Episode Transcript
0:14
Support for AHLA comes from Clearwater.
0:17
As the healthcare industry's largest pure
0:20
play provider of cybersecurity and compliance
0:22
solutions, Clearwater helps
0:24
organizations across the healthcare ecosystem
0:27
move to a more secure, compliant
0:29
and resilient state so they can achieve
0:31
their mission. The company provides
0:34
a deep pool of experts across a broad
0:36
range of cybersecurity, privacy,
0:39
and compliance domains. Purpose-built
0:41
software that enables efficient identification
0:44
and management of cybersecurity and compliance
0:46
risks. And the tech-enabled
0:51
24/7/365 security operations center with
0:54
managed threat detection and response
0:56
capabilities. For more information,
0:59
visit clearwatersecurity.com.
1:02
Hello and welcome to this episode of
1:04
the American Health Law Association's podcast.
1:07
Speaking of health law, I'm John
1:09
Moore, Chief Risk Officer and head of Consulting Services
1:11
and Client Success at Clearwater, uh,
1:14
where we advise and support our healthcare clients
1:16
on how to move their organization to a more secure,
1:19
compliant, and resilient state. As
1:21
2023 came to a close, we saw
1:23
significant activity at both the state and
1:26
federal levels with respect to the regulation
1:28
of cybersecurity programs in healthcare. Uh,
1:31
first we saw the governor of New York propose
1:33
new regulations requiring hospitals
1:35
to establish formal cybersecurity programs
1:38
among other measures, uh, to limit
1:40
unauthorized access to their information
1:42
systems and, uh, confidential
1:44
information being processed within those systems.
1:47
Uh, then the US Department of Health and Human Services
1:50
released a concept paper outlining the department's
1:52
cybersecurity strategy for the healthcare sector.
1:55
Uh, the paper detailed four pillars for action,
1:57
including publishing new voluntary,
2:00
uh, healthcare-specific cybersecurity
2:02
performance goals, uh, working with
2:04
Congress to develop support and incentives for,
2:06
uh, domestic hospitals to improve cybersecurity,
2:09
and increase accountability and
2:11
coordination within the healthcare sector.
2:14
Uh, the cybersecurity practices of healthcare organizations
2:17
are, are certainly, it appears, under the microscope
2:20
like never before, at least from a
2:22
regulatory perspective, and to help dissect
2:25
what further steps we might see from both
2:27
federal and state agencies in 2024,
2:29
I'm pleased to be joined by one
2:32
of the leading experts on the subject and, and
2:34
personally one of my favorite people to
2:36
talk to about, uh, these kinds of matters. Ileana
2:38
Peters. Ileana is a shareholder
2:40
with the law firm of Polsinelli, uh,
2:43
working closely with healthcare clients and
2:45
complex compliance questions, incident
2:48
response investigations, training, uh,
2:50
to protect data, avoid legal risk
2:52
and legal liability, both at the state and federal
2:54
levels. Uh, prior, prior to joining
2:57
Polsinelli, Ileana was with the HHS Office for
2:59
Civil Rights for over 12 years. Uh, and
3:01
in her last role at OCR as Deputy Director,
3:04
she both developed information, privacy
3:06
and security policies, including on emerging technologies
3:09
and cyber threats , uh, while coordinating
3:11
with the Department of Justice, Department of Education,
3:13
and other federal agencies, state Attorneys General,
3:16
and the White House. So, it's
3:18
great to speak with you. Uh, again, Ileana,
3:21
it's been a bit, I think, since the last time we
3:23
had a conversation, but, uh, always a
3:25
pleasure.
3:27
Yeah, likewise. It's always good to talk
3:29
to you.
3:32
So, you know, some very interesting developments, as
3:34
I mentioned, uh, previously. And,
3:36
and so let's, I think,
3:39
let's start with New York. So what's happening
3:41
in the state of New York? So we have, uh,
3:44
you know, the new proposed regulations. Part of that
3:46
is risk analysis, a key
3:48
part of the requirements proposed. And, and
3:50
in this case, a very specific requirement
3:52
for an annual risk analysis is a key,
3:54
uh, uh, is part of those regulations.
3:57
Obviously, risk analysis has been a key part of
3:59
the HIPAA Security Rule, uh, since the beginning.
4:01
Uh, as well, uh, not as specific
4:04
in, in the requirements here. It doesn't specifically call
4:06
for an annual risk analysis. However, oftentimes
4:08
that's how folks have interpreted it, uh,
4:10
yet routinely we see OCR cite
4:13
insufficient risk analysis in,
4:15
in announcing enforcement actions.
4:17
I think probably every time I've ever spoken to
4:19
you about this subject, we've mentioned this and it doesn't
4:22
seem to be improving. Um, certainly
4:24
I, although that's kind of anecdotal evidence
4:27
to that. Uh, why do you think risk analysis
4:29
is so important, first of all, that it,
4:31
you know, that it's included in all these, uh,
4:34
types of regulations and what seems
4:36
to be the problem with healthcare organizations
4:39
in conducting the appropriate risk analysis?
4:44
Yeah, I know, um, we often talk
4:46
about this question as, as you mentioned, um,
4:48
and we're also trying to figure out exactly
4:51
what the issue is, because
4:53
I think you're right, at least in my experience,
4:55
and, and I know that, uh,
4:57
you have similar experience, although we, you
4:59
know, we don't necessarily have any, uh,
5:02
audit studies or anything like that from HHS
5:04
on this particular question. Um,
5:07
but I think that the issue really is that it's,
5:09
it's, it's hard. Um, I
5:11
think it's hard for all different
5:13
types of entities. Enterprise risk
5:15
assessment is something that, you
5:17
know, is really, uh, considered
5:20
the cornerstone effort of
5:22
any robust enterprise security
5:24
program, whether you're in healthcare or otherwise.
5:27
Um, and it's, I think it's hard for everybody,
5:29
but I think it's particularly hard for
5:32
healthcare because, um,
5:34
this isn't what they do. So, uh,
5:37
I know we've talked about this before, is
5:39
that, you know, when you're talking to a
5:41
financial institution, for example, um,
5:44
they get pretty quickly why they need to know where
5:46
all their data is and why they
5:49
need to understand the threats and
5:51
vulnerabilities to that data, and
5:53
they need to really plug those holes. Um,
5:56
that's less
5:58
easy for, I think, a healthcare
6:00
institution to understand, um,
6:02
because they, you know, they don't
6:04
necessarily equate, uh,
6:07
the data with, um,
6:09
their mission. In other words, they are very
6:12
concerned about, um, patient health
6:14
and patient safety. Um, and that's
6:16
what their focus is. And I think is,
6:19
I think you'll see from those new
6:21
guidance documents out from HHS that,
6:24
um, HHS, um, is
6:26
really trying to flip
6:28
the conversation to try and convince
6:30
healthcare providers that, um,
6:34
that data security is patient safety. Um,
6:36
because so many of these incidents
6:39
um, do in fact affect
6:41
patient safety and can have some really adverse
6:44
outcomes, but that's not an intuitive,
6:46
um, you know, sort
6:49
of conversation. In other words, you know, the
6:51
physician is going to want to know why
6:54
they have to spend so much time and
6:56
money and staff resources to
6:58
figure out where all their data is and
7:01
then to address, um, any deficiencies
7:03
with, with regard to safeguards for that data.
