspective, or,

29:17

or they're thinking that it means something else

29:19

and not, certainly not a hundred percent clear

29:22

to me. That's, that's for sure. So,

29:24

wanted to quickly shift directions

29:26

here and , and talk a bit about , uh, HHS

29:29

and , and , um, the recent publications

29:31

and the concept paper in particularly , uh,

29:34

detailing their cybersecurity

29:36

strategy where they talk about healthcare organizations

29:39

having access to numerous standards. I

29:41

, I , I don't think we disagree there, and

29:43

many of these standards have been around for some time.

29:46

Um, what's your perspective on existing cybersecurity

29:49

standards and their application in healthcare

29:51

and , um, healthcare organization's

29:53

ability to align with those standards

29:56

or practices?

30:00

You know, I think , um, it's

30:03

a really good question, and I

30:05

think in my experience, again, a

30:07

lot of these standards , um,

30:09

are, are frankly the lowest common denominator,

30:13

which in theory should work well. Um,

30:16

but we're still not seeing even

30:18

implementation of these arguably

30:22

very minimum standards. In

30:24

other words, you know, I think the,

30:27

the standards that have been set

30:30

forth , uh, for example, including

30:32

from the HHS FACAs , um,

30:34

you know, responding to the, the 405(d) requirements, for example , um,

30:40

you know, this was part of the Cybersecurity Act a

30:42

few years ago. Mm-Hmm. <affirmative> , um, you

30:45

know, they're absolutely right. I mean, I, I

30:47

don't think there's anything wrong with that guidance. I think

30:49

it's good guidance. I think it absolutely

30:51

should be implemented. Um,

30:54

but it , it arguably

30:56

doesn't even meet the requirements of security

30:59

rule in many respects, the HIPAA security rule in

31:01

many respects. So it

31:03

may be appropriate, again, for smaller

31:06

entities , um, but it may not be

31:08

appropriate for much larger entities

31:10

, um, given what is reasonable

31:12

for those larger entities. So

31:15

again, I , you know, I I'm still a

31:17

bit concerned that there

31:20

are , uh, you know, standards that are

31:22

floating around, including these new ones

31:24

that were published yesterday that

31:27

are , um, you know, divided

31:30

in a way that makes what

31:32

is arguably already required

31:34

under the law look

31:36

like , uh, a reach , um,

31:40

in , in , in terms of using statements

31:42

like enhanced goals. In other words, you

31:44

know, mm-hmm , <affirmative> , um, something that we should reach

31:46

for. Um, I don't, I personally

31:49

don't think, and I think I heard from

31:51

you that you agree, but I don't wanna put words in your mouth

31:53

that, you know, knowing where all your assets

31:55

are isn't an essential goal.

31:58

It's already required by the law. Um,

32:00

and, and yet we have new guidance from

32:02

HHS that says it's actually , uh,

32:05

a reach goal, an enhanced goal. So

32:07

, um, you

32:10

know, I don't, I don't necessarily think

32:12

that , uh, the guidance

32:15

is wrong. Um, I think most of it is

32:17

, is very correct. Um,

32:19

and my concern is really

32:21

whether or not it's , uh,

32:24

it's where we need to be. Um, and

32:26

I, I do think that , um, you

32:30

know , given the overlap or potential overlap

32:33

with our legal requirements, we need

32:35

more , uh, again , clarity

32:39

from particularly HHS and our other state and

32:41

federal regulators about what

32:44

is required and, and why

32:47

these guidance documents may sort

32:49

of hit differently for , uh,

32:51

different entities based on what may or may not be required.

32:54

Um, and, and that's just as we discussed

32:57

a little bit earlier, still not

32:59

clear to me. Um, I do think

33:01

that these , um, documents

33:04

should in fact, indicate the

33:06

standard we're all trying to meet , um,

33:09

no matter what our , um, size

33:12

and resources are. Um,

33:15

while the enforcement of

33:17

such standards may be different,

33:20

depending on the size and type of

33:22

entity and the resources available to

33:24

it. In other words, I still think

33:27

that the best approach is to

33:29

ensure really robust requirements

33:31

, um, that are , you

33:34

know , scalable for different

33:36

types of entities, and the lack

33:39

of implementation is an enforcement issue.

