
August 26, 2025 37 mins

Data breaches in the health care sector can carry immense legal, financial, and reputational consequences. Jon Moore, Chief Risk Officer and Head of Consulting Services, Clearwater, speaks with Christine Moundas, Partner, Ropes & Gray LLP, about how health care organizations can mitigate risk through robust breach preparedness plans and ensure legally sound, compliant responses when incidents occur. They discuss how to operationalize breach readiness, key pitfalls to avoid during incident response, and the legal implications of internal decision-making. Sponsored by Clearwater.

Watch this episode: https://www.youtube.com/watch?v=Lvo4EsiCK0Y

Learn more about Clearwater: https://clearwatersecurity.com/ 

Essential Legal Updates, Now in Audio

AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Premium members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.

Stay At the Forefront of Health Legal Education

Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
This episode of AHLA Speaking of Health Law is sponsored by Clearwater.
For more information, visit clearwatersecurity.com.

SPEAKER_01 (00:17):
Welcome to this episode of Speaking of Health Law.
I'm Jon Moore, Chief Risk Officer and Head of Consulting Services at Clearwater.
At Clearwater, we help healthcare organizations achieve their missions by enabling more secure, compliant, and resilient operating environments.
Today's topic, healthcare data breach preparedness and response best practices, is especially critical for legal and

(00:38):
compliance professionals navigating the high-stakes environment of healthcare privacy and security.
Data breaches in the healthcare sector can carry immense legal, financial, and reputational consequences.
From HIPAA enforcement to state data protection laws and class action litigation, the legal landscape is unforgiving.
In this episode, we'll explore how healthcare organizations can

(00:59):
mitigate risk through robust breach preparedness plans and ensure legally sound, compliant responses when incidents occur.
Joining me for this episode is Christine Moundas, a partner in Ropes and Gray's Healthcare Practice Group.
As part of her practice, Christine counsels clients on privacy, security, and breach matters and focuses on emerging

(01:20):
issues in the digital health space.
She and I will discuss how to operationalize breach readiness, key pitfalls to avoid during incident response, and the legal implications of internal decision-making.
If you're responsible for privacy, risk, or legal oversight in a healthcare organization, this is a conversation for you.
Christine, it's great to speak with you.

(01:41):
Before we get started, would you like to tell us more about your practice?

SPEAKER_03 (01:45):
Sure, happy to, Jon, and happy to be speaking with you today.
My name is Christine Moundas.
I'm a partner in Ropes and Gray's New York office.
I sit in our healthcare practice, and I also participate in our data group, and I co-lead our digital health initiative.
And really, I represent a wide array of healthcare providers,

(02:07):
health systems, pharmaceutical manufacturers, device manufacturers, and digital health companies.
So, I'm a partner in Ropes and Gray's New York office.
And in terms of my practice, I focus on regulatory enforcement, litigation matters, all in the healthcare and data space.
And in particular, data and incident response is a large

(02:28):
part of my practice.

SPEAKER_01 (02:30):
Perfect.
So, I mean, as you're well aware, Christine, lots of parties potentially involved when there's a breach.
So when a breach occurs, what's the optimal timeline for involving someone like yourself, outside counsel and regulators, law enforcement, and some of those other third parties?

SPEAKER_03 (02:47):
Sure.
So matters really vary tremendously in terms of the level of severity, the issues that we're really most worried about, and the potential implications.
So I really think it's important for folks to readily assess what's the level of severity or potential implications of a

(03:09):
particular incident and then respond accordingly.
I think it's always important to have legal counsel involved if it's an incident that's gonna be of any significance.
When I say significance, probably impacting maybe either critical programs, infrastructure, relationships, or impacting the data, maybe, you know, 5000 or more,

(03:33):
something like that,

SPEAKER_00 (03:34):
that's

SPEAKER_03 (03:34):
really at the point where you should have legal counsel involved, because it's going to be a matter that's going to have a significant tail in terms of

SPEAKER_02 (03:44):
doing

SPEAKER_03 (03:45):
the first forensic analysis, figure out what's going on, doing the legal analysis to figure out what notification obligations you have, and then potentially dealing with any follow-on investigations or litigation.
In terms of when to get law enforcement involved, I do think that's really a matter of knowing if you're dealing with a

(04:06):
bad actor that's particularly aggressive, if you're dealing with a unique sort of ransom circumstance where you think having law enforcement would be better beneficial.
There's other times in which you'd have to notify if you think they're engaged in some criminal conduct that would get law enforcement's attention or you need protection from them.