7:06
It's, it's just not something that they, um,
7:09
are, are, have top of mind, whereas, you
7:11
know, they certainly have top of mind, you
7:14
know, the patient that's coming in the door next, or
7:16
the patient that may be on life support or,
7:18
you know, the new MRI machine that they
7:21
wanna buy to support the effort that
7:23
they have for saving lives. So I
7:25
think, you know, I think that's gonna continue to
7:27
be a really tough conversation. Um,
7:30
and it, and it continues to be, you know, something that
7:32
I think we're all trying to figure out how to have that conversation.
7:36
Um, and until we do, until we convince
7:38
these healthcare organizations that
7:41
they really have to prioritize
7:43
understanding where all of their data
7:46
is, where all of their assets are
7:48
um, such that they can protect
7:50
all of that data against, um,
7:53
really any types of threats. And
7:55
those threats are increasing exponentially
7:57
as we speak, um, that
7:59
we're gonna continue to see deficiencies
8:02
in, in risk analysis. And it's, it's, it's
8:04
really unfortunate, I think, um,
8:06
because as you and I both know, that
8:09
really is the key to getting this
8:11
data security effort, right? Um,
8:14
because you can obviously throw a
8:16
lot of resources at, uh,
8:18
cybersecurity and technical
8:21
safeguards and, and other types of, you
8:23
know, applications and controls that
8:25
are meant to reduce your risk. But
8:28
if, if you don't know really where the risks
8:31
actually are, it's kind of like throwing spaghetti
8:33
at the wall to see what sticks. So, uh,
8:35
it can in a lot of, be, in a lot of ways be,
8:38
you know, a very inefficient, uh,
8:41
way to try and address the risk to your
8:43
data if you don't know, again, where all of
8:45
your data is. Um, but,
8:48
you know, I'd love to hear your thoughts too, because
8:50
again, you know, um, we're always
8:52
trying to figure this out and, and
8:55
obviously, um, you
8:57
know, uh, any thoughts that you have on
8:59
this I think are always helpful too,
9:01
because you, you see it from a,
9:04
a different side than I do, um, day
9:06
to day.
9:07
Yeah, I think certainly, you know, many of
9:09
the things you said align with our experience.
9:12
I think, uh, first
9:14
of all, I, not, not, I think I know actually
9:16
that first of all, there's still, despite
9:18
the fact that the, at least from a HIPAA
9:20
perspective, the guidance on, on what's
9:23
risk analysis under the HIPAA Security Rule has been
9:25
out for over a decade. There's still confusion,
9:27
I, I believe, on what exactly risk
9:30
analysis is. And, and part of that, the
9:32
blame for that, I think resides with
9:35
the, let's call it the cybersecurity
9:38
industry as a whole, because there's a lot of things that
9:40
are called risk analysis in cybersecurity
9:43
world, and they're not the same thing, um,
9:45
certainly as, as what OCR expects
9:47
and, and is, um, more
9:50
fully described in, in their
9:52
guidance. So I think there's still some of that
9:55
confusion going on. Uh, the
9:57
next thing that we see oftentimes
10:00
and, and the bigger, more complex
10:02
the organization, the more of
10:04
an issue this is, is this idea
10:06
of scope. So to your point, you know, not
10:08
having a, a good understanding of
10:10
what the systems and associated
10:13
components are within the organization
10:15
that are used to create, receive,
10:18
maintain, transmit ePHI for, for HIPAA
10:20
purposes. But to your point, um,
10:22
you know, that whatever that information is
10:25
to the extent that it's necessary for
10:27
that organization or critical to that
10:29
organization's achievement of their mission,
10:31
we don't understand that. And, and, and
10:34
that's interesting in and of itself,
10:36
I think because, uh, I don't, it's,
10:38
it's difficult for me to understand
10:42
at this point how pretty much
10:44
any organization, whether it's healthcare or
10:47
otherwise, doesn't fully
10:50
understand the, how
10:52
dependent they've become on information
10:54
systems in order to, uh, achieve their
10:56
mission. And, and certainly that's the case and becoming
10:59
increasingly the case in, in healthcare. So
11:01
I think, you know, that certainly from a business
11:04
executive board perspective, leadership
11:06
perspective, we need to, to better understand
11:09
that. We've had good
11:11
luck working with organizations,
11:14
um, using the activity
11:17
of business impact analysis to really
11:19
help the business folks themselves
11:22
understand the implications of,
11:25
of losing, um, one
11:27
of their critical systems. You know, if, if
11:29
we lose the EHR, how long can
11:32
we continue to deliver services without
11:34
it? Or what's the impact to the organization and
11:36
our ability to deliver care and, and risk to our
11:38
patients if we, if we lose, um, access?
11:41
And so, you know, having those conversations
11:43
and, and, and talking through those scenarios
11:46
with the, the, the folks, um,
11:48
delivering care, the business people themselves, I,
11:50
I think can be helpful to make the
11:53
cybersecurity, the need for cybersecurity,
11:55
more real to organizations. Um,
11:58
the other thing that, that we see, and, and I
12:00
think that you mentioned this as well, is
12:02
just the, the cost associated
12:04
with, with truly doing this effectively.
12:06
And, and, and particularly that,
12:09
that initial hump of doing it the first
12:11
time. You know, if you, if you do it the first time, make
12:13
that investment and then maintain that on an
12:16
ongoing basis, it's, it's manageable.
12:19
But I don't think many organizations think
12:21
about that, even though, you know, in the, in
12:23
the OCR guidance, they talk about
12:25
ongoing risk analysis and, and, and at
12:27
least allude to what, what that means.
