
Best Legal Practices Before, During, After A Cybersecurity Incident

From HIPAA to Federal Trade Commission regulations, healthcare stakeholders need to know the legal landscape when preparing for cybersecurity attacks.


The healthcare sector is up against sophisticated cyber threats, from phishing to ransomware. From 2018 to 2022, there was a 239 percent increase in large breaches involving hacking reported to the HHS Office for Civil Rights (OCR), HHS data shows. A key element of combating these increased threats is understanding and complying with the patchwork of state and federal cybersecurity regulations, such as HIPAA.

Elizabeth Hodge, partner in the Healthcare Practice Group at Akerman, discusses the healthcare cybersecurity regulatory landscape and outlines best practices for maintaining compliance before, during, and after a cybersecurity incident.

Jill McKeon:

Hello and welcome to Healthcare Strategies. I'm Jill McKeon, associate editor of HealthITSecurity.

Today, we'll be discussing data security and privacy challenges facing the healthcare sector and the regulations that aim to keep these challenges at bay. To explore this topic, we're welcoming Elizabeth Hodge, partner in the healthcare practice group at Akerman.

Elizabeth, thank you for joining us today.

Elizabeth Hodge:

Glad to be here, Jill.

Jill McKeon:

So to begin, it would be great to hear your perspective on just why healthcare is such a popular target for cyberattacks and what the current threat landscape looks like in healthcare.

Elizabeth Hodge:

I think healthcare is so attractive because of all the data they have, and the volume of sensitive data they have. So it's really a one-stop shop for bad actors, if you will, because not only do they have demographic data on individuals, but also a lot of financial information, credit card information, insurance information, and then of course, the actual medical information. And this information is very valuable on the dark web, and it can also be sliced and diced up by bad actors to monetize.

Additionally, the medical information of individuals can have, not necessarily monetary value, but other intrinsic value for, say, nation-state actors who may want to use that information to try to compromise individuals. And then, with respect to research facilities, pharmaceutical companies, device manufacturers, they have a lot of intellectual property data that also has a lot of value to bad actors. So, I think it's just a treasure trove of information.

Also, I think there's a perception that healthcare providers particularly are more likely to pay a ransom in the event of, say, a ransomware attack so that they can continue to stay open and provide quality care to patients. And then I think historically, the healthcare sector maybe has not focused on cybersecurity as much as other sectors and really has been using technology to focus on providing care and saving patient lives.

Plus, I think you also have some technology that's no longer in use that can't be retrofitted to become more secure. So those are some key reasons why I think the sector is such an attractive target.

Jill McKeon:

Definitely. And, considering just the complexity of the cyber threat landscape in healthcare, it makes sense that security and privacy regulations that protect patients and healthcare organizations would be equally complex. Of course, the most notable federal law in this space is the Health Insurance Portability and Accountability Act (HIPAA) enacted in 1996. And that really serves as a compass for managing security and privacy. But all these years later, it seems that confusion remains about what HIPAA is and what it really covers.

So, with that in mind, what are some common misconceptions about HIPAA's coverage from your point of view?

Elizabeth Hodge:

I think a lot of laypeople think that HIPAA protects all health information everywhere and don't realize that the scope of the law is actually fairly narrow because it only applies to health plans, healthcare clearinghouses, and healthcare providers who conduct standard transactions and then, of course, their business associates who receive PHI [protected health information]. So that's actually a pretty narrow band, especially in today's environment, when you look at how much health data is out there and how many different organizations that are not plans, clearinghouses, or providers have access to or have health data. We frequently get questions from clients who say, "My employer has this medical information and they did X, Y, Z with it. That violates HIPAA." And we have to come back and say, "No... Yes, they may have a lot of medical information, but employers are outside the scope of HIPAA."

Individuals also don't seem to understand that HIPAA does not protect them from how they choose to share their data. So if they post stuff on Facebook or put it out in the universe, that's not protected under HIPAA. We also see that many individuals, and even some providers don't understand that HIPAA does not provide a private right of action. A lot of people seem to think that it does, but currently, it does not. So an individual's recourse under HIPAA is really limited to filing a complaint with the Office for Civil Rights [OCR], or bringing an action alleging some other causes of action.

Jill McKeon:

So from both the patient and provider side, there are some lasting misconceptions over the years.

Elizabeth Hodge:

That's a great point, because we also see on the provider side--or, say, the covered entity side--some confusion about when they can release information and when they can't. And, sometimes, HIPAA is used as a shield or sometimes a sword. So yeah, there is still some confusion out there among those folks who--the regulations have been out 23 years now, and to your point, still some confusion.