(04:27):
I've also had incidents where law enforcement knows about the incident before my client does.
And that's never a good place to be, but it has happened.
It's been that the FBI walks into, you know, a client's doors and say, you're being, you're under attack or, you know, the

(04:49):
FBI approaches a company and say, we have information about your company that was stolen and has ended up on the dark web or something else and we're bringing this to your attention.
So there's different ways in which law enforcement will get involved even before a client realizes.
And in terms of regulators, obviously there's regulatory

(05:09):
requirements about when regulators need to be notified.
Here in New York, the New York State Department of Health is requiring much earlier notification for certain material security incidents that might impact hospitals and Article 28 facilities.
There's also, for instance, in New York, the New York State Department of Financial Services that's interested in cyber

(05:32):
attacks that might impact financial institutions or insurance companies.
And they require notice a little earlier than other more traditional data breach regulators like the State Attorneys General or the HIPAA regulator, the US Department of Health and Human Services Office for Civil Rights.

(05:53):
The regulators usually want to have a good handle on your investigation, the scope of the impact, and what your obligations are before notifying.
However, there are some laws that you should be aware of in advance where you might have to provide very early notice even before you have a full handle on the facts.

SPEAKER_01 (06:14):
And I assume this is even complicated more when you have larger organizations that span multiple jurisdictions.
And it seems like at the state level in particular, we're getting a lot more complexity in the reporting requirements.
And I don't know whether you would agree with this.
I mean, it seems to be there's a lot, there's a move towards shorter reporting periods, time periods as well, both at the state and the federal level.

SPEAKER_03 (06:38):
Yeah, there is.
And it's a real tension because obviously you want to provide accurate reporting as well.
And sometimes those two things are in tension because you could provide earlier notice, but you couldn't physically get better information at the time.
So you really have to use some judgment when, you know, looking

(06:58):
at those obligations and making sure that you have a good sense of what you can report when and use judgment, depending on what the nature of the investigation is and how much is involved.

SPEAKER_01 (07:10):
You bring up a very good point in terms of having the information in order to be able to report.
And that brings up another question.
So what are the most common legal missteps organizations make when responding to a breach and how can that be prevented, do you think?

SPEAKER_03 (07:28):
Yeah, so I think number one, the common misstep that I know some most is that legal, compliance, privacy, and IT security are not talking to each other.
So I think that is sort of number one misstep, because if you have one team going off on their own and not in a coordinated manner, that's going to be not helpful regardless.

(07:51):
Because if you have a legal or compliance team going off notifying based on their partial understanding of the facts, it could be wrong.
If you have an IT security team maybe running with an investigation with no legal counsel involved, no potential privilege over that investigation, that could be potentially problematic.
Number one, it's also not good if folks are just meeting

(08:15):
themselves in the middle of a breach.
Pre-established relationships across those disciplines that are already very well established and well set up such that when something does occur, those relationships are already there, those points of contacts are already there to call upon.
So that's number one, is just a coordinated interdisciplinary

(08:37):
response.
Two, I think lack of preparation in terms of having pre-established relationships with counsel, pre-established relationships with forensic consultants, pre-established relationships with document review vendors in some cases.
Having more in place first before an incident occurs is

(09:01):
very, very helpful because it's very hard to, if you need a big forensic consulting firm to help with an incident, it's hard to negotiate a master services agreement and an SOW in the middle of an incident when you really need them to be there tomorrow.
So that is something that I tell people.