12:30
Most organizations aren't doing that. It becomes an
12:32
annual compliance activity if they're
12:34
doing it at all. And, and I don't know that that's particularly
12:36
effective, um, in achieving
12:38
the goals and objectives of the risk analysis or
12:41
from a cost perspective, but, but cost
12:43
is a, you know, is an element and certainly, um,
12:46
you know, depending on the nature of the organization
12:48
we're talking to in healthcare, some of those folks are more
12:50
resource strapped than others. And, and
12:52
it, you know, they're, they're trying to decide whether
12:55
they, uh, you know, buy some
12:58
new piece of equipment for their physicians
13:00
that are gonna allow them to deliver a better,
13:02
higher quality care or apply
13:05
that to risk. And I,
13:07
and I think we've gotten into the habit of defaulting
13:10
to the former instead of considering the latter.
13:12
And that comes back to bite
13:14
organizations eventually, I think.
13:16
So I dunno whether any
13:19
of that resonates with... Yeah, no, I
13:20
think you're absolutely, no,
13:23
I think you're exactly right. And I really appreciate
13:25
your, um, you
13:27
know, your excellent point that there
13:31
really is, um, a disconnect
13:33
between what the
13:36
regulators expect in a lot of these circumstances
13:39
and what a lot of vendors, uh,
13:42
provide to, um, you
13:45
know, industry, uh, members,
13:48
so all different types of healthcare entities,
13:50
um, because of the
13:52
lack of understanding, I think, and, and obviously,
13:55
you know, your team has done this so well for so
13:57
long that I'm sure you consistently
13:59
scratch your head as we do, but, um,
14:01
but it's just really surprising to
14:03
me how, how many times I end up
14:06
educating, um, the, the
14:08
vendor, um, on how to do this correctly.
14:11
Um, and, and that continues
14:14
to surprise me. So I think that's a really good point.
14:17
Um, you know, because if we, if we can't,
14:19
you know, if we can't, um, educate
14:22
the industry, the cyber industry on
14:24
how to do this right, um, then,
14:26
you know, it, it, it just makes me
14:29
more, um, worried about
14:32
educating the healthcare sector as well.
14:34
So, um, I agree that I think there needs
14:36
to be more education
14:39
on this. Um, and, you know, even
14:41
if you look at the additional documents that, as
14:43
you mentioned, came out from HHS
14:45
about, you know, um,
14:48
essential goals and enhanced
14:50
goals related to, um,
14:53
cybersecurity in the healthcare sector, um,
14:56
you know, an asset inventory is
14:59
considered an enhanced goal <laugh>,
15:01
um, which is interesting to me, rather
15:03
than an essential goal. And
15:05
it talks about assets and not necessarily
15:08
about data. So I think we're
15:10
still having some disconnects, um,
15:13
uh, you know, in how we try and educate,
15:15
um, both the,
15:18
the vendors who do this work, um, and
15:20
many of them do it very well, but many of them
15:22
don't, um, and the healthcare sector.
15:24
So, um, I just, I think there is,
15:27
uh, you know, a real need
15:29
for folks to really sit down and figure out
15:31
how we can have these conversations
15:33
in a more productive way. So again, we
15:35
get the message across that, you know, this is
15:37
super important for patient safety, but
15:40
also how to do it right.
15:42
Yeah, it, it's interesting you pointed to, to that example
15:45
of the inventory, that was the first thing that jumped
15:48
off the paper at me when I looked
15:50
at it, because historically, in most
15:52
cases, um, the
15:55
first thing that, that, uh, you're
15:57
looking to have an organization do is understand,
15:59
uh, what their data and, and, uh,
16:02
associated resources are, because how can you
16:04
protect it if you don't know that it exists?
16:06
So, um, yeah, that, that was certainly
16:09
an interesting, um, element
16:12
to the, to the new goals. Uh,
16:14
one of the, one of the complaints, and I'm, I'm sure
16:16
you've heard this as well, and about, uh,
16:18
the HIPAA Security Rule in particular is that it's not
16:21
specific enough. That's, that's one of the things that, that
16:23
we'll often hear from people, particularly from
16:25
folks who just want a checklist, right? If I just do
16:27
these things, I'm okay, sort of approach.
16:30
In the New York regulations or
16:33
proposed regulations, they, they seem
16:35
to be, to be moving towards more
16:38
specific requirements. So they specifically call
16:40
out, uh, MFA, for example. They
16:42
specifically call out, uh, pen testing. They
16:45
specifically call out vulnerability scans
16:47
and risk analysis and give an expected
16:49
frequency for those types of act, of
16:51
activities. Um, what's
16:53
your, what's your perspective on, on
16:56
on either those, those requirements within the New
16:59
York regulations or the, this,
17:02
the often heard demand for, for
17:04
more specific, um, requirements
17:07
when it comes to cybersecurity?
17:10
Yeah, I think that's a, that's a really great question.
17:12
I mean, I think, you know, um,
17:17
the, I, the idea is that, you know,
17:19
we obviously wanna make this digestible.
17:21
So as we were just talking about, we
17:23
wanna make sure that folks can
17:26
access this information in a meaningful way,
17:28
that they can understand it, that they can
17:30
implement it. Um, and
17:32
in that respect, I really don't at all object
17:35
to really more specific requirements
17:38
because I, I do think that we
17:40
have moved that way anyway. Um, you
17:42
know, when we're talking to really any regulator,
17:45
state or federal at this point, they're
17:47
asking those questions. So obviously
17:49
they ask about access controls in that
17:51
way, but they're also asking specifically
17:54
about MFA, um, for example.
