March 25, 2025 33 mins

Security expectations for health tech vendors are rising significantly in the wake of last year’s Change Healthcare cyberattack. Hal Porter, Director of Consulting Services, Clearwater, speaks with Alexis Finkelberg Bortniker, Partner, Cooley LLP, about how the climate has changed for health tech vendors. They discuss changing contractual security requirements for vendors, key areas where potential vendors are being more vigorously evaluated, managing risk involving AI tools for vendor management, fundamentals of a strong Incident Response Plan, how vendors should respond to the changing regulatory environment, and security recommendations for technology companies and others selling products and services to health care providers. Sponsored by Clearwater


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 2 (00:04):
Support for AHLA comes from Clearwater. As the healthcare industry's largest pure-play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and compliance domains; purpose-built software that enables efficient identification and management of cybersecurity and compliance risks; and a tech-enabled 24/7/365 security operations center with managed threat detection and response capabilities. For more information, visit clearwatersecurity.com.

Speaker 3 (00:53):
My name is Hal Porter, and I'm the director of Clearwater's consulting team that helps digital health companies and other vendors serving the healthcare industry move their organization to a more secure, compliant and resilient state to meet industry requirements and customer expectations. Security expectations for healthcare vendors are rising significantly in the wake of last year's Change Healthcare cyberattack, with a greater emphasis on robust data protection measures, thorough vendor risk assessments, comprehensive incident response plans, and increased transparency regarding security practices, which is pushing healthcare organizations to prioritize vendors with strong cybersecurity posture and to actively monitor their security controls to mitigate potential risks across the healthcare ecosystem. For further perspective on how the climate has changed for vendors and how they're responding to these heightened security expectations, I'm pleased to be joined by Alexis Bortniker, a partner with the law firm Cooley, who represents digital health and health tech companies across the continuum in establishing compliant corporate structures. Alexis, welcome.

Speaker 4 (02:03):
Thanks very much, Hal. It's great to be here.

Speaker 3 (02:07):
Well, it's great to be speaking with you, and I'm excited to hear your perspective on this. So let's dive in. How have you seen contractual security requirements changing for vendors in the wake of the Change Healthcare attack?

Speaker 4 (02:21):
I think the bottom line is that we've seen an increase in contractual requirements. We're seeing an increased use of security response diligence that has to be done before you even enter the contracting process. We're seeing increased contractual security requirements, increased requirements for external certification, whether it's HITRUST or SOC 2, and if somebody doesn't have it, then a clear pathway or process to achieving one of the two certification methods. And I have to say, we're seeing the most come out of larger organizations, right? Health plans, large health systems are really taking security very seriously. We're also seeing an increased number of vendors that people are using for any number of things. And so I think it really varies across the spectrum as to who the client is. But again, as we mentioned, we're seeing actual technical specifications for what they want to see in security, which is not something that we used to see before. We're seeing requirements for annual independent audits done by third parties, disaster recovery testing, specifications for how quickly you need to be, or the goal of getting, up and running: would your plan allow for a 48-hour recovery time at the most? We're seeing significantly increased scrutiny on where data is stored and who is touching the data and whether or not data is going offshore, and requirements for things like onsite review of facilities. Even though so much of this is on the cloud, to the extent there is a facility, people want to be able to come onsite and see what things look like. And so it is now a clear and important part of the contract, whereas before it was maybe a rep to compliance with HIPAA or to having industry-standard security specifications. So it's definitely something that people are paying more attention to.

Speaker 3 (04:35):
Absolutely. And we're seeing that too. You mentioned increased security assessments; not only the volume, but we're also starting to see many, many more questions than what we used to see. The average was anywhere from 30 to 50, and now we're seeing well over a hundred in some cases.

Speaker 4 (04:51):
Right. And every organization seems to have their own; we're not seeing any sort of standardization. A lot of that comes from where people have been bitten in the past, where they've had technical failings, and so being able to enter into some of these contracts when you're on the digital health company side just means a lot more time and effort into making your client comfortable with your processes and, frankly, having to be more transparent about your processes.

Speaker 3 (05:24):
Absolutely. And this stricter vendor vetting environment seems to be becoming the norm for many healthcare providers. So what are some of the key areas that you've seen in hospitals and physician groups who are conducting more rigorous evaluations of potential vendors?