(09:22):
It seems like a pain.
You have to sort of negotiate something that isn't happening yet.
But having an entity retained or a pre-established, pre-negotiated agreement with some of those subject matter experts is a very valuable thing so that you're not scrambling when something occurs.
In terms of other steps, I think putting, I'd say pre-assuming

(09:50):
the results of an investigation before you have a full set of facts can also be very detrimental.
I see sometimes folks jump to either a conclusion that an incident is far worse than it actually is, or assume that it's far more contained than it actually is.
So I think it's very important to structure these forensic

(10:10):
investigations and these legal reviews in a way where you're following the facts and you're having appropriate judgment applied to what really needs to be analyzed and in what depth and that you follow the facts.
Because if you assume too much or too little, you're going to get the wrong result and then those contrary facts will come to haunt you because then you'll find out too late that you

(10:32):
either over- or under-judged the situation.
I

SPEAKER_01 (10:36):
want to get back to forensics in particular, but you in, when you were talking about the coordination between the internal reporting parties who are responding, I was already also thinking about what we see sometimes is there's, there's different stakeholder groups that need to be communicated to like, internally, your staff, potentially the public and other

(10:58):
folks that need to be communicated to.
And they all need to have potentially a different message, but those messages have to be coordinated.
Otherwise, you end up with issues as well, I would imagine.

SPEAKER_03 (11:10):
Yeah, absolutely.
An appropriate communications plan is key.
And things should be on a need-to-know basis, but you have to be transparent in some cases.
So obviously, you know, unfortunately, God forbid, like a large-scale ransomware attack where a hospital's whole system are down for a month, you're not going to get away with saying,

(11:32):
you know, we had a little bit of an interruption, please hold on, right?
There has to be a really different level of communication from that.
Obviously, with the Change Healthcare incident, that was a huge, significant national-scale incident where the early communications, you know, were, are now being scrutinized.

(11:53):
And now we see there was a communication channel, but the information wasn't always as clear as one would hope.
I'd say internal employees, again, you have to make sure people know what they need to know in terms of if a system's not working, if you can't use a system, if there's something that's actively going on that people need to be aware of.
But you also don't want to over-disclose information or do

(12:17):
things that would be otherwise not wise.
So we also think about board communications, if things need to be reported up to a board, another governance committee.
And in some cases, you know, depending on the incident, we stand up like daily morning calls and we have a readout of what's going on, who's doing what, what the progress has been

(12:40):
made.
And you use those calls so you communicate to all the key stakeholders internally and then you keep the investigation momentum moving.
Because in many of these cases, time's of the essence.

SPEAKER_01 (12:54):
Sure.
So going back to the forensic investigation again, what are some best practices in your mind for conducting forensic investigations in the wake of a breach?

SPEAKER_03 (13:05):
I think different forensic consultants have different expertise in different areas.
So I think that's very important for folks to know.
I wouldn't necessarily be recommending the same forensic consultant for a business email compromise review versus a large-scale ransomware attack.
So I think it's important to make sure that you have an

(13:26):
awareness and a familiarity with which companies do what types of forensic reviews and that you have appropriate relationships with a couple.
So that's rule number one.
It's picking the right forensic consultant for the nature of what you know to be the root.
Two, it's actually identifying the impacted IT infrastructure

(13:51):
first that needs to be reviewed because you'd be surprised people think, oh, it's just this workstation or it's just this server.
And it turns out that their assumptions of what just was impacted were wrong.
And then you're behind the ball because they thought it was more narrow.
So I think appropriate scoping and really pressure testing what

(14:11):
people think are sort of believing to be the case and what they're basing it on is really important and having even the forensic consultants helping to probe that so that they're not just set off to do a more narrow review than what's actually required.
Three, I think determining what to document about a forensic

(14:32):
review and for what purpose is really important.
Sometimes you want a really nice fully fleshed out report highlighting the entire scope of the review, the nature of what was looked at, et cetera, et cetera.
Other times that's not really recommended.
Sometimes you actually need to do certain extracts because law

(14:52):
enforcement is asking for those forensic artifacts.
So that's something to keep into account.
So I do think early on level setting with the forensic consultant about what you have in mind for their written materials is really important.
And sometimes you don't know if you'll need written materials.
So you do sort of verbal readouts early on until you get

(15:15):
a sense of what you're dealing with.
So I think documentation and the plan around documentation is very important.
Four, obviously, I do recommend putting those forensic reviews under privilege through legal counsel and the legal counsel would provide some of the input around the documentation