17:57
So, um, you know, because we know
17:59
there are, in, at least
18:01
in some respect, some, some current
18:03
best practices that are really, you
18:05
know, a minimum standard at this point for
18:08
what each piece means. So for example,
18:10
again, with access controls, we're talking about, you
18:13
know, sophisticated, um, credentials,
18:15
uh, requirements and, and including
18:18
MFA. So those are things that we keep
18:20
hearing over and over again from the regulators at
18:22
the state and federal level, even though they may not
18:24
be specifically spelled
18:27
out in the law or the guidance for
18:29
that law. Uh, and the HIPAA Security Rule is
18:31
a very good example. Um, so I
18:33
do think it's helpful to
18:36
some extent, and I'll qualify this statement
18:38
obviously in a minute, but I do think it's helpful
18:40
to some extent to have some really
18:43
specific requirements, um,
18:45
that say, okay, if you do these
18:48
six things, um, then
18:50
we're gonna consider you to be, you
18:53
know, at least performing at, at a minimum,
18:55
um, sort of baseline,
18:57
uh, level for purposes
19:00
of, you know, these, these very great
19:03
cybersecurity risks and this, this
19:05
very giant risk landscape
19:07
that we're dealing with. Now, that
19:09
said, obviously, um,
19:12
I don't necessarily think that
19:15
that is long-term the
19:17
best approach, because I do think it's
19:20
incredibly important that we
19:22
make this, uh, space,
19:25
that we make these requirements
19:27
the way the security rule does, flexible
19:30
and scalable. In other words, a
19:32
checklist may work for a one-doc shop
19:35
or a small provider practice, or, you
19:37
know, uh, a wellness spa
19:39
or something like that. Um, a
19:42
checklist is certainly not going to work for
19:44
a very large health system, a very large health
19:46
plan. You know, those
19:49
types of efforts are
19:51
just not sufficient. So if
19:53
we limit our regulatory
19:56
requirements to, uh, a
19:58
discrete set of checklist
20:01
elements, then we
20:04
obviously miss a huge part of
20:06
that risk landscape that may apply
20:08
differently to much more sophisticated
20:11
organizations. Um, and
20:13
so, you know, everybody's always asking me about
20:16
encryption, right? You, you
20:18
very well know. Everybody's always saying, well, encryption
20:20
is optional under the security rule, under the HIPAA
20:23
Security Rule. Encryption is obviously not
20:25
optional. It never has been. It's addressable,
20:27
which means you implement encryption or
20:29
you implement the equivalent
20:32
of encryption and document why you
20:34
have a reasonable compensating control for
20:36
encryption. Um, I think in
20:38
very short order, we are going to be moving
20:40
to a, to a space where quantum
20:43
computing could very likely replace encryption
20:46
as the best standard out there for
20:48
protecting data. And we're gonna have all
20:50
of these guidance documents and all of these laws
20:53
that say, you must do encryption, what
20:55
happens when encryption becomes outdated? Um,
20:58
and it's very difficult for the laws to keep
21:01
up. So it is much more a sophisticated
21:04
analysis, I do think, and
21:06
it is harder to, again, have
21:08
these discussions when we don't
21:10
have a checklist and we don't have a specific
21:13
set of very discrete requirements
21:15
that we are, we are required to implement,
21:18
but at the same time, we don't have the ability
21:20
to, um, pivot
21:23
if we need to, if, you know, the
21:26
next vulnerability is with MFA. So,
21:28
um, you know, I, I think it's,
21:31
it's a really important, um, piece
21:33
of the conversation certainly, but
21:36
I do think that there are drawbacks to
21:38
that approach.
21:41
Yeah, and I, I certainly, I think I would
21:44
agree with each of the elements
21:46
you cited. It's, you know, from a, from
21:49
a, certainly from a NIST perspective
21:51
and, and NIST not being required, but
21:53
one of the methodologies cited
21:55
by OCR, there is
21:57
this notion that I'm going to establish some
22:00
level of baseline controls and then
22:02
understand what the remaining
22:04
level of risk is that I have. And, and
22:06
then to the extent that it exceeds
22:09
my tolerance level, I'm going
22:11
to implement additional controls. But to your point,
22:13
different organizations, what
22:15
would be an appropriate baseline for different
22:18
systems and or organizations can
22:20
vary quite a bit. One of the things
22:22
that I really liked about the, the HICP, um,
22:26
standards is, is that, or practices
22:28
is that, you know, they've tried to break
22:30
it down about, around what's in the,
22:32
about appropriate sized
22:34
organizations and appropriate practices, which is
22:36
helpful, but if you tried to, to then translate
22:39
that into regulation, I think it becomes particularly
22:42
more complicated. Uh, one of the things
22:44
I'm not sure if you mentioned, but, but always comes
22:47
to mind for me, is, you know, under, under
22:50
HIPAA, we have this kind of notion of reasonable
22:53
and appropriate. And unfortunately, one of the other things we
22:55
don't have much, if anything
22:57
of is any sort of, um, case
23:00
law history of the evolving standard
23:03
of what reasonable and appropriate
23:05
is from a controls perspective for healthcare,
23:07
different types and sizes of healthcare organizations
23:10
under HIPAA. Uh, you know, if you, if
23:12
you had sort of a, that, that history
23:15
and, and that would be evolving over time,
23:17
it would be a little easier for
23:19
someone like yourself who's, you know, advising folks
23:22
or, or even us, you know, when, when
23:24
talking with organizations about what
23:26
controls they should have in place, what
23:28
reasonable and appropriate would really be
23:31
for them, I think is, is oftentimes a
23:33
bit nebulous. Uh,
23:36
absolutely. One, one of the other
23:37
I absolutely agree.
23:38
One, yeah. One of the other things
23:41
I thought was interesting under the proposed New
23:43
York regulations was the, um,
23:45
two hour timeline for reporting
23:48
of material cybersecurity incidents. I,
23:50
I think that was interesting to me for, for
23:52
two reasons, two hours is a pretty short
23:55
timeline, at least in, in, in my perspective.
23:57
But the other thing is that they brought in this notion of materiality
24:00
for, for evaluating, um,
24:02
the impact of the cybersecurity incident. And I
24:05
think we, we saw that in the SEC regulations,
24:07
now we see it here. I know, certainly we're
24:10
seeing more and more organizations inquiring
24:13
as to how they determine materiality.
24:15
So, uh, interested in your thoughts on the
24:17
two hour timeline, but, but also perhaps on that,
24:19
this notion of materiality when
24:21
it comes to a breach. I think that's a new,
24:23
new concept, at least for , for many organizations
24:26
in healthcare.
24:29
Yeah, no, I, you know, I, I've been
24:31
obviously thinking about these, um,
24:34
exact issues since, since these,
24:36
uh, you know, proposed, uh,
24:38
requirements have been pushed out as
24:40
well as, as you mentioned, the new
24:43
requirements from the SEC, for example.
24:46
Um, you know, I think these deadlines
24:49
are, um, a bit unrealistic.
24:52
Um, I don't think there's really any
24:54
way you can determine true
24:57
materiality within a two hour period. Um,
25:00
you know, particularly given, is
25:03
that really what we want our incident response
25:05
folks to be worried about in the first two
25:07
hours of a cyber attack? Um,
25:10
you know, I, I do think it's an important
25:13
question, and it's absolutely something that should
25:15
be evaluated at some point and
25:17
should be reported as necessary
25:19
to whatever regulators, um, are,
25:21
uh, may be involved. Um, but
25:24
I'm just not sure it's, it's,
25:26
uh, it's the correct
25:28
timeline for that reason. I mean, I just don't
25:31
know in the, in the vast majority
25:33
of cases, what we would say two hours in
25:35
other than we've had an attack, and
25:37
we're trying to figure out what it is, um,
25:40
and whether or not it's material is going to
25:42
depend on, on many factors, um, that
25:44
will be determined over time. Um, and
25:47
so I really think that that's,
25:49
um, that's going to be a very
25:51
hard standard to meet, arguably. And,
25:53
uh, again, really wonder
25:56
if that's the best use of resources
25:59
in that timeframe, or if that's a burden
26:01
that, that really should be, um,
26:03
you know, placed in a different timeframe.