33:42

Yeah. I, I almost

33:44

sometimes get the feeling, and I I

33:47

hope that this is just me being a

33:49

bit jaded, is that we, there's

33:51

certain requirements that exists

33:54

for organizations, organizations aren't

33:56

hitting those requirements and, and they , um,

33:59

suggest, well, I just didn't know what to do.

34:01

So we, we just keep trying to

34:03

find different ways to tell them what

34:05

to do. Um, when not

34:07

knowing what to do really isn't the problem. Uh,

34:10

you know, there's a, there's a different problem either

34:12

whether that's , um, whether

34:15

that's an enforcement

34:18

problem, a financial problem, a

34:20

technical problem, all of the above. Uh,

34:23

you know, I'm, I'm not sure that we're necessarily,

34:26

I , uh, that generating more

34:30

guidance is going to, to

34:32

move the needle much. But

34:35

that said, the, the

34:37

concept paper suggested that , um,

34:40

with additional authorities and resources,

34:43

HHS will propose incorporation of these cybersecurity

34:46

performance goals that we were discuss just discussing

34:48

into existing regulations and programs

34:50

that will inform creation of new enforceable

34:52

cybersecurity standards. Uh , you know, and

34:54

how, so the question is , I think there's a

34:57

couple questions. One, if they do that to, to your

34:59

point, are we lowering the bar

35:01

, uh, in , in , in some cases

35:04

anyway , in regard to the requirements,

35:06

citing specifically the, you

35:08

know, the , the enhanced goals versus the

35:10

, um, essential goals. And

35:12

how do you think HHS will will verify

35:15

that these, or will they even bother to verify

35:17

that, you know, that these standards are

35:19

implemented?

35:22

Yeah. Um, you know, I

35:25

think that that's sort of

35:27

a piece from the , um,

35:31

the, you know, the , obviously we , we've

35:33

had two HHS documents

35:36

come out fairly recently. You know, we had these

35:38

new goals come out yesterday Mm-Hmm , <affirmative>

35:40

, which were a result of the

35:42

, um, you know, the,

35:45

the four area concept

35:47

paper areas of priority that

35:49

you talked about at the beginning of our conversation

35:52

, um, that came out from HHS,

35:55

you know, a couple weeks ago. Um,

35:57

and that was really in , in conjunction

35:59

with, you know, the White House effort to prioritize

36:02

cyber , um, cybersecurity

36:04

and cybersecurity efforts, you know,

36:07

in , in every sector, really. So this

36:09

is the HHS piece. Um, as

36:11

you mentioned, one of those four , um,

36:16

uh, areas of , uh,

36:19

importance emphasized by the

36:21

concept paper was greater

36:24

enforcement and accountability , um,

36:26

by HHS. Um, and that would

36:29

include , um, you know,

36:31

additional regulations under the

36:33

HIPAA security rule. So we do already know

36:35

that HHS is working on

36:37

changes to the HIPAA security rule as a result

36:39

that is now on, on the secretary's rulemaking

36:41

calendar at HHS. Um, and

36:45

so we do know, this is obviously a , a , a

36:47

presidential priority. Um,

36:49

my concern is that , um,

36:55

OCR arguably has pretty broad

36:57

enforcement authority already. Um, they

36:59

have an entire audit authority that

37:01

they're not using. And what

37:05

they are enforcing is they

37:07

are in fact , um,

37:10

investigating every single breach

37:13

affecting 500 or more individuals

37:15

that comes into the office.