Speaker 4 (05:41):
Yeah, I think there's a few places that this has come up. I said this already: I think we're seeing a lot more concerted effort over the larger players, which makes sense because they have more to lose. Large health plans in particular, as they interact with vendors, have very strict, very robust security and privacy departments and build-outs, and want you to be able to meet their requirements. Same with large hospital systems. I think we've seen that provider groups are still not necessarily asking of their vendors what they should be. So, things that we're seeing: I noted earlier, we're seeing security testing and more stringent security obligations. We're also seeing the requirement that people use third-party audits and then deliver the response; they have to give, on an annual basis, either a certification that they've passed an audit or provide the responses to those audits to vendors so they can see where the weak points are. Offshore is really big for a lot of folks. I think there's just this concern that data will go offshore and then we can't touch it. In addition, there's Medicare and Medicaid requirements that require that, but where is the data going? Who's accessing it? We're seeing an increased requirement to further vet subcontractors. So more and more we're seeing people require either approval of subcontractors or, the other way around, a flat-out "you can't use subcontractors" rather than consent. We're seeing people have to provide lists of subcontractors. We're seeing people have to provide copies of their downstream agreements so that folks can see that there's flow-down, right, to the ultimate subcontractor. And I actually think that this is a big pain point for a lot of our digital health companies, which is that, especially for some of the smaller players, as they got started and had to rely on subcontractors, whether it's Amazon Web Services for hosting or any other subcontractors that you use along the way, they were not necessarily paying as much attention to what those contracts look like, and then being in a position where your upstream customers are saying, well, we want to see everything. And so that is something that we're seeing more time and attention put into and just having more discussions around. There's also been debates or arguments in contracts over what is a subcontractor and what is just a vendor, and things like that, just because the obligations for disclosure are getting really broad. And then the other thing, at the other end: so that's what we tend to see out of larger organizations. What we're seeing out of smaller organizations, which is not necessarily a good thing, is people just think that a negotiated business associate agreement is good enough. So if we have a business associate agreement in place and it says everybody will comply with HIPAA, that should be enough. And it really isn't, right? A business associate agreement is an agreement that we put in place because we're required by law. It does have some technical specifications for what you do, like in the event of a breach. It talks about data use, but BAAs don't have to include, nor do they include, security standards. And oftentimes, frankly, people think that they're protected because they have a BAA in place. But just because there is a HIPAA breach doesn't mean you have a breach of your BAA. So it also doesn't necessarily mean that you have the right to indemnification or even termination of a contract if there is a HIPAA breach just because you have a BAA. So you need to have good reps and warranties. You need to have something to enforce. We're starting to see folks that are being a little more explicit on what sort of remedies are going to be covered by a contractor, whether it's an explicit statement saying that you'll have to pay for the notices and you'll have to pay for credit monitoring and you'll have to pay any fines that come out of the government. Things like that, that are just a lot more explicit in what needs to be covered. But generally people think because they have a BAA in place, they're covered. And fundamentally we don't think that's good enough; a BAA is not actually diligence on your vendors. So we're seeing that dichotomy, which is the larger players are being very deliberate and some of the smaller players just assume that a BAA is good enough. I'm curious if you've seen the same thing or if you're seeing it come out a little bit differently.

Speaker 3 (10:33):
We have. And one of the things I wanted to ask is, with the smaller organizations, a lot of times what will happen is the vendors that they're going to, or potential partners or key stakeholders that they're looking to do business with, will already have a BAA that's predefined, and they really have very little negotiation capability in making any changes. But that being said, I think that's where you bring up a good point, where that's not good enough. So what can they do to supplement that? Well, that could be a security question that goes back to that particular partner. Are there any other, maybe strategic, focuses that they could have? Okay, the BAA's not good enough; what can I do to help supplement that and ensure that we're protecting ourselves as well?

