AHLA's Speaking of Health Law

Health Care Data Breach Preparedness and Response Best Practices

American Health Law Association

Data breaches in the health care sector can carry immense legal, financial, and reputational consequences. Jon Moore, Chief Risk Officer and Head of Consulting Services, Clearwater, speaks with Christine Moundas, Partner, Ropes & Gray LLP, about how health care organizations can mitigate risk through robust breach preparedness plans and ensure legally sound, compliant responses when incidents occur. They discuss how to operationalize breach readiness, key pitfalls to avoid during incident response, and the legal implications of internal decision-making. Sponsored by Clearwater.

Watch this episode: https://www.youtube.com/watch?v=Lvo4EsiCK0Y

Learn more about Clearwater: https://clearwatersecurity.com/ 

Essential Legal Updates, Now in Audio

AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Premium members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.

Stay At the Forefront of Health Legal Education

Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/.

SPEAKER_00:

This episode of AHLA Speaking of Health Law is sponsored by Clearwater. For more information, visit clearwatersecurity.com.

SPEAKER_01:

Welcome to this episode of Speaking of Health Law. I'm Jon Moore, Chief Risk Officer and Head of Consulting Services at Clearwater. At Clearwater, we help healthcare organizations achieve their missions by enabling more secure, compliant, and resilient operating environments. Today's topic, healthcare data breach preparedness and response best practices, is especially critical for legal and compliance professionals navigating the high-stakes environment of healthcare privacy and security. Data breaches in the healthcare sector can carry immense legal, financial, and reputational consequences. From HIPAA enforcement to state data protection laws and class action litigation, the legal landscape is unforgiving. In this episode, we'll explore how healthcare organizations can mitigate risk through robust breach preparedness plans and ensure legally sound, compliant responses when incidents occur. Joining me for this episode is Christine Moundas, a partner in Ropes & Gray's Healthcare Practice Group. As part of her practice, Christine counsels clients on privacy, security, and breach matters and focuses on emerging issues in the digital health space. She and I will discuss how to operationalize breach readiness, key pitfalls to avoid during incident response, and the legal implications of internal decision-making. If you're responsible for privacy, risk, or legal oversight in a healthcare organization, this is a conversation for you. Christine, it's great to speak with you. Before we get started, would you like to tell us more about your practice?

SPEAKER_03:

Sure, happy to, Jon, and happy to be speaking with you today. My name is Christine Moundas. I'm a partner in Ropes & Gray's New York office. I sit in our healthcare practice, and I also participate in our data group, and I co-lead our digital health initiative. And really, I represent a wide array of healthcare providers, health systems, pharmaceutical manufacturers, device manufacturers, and digital health companies. So, I'm a partner in Ropes & Gray's New York office. And in terms of my practice, I focus on regulatory enforcement, litigation matters, all in the healthcare and data space. And in particular, data and incident response is a large part of my practice.

SPEAKER_01:

Perfect. So, I mean, as you're well aware, Christine, there are lots of parties potentially involved when there's a breach. So when a breach occurs, what's the optimal timeline for involving someone like yourself, outside counsel, and regulators, law enforcement, and some of those other third parties?

SPEAKER_03:

Sure. So matters really vary tremendously in terms of the level of severity, the issues that we're really most worried about, and the potential implications. So I really think it's important for folks to readily assess what's the level of severity or potential implications of a particular incident and then respond accordingly. I think it's always important to have legal counsel involved if it's an incident that's gonna be of any significance. When I say significance, probably impacting maybe either critical programs, infrastructure, relationships, or impacting the data of maybe, you know, 5,000 or more, something like that, that's really at the point where you should have legal counsel involved, because it's going to be a matter that's going to have a significant tail in terms of doing the first forensic analysis, figuring out what's going on, doing the legal analysis to figure out what notification obligations you have, and then potentially dealing with any follow-on investigations or litigation. In terms of when to get law enforcement involved, I do think that's really a matter of knowing if you're dealing with a bad actor that's particularly aggressive, if you're dealing with a unique sort of ransom circumstance where you think having law enforcement would be beneficial. There's other times in which you'd have to notify if you think they're engaged in some criminal conduct that would get law enforcement's attention or you need protection from them. I've also had incidents where law enforcement knows about the incident before my client does. And that's never a good place to be, but it has happened. It's been that the FBI walks into, you know, a client's doors and says, you're under attack, or, you know, the FBI approaches a company and says, we have information about your company that was stolen and has ended up on the dark web or something else and we're bringing this to your attention. So there's different ways in which law enforcement will get involved even before a client realizes. And in terms of regulators, obviously there's regulatory requirements about when regulators need to be notified. Here in New York, the New York State Department of Health is requiring much earlier notification for certain material security incidents that might impact hospitals and Article 28 facilities. There's also, for instance, in New York, the New York State Department of Financial Services that's interested in cyber attacks that might impact financial institutions or insurance companies. And they require notice a little earlier than other more traditional data breach regulators like the State Attorneys General or the HIPAA regulator, the US Department of Health and Human Services Office for Civil Rights.
The regulators usually want to have a good handle on your investigation, the scope of the impact, and what your obligations are before notifying. However, there are some laws that you should be aware of in advance where you might have to provide very early notice even before you have a full handle on the facts.

