Episode Transcript
0:14
Support for AHLA comes from Clearwater. As the healthcare industry's largest pure-play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and compliance domains; purpose-built software that enables efficient identification and management of cybersecurity and compliance risks; and a tech-enabled 24/7/365 security operations center with managed threat detection and response capabilities. For more information, visit clearwatersecurity.com.
1:02
Hello everyone, and welcome to this episode of the American Health Law Association's podcast, Speaking of Health Law. I'm your host, Dawn Morgenstern, Senior Director of Consulting Services and Chief Privacy Officer for Clearwater, where we advise and support our healthcare clients on how to move their organizations to a more secure, compliant and resilient state. With me today is Betsy Hodge, a partner with the law firm of Akerman and Chair of AHLA's Health IT Practice Group, and Gina Bertolini, a partner with K&L Gates and a member of the Health IT Practice Group. In this episode of Speaking of Health Law, we'll be discussing what activities are driving the enforcement trends and what that means for clients.
1:52
We're seeing a lot going on that will be, and already is, driving trends for OCR activity. So let's jump right in to our first topic, which is enforcement drivers, the focus on federal laws and regulations. So the question I have for you first, Betsy, is: we've seen a flurry of activity recently that appears to be setting the stage for major changes as it relates to privacy and security, such as the reproductive healthcare privacy, HTI-1, information blocking, confidentiality of substance abuse disorder patient records, and even the OCR bulletin and guidance on the use of AI. And now that the HIPAA Audit Review survey notice has also been published, what are your impressions of this activity and how clients can prepare for what appears to be big changes coming?
2:58
So, thank you, Dawn, and I'm glad that you were able to make it through that laundry list of activities.
3:03
I know, and that's only part of it. That's only part of it.
3:06
Exactly. And I can't tell you how many things have come out since we first started planning this podcast. So I think first I would say to entities in the healthcare space, get your reading glasses out and start reviewing all of this material, because I think it does signal that, as you said, Dawn, there are big changes coming down the pike. And so now is a good time for organizations to assess where they are and start looking at some of these materials that have come out. For example, the cybersecurity performance goals, you know, is a nice little checklist, an easy checklist to see where your organization is as far as best practices for cybersecurity. I would suggest continuing to read the resolution agreements that OCR puts out, because those are always a good checklist to make sure that you are keeping up with OCR's expectations, especially in the cybersecurity space, but also with privacy generally. You know, I would also suggest, if you haven't already, take a look at your organization's use of tracking technology. There is some litigation pending in Texas about OCR's bulletin or guidance or proposed rule, depending on your perspective, regarding tracking technology. But I think that issue will be around for a while, and we're seeing, you know, private litigation over that. So, again, really get your reading glasses out and, you know, start reviewing what the agencies have been publishing, because I think they don't publish this material without a purpose. And so I think it's now harder for organizations to say we did not know what to do if something happens.
5:29
And I think we're also seeing a lot of these all commingle too, with what we're reading, at least in some of the final rules and the notice of proposed rulemaking. So that's another reason, back to your point, to get out your reading glasses. <laugh> Yeah.
5:46
And I think, this is Gina Bertolini, I think we're going to see, you know, to your point, Betsy, and I know we were discussing this offline, you know, boy, we're gonna need OCR to take a vacation so we can catch up. <laugh> You know, and really it feels that way. The concept paper that HHS released, you mentioned the CPGs, which came out of that concept paper, the concept paper itself was released in December, also mentioned updates to the Security Rule potentially in this spring, which we know, you know, we haven't seen in years. And I would just say, to tack onto what you said in terms of sort of all this content that we're seeing, you know, two major trends emerge. And Dawn, I know you'll get into this in a question, but sort of the cybersecurity trend, you know, focus on cybersecurity, right? As well as a focus on sensitive records. And you mentioned, you know, the substance use disorder update to Part 2 to align it with HIPAA. We've also got the reproductive healthcare proposed rule pending, and it does seem that in particular, as we head into an election, you know, the Biden administration's incredibly focused on protecting sensitive records as well as focusing on security.
7:01
Yeah, I would agree. Betsy, any other thoughts around that? Oh, I know one. So the other thing we haven't touched on yet is the fact that they just announced, or they just published, HHS just published their annual report to Congress on breaches. So that's another interesting thing to focus on. Not directly related to the regulations as far as changes, but I think there's some good insights in that in their direction and what they're seeing. What are your thoughts on that?
