AHLA's Speaking of Health Law
The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field. AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the American health care system.
CMMC and Health Care Organizations: Applicability, Risk, and Readiness
The Cybersecurity Maturity Model Certification (CMMC) is gaining attention. Although CMMC originated within the Department of Defense, its reach is expanding into the health care ecosystem, often in ways that health care organizations don’t fully anticipate. Dave Bailey, Vice President of Consulting Solutions & Strategy, Clearwater, speaks with Jenifer McIntosh, Of Counsel, Stinson LLP, about when CMMC applies, how it differs from familiar health care compliance frameworks, and why third-party and supply chain risk are central to CMMC readiness. They also explore where health care organizations may be underestimating their CMMC exposure and what practical steps they can take to prepare. Sponsored by Clearwater.
Watch this episode: https://www.youtube.com/watch?v=_uiJ0SGhtXk
Learn more about Clearwater: https://clearwatersecurity.com/
Essential Legal Updates, Now in Audio
AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Comprehensive members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.
Stay At the Forefront of Health Legal Education
Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/.
This episode of AHLA Speaking of Health Law is sponsored by Clearwater. For more information, visit ClearWatersecurity.com.
SPEAKER_01: Welcome to the American Health Law Association's Speaking of Health Law podcast. I'm Dave Bailey, Vice President of Consulting Solutions and Strategy at Clearwater, and I'll be moderating today's discussion. Cybersecurity has become a core governance, legal, and enterprise risk issue for healthcare organizations. For years, much of the focus has centered on HIPAA and protecting patient data. But today, healthcare organizations are increasingly connected to federal agencies, research partners, and vendors that operate in highly regulated environments. And that intersection is bringing new cybersecurity requirements into the healthcare ecosystem. One framework that's getting growing attention is the Cybersecurity Maturity Model Certification, or CMMC. CMMC originated within the Department of Defense to strengthen protections around sensitive federal information, but its reach is expanding well beyond traditional defense contractors, and in many cases, healthcare organizations may be affected without fully realizing it. So today we're going to talk about what healthcare leaders, compliance officers, and legal teams should understand about CMMC: when it applies, how it differs from familiar healthcare compliance frameworks, and why third-party and supply chain risk play such a central role in CMMC readiness. Today, I'm joined by Jennifer McIntosh, an attorney with Stinson, who advises healthcare organizations on cybersecurity, regulatory compliance, and risk management. Together, we'll explore where healthcare organizations may be underestimating their CMMC exposure and what practical steps they can take to prepare. Jennifer, it's great to have you here. And before we dive in, could you start by telling us a bit about yourself and the work you're doing in this space?
SPEAKER_02: Sure, sure. Yes, I'm Jennifer McIntosh and I am of counsel here at Stinson. My practice covers everything that basically touches data. So I got thrown under the CMMC bus a while back and have been working to understand it and follow it, but also track and use aspects of it to help other organizations that are struggling with frameworks and understanding what the risk around possibly having access to FCI or CUI might have for them. But yeah, just anything that touches data, whether it's cybersecurity, data privacy, or AI; if you have to govern or use data, then I am probably in the mix somewhere in that work.
SPEAKER_01: Yeah, and I know when I started on a CMMC journey many years ago, certainly helping defense contractors in the defense industrial base prepare for what it takes in order to not only get CMMC certification, but really it's about protecting data. And there's controlled and classified information that the government has an expectation that organizations be able to demonstrate they can protect throughout its life cycle. And I think obviously we know the reasons why the defense industry expects that. But in terms of healthcare, now, to think that this would be a part of the healthcare ecosystem, I think, is starting to really gain attention. I know here at Clearwater, we have many clients who have already realized that CMMC needs to be a part of their journey. So from what you see, and knowing that this isn't just a defense contractor issue, what's really making it a healthcare concern? What are the reasons why organizations need to be worried about CMMC?
SPEAKER_02: Well, mostly it's contract driven. If you're a vendor somewhere in the chain of custody for certain data uses, then you might have signed a contract that obligates you to be compliant with all applicable law. And if that applicable law happens to be federal standards around the management of data as a third-party service provider, let's say you have a data farm and there's data stored on your servers and there's certain expectations around the security for that data and your obligation for that, you might have clients who maintain that federally regulated, sorry, DOD-regulated data in your data center. And while it is a stretch that a data center wouldn't know that or be aware of that type of data in there, stranger things have happened. And as far as it concerns healthcare, if you are in the chain of any DOD provision or working with other companies who have that requirement pushed down to them, what has happened with CMMC now is that there are real audits that have to occur, there are real approvals and requirements around standards that companies have to meet and certify. And if you can't certify that your vendors downstream are also providing these safeguards, then you're on the hook for those vendors. And nobody, especially primes, wants to be on the hook for things they don't have control over. So more or less, if you are in the flow of DOD-regulated data, CUI, FCI, whatever it might be, in the healthcare space, let's say you manufacture bandages. I mean, it can be as far downstream as that, but if you're not paying attention to your contracts, those requirements might be in there. Hopefully you've noticed, but like I said, stranger things have happened.