37:17

That's a lot of cases, but

37:20

it's also a lot of cases where

37:23

entities were victims and they are reporting

37:26

as they're required to do under the law. We

37:29

know that there are a lot of entities

37:32

out there that aren't reporting. Um

37:34

, they don't have good, you know, cybersecurity

37:37

programs, they don't have good HIPAA programs, they

37:39

don't have good compliance programs, and

37:41

they're not reporting breaches when they occur. And

37:45

HHS is not looking into any

37:47

of those entities. And

37:50

so I continue

37:52

to be concerned that if

37:54

the people that we are punishing, because

37:57

OCR is continuing to move forward with this

37:59

work, they are offering settlement

38:01

agreements and all in , in many of these cases , um,

38:05

if the , if the entities that we're investigating and

38:08

punishing are the ones who are at least trying

38:10

to do what's right , um,

38:13

you know, what's the incentive of continuing to

38:15

try to do what's right if we're not even

38:17

looking at the entities that aren't

38:19

even trying to do what's right, because we're

38:21

never going to move this needle, this

38:24

cybersecurity needle , if

38:27

the vendors that provide services aren't

38:29

doing this, right? If the, you

38:31

know, if the healthcare provider down the street

38:34

who we share medical records with

38:36

isn't doing this right. You know,

38:38

if the , if the hospital or cancer center

38:41

or whatever that looks like that we share patients

38:43

with, isn't doing this, right. So

38:46

I'm still trying to figure out why HHS

38:49

thinks there needs to be more enforcement when

38:51

they arguably aren't using the

38:54

tools in their tool chest that they already

38:56

have. Um, you know, they haven't done

38:58

audit since before I left the agency,

39:01

which was six years ago. Um,

39:03

so, you know, I think that's the, that's

39:06

the piece that I continue to come back to is

39:09

that, you know, we can

39:12

have these requirements in

39:14

the law and we can have these very

39:16

important guidance documents and

39:19

goals , um, and we can have

39:21

all of this , uh, effort

39:23

to educate entities. Uh

39:26

, but if we don't get the enforcement

39:28

right, if we don't get the enforcement piece

39:30

, I think it will continue

39:33

to discourage to actually discourage

39:36

entities to come into compliance. Um,

39:38

and that continues to concern me, but

39:40

I would love your thoughts on that as well. Yeah,

39:43

I mean, certainly if

39:45

I, if you look at it just from an optics

39:47

perspective, the , the

39:50

fact that, and , and not all of the enforcement

39:52

actions exclusively limited to organizations

39:54

that have large breaches, but certainly the

39:56

most, the

39:58

largest, most visible sort

40:01

of, you know, multimillion dollar sort of

40:03

enforcement actions tend to be , uh,

40:06

against organizations that have reported

40:08

some breach or another. And I

40:10

think that, you know, that it's, it's easy

40:13

for those folks and and

40:16

their peers to make the argument, well , you're,

40:18

you're punishing the victim essentially.

40:21

And, and, and I think there's some, to

40:23

your point, some merit to that argument.

40:26

The audits in particular that you referenced

40:28

are amusing.

40:30

And as much as my take on that was, Hey,

40:32

we, we audited folks and, and pretty

40:34

much everybody failed, so we better not do that again.