(15:36):
concerns as well.
And then I think, you know, just overall making sure that also they're really well set expectations for how long different parts of the investigation will take because I think sometimes there's either miscommunication or just unknowns and it's important for the teams to stay in touch

(15:57):
because also sometimes it's going to take a very long time to get 100% of the review done, but it's going to take a much shorter time to get 80% of it done.
And it's important to get the readout when the 80% is done.
So at least you know what the 80% found.
So I do try to make sure that folks just sort of aren't going

(16:18):
off into their own corner, running with their forensic review and then you don't hear back because depending what their interim findings are, it might really dictate what the strategy is or the next step, or maybe you have to do partial breach notices, partial reporting, and then sort of provide an update thereafter.
So it really depends, but I think those iterative updates

(16:41):
are important and not sort of, and setting the expectations around timing and updates.

SPEAKER_01 (16:47):
In your experience, are folks looking toward their cyber liability insurance carriers and/or counsel like you to identify who the appropriate forensic consultants are?
How's that working for most of

SPEAKER_03 (17:02):
them?
Yes, I think they definitely have a role to play.
Larger organizations, I think, already have their sort of preferences and their set relationships.
It's really the smaller organizations or the mid-size where there might be less clarity on who to go to.
So yeah, I think either going to legal counsel, internal experts,

(17:26):
or your insurers, they can provide very helpful information on what resources are the right resources given the scenario.
And I'll just say, you know, providing notice to insurers and making the claim early on for a potential incident is important.
And there's definitely having, you know, risk management teams

(17:49):
or others involved in that communication is really key.

SPEAKER_01 (17:53):
And certainly I would think that, you know, having counsel like yourself who's been engaged in supporting diverse organizations across the healthcare sector and has a lot of experience working with these types of vendors certainly puts you, I would believe, in a good position to weigh in on that and advise, which is really helpful for particularly small

(18:15):
organizations that may not have a lot of experience with this type of thing.

SPEAKER_03 (18:19):
And you'd be surprised.
I mean, some very large organizations, they've been lucky enough to have no incidents right up until a certain point.
So sometimes you're lucky and, you know, so yeah, it's definitely something we try to do because the investigation and the whole incident response will not go well unless you have the right team pulled together.

SPEAKER_01 (18:39):
So beyond that forensic investigation, what else is involved in a legally defensible breach notification process, let's say?

SPEAKER_03 (18:47):
Yeah, so as you said, there's the communications considerations early on.
So we're looking for first who we're engaging and how we're engaging, external consultants, legal counsel, others, making sure all of that's put together.
Two, we're making sure the cross-disciplinary team is pulled together and that they're all communicating, updating each

(19:08):
other and/or putting together an appropriate response given the scale or size or severity of the situation.
Three, once we have a pretty good idea of what we're dealing with in terms of impacted systems, scale of impacted data, et cetera, we usually will then be looking in parallel to what

(19:31):
notice obligations we might be looking at.
And it's very important that legal counsel or in-house counsel understand what's the regulatory posture of the entity that was impacted.
Are they licensed in particular states?
Did the data relate to individuals in certain states?

(19:54):
Because most of the time, a lot of the data breach laws are actually based on the residence of the impacted individuals' data.
And then we're dealing with, you know, if there's other regulators and other particular states that have heightened notice obligations.
We also, depending on if it's a vendor to other organizations,

(20:18):
looking at your contractual obligations to notify your customers.
Obviously in healthcare, we have the business associate construct and the obligations to provide notice to covered entities.
Again, there's a whole judgment call that needs to be made there when you're dealing with a complex incident and a business associate might know that they have certain information

(20:40):
available, but not full information when and how to report that to covered entities and what your contractual obligations are really important to look at.
Then when we're looking at the state laws.
In some cases, you will be triggering substitute notice obligations where you either have to post things on your

(21:01):
website or in different public media publications.
And then separately, sometimes there are media notices that have to be issued in certain jurisdictions, depending on how large the population is that resides in a certain jurisdiction.
So under HIPAA, there is a media notice component that also needs

(21:23):
to be taken into account.
Let me think.
Now, besides that, I think we skipped over remediation, which is really, really key.
Obviously, you have the legal obligations of who you have to tell, who, what, where, when, for what purpose.