The other aspect of this too is we have a lot of healthcare organizations that are searching for standards and concrete guidance around what security controls, what security implementation is required for AI use. And there's a lot of recommendations. There's ISO certs and NIST frameworks, but as far as what is a proving ground, an auditable proving ground, CMMC, the DOD, the rubber hit the road with them a couple years ago when it came to AI. And I believe that CMMC as it is today is a result of the AI concerns. You just can't have third-party vendors without certain controls and protections in their environment. And you certainly can't launch AI if your vendor doesn't understand what data they hold. And the thing that I have preached to not just my healthcare clients, but across the board, is that your security controls and your data governance have a number of really good side effects. You have compliance that is a result of good data governance, you have a data awareness and a systems awareness. If you know where your data is, you know if it's on a server farm in Montana or if it's on a server farm in Virginia. You happen to know where your backups are, those types of things. And if you have that awareness, then your risk comes down, your cyber insurance costs come down. And if you know what data you hold and where it is, then you might actually be able to implement AI with some sort of, I don't want to say awareness, but some sort of value, actual value coming from that implementation. So that if the AI goes sideways, you actually understand why, because you understand what data went in. And I hate to be cliché, but garbage in, garbage out is a real thing, especially when it comes to this type of data management and the use with artificial intelligence.
Circling all the way back to your initial question, for healthcare, when asked, well, what provides us with a solid, proven roadmap for how this might work? Because I knew of CMMC from other work that we do here at Stinson, this popped up and it was a great example of how at least the DOD has set up, you know, these are the controls for certain classified, certain sensitive data. And if you're dealing with HIPAA or if you're dealing with genomic data and certain other things that we have new laws governing as well. There's, you know, if you don't know you're exporting sensitive health information to China or Iran, you might want to check that because that's also a violation. So all of this for me flows back to adequate data governance, and the benefits of adequate data governance are security that you can audit, which is CMMC, as well as data that you can use, which is the implementation of AI. So there's just a lot of benefits to actually having a roadmap and understanding where the boundaries are around the use and management of that data.
SPEAKER_01: Yeah, no, I really echo the emphasis on data governance. I think one of the extremely clear understandings of CMMC is that organizations that are required, and what does it mean to be required? You're 100% spot on. It has to do with a contract with the Department of Defense. If you have a contract with the Department of Defense or you're connected to it anyway within that supply chain, you may be subject to the CMMC requirements if you are storing and processing and have to demonstrate that you can provide the right level of security through a very clear and, I will say, rigid audit process. There isn't any gray area in it. There are requirements that are laid out that you have to be able to demonstrate through a third-party assessor, through evidence collection, through official attestation in order for you to achieve that certification. And I think, I know one of the biggest questions. I remember not too long ago getting contacted by a healthcare organization that felt, oh, you know what, we feel this requirement is coming, but we've already done HIPAA and we already have a NIST CSF. So what do we need to do differently? And unfortunately, in that conversation, while many of those things can help an organization along their journey, being able to demonstrate that, if you were to ask the most simplistic thing, well, what do I need to do? Look to NIST 800-171. I mean, I think that particular framework is at a system level. As you said, define the boundary. Where does the data define that boundary, and hopefully be able to demonstrate that someone can meet those particular requirements.
And they are very, very specific in what is asked of and how an organization needs to demonstrate that. I really like your connection with AI and with data governance. I think what my experience and what I've seen with CMMC is, while it's DOD today, I think many of the federal agencies are going to adopt it. And in healthcare, nothing happens very quickly, right? As we all know, supporting this ecosystem, it takes a while for things to be implemented. Heck, how long have we been waiting for a new HIPAA security rule? Hopefully, knock on wood, we can have a couple podcasts about that later on this year, knowing what's gonna be PRM. Because we're all waiting on potential rules. Not to hit HIPAA, but really, so what are you seeing in kind of the real-world scenarios of organizations that need CMMC or need to walk that journey? How are you advising? What are you seeing as their, how do you need to help those organizations?