7:39
I thank you for pointing that out, Dawn, because I think those reports are helpful. In addition to the points you raised, they're helpful for educating people about the process that OCR goes through when it investigates either a report of a large breach or a complaint, or its compliance reviews. So I think it's helpful background information for those who are not that familiar with the OCR process. And I think it ties into something I think that we may get to a little bit later, about preparing to tell your story, <laugh>, right? So sorry for that foreshadowing, you know, but I think that's helpful information in there. And again, it's also helpful to see, you know, in a relatively condensed view, where OCR is seeing the most activity, the types of breaches, and also shortcomings they may be seeing in certain organizations. And again, that's a roadmap for organizations to use to make sure they're implementing best practices. Yeah.
9:00
Especially since we see such a huge focus on the resolution agreements and the corrective action plans. And I think what people lose sight of is all the other stuff that OCR is investigating that may not rise to that level, and being able to keep that in mind when you're looking at your privacy or your security program. I always say, you know, you can learn from others' unfortunate circumstances when it comes to improving on and maturing your own program as a covered entity, or a business associate, for that matter.
9:43
Absolutely. And then one other development, or resource, folks might wanna consider is the AHLA Health Information and Technology Practice Group is going to be publishing an update to our online enforcement tracker. Mm-hmm. <affirmative> It should be coming out soon, <laugh>, through the end of 2023. And then we'll be updating it again this year, thanks to Gina and her folks. And it's a great...
10:20
That's kind of a perfect segue into our next topic, actually, which is the enforcement trends and the work that the HIT Practice Group has done. So, you know, as a privacy officer, I always found it valuable to monitor the enforcement and regulatory trends, as I said, to learn from others. And that's not just their unfortunate circumstances, but it's also, you can glean best practices from that to understand where to focus time and resources, which are usually very valuable. You both have been very engaged with the AHLA Health and Information Technology Practice Group and the development of the tracker for the enforcement trends. Can you give us a quick preview of that and the work that you've done and are continuing to do, and how that can benefit clients, especially based on some of the recent enforcement actions?
11:18
Sure. Yeah, this is Gina. I'll go into that. Thank you, Dawn. Well, I have the privilege of being a member of this committee and just am really loving working with Betsy and Adam Greene and others on the committee. So I just wanna, you know, honestly, I wanna thank the AHLA for the opportunity, because it's really enhanced, I think it's enhanced my connection to other practitioners in this area. It's a fascinating, and as we've been talking about, really evolving area. The trackers, just so folks know if they're not familiar with them, are really useful tools that the AHLA produces. We release them, you know, multiple times a year, three to four times a year, just depending on the year and the level of activity. But it's more than an annual update. And the trackers, there are four of them. So there's the criminal tracker, which focuses on any data privacy, and in particular in the HIPAA space, activities that are criminal enforcement actions. And then of course, OCR resolution agreements is another tracker. There's an FTC tracker, so tracking FTC settlements or enforcement activity. And of course, we saw quite a few in 2023 relative to previous years under FTC's Health Breach Notification Rule, as well as consumer fraud protection laws that FTC enforces. And then the last tracker is the state AG settlements, and we're also seeing just a tremendous amount of activity there. So those trackers...
12:48
That's a hard one to track. That's a hard one to track, I imagine, you know.
12:51
Yeah. Tell me about it. My experience, my own experience, yeah, trying to track all that, because there are so many different sources there.
13:00
That's right. And that is one I almost feel like the "it takes a village" sort of comment applies, because, you know, I'll get emails from Betsy or Adam or others saying, oh, there's this AG activity, and of course we have some formal search processes in place and some great associate attorneys who are working on that. But you're right, it takes quite a bit to really make sure that you're getting the full landscape nationally, and we've seen, you know, increased activity by state AGs in data in general, you know, data privacy, including in the healthcare space. Yeah.