(21:44):
But remediation actually has to be right after investigation and forensics and all that.
The remediation has to be almost as soon as possible, right, to stop the bleeding.
So it's really important that the IT security team has a very good sense and the right experts to know how to remediate things.
And if it's a smaller organization, in some cases,

(22:06):
they might not know how to actually remediate a situation, short of pulling things out of the wall, unplugging them, et cetera.
So I think having the appropriate IT security remediation is really key.
In some cases, you have to do that while still preserving certain forensic artifacts of what occurred.

(22:28):
So you have to keep that in mind.
But the IT security remediation will be key, not just to stop the incident and reduce the scope of the impact, but then also to be able to explain to impacted individuals or to regulators or others that the organization did as much as they could to stop the incident and remediate it.

(22:49):
And in some cases, there's a short-term remediation, and then there's a much longer-term remediation.
Because we do, in our forensic reviews, try to establish, you know, what was the underlying weakness that allowed a bad actor or others to actually infiltrate a system, etc.
So we...

(23:09):
sometimes they'll say, you know, it was a lack of multi-factor authentication or something, right?
You're not going to be able to roll out multi-factor authentication across a whole organization over a weekend; that's going to have to be, you know, finding a vendor that can do that, scoping it out, you know, negotiating a contract, making sure you have money to do that, and then a whole long-term

(23:30):
plan.
So there are staging of remediation that's really key.
And sometimes there's a compliance-oriented mitigation, such as retraining individuals, having new policies, et cetera.
But that is really a core component of the breach response and then the subsequent reporting.

SPEAKER_01 (23:53):
You raised sort of two questions came to mind as you were discussing that.
First was in terms of the forensic analysis and the breach response itself.
My experience has been that typically, for example, OCR will come in and they'll want to know the story of what, what would the breach and how did you remediate it?
Do you usually construct that under privilege for them then to

(24:16):
respond to OCR, but it goes to OCR.
So how do you recommend to folks in terms of documenting this?
Is it as they're going along in order to be able to provide that kind of Yeah,

SPEAKER_03 (24:27):
it's definitely tricky.
I would say at some level, there's some level of detail that is going to get disclosed and it will no longer be privileged, but there's really varying levels of detail.
So I would say sometimes there has to be, you know, internal or with outside counsel or through the consultants engaged under privilege, more detailed documentation about, you know,

(24:50):
all the various aspects or all the super detailed documentation about what all went on, what was remediated.
But when you get to regulatory notices, it really has to be brought up to a level that's necessary, comprehensible, and sort of appropriate for disclosure.
At some level, you're going to have to provide that on breach notices or other things too.

(25:10):
So for instance, if you'd say, you know, our hospital was impacted by a cyber incident and one of our servers was impacted.
You know, you're not going to get into the detail of what server, exactly what the number is, you know, where it was.
What

SPEAKER_01 (25:26):
operating system was operating on it, what the vulnerability was.

SPEAKER_03 (25:29):
Yeah.
So that's how I think about it.
You sort of keep as much privilege as possible during the review process.
And then at some point when you get out of the sort of immediate incident response and you're into the notification obligations, then you're providing and disclosing a higher level summary that's transparent and truthful, but

(25:50):
also not overly detailed.

SPEAKER_01 (25:53):
Yeah.
And the second question is, and I think you mentioned this a little bit earlier in passing.
So oftentimes what I've seen is the forensic folks will come in, they'll do their forensic analysis and they'll determine, hey, here's how the breach occurred and here's what they had access to.
And it sort of stops there.
And then it's up to the organization to figure out who the individuals were who are within that data that need to be

(26:16):
notified.
And in many cases, that's a very complex task in and of itself.
And I think you mentioned that oftentimes you'll bring in other expertise to do that.
Could you talk just a little bit quickly about that?

SPEAKER_03 (26:30):
Yeah, absolutely.
There's actually different sets of consultants.
That's why I say sometimes if incidents are significant enough, you have to bring in multiple consultants.
There are certain external consultants that do more of a document review type of function.
And in some cases, it can be AI driven.