Jill McKeon:

Yeah. And I know in addition to the misconceptions, there's been a lot of talk about just gaps in HIPAA and the ways that technology has evolved, but HIPAA has not necessarily. I know that lawmakers have proposed numerous updates to HIPAA over the years and the quest to modernize it and acknowledge how much it's changed since 1996. So what are some common points of contention when it comes to HIPAA and how might future changes to HIPAA impact covered entities?

Elizabeth Hodge:

Senator Cassidy--who released a letter in, I think it was September, asking interested stakeholders for updates on HIPAA--he asked a series of questions, again, raising the issues that you did about how can we modernize HIPAA, what's working, what's not, where are the gaps.

And in my practice, I see a lot of tension with respect to HIPAA and the privacy regulations surrounding the confidentiality of substance use disorder treatment records, the Part 2 regulations. And we know that OCR and SAMHSA--the agency that promulgates the Part 2 regulations--they are trying to close the gap between HIPAA and Part 2. But for those providers that are subject to both HIPAA and Part 2, it's still a struggle to really comply with both in a way that allows them to provide timely care to patients with substance use disorders. So that's one area that I think people are hoping that gap will close even more.

There's a proposed rule sitting with HHS now, and hopefully that gap closes more. But part of the problem is the regulations can only go as far as the statutory authority allows them to go. It's nice that Senator Cassidy is perhaps signaling some activity at the congressional level to help that.

Also, there's some interesting push-pull between HIPAA and the information blocking rule that is out there now, which is encouraging the sharing of information, which is antithetical to HIPAA. At least as many of us who grew up with it--HIPAA--over the years, it is a change in your mindset as far as letting all that data go out into the world and sometimes not knowing where it's going and whether it's going to entities that are somehow regulated with respect to their use of that data. I know representing providers, they have concerns about when patients come to them saying, "Send my data here," what happens to that data afterwards? And will either provider be blamed by the patient if the recipient uses the data in a way that the patient didn't expect or didn't approve of? So trying to, I think, harmonize some of those gaps between HIPAA and information blocking would be helpful.

And then of course, there's always talk about having a national privacy law, and there have been several efforts at that. None of them have been successful so far, because there are still some tensions; for example, would you have a private right of action? That's always a big sticking point, both at the federal level and even at the state level when states have been passing their consumer privacy laws. Do you allow that? How do you address state laws that are more restrictive or protective of individuals' rights than HIPAA or a national law might be? California would have something to say about what they might perceive as a watered-down national law, given all the efforts they've put in place to develop a pretty stringent privacy framework. So there's a lot of opportunity but a lot of challenges trying to plug the gaps. And then, of course, we're seeing the Federal Trade Commission [FTC] really step in and try to plug some of those gaps in existing law as well.

Jill McKeon:

Definitely. Yeah, as you said, a lot of opportunity and a lot of challenges. So it'll be interesting to see how these newly proposed rules unfold.

Elizabeth Hodge:

And there's a lot of competing interest. I think people are excited, say, by the prospect of getting access to a lot of data to enable AI, train AI, and the opportunities that can offer, say, in healthcare. But along with those opportunities, there's also a lot of risk for that data being misused. And so I think people are struggling with how you balance the two. And then giving individuals more control over how their information is used, but then making sure that those recipients of the information are using it in a way that individuals expect and understand.

Jill McKeon:

Definitely.

And going beyond HIPAA, I know that digital health companies also present a unique challenge for regulators since they maintain sensitive data, but are often not covered by HIPAA. And we've seen recent enforcement actions from the Federal Trade Commission that really exemplify those challenges.

So from your perspective, what does that regulatory landscape look like right now for digital health companies?

Elizabeth Hodge:

Well, Jill, I think you teed that up very well. I think the FTC is the big player in that space because, as you noted, very few digital health apps are subject to HIPAA. That's a very small number. Most are not, and so would fall under the FTC's jurisdiction. And the FTC has been, as you said, very aggressive in going after those app developers that are not using the information that their apps collect in the way that their privacy policies might say they are using it or using it in other ways that the FTC may find to be unfair, deceptive practices. Again, the FTC is the big player, where also there are some state consumer privacy laws coming online too, for example, the Washington My Health, My Data Act, where we're seeing states try to step in and regulate how health data that may not be subject to HIPAA is used as well.

But, really, I think the FTC is currently the leader in that area. Although the FTC is also teaming up with OCR, especially with respect to the use of tracking technology by health apps and health providers, either on their websites or on their apps. Recently, the two agencies sent letters to, I think, 130 organizations asking them to revisit their use of tracking technologies to see if it complies with the prior guidance that OCR and FTC have issued, and to perhaps consider changing their practices around that. So I think we may see some more joint efforts by the FTC and OCR going forward in that space.

