
February 28, 2025 21 mins

Based on AHLA's annual Health Law Connections article, this special series brings together thought leaders from across the health law field to discuss the top ten issues of 2025. In the sixth episode, Elizabeth Trende, Chief Legal Officer & General Counsel, United Network for Organ Sharing, speaks with Michelle Garvey Brennfleck, Shareholder, Buchanan Ingersoll & Rooney, about the current cyber threat environment for the health care industry and what health care entities can do to better protect themselves from cyberattacks. They discuss the proposed Health Infrastructure Security and Accountability Act, the importance of cyber risk assessments, and how the new administration may impact policies on protected health information. From AHLA’s Academic Medical Centers and Teaching Hospitals Practice Group.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 2 (00:04):
AHLA is pleased to present this special series highlighting the top 10 health law issues of 2025, where we bring together thought leaders from across the health law field to discuss the major trends and developments of the year. To stay updated on all the major health law news, subscribe to AHLA's new Health Law Daily podcast, available exclusively for premium members at americanhealthlaw.org

(00:27):
/dailypodcast.

Speaker 3 (00:35):
Good morning. This is the AHLA Speaking of Health Law podcast. My name is Emmy Trende, and I am the Chief Legal Officer and General Counsel of the United Network for Organ Sharing. Today I have the pleasure of speaking with Michelle Brennfleck, who is chair of our AHLA Academic Medical Centers and Teaching Hospitals Practice Group, where I'm also part of the leadership group. And Michelle recently

(00:59):
authored the article, Cybersecurity Developments in 2025. So, Michelle, when you're not volunteering for AHLA, tell us a little bit about your practice at Buchanan Ingersoll.

Speaker 4 (01:11):
Well, thanks, Emmy, so much for having me this morning. It's great to be with you. My practice is broad ranging. I advise clients including academic medical centers, teaching hospitals, health systems, and physician practices on a variety of issues ranging from strategic transactions to thorny regulatory fraud and abuse matters.

(01:33):
And I also have a subset expertise in data privacy and cybersecurity, which is why I'm here speaking with you today. So thanks again for having me.

Speaker 3 (01:43):
Wonderful. Well, thank you so much for taking the time and talking with us this morning. I wanted to start with a question. Today, in the information economy and the cyber world being what it is, information and data are everywhere. Why do you think that the healthcare industry in particular remains such a high target for threat actors?

Speaker 4 (02:07):
Thanks, Emmy. It really does. I think we continue to hear in our day-to-day practice how healthcare is a key target of threat actors and cyber criminals. I think it really is for three reasons. One is the sensitive data at issue. Two is the potential for operational

(02:27):
disruption of healthcare providers and other stakeholders. And then three is the significant harm that can be posed to individuals when their information is at risk. So if we think about that first item, the sensitive data at play, healthcare is powered by data. We saw

(02:47):
in the Change Healthcare attack that occurred in early 2024 that an estimated 190 million individuals were impacted. That number is actually up from a prior estimate of 100 million. And that 190 million is two and a half times the number of

(03:08):
people that were impacted by the second largest data breach. So that's a lot of data, and that's one incident. So we of course have the sensitive health information, in the form of medical records, at play. But then more attractive to threat actors are the social security numbers,

(03:29):
the financial information that may be housed within those records. And threat actors know that. They know that that information may be sellable on the black market. They also know that providers, insurers, clearinghouses and others may be more inclined to pay ransomware in order to get

(03:50):
that data back as best they can, or at least to get operations back up and running. So, again, that data is the driver, and healthcare is just a huge source, a goldmine of that type of information. We also then see that there is a

(04:10):
potential for operational disruption and impact. So of course, if a health system has their electronic medical record system breached, that can cause the system to delay or pause, suspend, or need to reschedule procedures, which of course can put

(04:30):
patients at risk and can cause providers to be less productive. And again, threat actors know that and seek to capitalize upon that disruption, again, in an effort to, for example, have their ransomware paid. With the Change Healthcare breach,

(04:50):
again, turning back to that, we saw that for weeks there was delay in revenue cycle management and claims processing, and we're still yet to see the ripple effects of that today. That matter is still under investigation, but more importantly, we're still continuing to see that there is litigation and an

(05:12):
attempt to recover, again, from those whose claims payment was significantly disrupted. And then third, we see that there is significant risk on an individual level. First and foremost from a patient care perspective, potentially, again, if there is a disruption in the ability of a healthcare provider to provide care or to

(05:36):
be paid for the care, but also you and I and everyone who receives healthcare, we have so much of our data that is out in the universe. And again, threat actors can seek to access that information and use it for their own gain. So there's risk of identity theft, and, again, credit

(06:00):
monitoring and other methods of mitigating risks are essential and important to safeguard that information. But once it's lost and is in the hands of a bad actor, it in many ways is not possible to get it back. So again, I think that healthcare is just a treasure trove of information for cyber

(06:24):
criminals and threat actors, and organizations really need to be mindful of how best to protect it.