13:36
In terms of what we're seeing, Dawn, you know, I think I'll focus a bit on the OCR resolution agreements, because we are seeing some of the continuing trend that we had seen, in particular with the right of access cases. There was a right of access case that I believe was about the 46th HIPAA right of access case, and that was the end of 2023. And just for our listeners, in case they're not tuned in, the right of access initiative was really sort of formally implemented by OCR a few years ago. Obviously, there's always been the right of access under HIPAA that allows patients to designate third parties to receive their protected health information. And of course, they can make complaints. But a couple of years ago, OCR really began a concentrated effort in enforcing right of access complaints, and we saw a flurry of activity in, you know, 2021, I believe it was 2022, and then that sort of tapered off in 2023. We did see the 46th one at the end of the year. But what we've also seen is a couple of, I think, you know, fairly momentous resolution agreements. Oh, yeah, yeah. Including, you know, OCR even acknowledging the first and the second ransomware-related resolution agreement. So one involved Doctors' Management Services, and that was late last year, which involved ransomware that encrypted files. There were about 200,000 affected individuals; that resulted in a $100,000 settlement and a three-year corrective action plan. And then the other one, the second ever ransomware attack, we just saw just in this month, in February, involving Green Ridge Behavioral Health. That's another ransomware attack. That one affected 14,000 individuals, and involved a network server that had been infected and then sensitive patient records that had been locked down, encrypted through malware, and that involved a $40,000 settlement, also a three-year corrective action plan. And what I'll comment there, you know, 'cause folks can go in and read the details, right? A couple of what I'm seeing in terms of trending, you know, and what OCR is really focusing on, are the failures that occurred leading up to those ransomware attacks. So the lack of a risk analysis, right? The lack of implementing a risk management plan, the lack of policies and procedures, lack of audits going in and looking at your activity, and lack of workforce training are sort of the four or five things off the top of my head that we're seeing repeatedly, I think in both comments by OCR as well as in their settlements, and then in where they're focusing in terms of the corrective action plan. You know, Betsy, you mentioned something I think really important that our listeners and our clients really need to pay attention to, which is, boy, those corrective action plans are helpful, right? If you go in and you read them and you read what OCR is telling these entities to do in the wake of a ransomware attack, step by step, that gives you a sense of what you ought to be focusing on now. So, and I always tell my clients, you know, it's not whether you'll have a breach, it's when, and I hope the same isn't true of ransomware, but it sure seems like it could be. Right. We've seen, the OCR says, about a 260% increase in ransomware in the last five years. So it is a very important focus for OCR, and, you know, I think our clients are well served to understand what they need to be doing now, not only to mitigate the risk, right, and detect if and when it happens, but mitigate then the enforcement, right?
17:37
Because I think I see that a lot sometimes too. You mentioned the risk analysis being a big component of that, and, you know, oftentimes organizations think that it's a one-and-done, and they don't realize, and OCR has spoken on this many times, about, you know, an accurate and thorough enterprise-wide risk analysis of all of your ePHI. And so it's an ongoing process, and that's, you know, one of the things we advise our clients on, is it's not a one-and-done. We're here to help and keep that as an ongoing process. So as you bring on new systems, applications, you know, you're doing a thorough risk analysis of those. Yeah. And with sunsetting those too. So,
18:20
Yeah. And Dawn, in fact, one of the, it was either Lafourche or Doctors' Management, those are the two ransomware, and I believe one of them referenced the importance of consistently monitoring and managing. And so, to your point, you may do a risk assessment or risk analysis, but as your systems grow and change, you need to go back in and do it again.
18:43
Right, right.
18:44
Yeah. And I think it's probably not a coincidence that recently NIST released guidance on implementing the HIPAA Security Rule. It's NIST Special Publication 800-66, for those.
19:03
Another good catch, you know. <laugh> We wanna look it up for our list.
19:07
And it was with, I believe, OCR partnered with NIST on that guidance document. So again, that's another resource that's available to help those organizations that perhaps have not fully developed their security compliance program, or just want to do a gut check to make sure they're implementing, right, all of the security requirements appropriately.
19:33
It's a great list of questions if you read through that. Yeah. With each of the requirements. So it does, as you said, Betsy, it really helps focus.
19:44
And one other point, I know historically OCR has looked at compliance with the Privacy and the Security Rule as a data privacy, or from the lens of the data and whether it's remaining confidential, the integrity there, and it's also available. I think we're seeing a greater understanding that, you know, if there's a ransomware attack or some other cyber event, it's not just a data issue or a patient privacy issue, it's a patient safety issue, potentially it's a revenue issue for the organization. And I think, you know, there's a rather large incident occurring now that's been in the news a lot, you know, with Change Healthcare. And I think it's showing that, you know, that this is, if you have a large cyber incident, you know, it's a multifaceted incident and you need a whole-of-organization response. And I think OCR now seems to be looking at these incidents more holistically too.
21:08
And that brings up, oh, sorry, Gina, did you...