SPEAKER_01:

And I assume this is complicated even more when you have larger organizations that span multiple jurisdictions. And it seems like at the state level in particular, we're getting a lot more complexity in the reporting requirements. And I don't know whether you would agree with this. I mean, it seems there's a move towards shorter reporting time periods as well, both at the state and the federal level.

SPEAKER_03:

Yeah, there is. And it's a real tension because obviously you want to provide accurate reporting as well. And sometimes those two things are in tension because you could provide earlier notice, but you couldn't physically get better information at the time. So you really have to use some judgment when, you know, looking at those obligations and making sure that you have a good sense of what you can report when, and use judgment depending on what the nature of the investigation is and how much is involved.

SPEAKER_01:

You bring up a very good point in terms of having the information in order to be able to report. And that brings up another question. So what are the most common legal missteps organizations make when responding to a breach and how can that be prevented, do you think?

SPEAKER_03:

Yeah, so I think number one, the common misstep that I see most is that legal, compliance, privacy, and IT security are not talking to each other. So I think that is sort of the number one misstep, because if you have one team going off on their own and not in a coordinated manner, that's going to be not helpful regardless. Because if you have a legal or compliance team going off notifying based on their partial understanding of the facts, it could be wrong. If you have an IT security team maybe running with an investigation with no legal counsel involved, no potential privilege over that investigation, that could be potentially problematic. Number one, it's also not good if folks are just meeting each other in the middle of a breach. You want pre-established relationships across those disciplines that are already very well established and well set up such that when something does occur, those relationships are already there, those points of contact are already there to call upon. So that's number one, is just a coordinated interdisciplinary response. Two, I think lack of preparation in terms of having pre-established relationships with counsel, pre-established relationships with forensic consultants, pre-established relationships with document review vendors in some cases. Having more in place first before an incident occurs is very, very helpful because it's very hard to, if you need a big forensic consulting firm to help with an incident, it's hard to negotiate a master services agreement and an SOW in the middle of an incident when you really need them to be there tomorrow. So that is something that I tell people. It seems like a pain. You have to sort of negotiate something that isn't happening yet. But having an entity retained or a pre-established, pre-negotiated agreement with some of those subject matter experts is a very valuable thing so that you're not scrambling when something occurs.
In terms of other missteps, I'd say pre-assuming the results of an investigation before you have a full set of facts can also be very detrimental. I see sometimes folks jump to either a conclusion that an incident is far worse than it actually is, or assume that it's far more contained than it actually is. So I think it's very important to structure these forensic investigations and these legal reviews in a way where you're following the facts and you're having appropriate judgment applied to what really needs to be analyzed and in what depth, and that you follow the facts. Because if you assume too much or too little, you're going to get the wrong result and then those contrary facts will come to haunt you, because then you'll find out too late that you either over- or under-judged the situation.

SPEAKER_01:

I want to get back to forensics in particular, but when you were talking about the coordination between the internal parties who are responding, I was also thinking about what we see sometimes: there are different stakeholder groups that need to be communicated to, like, internally, your staff, potentially the public, and other folks that need to be communicated to. And they all need to have potentially a different message, but those messages have to be coordinated. Otherwise, you end up with issues as well, I would imagine.