40:37

Uh, you know, or, or, or what will we have

40:40

to do? And , and that is seemed,

40:43

I don't know, it raises a lot of questions,

40:46

I think to your point about what the,

40:48

the most effective approach

40:51

to enforcement would be. And,

40:54

and I guess to a certain degree that depends on

40:56

what your goals of enforcement are, and if your goals

40:58

of enforcement are to,

41:01

to encourage

41:05

everyone in the industry to implement,

41:07

you know, some level of cybersecurity to

41:10

protect the, the not. And at

41:12

this point, it's not just the confidentiality, integrity and

41:14

availability of information, but we're really talking about

41:16

patient lives, you know, at some point, although that

41:18

comes through in the , in many different ways that,

41:21

that, that how

41:23

we're doing enforcement has proven

41:25

not to be effective in accomplishing that. And so what

41:28

would be the point of continuing to do in enforcement

41:30

in this way? We're just going to continue

41:32

to get the same results , it seems to me anyway

41:35

, uh, to , to , you know, you raised

41:37

a , a couple of things and related to

41:39

this, wanting to get your thoughts and, and along

41:41

those lines is , so, you know , one of the other things mentioned

41:44

was increased financial consequences. I

41:46

assume that means fines and penalties and that type of thing. And,

41:48

and the other is that they, you know, different,

41:51

different , uh, attempts to, to

41:53

rethink this, whether that's in the form of

41:55

additional measures coming through the , you know , being

41:57

pushed out through Medicare and Medicaid requirements

42:00

or updating the HIPAA security rule

42:02

or proactive audits, which I , I think maybe

42:04

you, you were pointing towards in,

42:06

in your com commentary or the

42:09

incorporation of these , uh, performance

42:11

goals. What, what do you think, what

42:16

do you think the , the, the

42:18

answer is if , uh, or which

42:21

of these things you think would be most effective

42:24

in achieving the goal? If we say the

42:26

real goal is to, to better

42:30

protect the patients

42:32

and patient data and businesses

42:35

within the critical infrastructure

42:37

sector of healthcare? It's

42:42

a big question, <laugh> . Yeah.

42:43

That is a really, yeah, that is a

42:45

really hard question, <laugh> . Um,

42:48

uh, and tomorrow I will be queen of the world and

42:50

solve all the problems. Yeah,

42:52

That's a <laugh> I wish I

42:53

Could. That's , so that's a really

42:55

hard question. Um, I do

42:57

think it's a really good question though, and I think that's

42:59

the question that, you know, we

43:02

should be having this conversation with our state and

43:04

federal regulators for sure, because I

43:07

do think there are ways to get that to that. I

43:09

mean, the regional extension centers from medi

43:11

Medicare and Medicaid perspective have

43:14

really been a center of,

43:16

of , um, assistance for

43:19

a lot of entities for

43:21

a very long time. And, you

43:23

know, maybe there are ways to

43:26

leverage that kind of , um,

43:28

infrastructure to

43:31

help educate better , um,

43:33

those, you know, those types of entities

43:36

, uh, about their responsibilities

43:38

and to push resources to those entities.

43:40

So I don't think this needle is

43:43

going to move until we actually

43:45

start providing additional resources.