Speaker 3 (06:32):
Excellent. Well, with that in mind, the healthcare space is constantly innovating. And the only innovators that are keeping pace with that, I would say, are the threat actors who are trying to come up with new ways all the time. They're learning from each of these cyber attacks and improving and getting ready for the next wave of trying to

(06:54):
attack our vulnerabilities that we won't anticipate. And with all that in mind, it paints a really intimidating picture. The numbers that you just talked about are really heart-stopping. What can we do, and what can providers, and what can the attorneys who are advising them right now, do to try to anticipate that next level of threat?

Speaker 4 (07:17):
That's a great question, and it's a really challenging one. I think first and foremost, my recommendation is for organizations to try to get a handle on what data it is that they house. And that's a very easy recommendation to state, and it's much more difficult for organizations to implement.

(07:38):
So we frequently work with organizations that are engaging in data mapping exercises to see what data is coming into their systems, what is that data doing as it's flowing through their various systems, and then how is it leaving their systems? So I think that that data mapping exercise is key because

(08:00):
organizations can't adequately protect data that they may not know they have. So that's, first and foremost, a recommendation. Second, we often work with organizations that are developing policies and procedures around data management and risk assessment.

(08:20):
And it's crucial that those policies and procedures be living and breathing documents that are not stuck up on a shelf or, in this electronic age, sitting in a database. So organizations need to not only have those policies and procedures, but know how to implement them. So training and education is key with respect

(08:44):
to making those policies and procedures really live and breathe. Organizations also can benefit from security risk assessments. Certainly that is, again, one of those easier-said-than-done undertakings. We often see

(09:05):
success in organizations that have penetration testing or stress testing done. So they may hire an outside consultant that sort of puts on the hat of the threat actor or the cyber criminal and tries to access the systems of the organization, and to identify vulnerabilities within

(09:27):
that system. So, in my mind, what better safeguard against the threat actor, a cyber criminal, than having someone with IT expertise try to act in that role and penetrate the system and then identify vulnerabilities. We also see that trainings in the form of tabletop exercises are crucial. So those involve

(09:51):
organizations taking a hypothetical data security incident or a breach and running through what to do in the event that that occurs within their organization. So that may involve folks from the administrative, legal, IT and security teams, as well as communications, that can work

(10:13):
together to go through a mock exercise and sort of learn from what went well, what did not go well. And I've seen a huge difference in organizations that have worked through an incident response plan and performed a tabletop exercise versus those that have not, and perhaps when an event occurs are not as coordinated as they

(10:37):
might be in real time.

Speaker 3 (10:40):
You know, we just went through a tabletop in my organization at UNOS, and it was absolutely an invaluable experience. It's one thing to have the plan on paper, right? But to have everyone really testing it in an environment of live dialogue, where you have everyone active and present and committed to issue spotting up front, I can

(11:02):
see how it's just such a tremendous asset for anyone. So fully agree with you on those pieces of advice.

Speaker 4 (11:09):
And I would just also chime in to say, often in the heat of the moment, so you'll have the incident response that's sort of the heat of the moment, what to do perhaps to operationalize, get back up and running after an incident or a breach, but then the dust does settle. And we frequently encourage organizations in that

(11:31):
period where perhaps the immediate threat has been resolved, perhaps law enforcement has been contacted and is assisting in an investigation or is running an investigation of its own. There's often a period of time, again, when the dust has settled and an organization is looking to assess what happened here, what individuals were impacted, what

(11:54):
data do we have at issue? Looking through, perhaps with a forensic firm, what happened here? What's going on? And I often encourage organizations really to try to pause during that investigation that follows the immediate incident and to determine, has there actually been a breach? And we

(12:18):
have this conversation with organizations time and time again where there's been this bad event and everyone assumes that that event is a breach, that is a HIPAA-defined breach that will lead to individual notifications. And I do encourage working with counsel, working with the

(12:39):
IT folks, to really get at what happened here, what's going on, because there may be a low probability of compromise to the information at issue. And HIPAA doesn't allow many graces, but it does have the low probability of compromise get-out-of-Dodge in the event that there's been an

(12:59):
incident that doesn't rise to the level of a breach. So I really encourage organizations to take a beat and work with counsel to go through that analysis, because it may end up safeguarding them from making notifications to individuals and then dealing with the fallout of those notifications, often in the form of class action

(13:22):
lawsuits, and even just the bad press that may come from notifications to many individuals.