Speaker 4 (11:22):
Yeah, I think to that end, acting a little bit more like some of the larger players is right. Do you have a diligence list? Do you have a series of questions that you're asking when you're talking to a potential vendor to make sure that their security measures are up to par? So a little bit more diligence on the front end is always helpful. Audit rights, for example: these are things that you can give yourself in an MSA that most people don't necessarily balk at, because it's hard for a vendor to look you in the eye and tell you, no, we're not going to let you audit our systems, if they're telling you that they're compliant. So some of those things are harder to push back on. Reliance on certification, so asking for HITRUST or SOC 2. We're seeing a lot of people right now rely on HIPAA certifications, and that may or may not mean anything, because there is not a HIPAA certification. So it can be helpful that somebody's gone in and said you're compliant with HIPAA, but again, at least in the current version, HIPAA doesn't necessarily explicitly state exactly what you need to do from a security perspective. So some of the other certifications are actually better for that. So I think it comes down to vendor vetting. And it comes down to, there's also a little bit of a risk analysis, right? What data will they have? How will they use it? So the reliance on the data use piece is the other piece where you have some leverage, which is to say, okay, fine, we all agree to the business associate agreement, but how are you actually going to use my data, and who's going to access it? Things like that, that will often be done separately, is also another key point, because again, a BAA will say you can use it to the extent that you're allowed to by law, and it might talk about whether you can de-identify or aggregate, but going one step further to have a little bit more meat on what data is going to be accessed and how it's going to be used can be really important as well.

Speaker 3 (13:22):
Absolutely. And managing that risk across the extended supply chain: many organizations now are looking to take advantage of artificial intelligence, or AI, to improve the process of managing these relationships and that oversight. What are some key considerations that organizations should focus on when considering AI tools or models?

Speaker 4 (13:45):
You can't have a conversation in digital health or health tech, or really probably any space today, without talking about AI. I've been very lucky that I not only represent a number of companies who have products that work with and around AI, but also have the pleasure of sitting on a group of CTOs and CIOs for local hospitals in the Northeast, and so hearing how they've approached AI. But I think AI, like we've said before, is something that people just need to have on their radar and need to be aware of. And I think there's some key basic questions that everybody talks about when they talk about AI. I think it's important to understand what AI is actually being used, right? Are we talking machine learning? Are we talking large language models? Because everybody has defined AI differently. And so understanding what tech is being used is really important as you vet your vendors. In the HIPAA context, understanding how your PHI will be used by a vendor: will it be going into their models to train their models? Will they be using PHI to do that? Will they be using de-identified data to do that? Will the training just be for your own use case, or will it be broader for their platform? Just generally understanding, again, what platform they're built on, right? Is it a model that was built internally that's proprietary to the company? Are they working off of, you know, OpenAI? Just understanding again, and these are the same questions we've had all over again, right? So who is the company? What are they doing? Who are their subcontractors? I think that's really important. In addition to all the other things that we talk about when we talk about AI, which is data bias: are they addressing things like bias and how they train their models, what their models are getting at? All these questions are really important to us. Things like, do I have the right to put in certain data? I had this discussion recently, which is, if a clinician is going onto a model and saying, I have a patient with X symptoms, what are some possible outcomes, is that giving it PHI, or have I given them little enough information that that's not PHI? Is your clinical team, or are your users, giving data that you shouldn't be giving as an organization? And so I think what AI has also brought up is a little bit of corporate compliance and the importance of some centralized functions, and making sure that we know where it's being implemented across the platform, who's using it, how it's being used. And I think that becomes really important as we're starting to see state laws related to use of AI. So if you're a telehealth company and your vendors are using AI, the classic example is I had a client who was going to use AI to do a customer satisfaction, patient satisfaction, post-service chat to meet some of their quality requirements. And certain states have requirements about making sure that your people who are interacting with AI chatbots know that they're interacting with AI. And so as the healthcare provider who's launching that, that becomes their obligation, not just the vendor's. And so if an organization doesn't know what technology is being used in the services they're buying, it becomes harder for them to comply with laws also. So it's important. And so what we're seeing to that end is people, or at least people trying to see, is also a lot of times the AI is not there yet, right? We hope that we'll be able to integrate AI later, or how we will integrate AI changes. And so we're seeing people starting to require, or at least ask for, notice of the use of AI, so that, again, as the customer, the purchaser of technology, I know what's being used and where it's being used so that I can meet my own requirements. But also, something that somebody mentioned on a call recently was that some of their vendors are integrating AI without letting anybody know. They're testing it live, and then it becomes something that you get used to using. And then a year later they say, oh, now that you're using the AI-supported function, we're going to have to charge you double, and you didn't even know that you were there. And so what are you paying for? Which is a business issue; it's not necessarily a legal issue. But these are all things that we need to be thinking about. And so what we're seeing, again, is more centralized decision making around how AI is being used within organizations. And folks who are doing this in a thoughtful manner are, again, asking more questions upfront about the companies that they're working with, because there's a lot more technology out there, there's a lot more opportunity out there. And understanding, again, and this all flows back to what data they're using, how are they using your data; it's just important to be able to track and manage.