26:07
Um, I think too , from a materiality
26:09
standpoint, this sounds very
26:11
much like a harm standard.
26:14
Um, and, you know, we've moved away from a harm standard,
26:17
um, in the vast majority of
26:19
our, um, breach
26:21
notification requirements, certainly at the federal
26:23
level. You know, that sometimes that language still
26:26
remains at the, at the state level. Um,
26:28
but, you know, HHS is
26:31
taking an approach, HHS and the
26:33
Office for Civil Rights is taking an approach that
26:36
every cyber attack is
26:40
material that you have to notify everyone
26:42
in every cyber attack. So
26:45
is that the standard? Is that what we mean
26:47
by material? I don't, I don't think so,
26:49
but that's the, that's the approach that the
26:51
Office for Civil Rights is taking. Now, they do
26:54
not allow a risk assessment for purposes
26:56
of a cyber attack involving, um,
26:58
some kind of threat actor. If there's
27:00
a criminal involved, they expect you to notify
27:03
everyone of everything. Um, and
27:06
again, I don't, I don't think that's what the
27:08
HIPAA breach notification rule provides
27:10
for, but I don't think that's
27:12
what we mean by material either. Is
27:14
it really material for
27:16
everyone? Is every incident really
27:19
material all the time? Um,
27:21
I don't think so. Um, and I think
27:23
the vast majority of our industries don't
27:26
think so, but I do think that's where
27:28
the government is moving. And so I
27:31
would like to see additional
27:34
guidance from our state of federal
27:36
regulators on what exactly they
27:38
mean by material. Um, you
27:40
know, I think it's, it's a little bit easier of
27:43
a calculus to do if you're talking about
27:45
a publicly traded company, and
27:47
we have some idea of the valuation
27:50
issues that may be, be resulting
27:52
from a particular type of incident given,
27:55
uh, what might happen in
27:57
terms of, you know, um, reputation,
28:00
litigation risk, regulatory
28:03
risk, um, uh, you know,
28:05
just plain old business interruption.
28:08
Um, and so I think from that perspective,
28:11
I think that's an easier analysis to do. If
28:13
what, if that's really what we're talking about in the publicly
28:16
traded realm, which is what, what I think we're
28:18
looking at from an SEC perspective. But
28:21
with regard to these other regulators at
28:23
the state and federal level, I don't think it's that
28:26
clear. Um, and I think it's a much harder question
28:28
because I think arguably the burden is
28:30
much higher at a state and federal level,
28:33
because what we are seeing from
28:35
those regulators is an extremely aggressive
28:37
approach to considering everything material. Um,
28:40
and I think we need to sort that out.
28:43
Yeah, I, I, I certainly would agree. I
28:45
mean, I think there's, if you're thinking about it
28:47
in the context of SEC regulation,
28:49
there's, there's plenty
28:52
of commentary as to, to
28:54
what materiality means in that context.
28:57
But to your point, I think that
28:59
that term is being adopted outside
29:01
of the, those financial reporting
29:03
context. And I'm not sure that the,
29:06
that folks who are doing
29:08
that necessarily themselves are,
29:13
are adopting the definitions that we
29:15
have from a financial reporting perspective, or,
29:17
or they're thinking that it means something else
29:19
and not, certainly not a hundred percent clear
29:22
to me. That's, that's for sure. So,
29:24
wanted to quickly shift directions
29:26
here and , and talk a bit about , uh, HHS
29:29
and , and , um, the recent publications
29:31
and the concept paper in particularly , uh,
29:34
detailing their cybersecurity
29:36
strategy where they talk about healthcare organizations
29:39
having access to numerous standards. I
29:41
, I , I don't think we disagree there, and
29:43
many of these standards have been around for some time.
29:46
Um, what's your perspective on existing cybersecurity
29:49
standards and their application in healthcare
29:51
and , um, healthcare organization's
29:53
ability to align with those standards
29:56
or practices?
30:00
You know, I think , um, it's
30:03
a really good question, and I
30:05
think in my experience, again, a
30:07
lot of these standards , um,
30:09
are, are frankly the lowest common denominator,
30:13
which in theory should work well. Um,
30:16
but we're still not seeing even
30:18
implementation of these arguably
30:22
very minimum standards. In
30:24
other words, you know, I think the,
30:27
the standards that have been set
30:30
forth , uh, for example, including
30:32
from the HHS FACAs , um,
30:34
you know, responding to the, the 405(d)
30:37
requirements, for example , um,
30:40
you know, this was part of the cybersecurity act a
30:42
few years ago. Mm-Hmm. <affirmative> , um, you
30:45
know, they're absolutely right. I mean, I, I
30:47
don't think there's anything wrong with that guidance. I think
30:49
it's good guidance. I think it absolutely
30:51
should be implemented. Um,
30:54
but it , it arguably
30:56
doesn't even meet the requirements of security
30:59
rule in many respects, the HIPAA security rule in
31:01
many respects. So it
31:03
may be appropriate, again, for smaller
31:06
entities , um, but it may not be
31:08
appropriate for much larger entities
31:10
, um, given what is reasonable
31:12
for those larger entities. So
31:15
again, I , you know, I I'm still a
31:17
bit concerned that there
31:20
are , uh, you know, standards that are
31:22
floating around, including these new ones
31:24
that were published yesterday that
31:27
are , um, you know, divided
31:30
in a way that makes what
31:32
is arguably already required
31:34
under the law look
31:36
like , uh, a reach , um,
31:40
in , in , in terms of using statements
31:42
like enhanced goals. In other words, you
31:44
know, mm-hmm , <affirmative> , um, something that we should reach
31:46
for. Um, I don't, I personally
31:49
don't think, and I think I heard from
31:51
you that you agree, but I don't wanna put words in your mouth
31:53
that, you know, knowing where all your assets
31:55
are isn't an essential goal.
31:58
It's already required by the law. Um,
32:00
and, and yet we have new guidance from
32:02
HHS that says it's actually , uh,
32:05
a reach goal, an enhanced goal. So
32:07
, um, you
32:10
know, I don't, I don't necessarily think
32:12
that , uh, the guidance
32:15
is wrong. Um, I think most of it is
32:17
, is very correct. Um,
32:19
and my concern is really
32:21
whether or not it's , uh,
32:24
it's where we need to be. Um, and
32:26
I, I do think that , um, you
32:30
know , given the overlap or potential overlap
32:33
with our legal requirements, we need
32:35
more , uh, again , clarity
32:39
from particularly HHS and our other state and
32:41
federal regulators about what
32:44
is required and, and why
32:47
these guidance documents may sort
32:49
of hit differently for , uh,
32:51
different entities based on what may or may not be required.