(26:51):
It could be optical scans of documents and extractions.
In some cases, it's more human driven.
But essentially, first, you need to get a sense of, OK, what's the bolus of documents or data that we're dealing with?
Extract it, get it to these third-party consultants, which

(27:12):
sometimes that is a whole hullabaloo in itself.
And then you need to figure out, okay, what are the categories of documents and data?
And then what are the ones that are potentially relevant to the review?
And then what's the nature of the data that we need extracted?
And what's our review protocol for coding that, et cetera?
There is sometimes an entirely separate work stream that we do

(27:33):
to then actually get to the bottom of what data was impacted and what was the nature of it and who requires notice.
So we've done ones where, you know, sometimes it's a whole database where it's just Excel spreadsheets and it's standard data that's already kind of packaged.

(27:54):
You say, okay, well, we already have people's name and address and everything else, so we can just extract from that.
And other times it's thousands of scanned documents from a decade ago, and that's a totally different thing.
So it's really important to sort of then strategically analyze what you're gonna do.
In other cases, sometimes people know, hey, wait a second, it was

(28:15):
this entire database that has all of our patients' data for a particular service line or something.
Or sometimes you just have to make assumptions about what was impacted or be over-inclusive.
But hopefully the goal is to be sort of make sure that the notice is fit for purpose and you're notifying people just about exactly what was impacted.

SPEAKER_01 (28:36):
From your experience, what parts of the breach response or the breach itself are regulators currently most interested in right now?
I

SPEAKER_03 (28:49):
would say for the US Department of Health and Human Services Office for Civil Rights, which I dealt with most frequently on the HIPAA breaches, they're always interested and they investigate any incident that's above impacting 500 individuals, which that used to be a very high

(29:11):
number for breaches.
So 15 years ago, most breaches were a few hundred people and that was sort of what you were dealing with.
And if you ever got over 500, that was a really big deal.
And now, unfortunately, just the nature of how electronic information is and how much more sophisticated these incidents are, incidents over 500 individuals are very routine.
But HHS OCR is, I'd say, always interested in when they're

(29:36):
seeing a lot of breaches at the same entity over time, because that to them is an indication that there is a systemic issue or an insufficient risk management program in place at that organization.
They also, when they are sending request letters these days, I am seeing them focus a lot on the risk analysis function, which

(30:00):
you know a lot about, where they're asking for the entity's latest risk analysis and to provide the information about it.
They're also asking about information system activity review plan and protocols, which is a very tricky area where they're actually asking for information about, you know, what are all your IT, your ePHI assets, for instance, all your

(30:24):
assets that have electronic protected health information.
What review do you do of them?
What cadence do you do review?
What's the logging that you have?
What are the sort of thresholds for knowing whether some access is aberrant or not?
Those super detailed questions.
And then definitely the regulators have a heightened interest in

(30:45):
data backup protocols.
And I think probably the Change Healthcare breach and other recent very large breaches have put the regulators' attention on making sure that there's, you know, redundancy in these systems.
And if you're dealing with a major cyber attack that you're not also dealing with a massive data loss right on top of everything else.
So I think those key topic areas are really important for

(31:10):
entities to focus in on.
And I don't think the regulators are wrong for focusing on them because they're sort of indicative of strong IT security and cybersecurity programs.

SPEAKER_01 (31:21):
Right.
I think to your point, I think they're just responding to what we're seeing in the world today and with ransomware and assorted other types of breaches having significant impacts and incidents like Change where it just cascades across the industry as a whole certainly gets folks' attention.
What strategies can in-house counsel and compliance officers

(31:43):
use to secure leadership buy-in for breach preparedness?
I mean, we see this all the time.
We wanna do tabletop exercises and practice these things and executives are busy and they don't have the time.
So how does someone like an in-house counsel or a compliance officer get buy-in from those folks that should be in the room

(32:06):
when you are having these kinds of discussions?

SPEAKER_03 (32:09):
Yeah, I mean, I really do think, one, I think an
annual discussion and annualrefreshing of what are the
organization's protocols for anincident and having that sort of
brought up to a leadership levelannually is quite important.
Some of the new laws that Italked about earlier,
particularly in New York,actually changed.