Speaker 3 (19:08):
Absolutely. And curious

Speaker 4 (19:09):
If you've seen anything different on that end.

Speaker 3 (19:13):
Absolutely. And you mentioned thoughtful organizations moving forward with it. In that regard, we're seeing formal AI governance being established, with questions within them around what AI technologies are you utilizing, what tools, what models; very specific questions around, are there model cards or model diagrams that outline the capabilities that it has and that you're utilizing in your platform, if you're using something that is open source or through a different vendor. So absolutely, we're seeing that as well.

Speaker 4 (19:45):
And I guess one thing I should have added is we're also seeing it on the other end. I'm here at Cooley; Cooley does a lot of transactional work, and we're seeing it come up in diligence and we're seeing it come up as reps and warranties in deals, because purchasers and investors want to know what their risk is, if there's risk, and how it's being used and whether it has been thoughtfully managed. And so a lot of this comes up to where the next round of funding is, and if investors are asking questions, you have to be more mindful of how you manage it.

Speaker 3 (20:14):
Most definitely. All right, changing gears a little bit here. One issue of particular concern that came out of the Change Healthcare incident was concern around incident response planning. So what are some of the fundamentals of a strong incident response plan?

Speaker 4 (20:35):
Incident response plans tend to be very technical. And as a lawyer, we tend to advise folks that it's really important that they have one, right? That it be reviewed periodically so that it makes sense within the organization, that it can be used properly. But one of the things that we find on our end as counsel is that there is a huge divide between good incident response plans and actual implementation or execution. And it has a lot to do with, a lot of people are putting a lot of time and effort into developing these response plans, which can be done really well, but then not necessarily training their teams on what it means or how to use it or how to access it, or who the right person is and the right time to initiate it. And so to us, again, from the legal perspective, in addition to what the elements are, it's just making sure your team is properly trained and up to speed on who's responsible and what would trigger the need for incident response. Because great policies don't mean anything if employees don't know how to access them or use them. And we're seeing that, I mentioned to you, we're seeing that come up in things happening like an issue was identified, but the call center didn't flag it, or identified it as a technical issue, that an app wasn't working, as opposed to a possible security breach or possible misuse of data. And so it never made its way to the privacy team, and this wonderful incident response plan that they have couldn't be activated. And now you have delays in notifying customers, you have delays in potentially notifying the harmed individuals, and all of this can really impact the organization. And so many people rely on training through modules that you click through, and really we need to see a little more of that. But I guess I would put it back to you, because you do a lot more of this on the ground, working with people to develop IR plans. So what are you seeing is important, and again, how are you helping to manage that divide between a great plan and how people use it?

Speaker 3 (22:43):
Absolutely. So we're absolutely seeing that as well, where they may have a very good incident response plan, but yet they don't do any tabletop exercises or they don't communicate it out and have training on it with their staff and their employees. So we work with our clients to help develop and test robust incident response plans, but also conduct incident response tabletop exercises in order to validate and test these plans and to ensure that they're communicated out and that the staff are trained on it. And this is all part of an overall business resiliency program that we work with our clients on. So you're absolutely correct: in the event of an incident, if a team isn't properly trained on what to do, how to do it, and with whom to do it, the organization and its critical business processes can definitely sustain financial or reputational damage in addition to any damage that might be caused by the incident itself.

Speaker 4 (23:40):
Yeah, no, that makes a lot of sense.

Speaker 3 (23:43):
So with OCR's proposed updates to the HIPAA Security Rule, and new legislation that's been introduced over the past six months, regulators seem to be applying greater focus towards vendors as well. So how should healthcare vendors be responding to the changing regulatory environment?