SPEAKER_03:

Yeah, absolutely. An appropriate communications plan is key. And things should be on a need to know basis, but you have to be transparent in some cases. So obviously, you know, unfortunately, God forbid, like a large scale ransomware attack where a hospital's whole systems are down for a month, you're not going to get away with saying, you know, we had a little bit of an interruption, please hold on, right? There has to be a really different level of communication from that. Obviously, with the Change Healthcare incident, that was a huge, significant national scale incident where the early communications, you know, are now being scrutinized. And now we see there was a communication channel, but the information wasn't always as clear as one would hope. I'd say internal employees, again, you have to make sure people know what they need to know in terms of if a system's not working, if you can't use a system, if there's something that's actively going on that people need to be aware of. But you also don't want to over-disclose information or do things that would be otherwise not wise. So we also think about board communications, if things need to be reported up to a board or another governance committee. And in some cases, you know, depending on the incident, we stand up daily morning calls and we have a readout of what's going on, who's doing what, what progress has been made. And you use those calls so you communicate to all the key stakeholders internally and then you keep the investigation momentum moving. Because in many of these cases, time is of the essence.

SPEAKER_01:

Sure. So going back to the forensic investigation again, what are some best practices in your mind for conducting forensic investigations in the wake of a breach?

SPEAKER_03:

I think different forensic consultants have different expertise in different areas. So I think that's very important for folks to know. I wouldn't necessarily be recommending the same forensic consultant for a business email compromise review versus a large-scale ransomware attack. So I think it's important to make sure that you have an awareness and a familiarity with which companies do what types of forensic reviews and that you have appropriate relationships with a couple. So that's rule number one. It's picking the right forensic consultant for the nature of what you know to be the root. Two, it's actually identifying the impacted IT infrastructure first that needs to be reviewed, because you'd be surprised, people think, oh, it's just this workstation or it's just this server. And it turns out that their assumptions of what was impacted were wrong. And then you're behind the ball because they thought it was more narrow. So I think appropriate scoping and really pressure testing what people sort of believe to be the case and what they're basing it on is really important, and having even the forensic consultants helping to probe that so that they're not just set off to do a more narrow review than what's actually required. Three, I think determining what to document about a forensic review and for what purpose is really important. Sometimes you want a really nice fully fleshed out report highlighting the entire scope of the review, the nature of what was looked at, et cetera, et cetera. Other times that's not really recommended. Sometimes you actually need to do certain extracts because law enforcement is asking for those forensic artifacts. So that's something to take into account. So I do think early on level setting with the forensic consultant about what you have in mind for their written materials is really important. And sometimes you don't know if you'll need written materials.
So you do sort of verbal readouts early on until you get a sense of what you're dealing with. So I think documentation and the plan around documentation is very important. Four, obviously, I do recommend putting those forensic reviews under privilege through legal counsel, and the legal counsel would provide some of the input around the documentation concerns as well. And then I think, you know, just overall making sure that there are also really well set expectations for how long different parts of the investigation will take, because I think sometimes there's either miscommunication or just unknowns and it's important for the teams to stay in touch, because also sometimes it's going to take a very long time to get 100% of the review done, but it's going to take a much shorter time to get 80% of it done. And it's important to get the readout when the 80% is done. So at least you know what the 80% found. So I do try to make sure that folks just sort of aren't going off into their own corner, running with their forensic review, and then you don't hear back, because depending on what their interim findings are, it might really dictate what the strategy is or the next step, or maybe you have to do partial breach notices, partial reporting, and then sort of provide an update thereafter. So it really depends, but I think those iterative updates are important, and setting the expectations around timing and updates.

SPEAKER_01:

In your experience, are folks looking toward their cyber liability insurance carriers and/or counsel like you to identify who the appropriate forensic consultants are? How's that working for most of them?

SPEAKER_03:

Yes, I think they definitely have a role to play. Larger organizations, I think, already have their sort of preferences and their set relationships. It's really the smaller organizations or the mid-size where there might be less clarity on who to go to. So yeah, I think either going to legal counsel, internal experts, or your insurers, they can provide very helpful information on what resources are the right resources given the scenario. And I'll just say, you know, providing notice to insurers and making the claim early on for a potential incident is important. And definitely having, you know, risk management teams or others involved in that communication is really key.

SPEAKER_01:

And certainly I would think that, you know, having counsel like yourself who's been engaged in supporting diverse organizations across the healthcare sector and has a lot of experience working with these types of vendors certainly puts you, I would believe, in a good position to weigh in on that and advise, which is really helpful for particularly small organizations that may not have a lot of experience with this type of thing.