(32:30):
specifically require annual discussions and annual trainings
on these topics and actually reports up to the board on it.
But I do think also sometimes it takes just pulling things from
the headlines and saying, if this happened to us, what would
we be doing, right?
And also not talking about it just as a data or a legal issue,

(32:53):
because really these things can become huge operational issues,
right?
It's not a legal or compliance exercise.
It's not just about data.
It's about all of our lives now are completely digital and there
needs to be redundancy around those digital systems.
There needs to be experts in-house that know how to
safeguard, you know, remediate and stand back up systems that

(33:17):
might be impacted.
And they need to know that I think every business is very
different.
Every organization is very different in terms of what the
fallout would be if systems were down or if there was a major
incident.
But basically, there's no business in the world right now,
no organization in the world right now that if there were
a significant incident, it wouldn't be significant to the

(33:39):
business.
So I think it's important for business executives to address
them with the business impact that an incident might
cause and also the reputational harm, right?
No one wants to be dealing with any of this.
So trying to tell people, you know, prevention is really the
best thing that you can do, trying to strengthen and harden

(34:00):
your systems because it's essential.
And then to have a strong response team and a response
plan is really just good business.
It's not just a good legal or compliance practice.

SPEAKER_01 (34:13):
Yeah, I think that from your perspective, and certainly from the perspective
of compliance officers, they're similar to what we see from a
cybersecurity perspective.
I can go in and talk about cyber risks to people, but in some
sense, it's not meaningful to them unless I translate what
that means from a business

(34:34):
perspective.
What are you going to do and how much is it going to cost you if
you lose access to your electronic health record?
What would that mean for you and your business?
And when they start to think through the implications of all
that, then it becomes very real.
I think similar to, I can say, well, you need to do this for
HIPAA.
And they're like, eh.

(34:55):
But if I start to lay that out of what that picture looks like
and continue to draw that, now you've had the breach, now
you're reporting, now you're not in compliance, now you have, you
know, potential fines and penalties and potential CAP and
really paint that picture for folks.
And it's not, you know, not to necessarily use fear,

(35:16):
uncertainty, and doubt to motivate, but it's fair to translate
it into terms that they understand from a business
perspective.
And they're business people.
So I think it's helpful to them to do that.
And we certainly encourage our consultants to do more of that
and are trying to work with their clients to help them

(35:36):
understand in the terms that they understand.
I think we're running short of time, Christine.
Otherwise, I would sit and probably talk to you about this
kind of stuff.
I think just the implications of some of the reporting and data
analysis would be a whole conversation of days in and of
itself.
But I think we're going to need to wrap up our conversation

(35:56):
around data preparedness and response.
Thank you for everything, your insight and your experience in
this area.
Any final thoughts that you want to share?

SPEAKER_03 (36:09):
I guess I always tell my clients, don't make perfect
the enemy of good.
So if you're feeling worried about your IT security posture
or your breach response posture, if you can move the needle in
your organization to get from a D to a B, that is a win.
So I think just trying to make sure that folks are trying to

(36:29):
move the ball forward to improve continuously is really the name
of the game.
No one is perfect.
There's no A-plus cybersecurity program that's going to deal
with every single issue, but I do think trying to move the ball
forward on a continuous basis is really important.

SPEAKER_01 (36:45):
I think that's really good advice.
Just want to say thanks to our audience as well for listening.
We hope you found this episode helpful in advancing your
thinking around steps to take should an incident occur.
And we hope that you have a great rest of your day.

SPEAKER_03 (37:00):
Thank you.

SPEAKER_00 (37:06):
If you enjoyed this episode, be sure to subscribe to
AHLA's Speaking of Health Law wherever you get your podcasts.
For more information about AHLA and the educational resources
available to the health law community, visit
americanhealthlaw.org.
And stay updated on breaking healthcare industry news from
the major media outlets with AHLA's Health Law Daily Podcast,

(37:27):
exclusively for AHLA Premium members.
To subscribe and add this private podcast feed to your
podcast app, go to AmericanHealthLaw.org slash
Daily Podcast.