So, for health app developers out there who are listening to this, I strongly recommend checking out the FTC's website where they have a lot of guidance documents on whether you might be subject to the FTC regulations and steps you can take to stay on the right side of things, at least in the eyes of the FTC.

Jill McKeon:

So really, across the healthcare industry as a whole, you have HIPAA, you have the FTC's Health Breach Notification Rule, there's the substance use disorder confidentiality laws, and then also a patchwork of state laws, and all of those compliance complexities that come along with that. So with all of these regulations in mind, in your experience advising healthcare organizations through incident response and data breaches, what are some of the biggest compliance challenges that healthcare organizations face during the incident response process?

Elizabeth Hodge:

One is, once they identify that they've had an incident, trying to figure out all the laws, breach notification laws that might be in play--because as you note, depending on the type of entity, you may be subject to HIPAA, you may be under the FTC's jurisdiction and then the patchwork of states. All 50 states have breach notification laws. Some apply to health information, some exclude that. We're seeing more states include health information in their definition of personal information, subject to breach notification laws. And then we're seeing consumer privacy laws, specific consumer privacy laws at the state level rolling out too. So you have to look at that.

But apart from trying to navigate the patchwork of notification laws, we didn't even talk about international laws, which, for those entities operating outside the US, you also need to look at. So it's quite challenging to navigate that. It's always good to have counsel on hand to help you with that.

But shifting away from notification compliance challenges, other challenges we see are organizations not having in place incident response plans that really look at the full impact of an incident, especially if you're talking about something like a ransomware incident, where not only might your data be compromised, but also your operations. It's a little different if you have a scenario where someone loses a spreadsheet with patient data on it. That's not good, but that's not going to affect your operations. Whereas, a ransomware incident or a denial of service attack, something like that, not only is your data not available, but then that has ripple effects as to whether you can actually operate in a safe manner.

Can you continue to provide patient care and can you continue to bill for services that you do provide? You have to have revenue. You have to bill so you can have revenue coming in. How do you capture all of that and how do you provide care when you have to switch to paper records? So thinking through that cascade of--how do we have to change our operations in a worst case scenario? And we see that a lot of organizations don't keep peeling back the onion to think through all those scenarios and what that actually means, operationally.

Jill McKeon:

Definitely. And to tackle all of those challenges effectively, what are some of the most important best practices, from your point of view, that healthcare organizations should follow? Not only to maintain compliance before, during, and after a breach, but also just during daily operations?

Elizabeth Hodge:

I would say, one, have an incident response plan and then test it periodically.

It's not enough to just have a policy or to have a plan, but you actually have to pressure test it periodically to make sure that it works and people understand what their roles are and how to function or operate when there is an incident.

Also, keep your backups offline and test to make sure you can recover your backups. Because if you do have good backups of your data, you can recover a lot more quickly than if you don't. And you also want to test to make sure that you really can recover your backups.

And then I would obviously invest in administrative, technical and physical safeguards. And also, train and educate your workforce about being vigilant against cyber threats. Do the phishing email tests and encourage people if they see something, to say something, to question emails that look suspicious and know who to report to, having those clear lines of reporting.

And then trying to learn from the experience of others. You cover a lot of data incidents, and there are a lot of lessons that people can learn from those. I meet with a group of healthcare compliance officers periodically, and during those sessions they will talk about, "We had this and we learned this." And everybody in the room will say, "Oh my goodness, hadn't even thought that might happen." So make a note, take it back, and incorporate that into your plan.

And then, make sure you have your breach response team identified in advance. Especially your outside vendors, because you do not want to be negotiating contracts with them in the midst of dealing with a crisis. And I think planning to be offline longer than you think you will be, and again, going back to figuring out how you are going to operate in that kind of environment and how you're going to guarantee patient safety and make a call. Do we think we can safely care for patients, or do we think we need to divert them somewhere else and have a procedure in place to make that call? Those would be some quick, not necessarily easy tasks to do, but some things that I would recommend for folks to consider.

Jill McKeon:

Definitely. And that's good advice for any organization, really: training your workforce, investing in safeguards, learning from your organizations, as you said.

So thank you so much, Elizabeth, for joining us and sharing your expertise.

Elizabeth Hodge:

I've enjoyed it very much, Jill. Thank you.

Jill McKeon:

And for our listeners, we'd love to hear your thoughts on this episode. Feel free to reach out to me at JMcKeon@xtelligentmedia.com. That's J-M-c-K-e-o-n@xtelligentmedia.com to share your thoughts or to suggest stories you'd like us to consider covering in the future.

©2012-2024 TechTarget, Inc. Xtelligent Healthcare Media is a division of TechTarget. All rights reserved. HealthITAnalytics.com is published by Xtelligent Healthcare Media a division of TechTarget.