21:10
No, I was just gonna say, Betsy, I think that's a great point there. There's the Hospital Cyber Resiliency Initiative, which was sort of a joint, you know, study and report issued by HHS and CMS and others, and they really focused on that point that these cyber attacks are patient safety issues. And there's a tagline, and it was, you know, something like "data safety is patient safety." It's not exactly that. But I think that's a really great point as well, that as we continue to evolve into this era of really very significant cybersecurity events, that we will see a greater risk to patient safety. Yeah. So that's a great point. And I wanted to clarify, sorry, if I could, because I misspoke earlier. The two ransomware settlement agreements, just in case folks are tracking, it's Doctors' Management and Green Ridge, and then Lafourche actually is the first phishing. Phishing, right? Yeah. Phishing, which, you know, Betsy, Dawn, we've talked about previously, which was a settlement that OCR entered into with Lafourche Medical Group, where there was actually, you know, the threat actor entered through the phishing scheme through email, which of course is another concern of OCR.
22:30
So, and I think, oh, I'm sorry, Dawn. I was just going to mention briefly a couple other themes that we've seen this year in the resolution agreements are, I would say, what's old is new again, <laugh>, for example, the St. Joseph's Medical Center case, where there was the impermissible disclosure of PHI to the media. Oh, right, yeah. During the early days of COVID, when, you know, film crews were coming in to show, you know, the tremendous strain on hospitals and the heroic work that healthcare workers were doing. And, you know, proper authorizations may not have been obtained, you know, so we've seen those types of situations occur every so often over the years. And then also healthcare providers responding to online reviews and not realizing, perhaps, that by responding they are inappropriately disclosing PHI. And so, you know, it seems every couple years OCR has a settlement, you know, involving one or more <laugh> of those topics. So I think, you know, those are not cyber incidents, but still things to keep in mind.
24:04
And Betsy, as our health system continues to evolve and we see more sort of, you know, non-traditional healthcare providers in the telemedicine space, which then affects our more traditional healthcare providers, who need to keep up and compete. You know, we are seeing these kinds of issues, like responses to comments and the desire to post patient reviews, is a pretty significant issue, and I think will continue to be, you know, in terms of it being needed for competitive purposes. But then this question of, well, how do we handle it in terms of, you know, compliance, right? So it's a great one to bring up.
24:44
And Betsy, you brought up a good comment that takes us into another question, which is, as far as, you know, trends related to business associates. And what would you recommend to those organizations to be more rigorous and thorough in their programs that they've implemented, especially when it comes to business associates or third parties, vendors? And you brought up a perfect example of what we're seeing with the Change Healthcare situation right now. What are your thoughts on that topic?
25:21
Well, I would say what you just said, Dawn, to be more rigorous and thorough. But as we know, you know, there are only so many hours in a day and so many resources to do that. So I think it's important for organizations to prioritize their business associates, which means first you have to understand and know all of your business associates, you know, and who is handling your PHI. So once you get your arms around that, then triaging which of those entities pose the greatest risk to your organization, and then devote more resources to those organizations, doing a deeper dive when you're vetting those business associates, making sure you get security questionnaires completed. Exactly. And, you know, vetting them more carefully, and then periodically revisiting them to make sure that what they told you when you first contracted with them is still the case. You know, are they still, you know, if they have their SOC 2 or if they're HITRUST certified, you know, is that still the case? You know, have they evolved over the years? So I think that's important to do, but I think it's also important to understand that some of these large cyber incidents that we're seeing are not even at the business associate level. They're lower down the chain. You know, earlier this, no, last year, <laugh>, it was last year, with the MOVEit software incident that affected a number of organizations. And what we found in our experience was it was not the covered entity that was necessarily using that software, but it was, you know, a couple subcontractors down the chain, you know, and that's hard to monitor, because you're not obligated to go that far down the chain. But I think maybe with those high-priority business associates there, you may want to see what processes and procedures they're implementing to monitor their subcontractors.
28:02
I would say it goes beyond the days of "all you need is a business associate agreement," and it really supports what we've been talking about, which is having a good vendor or third-party risk management program. You may not go to that ninth-degree subcontractor level, but it's about informing yourself of what those downstream vendors, contractors, subcontractors are doing too.