32:54
Um, and, and that's just as we discussed
32:57
a little bit earlier, still not
32:59
clear to me. Um, I do think
33:01
that these , um, documents
33:04
should in fact, indicate the
33:06
standard we're all trying to meet , um,
33:09
no matter what our , um, size
33:12
and resources are. Um,
33:15
while the enforcement of
33:17
such standards may be different,
33:20
depending on the size and type of
33:22
entity and the resources available to
33:24
it. In other words, I still think
33:27
that the best approach is to
33:29
ensure really robust requirements
33:31
, um, that are , you
33:34
know , scalable for different
33:36
types of entities, and the lack
33:39
of implementation is an enforcement issue.
33:42
Yeah. I, I almost
33:44
sometimes get the feeling, and I I
33:47
hope that this is just me being a
33:49
bit jaded, is that we, there's
33:51
certain requirements that exists
33:54
for organizations, organizations aren't
33:56
hitting those requirements and, and they , um,
33:59
suggest, well, I just didn't know what to do.
34:01
So we, we just keep trying to
34:03
find different ways to tell them what
34:05
to do. Um, when not
34:07
knowing what to do really isn't the problem. Uh,
34:10
you know, there's a, there's a different problem either
34:12
whether that's , um, whether
34:15
that's an enforcement
34:18
problem, a financial problem, a
34:20
technical problem, all of the above. Uh,
34:23
you know, I'm, I'm not sure that we're necessarily,
34:26
I , uh, that generating more
34:30
guidance is going to, to
34:32
move the needle much. But
34:35
that said, the, the
34:37
concept paper suggested that , um,
34:40
with additional authorities and resources,
34:43
HHS will propose incorporation of these cybersecurity
34:46
performance goals that we were just discussing
34:48
into existing regulations and programs
34:50
that will inform creation of new enforceable
34:52
cybersecurity standards. Uh , you know, and
34:54
how, so the question is , I think there's a
34:57
couple questions. One, if they do that to, to your
34:59
point, are we lowering the bar
35:01
, uh, in , in , in some cases
35:04
anyway , in regard to the requirements,
35:06
citing specifically the, you
35:08
know, the , the enhanced goals versus the
35:10
, um, essential goals. And
35:12
how do you think HHS will will verify
35:15
that these, or will they even bother to verify
35:17
that, you know, that these standards are
35:19
implemented?
35:22
Yeah. Um, you know, I
35:25
think that that's sort of
35:27
a piece from the , um,
35:31
the, you know, the , obviously we , we've
35:33
had two HHS documents
35:36
come out fairly recently. You know, we had these
35:38
new goals come out yesterday Mm-Hmm , <affirmative>
35:40
, which were a result of the
35:42
, um, you know, the,
35:45
the four area concept
35:47
paper areas of priority that
35:49
you talked about at the beginning of our conversation
35:52
, um, that came out from HHS,
35:55
you know, a couple weeks ago. Um,
35:57
and that was really in , in conjunction
35:59
with, you know, the White House effort to prioritize
36:02
cyber , um, cybersecurity
36:04
and cybersecurity efforts, you know,
36:07
in , in every sector, really. So this
36:09
is the HHS piece. Um, as
36:11
you mentioned, one of those four , um,
36:16
uh, areas of , uh,
36:19
importance emphasized by the
36:21
concept paper was greater
36:24
enforcement and accountability , um,
36:26
by HHS. Um, and that would
36:29
include , um, you know,
36:31
additional regulations under the
36:33
HIPAA security rule. So we do already know
36:35
that HHS is working on
36:37
changes to the HIPAA security rule as a result
36:39
that is now on, on the secretary's rulemaking
36:41
calendar at HHS. Um, and
36:45
so we do know, this is obviously a , a , a
36:47
presidential priority. Um,
36:49
my concern is that , um,
36:55
OCR arguably has pretty broad
36:57
enforcement authority already. Um, they
36:59
have an entire audit authority that
37:01
they're not using. And what
37:05
they are enforcing is they
37:07
are in fact , um,
37:10
investigating every single breach
37:13
affecting 500 or more individuals
37:15
that comes into the office.
37:17
That's a lot of cases, but
37:20
it's also a lot of cases where
37:23
entities were victims and they are reporting
37:26
as they're required to do under the law. We
37:29
know that there are a lot of entities
37:32
out there that aren't reporting. Um
37:34
, they don't have good, you know, cybersecurity
37:37
programs, they don't have good HIPAA programs, they
37:39
don't have good compliance programs, and
37:41
they're not reporting breaches when they occur. And
37:45
HHS is not looking into any
37:47
of those entities. And
37:50
so I continue
37:52
to be concerned that if
37:54
the people that we are punishing, because
37:57
OCR is continuing to move forward with this
37:59
work, they are offering settlement
38:01
agreements and all in , in many of these cases , um,
38:05
if the , if the entities that we're investigating and
38:08
punishing are the ones who are at least trying
38:10
to do what's right , um,
38:13
you know, what's the incentive of continuing to
38:15
try to do what's right if we're not even
38:17
looking at the entities that aren't
38:19
even trying to do what's right, because we're
38:21
never going to move this needle, this
38:24
cybersecurity needle , if
38:27
the vendors that provide services aren't
38:29
doing this, right? If the, you
38:31
know, if the healthcare provider down the street
38:34
who we share medical records with
38:36
isn't doing this right. You know,
38:38
if the , if the hospital or cancer center
38:41
or whatever that looks like that we share patients
38:43
with, isn't doing this, right. So
38:46
I'm still trying to figure out why HHS
38:49
thinks there needs to be more enforcement when
38:51
they arguably aren't using the
38:54
tools in their tool chest that they already
38:56
have. Um, you know, they haven't done
38:58
audit since before I left the agency,
39:01
which was six years ago. Um,
39:03
so, you know, I think that's the, that's
39:06
the piece that I continue to come back to is
39:09
that, you know, we can
39:12
have these requirements in
39:14
the law and we can have these very
39:16
important guidance documents and
39:19
goals , um, and we can have
39:21
all of this , uh, effort
39:23
to educate entities. Uh
39:26
, but if we don't get the enforcement
39:28
right, if we don't get the enforcement piece
39:30
, I think it will continue
39:33
to discourage to actually discourage
39:36
entities to come into compliance. Um,
39:38
and that continues to concern me, but
39:40
I would love your thoughts on that as well. Yeah,
39:43
I mean, certainly if
39:45
I, if you look at it just from an optics
39:47
perspective, the , the
39:50
fact that, and , and not all of the enforcement
39:52
actions exclusively limited to organizations
39:54
that have large breaches, but certainly the
39:56
most, the
39:58
largest, most visible sort
40:01
of, you know, multimillion dollar sort of
40:03
enforcement actions tend to be , uh,
40:06
against organizations that have reported
40:08
some breach or another. And I
40:10
think that, you know, that it's, it's easy
40:13
for those folks and and
40:16
their peers to make the argument, well , you're,
40:18
you're punishing the victim essentially.