SPEAKER_02: Well, the first is convincing the powers that be that they need to do a data audit. That seems to be more palatable now that companies want to utilize AI, because if you can't identify, again, going back to data governance, if you can't identify the data that goes in and specifically monitor, but also account for, for instance, just with the HIPAA standards, if you have a vendor that claims that the data that's going in is anonymized, but you don't have any true inventory of the data fields going in, then how in the heck do you know from your side, but also the vendor side, if they're requiring certain data fields to go in, if your team doesn't have a reasonable concept of what identifies an individual because they've never had to do any data governance or seen how that works in practice? Then it is really hard to later go into a class action, much less to a regulator, and claim that you did adequate due diligence or review of the system when you didn't even understand your data. That sounds absolutely fundamental, primary, and a no-brainer, but I can't tell you the number of times that discussion has to be had. So first is identifying the lack, the technical debt basically. It's a term that I learned ages ago and was like, seriously? Oh, the naivete a decade and a half ago. But there's a ton of technical debt that has been amassed by just pulling in tons of data from marketing or from research or from patient data logs. And it's all great, but it's sort of like having a completely disorganized filing cabinet: you don't know what's in there, what's important, how to use it, how to get to it, much less be able to share it knowledgeably. I mean, you have to go through every file one by one over and over again. So that's the first thing.
But as far as CMMC goes, helping clients understand, well, what is CUI? That's the first fundamental effort there. And then from that point, you can segregate out. And with healthcare organizations, there's the overlay of, or I guess the dovetail of, what is HIPAA data, what is CUI, what is not CUI, what might be classified, all that stuff. All of those considerations have to occur in tandem because not only do you have to be compliant with DOD standards, but you also have to be compliant with privacy standards around the use of that data on behalf of patients. And it's funny how much civilian health data might be a part of a DOD project. That too is quite, you know, it's frustrating, but it's also something that does happen. So there's that issue. And then you have, and this is an issue that has become something of a thorn in the side of certain vendors, and that is where, let's say you do anonymize the data and it's no longer HIPAA data and it's just sensitive health information, is that enough to identify a person? And if so, and it's not considered PHI anymore because your vendor tells you it's been anonymized and is no longer PHI, is it sufficient under state law to identify an individual and then be covered by state privacy law for sensitive data? There are certain states, including Colorado, that do not exempt the entire entity that has to be compliant with HIPAA. So you're layering, and then you have AI laws like the Colorado AI Act that overlay all of that. And there's layer upon layer. The cool thing about CMMC, in my opinion, is it forces that data analysis, it forces that data inventory. Because you have to segment out what is protectable, what is Level 2, and what isn't. And you're scoping your risk around that. That's one aspect of it.
But also, if you have a certain layer of security controls already implemented because of your CMMC requirements, then it's almost a slam dunk that you've met your HIPAA security requirements. Now, as you mentioned, the new HIPAA security rule is still in purgatory, and we'll figure out what it looks like when it comes out. But having worked the data breach side of things, I am always amazed at how many healthcare entities, healthcare-adjacent entities, have no MFA. They don't encrypt in transit. And those are things that, having done some of the work that I've done, I am constantly concerned with to an extent that it affects my own interactions with my own healthcare providers. So it's a thing. And CMMC, at least for the partners that we work with in healthcare, sort of shook that tree enough to where things are starting to rattle out. And teams are like, oh, we know that this data is here, we know what anonymization really looks like, and we know that this we can take and plop into an AI model and let it run. And we can analyze and grade the model, but also understand the outputs to understand whether or not there's adequate review, or not adequate review, but whether the analysis is either working or it's not. And how do we weight the model to come to better outcomes?
SPEAKER_01: Yeah, and my experience in this, I think probably the best word I would want to say is the ambiguity part. I think that organizations are potentially challenged with the data governance side. I agree with you 100%. They will need to do that exercise in the event that they have to demonstrate CMMC compliance on some secure enclave where they're protecting data that has been classified by the Department of Defense as controlled but unclassified.
SPEAKER_02: Right.
SPEAKER_01: There really isn't gray area. It's helping a healthcare organization understand that, you know what, you have data that's been classified underneath, you have an obligation because of some contractual agreement that you're either directly or indirectly involved in. That's the aspect there. And then talking to them about what it looks like in order to set up that secure enclave, because they may already have it set up, or they may have something that they have in place, but realize that it may be too challenging in order to demonstrate CMMC compliance because it's included in this larger ecosystem. Maybe I do need to separate this enclave out and only demonstrate compliance in this smaller enclave. Probably the best analogy I could put together is what happened when organizations had to demonstrate PCI compliance. They're like, well, we already do this on our networks. But if you try to demonstrate PCI compliance on a large network, I think folks learned how challenging that was because of the very specific requirements that are going to be assessed. I put CMMC in that same analogy. I like the data governance perspective that you put on this because this is not just a compliance exercise for a healthcare organization; this is very thoughtful implementation of security and compliance, and then being able to demonstrate that to a third-party assessor that is going through a very rigorous assessment process. In the end, anybody that has ever prepared for a CMMC assessment or has done it or is now living it will tell you that you don't just show up and be able to get through it.