28:33
And we have seen multiple instances where, you know, the entry into the health system is through the vendor account. Mm-hmm. <affirmative> And in some instances, an outdated vendor account, you know, of a vendor, an individual who's no longer there, or, you know, vendor access rights that should have been terminated. And that goes back to, you're right, I think that's a great point, which is your third-party risk management system, or your vendor management system. And what we see OCR talking about as it's describing the importance of a risk analysis, of course the Security Rule requires, you know, the physical and the administrative and the security, you know, analysis, yeah, the technical piece, right. But we're also seeing them focusing on looking at your relationships with your third parties, your business associates, as Betsy just said, and assessing those and inventorying them and understanding the risk there and managing that risk.
29:35
So let me ask this. You know, many of the recent enforcement actions, you know, some of those, when you start reading through the resolution agreements, they date back to like 2015, 2017, 2019, and they're just now being resolved, now in late 2023, early 2024. Is there a perception that organizations are maybe penalized based on today's cybersecurity landscape versus at the actual time of the security incident?
30:06
Yeah, that's a really good question, and I'll be interested, Betsy, in your thoughts on this. I'm not sure. So I think there are a number of threads here that we could pull. When we look at, you know, the dates of the activity versus OCR's enforcement action, which in many instances have just occurred in the last handful of months, I think one contributing factor is OCR's resources. And, you know, when you report a breach, how long does it take until you get an RFI, if you get one from OCR? How long does it take to sort of get through that? One of the settlements was from May, the activity was May of 2015, and that's a recent one involving Montefiore Medical Center. And that one, you know, I think involved a bad actor within the organization who was selling PHI. And so that I think is somewhat unique. That's, you know, called that malicious activity sort of resolution.
31:05
Insider threat, yeah.
31:06
Yeah. And insider threat. And I, I just think, you
31:09
know, that's a unique, that's,
31:11
that's fairly egregious behavior
31:13
by, you know, an employee of the health system.
31:16
And it, it went on for some time, you
31:18
know, without being , um, identified.
31:20
And, and it's unfortunate, right, for that health
31:23
system. But I think that that to
31:25
me feels unique. Um, some of the other ones
31:27
that are recent as well involving ransomware,
31:30
you know , certainly , um, there
31:33
is a, a, a
31:35
focus on cybersecurity
31:38
incidents, as we talked about at the beginning of our session,
31:40
you know, that that is , um, peaked
31:42
because of the increase in these
31:45
incidents that are, that are happening, you know, in almost 300%
31:47
increase in five years. Um, we
31:49
just didn't see them before. But
31:52
I, I think that , um, that,
31:55
that it is in part due to
31:58
OCR's lack of resources and,
32:00
and just the timeline there, protracted
32:02
timelines. I think it's also in
32:04
, like I said, you know, the one case is sort of
32:06
an outlier. Betsy, I'm curious your
32:09
thoughts. I, I think that OCR is,
32:12
is focusing on ransomware and cybersecurity,
32:14
and they're going to look carefully at
32:17
what organizations did leading
32:19
up to the attack, and, and
32:21
if they were in a good situation
32:23
to protect themselves, you know, if
32:25
they were taking measures, taking steps to protect themselves
32:28
and where they weren't, they're gonna get hit. I
32:30
think that's the reality.
32:34
I, I agree with what you say, Gina,
32:36
about the focus on ransomware
32:38
and other , other cyber threats leading
32:41
to , um, data breaches.
32:43
Um, and OCR focusing on that. I
32:47
think there may
32:49
be some , um,
32:54
I , I don't know that it , there
33:00
may be some , um, justification
33:04
for thinking that
33:07
if I had an event in
33:09
2015 and , and say
33:12
it was a ransomware event because
33:14
they were occurring back then, they just weren't as
33:16
prevalent. We , um, right. They
33:19
were not as well , um, publicized
33:21
, um, depending
33:24
on how long it takes for the investigation
33:26
to occur. Right ? If , if someone's
33:29
investigating it in
33:32
2019,
33:34
2020, 2021, the landscape has shifted
33:38
significantly, say, in that five
33:40
or six year span. So it may
33:42
be a case of , um,
33:45
you know, hindsight is always 20/20. And
33:48
so without intending
33:51
to impose say, 2021
33:53
standards, you know, on what happened
33:56
in 2015, that
33:58
may unconsciously, you
34:01
know, happen , um, y
34:04
you know, but again, it's hard to remember. I
34:06
, yeah , 2015 seems to, I know
34:09
<laugh> ,
34:09
But I think what you're saying, in fact , I think what
34:11
you're saying is we're looking at what happened
34:14
several years ago through the lens of what we
34:16
know today, right? And we've seen
34:18
how much these attacks have
34:20
increased in terms of affected individuals
34:23
and, you know, the percentage of them being reported.