40:21
And, and, and I think there's some, to
40:23
your point, some merit to that argument.
40:26
The audits in particular that you referenced
40:28
are amusing.
40:30
And as much as my take on that was, Hey,
40:32
we, we audited folks and, and pretty
40:34
much everybody failed, so we better not do that again.
40:37
Uh, you know, or, or, or what will we have
40:40
to do? And , and that is seemed,
40:43
I don't know, it raises a lot of questions,
40:46
I think to your point about what the,
40:48
the most effective approach
40:51
to enforcement would be. And,
40:54
and I guess to a certain degree that depends on
40:56
what your goals of enforcement are, and if your goals
40:58
of enforcement are to,
41:01
to encourage
41:05
everyone in the industry to implement,
41:07
you know, some level of cybersecurity to
41:10
protect the, the not. And at
41:12
this point, it's not just the confidentiality, integrity and
41:14
availability of information, but we're really talking about
41:16
patient lives, you know, at some point, although that
41:18
comes through in the , in many different ways that,
41:21
that, that how
41:23
we're doing enforcement has proven
41:25
not to be effective in accomplishing that. And so what
41:28
would be the point of continuing to do in enforcement
41:30
in this way? We're just going to continue
41:32
to get the same results , it seems to me anyway
41:35
, uh, to , to , you know, you raised
41:37
a , a couple of things and related to
41:39
this, wanting to get your thoughts and, and along
41:41
those lines is , so, you know , one of the other things mentioned
41:44
was increased financial consequences. I
41:46
assume that means fines and penalties and that type of thing. And,
41:48
and the other is that they, you know, different,
41:51
different , uh, attempts to, to
41:53
rethink this, whether that's in the form of
41:55
additional measures coming through the , you know , being
41:57
pushed out through Medicare and Medicaid requirements
42:00
or updating the HIPAA security rule
42:02
or proactive audits, which I , I think maybe
42:04
you, you were pointing towards in,
42:06
in your com commentary or the
42:09
incorporation of these , uh, performance
42:11
goals. What, what do you think, what
42:16
do you think the , the, the
42:18
answer is if , uh, or which
42:21
of these things you think would be most effective
42:24
in achieving the goal? If we say the
42:26
real goal is to, to better
42:30
protect the patients
42:32
and patient data and businesses
42:35
within the critical infrastructure
42:37
sector of healthcare? It's
42:42
a big question, <laugh> . Yeah.
42:43
That is a really, yeah, that is a
42:45
really hard question, <laugh> . Um,
42:48
uh, and tomorrow I will be queen of the world and
42:50
solve all the problems. Yeah,
42:52
That's a <laugh> I wish I
42:53
Could. That's , so that's a really
42:55
hard question. Um, I do
42:57
think it's a really good question though, and I think that's
42:59
the question that, you know, we
43:02
should be having this conversation with our state and
43:04
federal regulators for sure, because I
43:07
do think there are ways to get that to that. I
43:09
mean, the regional extension centers from medi
43:11
Medicare and Medicaid perspective have
43:14
really been a center of,
43:16
of , um, assistance for
43:19
a lot of entities for
43:21
a very long time. And, you
43:23
know, maybe there are ways to
43:26
leverage that kind of , um,
43:28
infrastructure to
43:31
help educate better , um,
43:33
those, you know, those types of entities
43:36
, uh, about their responsibilities
43:38
and to push resources to those entities.
43:40
So I don't think this needle is
43:43
going to move until we actually
43:45
start providing additional resources.
43:48
Um, and that's, you know, that's
43:50
already hard as, as a , a
43:52
, a national issue because there's just not
43:55
enough people that do this work. There's
43:57
not enough people that do this work well. Uh,
43:59
there's not enough money in these entities for
44:02
this work to be done. It's
44:04
arguably pretty expensive work to do. So
44:07
I definitely think that there will need
44:09
to be additional resources, particularly
44:12
for certain types of entities, because there
44:14
are a lot of entities in the healthcare
44:16
sector that are operating
44:18
, um, with, with no margins
44:21
that are, you know, providing charity
44:23
care , uh, that are doing really critical
44:25
access work. And they don't
44:27
have the funds to do this. I mean , they
44:30
just don't . So I , I
44:32
don't think there is going to be a lot
44:34
of movement , um, unless there
44:36
are additional resources, and that those
44:39
resources are pushed to
44:41
those entities in the right way, in
44:43
ways they can , um, leverage
44:45
them . Um, and so , uh, that's
44:47
always a very difficult conversation, you
44:49
know, how do we, how do we give people money
44:53
potentially, or , um,
44:55
other types of technology resources
44:58
and, and at the same time make sure that,
45:01
you know, it gets to them in the right way and they're
45:03
implementing it in the right way and they're using it for the
45:05
right things and all of that. Very, very hard
45:08
question , very hard . Um, and I think on
45:10
top of that, we still to
45:12
our, our , um, conversation
45:15
just now, we still need to
45:17
, uh, make the stick
45:19
better. So if we're gonna make the carrot better, we
45:21
also need to make the stick better, and the
45:23
stick right now is not working. Um,
45:26
so I do think that there needs
45:28
to be a reevaluation of
45:31
how we do this enforcement work and
45:34
what that really needs to look like in
45:36
terms of trying to get to
45:39
entities that aren't doing anything. Um,
45:42
you know, something is arguably better than nothing
45:44
if , even if it's not perfect. Um,
45:47
but there are a lot of entities out there that aren't
45:49
doing anything. Um, and we know, we
45:52
know that they have really, really
45:55
terrible controls or lack thereof. And
45:58
so, you know, I think those are the two
46:00
pieces that I'm sure I'm
46:03
absolutely sure folks at HHS and
46:06
that are in the state agencies are
46:08
struggling with is really how
46:11
do we get the carrot
46:13
right, but also how do we
46:15
improve on the stick at this point? Because
46:18
until we do both, I think
46:20
it's gonna be very hard to get
46:22
to where we need to be. Um,
46:25
and, you know, again, that's, that
46:27
continues to be a really hard question.