There is preparation, there is readiness that is required, and you don't really get a second chance. You get a little bit of a reprieve during a CMMC assessment, but it's really, sorry, you either pass or fail. And if you fail, you know what you have to do to go back to the start line. So yeah, I don't know what your experience has been with that CMMC readiness side, but I know from my perspective, really it's been a lot of hand holding and kind of walking someone on that 800-171 journey and trying to convince them that yes, you've done a lot of great things and yes, you have a lot of great security in place, but it doesn't automatically translate to you being CMMC ready. I think that's probably some of the biggest, no, 100%.
SPEAKER_02: And not to be too callous here, but if somebody says that they have a HIPAA certification from a certifying third-party entity, one of my first questions is, who is it? And then second is, how much did you pay for it? Because, I don't know, some organizations do a meaningful review and provide meaningful insight and guidance. Others provide what I just, they just hit print and send out forms and put out reprintable and formattable policies that a customer could use, but there's no real oversight or no real auditing of what their actual security posture is, what their actual controls are, what framework have they modeled after? Are they looking at what I call the SANS 20, but is apparently called CIS, or ISO or NIST, or what frameworks have you looked at? And if you haven't categorized data or done a data inventory, then I can pretty much guarantee that you're not HIPAA compliant if you don't know the difference between PHI and regular data in your system. If you haven't limited access to those with a need to know, then you're not going to hit the HIPAA mark and you're certainly not going to be CMMC compliant, or be able to pass an audit. So I think I've grown a little jaded as time goes on, because there's been very few clients who've showed up with certain questions and we've gotten their certificates and they have things on their website. And the more virtual they are, the less protections they've implemented around their data. And for me, that doesn't make any sense.
But that seems to be the trend: the more removed you are from the in-person connection with clients, the less protections have been established internally to set up segregation, limited access credentials around who has access to what; admin privileges are handed out, you know, with Marty Robbie's, and it's not helpful. So those are things where the CMMC aspect of it, if somebody has done the homework and worked to implement those first major controls of the CIS 20, then they're on their way. And if they're thoughtful about it and if they are working through any aspect of NIST that is not just a risk-based assessment. But the other aspect of this too, Dave, is that everybody's environment is so bespoke, everybody's environment is distinct and different according to how they began. I like to get embedded with startups and push this agenda around data governance. Because if you want to set up an e-commerce site and you already know what the issues are, setting up those toggles and those configurations around your website or your marketing is going to be a lot less problematic, especially if you're doing business in places like Connecticut, California, Oregon, and Delaware, where privacy laws cover a host of sins. So there's a lot of, I guess, issues that don't just affect your DOD process, but those who have implemented CMMC are going to be far ahead of the game and I think more able to see a real return on their investment, not only in the security, but their investment around the data inventory and understanding what they hold and how do they get value out of the data they hold?
And how do they anticipate or prevent a class action for failing to notify or using AI in a way that infringes on the rights of their patients?
SPEAKER_01: Sure.
SPEAKER_02: Yeah.
SPEAKER_01: Yeah. And I think having folks walk a journey in healthcare is challenging. If you look at what are some of the things that make CMMC certification successful, these are things like a demonstration that you're able to do things like network segmentation, or you're able to patch your critical systems and do some foundational security aspects that we all know healthcare struggles with. Those are things that in healthcare environments today, I think we have been talking about patching and network segmentation for decades. This is a repeat topic. And I know that convincing organizations that moving beyond CMMC is not an exercise, right? Data governance is not just an exercise, it's building a behavior, a rigor, an expectation into an organization that if they have data, they have to protect it through its life cycle. And what I think makes CMMC clear, while not easy, and there's a lot of people trying to make things easy out there. I don't think it's easy, because it's a demonstration. You have to demonstrate life cycle behavior, not that you can pass a compliance exercise or a test. CMMC is not a test. You have to implement things and demonstrate it throughout its life cycle. And what does it take? It takes, as you said, very good data governance, good inventory; you have to know exactly what you have, what you're protecting, and then be able to show that. It's not just about passing the assessment, but demonstrating it throughout its life cycle. And good data governance practices will really help you a long way in this CMMC world, that is for sure.