34:26
Um, so that's a , and I don't know how
34:28
you can, though I don't, you know, I'm not
34:30
sure how you can't look at these
34:32
attacks through the lens of today. What I do know
34:34
is not every ransomware attack results
34:37
in a resolution agreement.
34:39
Right. That's a good point. 'cause that was my next question
34:42
I was gonna ask is, you know, how
34:44
does that correlate to the breaches that were
34:46
resolved through technical assistance? You know, could
34:49
enforcement be based on how the ransomware
34:51
occurred, meaning how the bad actor was let
34:53
in and, or how the organization
34:56
responded? Thoughts
34:58
on that?
34:59
I think how the organization responded
35:03
makes a big difference
35:05
, um, in the investigation
35:07
process. Um, I think OCR
35:10
has always said they do
35:12
not expect perfection , um,
35:15
in complying with , um, the
35:18
privacy rule or , um,
35:20
the security rule. They understand that things
35:22
are going to happen, but it's
35:24
really, I think, how the organization responds.
35:28
Well , one, can the organization
35:30
detect that something has
35:33
happened, and then once it detects what happened,
35:36
how are they responding? So I think
35:38
those organizations that have in place
35:40
, um, you
35:43
know, policies and procedures around reporting
35:45
, um, if you see
35:47
something that's wrong, and then understanding
35:51
the chain of command to implement
35:53
your incident response plan , um,
35:56
your business continuity plan if needed,
35:59
and then documenting everything
36:01
that you're doing, because when
36:04
it comes time
36:06
, uh, you know, to respond
36:08
to a request for information from OCR
36:10
, um, they
36:14
want to see the documents that you , it's
36:16
not enough for you to tell OCR what
36:18
you have done. Um, but
36:21
also to be able to show OCR
36:23
what you've done, to have the policies, the
36:26
procedures , um, and to be able , um,
36:29
as we've talked about before, to tell your story,
36:32
you know, in a way , um, you
36:35
know, that makes sense and is supported
36:37
, um, by , um,
36:40
your policies, procedures, and the
36:42
steps you took to address
36:44
the situation when it arose. So,
36:47
Gina, do you have some thought ? Yeah,
36:48
Thank you. I was just gonna say, Dawn , if I
36:51
could add to that, 'cause I know <crosstalk> Oh , definitely. Go
36:53
ahead. Time and content. But one
36:55
thing I will say, and I, Betsy, I,
36:57
I agree wholeheartedly with everything you said, and,
36:59
and this is a message really to,
37:01
I think, you know, healthcare entities that may
37:04
be dealing with an attack or will in the future. And
37:06
in particular to executive leadership, the
37:08
, the role of, you
37:11
know, the , the approach of transparency is
37:13
really a key here. Um,
37:15
so really approaching how
37:18
you report , um,
37:21
and message, tell your story. As you just
37:23
said, Betsy , um, a ransomware
37:25
attack to federal and state regulators
37:29
is really different than
37:31
an approach you take in defending
37:34
a lawsuit, for example. Right? And
37:36
I appreciate that many of these are turning
37:38
into class action lawsuits, and that
37:41
might be a topic for another day, because that's,
37:43
you know, that's a whole nother a whole different subject, but
37:47
they're not different subject, it's related, but it's, it
37:49
really is a can of worms. But what
37:51
I will say is, I've, I've had to work
37:53
with executives in dealing with breaches
37:56
and how to handle with federal and state regulators quite
37:58
a bit to help them understand that we
38:00
really wanna be able to tell our story
38:03
and, you know, and put our organization the best possible
38:05
light. That means taking steps
38:07
to mitigate immediately, even before
38:10
we hear from those regulators, even before we've
38:12
reported, so that once we report and
38:14
we answer all the questions that you have to answer
38:17
in the OCR portal, and then we get
38:19
the RFI, if we do, which we're
38:21
likely to, you know , we can answer those
38:23
questions in the best possible way
38:25
to say, these are the steps we've taken to
38:28
address, you know, to initially mitigate
38:30
the, the risk and the breach, and then
38:32
address the, the source of the risk
38:35
or the breach, and then, you
38:37
know, take steps to prevent this from occurring
38:39
again in the future. And when we can tell
38:41
that story in a way that demonstrates
38:44
that we recognize the importance
38:46
of compliance, the risk to patient safety,
38:48
as you said, Betsy, not just to data
38:51
that really is meaningful to the, to
38:53
the state regulators and the federal regulators, and to
38:55
your point, they, they don't expect,
38:58
you know, that you'll be perfect or
39:00
that you won't have a breach. The question is when,
39:02
and so this idea of transparency,
39:05
and I know it's a fine line, but
39:07
it really takes, I think, working
39:09
with the team that has,
39:11
has been through the trenches with, with, in
39:14
particular with OCR before, to, to
39:16
help you understand that some
39:18
level, this level of transparency that may feel
39:20
uncomfortable, for example, in a litigation environment,
39:23
is really important to, to demonstrate
39:26
to OCR that you know what you're doing and
39:28
to avoid potential, you know, significant
39:31
penalties. Um, so that's one takeaway
39:34
I would say, or one message I would give to
39:36
our healthcare clients is, is really
39:38
, um, thinking about that, that
39:40
story that you're telling and how to put yourself in the best
39:42
possible light.