43:48

Um, and that's, you know, that's

43:50

already hard as, as a , a

43:52

, a national issue because there's just not

43:55

enough people that do this work. There's

43:57

not enough people that do this work well. Uh,

43:59

there's not enough money in these entities for

44:02

this work to be done. It's

44:04

arguably pretty expensive work to do. So

44:07

I definitely think that there will need

44:09

to be additional resources, particularly

44:12

for certain types of entities, because there

44:14

are a lot of entities in the healthcare

44:16

sector that are operating

44:18

, um, with, with no margins

44:21

that are, you know, providing charity

44:23

care , uh, that are doing really critical

44:25

access work. And they don't

44:27

have the funds to do this. I mean , they

44:30

just don't . So I , I

44:32

don't think there is going to be a lot

44:34

of movement , um, unless there

44:36

are additional resources, and that those

44:39

resources are pushed to

44:41

those entities in the right way, in

44:43

ways they can , um, leverage

44:45

them . Um, and so , uh, that's

44:47

always a very difficult conversation, you

44:49

know, how do we, how do we give people money

44:53

potentially, or , um,

44:55

other types of technology resources

44:58

and, and at the same time make sure that,

45:01

you know, it gets to them in the right way and they're

45:03

implementing it in the right way and they're using it for the

45:05

right things and all of that. Very, very hard

45:08

question , very hard . Um, and I think on

45:10

top of that, we still to

45:12

our, our , um, conversation

45:15

just now, we still need to

45:17

, uh, make the stick

45:19

better. So if we're gonna make the carrot better, we

45:21

also need to make the stick better, and the

45:23

stick right now is not working. Um,

45:26

so I do think that there needs

45:28

to be a reevaluation of

45:31

how we do this enforcement work and

45:34

what that really needs to look like in

45:36

terms of trying to get to

45:39

entities that aren't doing anything. Um,

45:42

you know, something is arguably better than nothing

45:44

if , even if it's not perfect. Um,

45:47

but there are a lot of entities out there that aren't

45:49

doing anything. Um, and we know, we

45:52

know that they have really, really

45:55

terrible controls or lack thereof. And

45:58

so, you know, I think those are the two

46:00

pieces that I'm sure I'm

46:03

absolutely sure folks at HHS and

46:06

that are in the state agencies are

46:08

struggling with is really how

46:11

do we get the carrot

46:13

right, but also how do we

46:15

improve on the stick at this point? Because

46:18

until we do both, I think

46:20

it's gonna be very hard to get

46:22

to where we need to be. Um,

46:25

and, you know, again, that's, that

46:27

continues to be a really hard question.

46:31

Yeah , I, I mean, I think, I

46:33

think one could make the argument, I know I've, I've

46:36

thought about this argument that, that

46:39

cyber liability insurance carriers

46:41

move the needle more in the last two

46:43

years with the increasing requirements

46:46

for coverage for healthcare organizations

46:49

than, than the

46:52

federal government has done through their enforcement

46:54

actions in the last probably

46:57

decade. Uh, you know, you, you,

47:00

if you really wanna , depending on how you

47:02

look at it, and the , um,

47:05

certainly from a, from a demonstrable

47:10

implementation of additional controls

47:13

and, and , uh, improved

47:16

maturity of practice that the

47:18

cyber liability insurance carriers made

47:20

a significant , um, drove

47:22

significant progress in those areas, particularly

47:25

in the last two years. And I , you know , there's, I

47:27

think there's a couple reasons for that. Uh , and,

47:29

and , and it's not all intended to be critical

47:32

of OCR or other , uh,

47:35

you know , state level enforcement. I, I think that

47:37

, um, it , it became very,

47:39

it becomes very real at a

47:41

very high level within the organization when

47:44

, uh, when someone

47:46

comes to the board or comes to the leadership

47:48

team and says, Hey , uh, we're not gonna have cyber

47:50

liability insurance coverage at all if we

47:52

don't do the following. Uh, you know, suddenly then

47:54

there's, there's money for MFA and there's

47:56

money for , um, for

47:59

, um, you know, some of the other

48:01

required controls that that insurance , uh,

48:04

companies were expecting to see. So, you know, I

48:06

think there's something to be learned from that to

48:08

, to your point in regard to the, the

48:11

carrots , um, the proposed

48:13

New York regulations come with potential

48:16

grants to be made to facilitate

48:18

enforcement, and the HHS concept

48:20

paper included mention of the federal

48:23

support resources and this idea of

48:25

the administration for strategic preparedness

48:28

and response. So ASPR , um, serving

48:30

as a one-stop shop , that

48:33

, that was a , I guess , a bit new

48:36

to me. How do you think HHS

48:39

might use ASPR and, and, and is that,

48:41

would that be an effective way to, to

48:43

perhaps ensure

48:47

that, that the

48:49

carrots that are provided are deployed

48:53

in a way that's most efficient and

48:55

effective for the overall industry?

49:01

Yeah, no, great question. And I, I really appreciate

49:04

your point about the cyber insurance

49:06

piece of this, because I think you're absolutely

49:08

right. Um, I think, you

49:11

know, we have gotten more questions from

49:13

, um, clients

49:16

in the last year, I would say

49:18

, um, about how to do this better

49:20

, uh, about how to do tabletops, about

49:22

how to get their

49:24

incident response plans in shape , all

49:26

of that as a result of their , uh,

49:29

the requirements they're trying to meet from , um,

49:32

from their cyber insurers. Um,

49:34

so I do absolutely agree with you that

49:36

that is a really powerful lever.