Speaker 4 (24:01):
Yeah, look, historically, OCR, who's always
been notoriously understaffed ,uh, has really focused on
covered entities, right? Theentities themselves. Um,
there's been a few moves overtime. For example, you know, it
used to be that a coveredentity was responsible for
ensuring that everybody had theaas, suddenly business
associates became responsibleon their own. Um, I, I do

(24:22):
think, especially given changehealthcare last year, that
there is an inevitable shiftthat business associates have
as much sort of obligation orresponsibility here as they're
covered at any partners and,and not just from a contractual
basis, but under the law. Um,and so I do, I I do expect that
we'll see , um, more , uh,direct oversight of vendors and

(24:44):
not just of covered entities. Ialso think that covered
entities, just given the thestate of the state are more
likely to sort of report ontheir vendors when they find
issues to OCR. Again, not, notone because they're vulnerable
to their vendors, especially'cause of the ven you know, how
reliant like change healthcare,for example, right? Like how
reliant everybody is on thesevendors. And so there's a

(25:06):
little bit of, of protectingthemselves and of trying to
police the industry in thehopes of, you know, keeping
data , uh, secure. Um, so I dothink that we're gonna see more
of it. I think , um, the , uh,you know , I do think OCR is
still short staff and, andthere's a lot going on. And so

(25:27):
I , you know, whether ithappens this year or in three
years, I think it's inevitablethat it's coming. Um, and then
I do think that, you know, the, what the, the new proposed
rule did, frankly, it is sortof a lot of what we started
talking about at the beginning,which is Pippa had
recommendations, they had sortof addressable issues. Uh, the
proposed rule would really takemore of the security

(25:49):
requirements and make themrequired the requirements, not
just something you could dealwith. Um, and really, frankly,
it's just a lot more technicalin what you'd expect to see, so
that if there's a lot lessdiscretion , um, that impacts
vendors because vendors now aregonna have to comply with,
right, these more specifiedwith these new specifications

(26:09):
and, and you know, it's a goodthing 'cause it means it'll be
a little more uniform. 'causeright now every customer could
have their own specspecifications , uh, and
hopefully a lot of this isstuff that people are already
doing, but not necessarily. Um,but it , it is clear, I guess
that just because of sort ofthe nature of the, of how the
new proposed rule, again isvery tip tech technical, that

(26:31):
there will be a lot of impacton vendors because vendors are
the ones who are sort ofexecuting and managing these
things. Um, so a again, Ithink, you know, I I I think if
it is inevitable that therewill be more of a focus on
vendors and, and, and, youknow, continued focus on CEEs,
but more of a focus on vendorsand, you know, the proposed

(26:51):
rule, I said did a lot ofthings in , in just putting in
place more will would ifpassed. And then , you know,
comments closed I think lastweek. So we, we had to see
where it's gonna go. Um, but,you know, stricter change, man
, uh, protocols , um, more riskmanagement, pla prac , uh,
planning, you know, betteractual security policies,

(27:14):
, um, and again, and,and new specifications , uh,
actual security specificationsthat would create some
uniformity. Um, and justthere'd be more to, to, to
answer to because there's lesssort of flexibility in how you
can implement the rule. Um ,you know, I think to note it
isn't a , uh, it isn't newlegislation, but if you look at

(27:36):
the, the audits that we havebeen seeing out of OCR, they
are all touching on and askingquestions about tracking
technologies. You know, it'ssort of a , here's 15 questions
we need you to answer 'causewe're doing an audit , um,
related to a breach. But whilebasically while we have you,
we're gonna ask you questions'cause we can , uh,
and, and they're all askingabout data tracking. And so I

(27:57):
think, you know, we , there'sbeen a lot of talk about
tracking technologies. We'veseen , um, guidance come out on
tracking technologies. I thinkit's still at the forefront is
something that people areconcerned or that the OCR is
concerned about mm-hmm . Um , and so ,
uh, we'll see where it goes.
You know, we've heard somegrumblings, right ? It's funny,
I have, I have some partnerswho say that, that we're sort

(28:18):
of headed for a sort of a , abroad national data privacy
law. Um, I'm not sure that I'veseen any indication of that,
especially not under thisadministration. But, you know,
I think to a certain extent, alittle bit of wishful thinking.
'cause we are still in such a,a sort of a, you know, is
slightly piecemeal , uh,regulatory , uh, environment.
And, and a lot of the statestook up things like AI last

(28:41):
year, and we think they'll continue to do that. And so, you know, for now, compliance is just continuing to get harder. Um, but hopefully it will help in terms of keeping privacy secure. Data secure, not privacy secure. Sorry. Okay.