SPEAKER_03:

And you'd be surprised. I mean, some very large organizations, they've been lucky enough to have no incidents right up until a certain point. So sometimes you're lucky and, you know, so yeah, it's definitely something we try to do because the investigation and the whole incident response will not go well unless you have the right team pulled together.

SPEAKER_01:

So beyond that forensic investigation, what else is involved in a legally defensible breach notification process, let's say?

SPEAKER_03:

Yeah, so as you said, there's the communications considerations early on. So we're looking first at who we're engaging and how we're engaging, external consultants, legal counsel, others, making sure all of that's put together. Two, we're making sure the cross-disciplinary team is pulled together and that they're all communicating, updating each other and/or putting together an appropriate response given the scale or size or severity of the situation. Three, once we have a pretty good idea of what we're dealing with in terms of impacted systems, scale of impacted data, et cetera, we usually will then be looking in parallel at what notice obligations we might be looking at. And it's very important that legal counsel or in-house counsel understand what's the regulatory posture of the entity that was impacted. Are they licensed in particular states? Did the data relate to individuals in certain states? Because most of the time, a lot of the data breach laws are actually based on the residency of the impacted individuals. And then we're dealing with, you know, if there's other regulators and other particular states that have heightened notice obligations. We're also, depending on if it's a vendor to other organizations, looking at your contractual obligations to notify your customers. Obviously in healthcare, we have the business associate construct and the obligations to provide notice to covered entities. Again, there's a whole judgment call that needs to be made there when you're dealing with a complex incident and a business associate might know that they have certain information available, but not full information; when and how to report that to covered entities, and what your contractual obligations are, are really important to look at. Then, when we're looking at the state laws, in some cases you will be triggering substitute notice obligations where you either have to post things on your website or in different public media publications.
And then separately, sometimes there are media notices that have to be issued in certain jurisdictions, depending on how large the population is that resides in a certain jurisdiction. So under HIPAA, there is a media notice component that also needs to be taken into account. Let me think. Now, besides that, I think we skipped over remediation, which is really, really key. Obviously, you have the legal obligations of who you have to tell, who, what, where, when, for what purpose. But remediation actually has to be right after investigation and forensics and all that. The remediation has to be almost as soon as possible, right, to stop the bleeding. So it's really important that the IT security team has a very good sense and the right experts to know how to remediate things. And if it's a smaller organization, in some cases, they might not know how to actually remediate a situation, short of pulling things out of the wall, unplugging them, et cetera. So I think having the appropriate IT security remediation is really key. In some cases, you have to do that while still preserving certain forensic artifacts of what occurred. So you have to keep that in mind. But the IT security remediation will be key, not just to stop the incident and reduce the scope of the impact, but then also to be able to explain to impacted individuals or to regulators or others that the organization did as much as they could to stop the incident and remediate it. And in some cases, there's a short-term remediation, and then there's a much longer-term remediation. Because we do, in our forensic reviews, try to establish, you know, what was the underlying weakness that allowed a bad actor or others to actually infiltrate a system, etc. So sometimes they'll say, you know, it was a lack of multi-factor authentication or something, right?
You're not going to be able to roll out multi-factor authentication across a whole organization over a weekend. That's going to have to be, you know, finding a vendor that can do that, scoping it out, you know, negotiating a contract, making sure you have money to do that, and then a whole long-term plan. So there's staging of remediation that's really key. And sometimes there's a compliance oriented mitigation, such as retraining individuals, having new policies, et cetera. But that is really a core component of the breach response and then the subsequent reporting.

SPEAKER_01:

You raised... sort of two questions came to mind as you were discussing that. First was in terms of the forensic analysis and the breach response itself. My experience has been that typically, for example, OCR will come in and they'll want to know the story of what was the breach and how did you remediate it? Do you usually construct that under privilege for them then to respond to OCR, but it goes to OCR. So how do you recommend to folks in terms of documenting this? Is it as they're going along in order to be able to provide that kind of

SPEAKER_03:

Yeah, it's definitely tricky. I would say at some level, there's some level of detail that is going to get disclosed and it will no longer be privileged, but there's really varying levels of detail. So I would say sometimes there has to be, you know, internal or with outside counsel or through the consultants engaged under privilege, more detailed documentation about, you know, all the various aspects, or all the super detailed documentation about what all went on, what was remediated. But when you get to regulatory notices, it really has to be brought up to a level that's necessary, comprehensible, and sort of appropriate for disclosure. At some level, you're going to have to provide that on breach notices or other things too. So for instance, if you'd say, you know, our hospital was impacted by a cyber incident and one of our servers was impacted. You know, you're not going to get into the detail of what server, exactly what the number is, you know, where it was.