39:43
And Gina , you brought up a good point about , uh,
39:46
involving leadership. So, you
39:48
know, with the organization's competing
39:51
challenges for resources and funding and
39:53
trying to either implement or update
39:55
those existing programs , um,
39:58
how would you recommend privacy and
40:00
security officers educate
40:02
leadership and the workforce to that
40:05
extent on the importance of, or
40:07
the impact that these types of
40:09
things have on the organization, such as
40:11
patient safety, interoperability, and
40:14
information blocking, you know, and
40:16
how, how do they balance all of those?
40:18
Oh , that is a, a great question lot .
40:20
It's a loaded question. Yeah, it's
40:21
A lot . It's a loaded question. Yeah . Because, and as you throw
40:23
in, and I'm so glad you brought up interoperability
40:26
and information blocking, because one
40:29
of the things we're talking a lot about within,
40:31
you know, those of us who practice in this area is
40:33
this balance of, you know, the , the government
40:36
really wanting health systems to
40:38
implement the systems that will facilitate
40:41
, um, complete interoperability,
40:44
and in fact, mandating that, right? Mandating
40:46
that through CMS's Promoting Interoperability
40:48
program and through ONC certified
40:51
, you know, health IT and requiring
40:53
the use of that and all of that, and then the information blocking
40:55
rule, right? So there's all these things where the government's
40:57
saying, you need to make your data open
41:00
and available where it's otherwise permissible
41:02
under HIPAA or other federal state laws.
41:04
That's great, but it also increases
41:07
the vulnerability of the organization. So
41:09
to your question of how do you educate
41:12
leadership, I think it's,
41:14
it's really important, you know, one,
41:16
I , I think sometimes the fear tactics
41:18
work. And so pulling
41:21
out these OCR resolution agreements,
41:23
you know, the, the one , um, I'm
41:26
trying to remember which one was just
41:28
4.75
41:30
million , um, one of the recent settlement
41:33
OCR resolution agreements and, you
41:35
know, and then, and any number of hundreds
41:37
of thousands of dollars that they range from,
41:40
I think pulling those out and showing your leadership
41:42
the impact, but there's also this
41:44
, um, element of trust, right? That
41:47
it , it , so the, the PR you
41:49
know, and, and what, what you don't wanna
41:51
see on the headlines of the morning news is that your,
41:54
your health system has suffered a major breach.
41:56
That's all really important, but what does that really
41:59
mean for trust, patient trust? And
42:01
so some of these pretty egregious
42:03
cases that have settled recently, you know, involved
42:05
very sensitive records and entire medical
42:08
records that were shut down. So I think
42:10
helping leadership understand
42:12
the monetary risks, the,
42:15
the reputational and trust
42:17
risks, and then the really
42:19
concrete steps that you can take to
42:22
mitigate those risks. It doesn't mean you will, you
42:24
will rid them forever, but
42:26
you can mitigate them. And then as
42:28
we've been talking this whole time, demonstrating
42:31
that you took those steps before
42:33
the breach happens, which will then mitigate
42:36
any penalties with, with the Office for Civil Rights.
42:40
Betsy, how about, I , I know , what do you think? I
42:42
know we're short on time, but I think it's a great question of,
42:45
you know, how do we, how do our
42:47
clients educate leadership to
42:50
make sure that organizations are in a
42:52
good position when these things occur or
42:54
in the best position they can be anyway?