46:31
Yeah , I, I mean, I think, I
46:33
think one could make the argument, I know I've, I've
46:36
thought about this argument that, that
46:39
cyber liability insurance carriers
46:41
move the needle more in the last two
46:43
years with the increasing requirements
46:46
for coverage for healthcare organizations
46:49
than, than the
46:52
federal government has done through their enforcement
46:54
actions in the last probably
46:57
decade. Uh, you know, you, you,
47:00
if you really wanna , depending on how you
47:02
look at it, and the , um,
47:05
certainly from a, from a demonstrable
47:10
implementation of additional controls
47:13
and, and , uh, improved
47:16
maturity of practice that the
47:18
cyber liability insurance carriers made
47:20
a significant , um, drove
47:22
significant progress in those areas, particularly
47:25
in the last two years. And I , you know , there's, I
47:27
think there's a couple reasons for that. Uh , and,
47:29
and , and it's not all intended to be critical
47:32
of OCR or other , uh,
47:35
you know , state level enforcement. I, I think that
47:37
, um, it , it became very,
47:39
it becomes very real at a
47:41
very high level within the organization when
47:44
, uh, when someone
47:46
comes to the board or comes to the leadership
47:48
team and says, Hey , uh, we're not gonna have cyber
47:50
liability insurance coverage at all if we
47:52
don't do the following. Uh, you know, suddenly then
47:54
there's, there's money for MFA and there's
47:56
money for , um, for
47:59
, um, you know, some of the other
48:01
required controls that that insurance , uh,
48:04
companies we're expecting to see. So, you know, I
48:06
think there's something to be learned from that to
48:08
, to your point in regard to the, the
48:11
carrots , um, the proposed
48:13
New York regulations come with potential
48:16
grants to be made to facilitate
48:18
enforcement, and the HHS concept
48:20
paper included mention of the federal
48:23
support resources and this idea of
48:25
the Administration for Strategic Preparedness
42:28
and Response. So ASPR , um, serving
48:30
as a one-stop shop , that
48:33
, that was a , I guess , a bit new
48:36
to me. How do you think HHS
48:39
might use ASPR and, and, and is that,
48:41
would that be an effective way to, to
48:43
perhaps ensure
48:47
that, that the
48:49
carrots that are provided are deployed
48:53
in a way that's most efficient and
48:55
effective for the overall industry?
49:01
Yeah, no, great question. And I, I really appreciate
49:04
your point about the cyber insurance
49:06
piece of this, because I think you're absolutely
49:08
right. Um, I think, you
49:11
know, we have gotten more questions from
49:13
, um, clients
49:16
in the last year, I would say
49:18
, um, about how to do this better
49:20
, uh, about how to do tabletops, about
49:22
how to get their
49:24
incident response plans in shape , all
49:26
of that as a result of their , uh,
49:29
the requirements they're trying to meet from , um,
49:32
from their cyber insurers. Um,
49:34
so I do absolutely agree with you that
49:36
that is a really powerful lever.
49:39
Um, and, you know, maybe that's
49:41
exactly what ASPR should
49:44
consider. Um, you know, I think there's been
49:46
talk for a long time about
49:49
some kind of, you know, effort
49:51
to address , uh,
49:53
insurance issues because as you
49:55
well know, cyber insurance is getting much and much
49:57
harder to get. Um, and
50:00
whether or not we need a government effort
50:02
to address that , um, that
50:04
comes with those same types of requirements. Um,
50:07
so if we're going to, you know,
50:09
help insure you as part of a,
50:11
you know, a government type program for
50:14
this type of insurance, you are
50:16
going to have to provide the documentation on
50:18
these following, you know, 12
50:21
items or whatever that looks like. Um,
50:24
otherwise, I think ASPR has,
50:27
you know, the experience to , um,
50:30
really be boots on the
50:32
ground here. That's what they do. You
50:34
know, they do that. I mean, HHS parts
50:37
of HHS certainly do that, you know, other parts
50:39
of HHS certainly are boots
50:41
on the ground in , in many circumstances. But I think
50:44
ASPR really , really
50:46
has that reputation. Um, they're,
50:49
you know, they're seen as helpful. They're
50:51
seen as , uh, you know, a really
50:54
great resource , um, and
50:56
they can get out there and, and get , um,
50:58
you know, get the conversation moving,
51:01
I think in a way that maybe the
51:04
regulators can't. Um, so
51:06
if, if ASPR comes knocking on your door,
51:08
it looks much more like they're trying to help. Uh
51:11
, whereas if ONC or OCR
51:13
comes, or OIG comes knocking at your
51:15
door, maybe you're more reluctant
51:17
to open the door. So I do
51:19
think, you know, there are, there are some really powerful
51:22
levers that you've emphasized
51:25
that could be really helpful
51:27
, um, in this , um,
51:30
you know, in this problem. And , um,
51:32
I am hopeful that , uh,
51:35
HHS will try and, you
51:37
know, exercise those levers in a
51:39
productive way , um, um,
51:42
you know, moving forward. But, but again,
51:44
really hard questions.
51:47
Yeah. C certainly that , and , uh,
51:49
we're, we're coming up to the end of our time, Eliana
51:52
. I know we could probably continue to
51:54
discuss this for hours, if not days, and,
51:56
and maybe we'll be lucky enough to continue our
51:58
conversation , uh, you know, at
52:00
some other time. And, and I'm sure we'll be
52:02
certainly be talking again about this,
52:05
but I think we're gonna have to call it , uh,
52:07
a day here. So thank you very much for your excellent
52:09
insights , uh, that you shared. You know, as, as always,
52:12
I, I always , um, appreciate
52:14
your thoughts and, and your insight from
52:16
your experience, both, you know, working within
52:19
the government and, and trying to , uh,
52:21
interpret and enforce some of the , uh,
52:23
regulations that do exist as
52:25
well as your work in, in the private sector,
52:28
helping organizations come into compliance
52:30
and address , um, cybersecurity risk.
52:32
I, I really enjoyed our conversation, as I always
52:34
do. Uh, and I want to just thank
52:36
our audience for listening today, and I hope
52:39
everyone has a great day.
52:41
Yeah, likewise. Thank you so much. I
52:43
always enjoy talking with you. And I, I
52:45
likewise, so appreciate your insights. I
52:47
I really think that you , um,
52:50
you and your team have a wonderful handle on
52:52
this stuff and, and appreciate working with
52:54
you at every opportunity. So , um,
52:56
also wanna thank our audience and , um,
52:59
I hope we'll , uh, see all of
53:01
you soon.
53:08
Thank you for listening. If you enjoy
53:11
this episode, be sure to subscribe to
53:13
AHLA Speaking of Health Law wherever
53:15
you get your podcasts. To
53:17
learn more about AHLA and the educational
53:20
resources available to the health law community,
53:22
visit americanhealthlaw.org.