SPEAKER_01:

What operating system was operating on it, what the vulnerability was.

SPEAKER_03:

Yeah. So that's how I think about it. You sort of keep as much privilege as possible during the review process. And then at some point when you get out of the sort of immediate incident response and you're into the notification obligations, then you're providing and disclosing a higher level summary that's transparent and truthful, but also not overly detailed.

SPEAKER_01:

Yeah. And the second question is, and I think you mentioned this a little bit earlier in passing, so oftentimes what I've seen is the forensic folks will come in, they'll do their forensic analysis and they'll determine, hey, here's how the breach occurred and here's what they had access to. And it sort of stops there. And then it's up to the organization to figure out who the individuals were who are within that data that need to be notified. And in many cases, that's a very complex task in and of itself. And I think you mentioned that oftentimes you'll bring in other expertise to do that. Could you talk just a little bit quickly about that?

SPEAKER_03:

Yeah, absolutely. There's actually different sets of consultants. That's why I say sometimes if incidents are significant enough, you have to bring in multiple consultants. There are certain external consultants that do more of a document review type of function. And in some cases, it can be AI driven. It could be optical scans of documents and extractions. In some cases, it's more human driven. But essentially, first, you need to get a sense of, OK, what's the bolus of documents or data that we're dealing with, extract it, get it to these third-party consultants, which sometimes is a whole hullabaloo in itself. And then you need to figure out, okay, what are the categories of documents and data? And then what are the ones that are potentially relevant to the review? And then what's the nature of the data that we need extracted? And what's our review protocol for coding that, et cetera? There is sometimes an entirely separate work stream that we do to then actually get to the bottom of what data was impacted and what was the nature of it and who requires notice. So we've done ones where, you know, sometimes it's a whole database where it's just Excel spreadsheets and it's standard data that's already kind of packaged. You say, okay, well, we already have people's name and address and everything else, so we can just extract from that. And other times it's thousands of scanned documents from a decade ago, and that's a totally different thing. So it's really important to sort of then strategically analyze what you're gonna do. In other cases, sometimes people know, hey, wait a second, it was this entire database that has all of our patients' data for a particular service line or something. Or sometimes you just have to make assumptions about what was impacted or be over-inclusive. But hopefully the goal is to sort of make sure that the notice is fit for purpose and you're notifying people just about exactly what was impacted.

SPEAKER_01:

From your experience, what... parts of the breach response or the breach itself are regulators currently most interested in right now?

SPEAKER_03:

I would say for the US Department of Health and Human Services Office for Civil Rights, which I deal with most frequently on the HIPAA breaches, they're always interested and they investigate any incident that impacts above 500 individuals, which used to be a very high number for breaches. So 15 years ago, most breaches were a few hundred people and that was sort of what you were dealing with. And if you ever got over 500, that was a really big deal. And now, unfortunately, just the nature of how electronic information is and how much more sophisticated these incidents are, incidents over 500 individuals are very routine. But HHS OCR is, I'd say, always interested in when they're seeing a lot of breaches at the same entity over time, because that to them is an indication that there is a systemic issue or an insufficient risk management program in place at that organization. They also, when they are sending request letters these days, I am seeing them focus a lot on the risk analysis function, which you know a lot about, where they're asking for the entity's latest risk analysis and to provide the information about it. They're also asking about information system activity review plans and protocols, which is a very tricky area where they're actually asking for information about, you know, what are all your IT, your ePHI assets, for instance, all your assets that have electronic protected health information. What review do you do of them? What cadence do you do review? What's the logging that you have? What are the sort of thresholds for knowing whether some access is aberrant or not? Those super detailed questions. And then definitely the regulators have a heightened interest in data backup protocols. And I think probably the Change Healthcare breach and other recent very large breaches have put the regulators' attention on making sure that there's, you know, redundancy in these systems.
And that if you're dealing with a major cyber attack, you're not also dealing with a massive data loss right on top of everything else. So I think those key topic areas are really important for entities to focus in on. And I don't think the regulators are wrong for focusing on them because they're sort of indicative of strong IT security and cybersecurity programs.