Speaker 3 (28:56):
Yep. Well, we've covered several different topics. Um, what summary recommendations do you have for technology companies and others that are selling products and services to healthcare providers on how to ensure that the security concerns don't derail their growth plans? Yeah.

Speaker 4 (29:13):
Um, start early and start deep, I think. Um, plan for the future state now. Uh, so we talk to a lot of folks who, for example, they're like, oh, initially we won't have to be HIPAA compliant, but we expect that one day we will be. And if you're heading that direction, just do it. And again, it starts from the building blocks, right? Like

(29:33):
your vendors, your subcontractors, like all the things that are harder to change as you get up and running. And so I think there is a little bit of building a compliance infrastructure, or a plan for compliance in the space, uh, early. Whether it's, you know, some of these things are expensive, HITRUST, SOC 2, and so figuring out like how

(29:53):
you're gonna get there, um, the sooner the better. Um, and then building a culture of compliance. I think to the extent that you're developing products upfront as a partner with your customers in compliance, I think it's helpful. Um, you know, one of the things that we haven't talked about yet is cyber, uh,

(30:14):
insurance. So, you know, having a plan for that. That can get really expensive, and I think it will only continue to be more expensive. And so understanding the state of the market and what you need now and what you'll need as you grow, um, but fundamentally, you know, you need to be smart in this space and you need to be able to answer questions. So deliberately building your security infrastructure, I think, is really important. I'm curious what your

(30:37):
advice would be.

Speaker 3 (30:38):
No, I completely agree, and you're absolutely right. You know, with cyber liability insurance, we've seen such drastic changes over the last, you know, even just the last couple of years, um, with regard to how the insurance industry itself approaches it. And, you know, it used to be that you would, you know, go in and apply for a policy. It would be reviewed

(31:01):
by, you know, someone, one person maybe, uh, you know, an agent, and then, you know, you would either be approved or not. And now we're seeing there are teams of security experts that are reviewing your responses. Um, and, you know, the vetting process has gone from one questionnaire to, you know, multiple-stage questionnaires. So it

(31:22):
, it's really changing quite a bit. Um, so yeah, absolutely. We're definitely seeing, uh, some very distinct changes in that environment as well. And it's definitely on the provider, uh, who is seeking to get that insurance, to understand, you know, what their first-party and third-party requirements are and what meets their business needs, and then

(31:44):
working with the provider to ensure that they're going to be covered in any situation that they need.

Speaker 4 (31:50):
Yeah, and I guess the last thing that I would add to that is just having good partners in this, whether it's a Clearwater or a Cooley, right? Your lawyers can help tell you when to start thinking about things, what the risk is, uh, and a good team that understands the space to help you build it out, uh, is also really important. Um, and, you know, it's always better to bring us in earlier

(32:11):
than later because, you know, the early expense saves so much later headache, uh, that ends up being a lot more sort of expensive and difficult to deal with, and can impact like product development and actual sort of use of your tools and your technology. So

Speaker 3 (32:27):
Yep. Completely agree. So definitely on the same page there.

Speaker 4 (32:32):
Yeah, it's like, uh, it's self-serving, but I swear it's not, it really makes a difference.

Speaker 3 (32:37):
Indeed. Indeed. Well, Alexis, um, those were, uh, really the topics, uh, for discussion today. Uh, I really appreciate your time and your, uh, vision here and, uh, the comments that you've had and the great information you provided. Um, are there any other questions or thoughts that you'd like to leave us with?

Speaker 4 (32:57):
No, I really appreciate your time and thank you for having me. I enjoyed the conversation, and as I said, it's always good to know sort of what's happening from a very practical implementation standpoint. Um, you know, as the lawyers, we see one side, um, and getting to talk to somebody who's sort of helping folks as they build is always super helpful. So thank you.

Speaker 2 (33:21):
Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law, wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.