49:39

Um, and, you know, maybe that's

49:41

exactly what ASPR should

49:44

consider. Um, you know, I think there's been

49:46

talk for a long time about

49:49

some kind of, you know, effort

49:51

to address , uh,

49:53

insurance issues because as you

49:55

well know, cyber insurance is getting much and much

49:57

harder to get. Um, and

50:00

whether or not we need a government effort

50:02

to address that , um, that

50:04

comes with those same types of requirements. Um,

50:07

so if we're going to, you know,

50:09

help insure you as part of a,

50:11

you know, a government type program for

50:14

this type of insurance, you are

50:16

going to have to provide the documentation on

50:18

these following, you know, 12

50:21

items or whatever that looks like. Um,

50:24

otherwise, I think ASPR has,

50:27

you know, the experience to , um,

50:30

really be boots on the

50:32

ground here. That's what they do. You

50:34

know, they do that. I mean, HHS parts

50:37

of HHS certainly do that, you know, other parts

50:39

of HHS certainly are boots

50:41

on the ground in , in many circumstances. But I think

50:44

ASPR really , really

50:46

has that reputation. Um, they're,

50:49

you know, they're seen as helpful. They're

50:51

seen as , uh, you know, a really

50:54

great resource , um, and

50:56

they can get out there and, and get , um,

50:58

you know, get the conversation moving,

51:01

I think in a way that maybe the

51:04

regulators can't. Um, so

51:06

if, if ASPR comes knocking on your door,

51:08

it looks much more like they're trying to help. Uh

51:11

, whereas if ONC or OCR

51:13

comes, or OIG comes knocking at your

51:15

door, maybe you're more reluctant

51:17

to open the door. So I do

51:19

think, you know, there are, there are some really powerful

51:22

levers that you've emphasized

51:25

that could be really helpful

51:27

, um, in this , um,

51:30

you know, in this problem. And , um,

51:32

I am hopeful that , uh,

51:35

HHS will try and, you

51:37

know, exercise those levers in a

51:39

productive way , um, um,

51:42

you know, moving forward. But, but again,

51:44

really hard questions.

51:47

Yeah. C certainly that , and , uh,

51:49

we're, we're coming up to the end of our time, Eliana. I know we could probably continue to

51:54

discuss this for hours, if not days, and,

51:56

and maybe we'll be lucky enough to continue our

51:58

conversation , uh, you know, at

52:00

some other time. And, and I'm sure we'll be

52:02

certainly be talking again about this,

52:05

but I think we're gonna have to call it , uh,

52:07

a day here. So thank you very much for your excellent

52:09

insights , uh, that you shared. You know, as, as always,

52:12

I, I always , um, appreciate

52:14

your thoughts and, and your insight from

52:16

your experience, both, you know, working within

52:19

the government and, and trying to , uh,

52:21

interpret and enforce some of the , uh,

52:23

regulations that do exist as

52:25

well as your work in, in the private sector,

52:28

helping organizations come into compliance

52:30

and address , um, cybersecurity risk.

52:32

I, I really enjoyed our conversation, as I always

52:34

do. Uh, and I want to just thank

52:36

our audience for listening today, and I hope

52:39

everyone has a great day.

52:41

Yeah, likewise. Thank you so much. I

52:43

always enjoyed talking with you. And I, I

52:45

likewise, so appreciate your insights. I

52:47

I really think that you , um,

52:50

you and your team have a wonderful handle on

52:52

this stuff and, and appreciate working with

52:54

you at every opportunity. So , um,

52:56

also wanna thank our audience and , um,

52:59

I hope we'll , uh, see all of

53:01

you soon.

53:08

Thank you for listening. If you enjoy

53:11

this episode, be sure to subscribe to

53:13

AHLA Speaking of Health Law wherever

53:15

you get your podcasts. To

53:17

learn more about AHLA and the educational

53:20

resources available to the health law community,

53:22

visit American health law org.