SPEAKER_01:

Right. I think to your point, I think they're just responding to what we're seeing in the world today, and with ransomware and assorted other types of breaches having significant impacts, and incidents like Change Healthcare where it just cascades across the industry as a whole, that certainly gets folks' attention. What strategies can in-house counsel and compliance officers use to secure leadership buy-in for breach preparedness? I mean, we see this all the time. We wanna do tabletop exercises and practice these things, and executives are busy and they don't have the time. So how does someone like an in-house counsel or a compliance officer get buy-in from those folks that should be in the room when you are having these kinds of discussions?

SPEAKER_03:

Yeah, I mean, I really do think, one, I think an annual discussion and annual refreshing of what are the organization's protocols for an incident and having that sort of brought up to a leadership level annually is quite important. Some of the new laws that I talked about earlier, particularly in New York, actually specifically require annual discussions and annual trainings on these topics and actually reports up to the board on it. But I do think also sometimes it takes just pulling things from the headlines and saying, if this happened to us, what would we be doing, right? And also not talking about it just as a data or a legal issue, because really these things can become huge operational issues, right? It's not a legal or compliance exercise. It's not just about data. It's about all of our lives now being completely digital, and there needs to be redundancy around those digital systems. There needs to be experts in-house that know how to safeguard, you know, remediate and stand back up systems that might be impacted. And they need to know that. I think every business is very different. Every organization is very different in terms of what the fallout would be if systems were down or if there was a major incident. But basically, there's no business in the world right now, no organization in the world right now, where if there were a significant incident, it wouldn't be significant to the business. So I think it's important to address business executives with the business impact that an incident might cause and also the reputational harm, right? No one wants to be dealing with any of this. So trying to tell people, you know, prevention is really the best thing that you can do, trying to strengthen and harden your systems because it's essential. And then to have a strong response team and a response plan is really just good business. It's not just a good legal or compliance practice.

SPEAKER_01:

Yeah, I think that from your perspective, and certainly from the perspective of compliance officers, they're similar to what we see from a cybersecurity perspective. I can go in and talk about cyber risks to people, but in some sense, it's not meaningful to them unless I translate what that means from a business perspective. What are you going to do, and how much is it going to cost you, if you lose access to your electronic health record? What would that mean for you and your business? And when they start to think through the implications of all that, then it becomes very real. I think similarly, I can say, well, you need to do this for HIPAA. And they're like, eh. But if I start to lay out what that picture looks like and continue to draw that: now you've had the breach, now you're reporting, now you're not in compliance, now you have, you know, potential fines and penalties and potential CAP, and really paint that picture for folks. And it's not, you know, not to necessarily use fear, uncertainty and doubt to motivate, but it's fair to translate it into terms that they understand from a business perspective. And they're business people. So I think it's helpful to them to do that. And we certainly encourage our consultants to do more of that and are trying to work with their clients to help them understand in the terms that they understand. I think we're running short of time, Christine. Otherwise, I would sit and probably talk to you about this kind of stuff. I think just the implications of some of the reporting and data analysis would be a whole conversation of days in and of itself. But I think we're going to need to wrap up our conversation around data preparedness and response. Thank you for everything, your insight and your experience in this area. Any final thoughts that you have, want to share?

SPEAKER_03:

I guess I always tell my clients, don't make perfect the enemy of good. So if you're feeling worried about your IT security posture or your breach response posture, if you can move the needle in your organization to get from a D to a B, that is a win. So I think just trying to make sure that folks are trying to move the ball forward to improve continuously is really the name of the game. No one is perfect. There's no A-plus cybersecurity program that's going to deal with every single issue, but I do think trying to move the ball forward on a continuous basis is really important.

SPEAKER_01:

I think that's really good advice. Just want to say thanks to our audience as well for listening. We hope you found this episode helpful in advancing your thinking around steps to take should an incident occur. And we hope that you have a great rest of your day.

SPEAKER_03:

Thank you.

SPEAKER_00:

If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. For more information about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org. And stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily Podcast, exclusively for AHLA Premium members. To subscribe and add this private podcast feed to your podcast app, go to AmericanHealthLaw.org slash Daily Podcast.