Speaker 3 (13:32):
Absolutely. Those are well-known side effects, unfortunately, and I fully agree with consulting with counsel to see how extensive your response has to be in the event that you do experience one of these attacks. I wanted to circle back a minute. You touched for a moment on the Change Healthcare ransomware attack.

(13:52):
And in response to that, the Health Infrastructure Security and Accountability Act, or HISAA, was introduced as proposed legislation to increase the government oversight and cybersecurity over covered entities and business associates, those categories that are subject to HIPAA. Now, looking at that legislation, it emphasizes the

(14:13):
importance of an annual cyber risk assessment, and to a lot of folks who are impacted, that might be a new term. Can you just give an overview of what a cyber risk assessment is and what would a typical cyber risk assessment look like?

Speaker 4 (14:31):
Of course. So HISAA is sort of a modernization of HIPAA, and it is still in its proposed form. And I would caution all the folks who may be listening to keep an eye on it, because we'll see what appetite legislators and the regulatory agencies have to

(14:52):
move ahead with HISAA under this new administration, given that there may be priorities in different areas. But again, HISAA would seek to modernize HIPAA and to formalize much of what we've talked about already. So we've talked about these security risk assessments, looking at

(15:13):
stress testing and penetration testing and identifying where an organization may have vulnerabilities. HISAA would essentially formalize those processes. So these annual cyber audits would be, again, sort of a formalization of what we already are seeing in this space as best practices, with now, under HISAA, potentially I

(15:36):
should say, regulatory oversight, with the support of the government, and ultimately with an eye not only to protect individual information, but also national security. And I would anticipate that that would continue to be a focus under this administration, given our relations with other countries

(15:58):
and threats that may be coming from abroad. So again, what we would see under HISAA if it moves forward is essentially a formalization and additional regulatory oversight over what many organizations are already doing from a best practice perspective. But I say

(16:18):
that and acknowledge that there are many organizations that are under-resourced, that may not have the capital required to really get behind a security campaign and to engage in the significant upgrade to what they may have in

(16:38):
the way of security safeguards. So with that, HISAA as proposed did account for funding opportunities for rural organizations and others that may not have the deep pockets that would be required to move into compliance with HISAA. And again, we'll see

(17:01):
where those funding sources may be under the new administration if HISAA does move forward.

Speaker 3 (17:06):
Great. Very good advice, and thank you for that overview. You also mentioned the recent administration change causing a few ripples and some anticipatory anxiety, probably. Now that President Trump has taken office, have you seen any recent developments in reproductive healthcare or

(17:28):
protection of protected health information, PHI, or do you have any predictions of what might be coming down the pike in those areas?

Speaker 4 (17:37):
That's a great question, and sort of a real-time answer is that we're continuing to work with our clients on how to best approach these issues. So you may be aware that in the summer of 2024, really in response to the Dobbs decision, which overturned Roe v. Wade,

(17:59):
there was an update to HIPAA, to the Privacy Rule, that would seek to protect reproductive health information and essentially to prohibit the use or the disclosure of HIPAA protected health information, or PHI, in furtherance of an investigation dealing with a reproductive health issue and

(18:19):
an individual accessing reproductive healthcare, provision of reproductive healthcare, or payment for reproductive healthcare. And again, it was sort of HIPAA's angle at protecting that information in those settings. So the final rule did go into effect, and we have been counseling organizations on compliance

(18:42):
with the final rule, particularly from a policies and procedures perspective. One aspect of the final rule that does not become effective until February 2026 at this point is a required update to organizations' notices of privacy practices, where they would be required to include information about the use and disclosure of

(19:05):
reproductive health information. So what we've done in that setting, again, because that portion of the final rule doesn't become effective until February of 2026, and may under this new administration undergo change, we've worked with organizations to put that updated language in their NPPs, but also to include some language that would allow

(19:29):
it to be stricken without impacting other components of the NPP in the event that there is a change in the guidance in connection with the new administration. So we've sort of been working with clients to approach these changes in a reasonable way, to sort of get ahead of

(19:53):
them, but also to acknowledge that the new administration and its priorities may shift the way that these NPPs in particular are structured.

Speaker 3 (20:05):
Great. So time for everyone to dust off those NPPs if you have not done so already. That's a great place to start. Well, thank you very much, Michelle, for taking the time this morning to give a great high-level sneak peek of the detailed article. If you'd like to follow up, please take the time and read Michelle's article, Cybersecurity Developments in

(20:27):
2025, where you can get a greater glimpse into sort of those top 10 hot-button issues. There were probably 10 more that occurred just since we've been recording this, but certainly a very attractive and interesting area to practice in right now. So Michelle, thank you for taking

(20:48):
the time with us, and everyone have a great day.

Speaker 4 (20:52):
Thanks so much, Emmy. Great to be with you this morning. Take care.

Speaker 2 (21:00):
Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law, wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.