42:56
Well, and I think you
42:59
bring up a good point, Gina.
43:02
Um, and this also ties back to what we were talking
43:04
about before the , um, the
43:07
reports that OCR recently
43:09
released , um, about their activities
43:11
in 2022. Um,
43:14
and one of the comments in there , um,
43:17
that OCR made
43:19
was about the length of time it
43:22
takes to , um, conduct
43:24
an investigation and how that timeframe
43:27
has gotten longer now because of
43:29
a change in the HITECH Act in
43:31
2021, where now OCR
43:34
is , um, required
43:38
to consider whether an organization
43:40
has implemented recognized security practices
43:43
in the 12 months before
43:46
the incident. Um, that's
43:48
being reported to OCR. And
43:50
so I think this
43:54
ties in with your point about educating
43:56
leadership about , um, the
43:58
importance of, you know , having
44:01
in place policies and procedures.
44:04
And to your point about transparency,
44:08
you get rewarded with OCR if
44:10
you can demonstrate, you know, that you
44:13
invested in these recognized security practices,
44:15
had them in place , um, and
44:18
, um, you know, can document
44:21
that you had these security
44:23
practices in place. Um, you
44:27
know, and it benefits you , um,
44:30
in the OCR investigation. And , um,
44:32
obviously you would be encouraged to disclose
44:35
that information , um, to
44:37
OCR. Um, so I
44:39
, um, but again,
44:41
that also means that you would
44:43
have conducted a risk analysis and implemented
44:46
a risk management plan to address
44:49
the threats that you've identified. So
44:51
it all really sort of comes full
44:53
circle, I think. Um,
44:57
And also I think another , um, key
44:59
, uh, thing that you can leverage, and it , this
45:01
doesn't apply to all entities, but
45:03
to certain entities is the , um,
45:06
the cyber , uh, the reporting
45:08
, um, uh, to the SEC
45:11
in your filings. Uh , so
45:13
if you know you're an organization that falls
45:16
into that category for compliance, that
45:18
can be another driver too that, that can
45:20
really push that message up to leadership
45:22
, um, where they may directly
45:25
be impacted.
45:27
That's an excellent point. And we just saw
45:29
that with Change Healthcare , you know, that breach occurred
45:32
within less than a week, I think, before
45:34
the recording of this podcast. And within
45:36
days they reported to the SEC
45:38
, right ? Yeah. Just a high level report of what they
45:40
know, and they don't, it sounds like they don't know a lot yet,
45:42
but that's a great point. And that ought
45:45
to get, you know, in an organization that's
45:47
required to report to file those 10-Ks,
45:50
you know, that ought to get leadership's attention, right? Yeah.
45:53
All right . So I really wanna thank you both , uh,
45:56
for your, your excellent insights
45:58
and you know, we've had many conversations
46:00
not just today, so I've really enjoyed our conversations,
46:03
but before we end the podcast, do
46:06
, uh, I'm gonna give you each an opportunity
46:08
for some final thoughts or takeaways that
46:10
you have for our listeners. So we'll go Betsy
46:12
first with you , uh, for some final
46:14
thoughts.
46:19
Document the good work that you are doing
46:21
within your organization , um,
46:24
so to protect
46:27
not just patient data, but patient safety.
46:29
So you are ready to tell your story,
46:33
not if, but when you need to do
46:35
so.
46:36
Okay, Gina, how about you?
46:38
Yeah, I'll say , um, and I'm actually
46:40
gonna steal from , uh,
46:43
some comments that our OCR director
46:45
made , uh, in relation to a recent
46:47
, uh, resolution agreement that
46:49
, um, organizations should regularly
46:52
review risks, regularly
46:54
review policies, and update them and
46:57
do that enterprise wide . And as
46:59
your systems change and
47:01
, uh, grow re-review
47:04
those risks. So, redo your risk assessment, look
47:06
at your risk management plan, look at your policies,
47:08
and train your workforce.
47:10
Big one. Yeah . All right . Thank
47:13
you both very much. And I also wanna thank our
47:15
audience for listening today, and we hope that you have
47:17
a great day.
47:25
Thank you for listening. If you enjoyed
47:27
this episode, be sure to subscribe
47:29
to AHLA's Speaking of Health Law wherever
47:32
you get your podcasts. To
47:34
learn more about AHLA and the educational
47:37
resources available to the health law community,
47:39
visit americanhealthlaw.org.