SPEAKER_02: Well, and from the legal risk perspective, if you know what you've established, and it's a number of things, it's building awareness, it's educating your workforce, it's educating everyone around the risk, but from my standpoint as well, I can draft or negotiate a better contract. If you are certain about your thresholds and your abilities when it comes to CMMC, there's a level of, there's not leverage, but there is, when you can, instead of having to go back and check with your team on every single point that's being asked in a contract. I mean, this started back with GDPR and the international transfer of data and the standard contractual clauses around those extra controls for security. If you have established those security controls, and let's say that you're ISO 27001 compliant, then I know that these standard controls are in place and I can commit you via the contract language to certain obligations, but that also makes you more appealing to certain customers because they can validate and authenticate, and they will audit you. In pharma, you will get audited. You will have that person up your tree for a week, once a quarter sometimes, once a year, it just depends on the sensitivity and the nature of the services you're providing.
But as far as your contractual obligations, if I know what you are able to commit to with confidence and a level of resilience, then that makes you much more attractive to customers, but it also makes those negotiations a little bit more beneficial to the vendor. Because if you're the only one in this space that has been through an audit and received your approval or certification for CMMC, if you're the only one in there or you're at the front of the line for those new audits, then these are things that you can commit to with confidence. And you don't have to go chasing down every single control. I think it's leverage. You have more leverage if you're able to say, yes, we do these things, or what some organizations have done is say we can commit to these, we can commit to A through F. We're gonna get through G through W on this timeline. And you may not get the entire DOD contract, but there may be services that, if you can be clear and transparent about your processes with your potential client, there's at least a ramp to what you might be able to commit to and be able to ramp up to a full contract once you've established your ability to meet these controls.
SPEAKER_01: Yeah. And if I could give any advice to anybody listening today that is gonna start this particular journey, my first piece of advice is don't assume. That's the first thing. Don't assume what you have in place is gonna work, but also don't assume that you're gonna have to start over either, but it is gonna require expertise. And I would ask anybody to reach out to folks in the CMMC world. I know here at Clearwater we have Redspin, who was the first certified C3PAO, and we're doing CMMC certifications, we're helping organizations prepare for CMMC. Come in with an open mind and know that you may have to do some work. There may be some legwork that's required in order for you to be able to demonstrate, even if you have mature security practices in place and you're protecting PHI data today; it doesn't necessarily mean everything is just going to directly translate into the CMMC world. And I think that's some of the biggest things that we've seen with clients: they assume, oh, we've already done this, all we've got to do is a mapping exercise or a compliance exercise. It's like, no, it's a little bit more than that. And that's the preparation. What I see as some of the biggest challenges for the healthcare ecosystem today is to know that they may have some homework to do. And that can be very daunting. So I don't know what your advice would be if someone listening were to say, okay, what do I do? What's the first thing I should do? I'd love to hear your thoughts on that.
SPEAKER_02: If you are being asked to sign a contract that commits you to CMMC, take a step back and reach out. I think the first place you reach out is to your, I don't want to say your IT team, but your development team, whoever is managing your data. And if nobody is managing your data, then I think there's a long road ahead.
SPEAKER_01: Yeah.
SPEAKER_02: And that's why I said ideally you start at the beginning to separate and understand not just the data, but where it goes, who has access to it, how it's being utilized, who it's being shared with, and how long you keep it. Retention schedules, especially in large organizations, are like the negotiation between in-laws over whose house to go to for Christmas: nobody's ever happy, but it has to happen. You cannot, especially in healthcare, just have data hanging out. And I can't tell you, and this is beyond healthcare, how many clients we sit down with to go through some sort of assessment, and my favorite question to ask is, when was the last time you deleted former employee data? Usually somebody at the table turns very, very white. So those retention schedules are almost the first thing; I try to hit that point head on because it takes so much work to get an organization together. If you as an organization are looking to become part of the DoD space or to utilize AI, you can move fast and break things, but just remember that AI at scale and the DoD are very unforgiving. When things go wrong, it's wrong at scale. It's not a good place to be, and it's not a good feeling to have to answer questions where the organization made no real effort. I don't think most people stepping into the DoD space have that attitude whatsoever. But I do think there are a lot of health-adjacent services that step into the health space thinking, oh, we don't really collect a whole lot of sensitive data, when in fact most of what you're collecting is sensitive data.
There are a lot of health tracking apps that are finding out right now that they're probably subject to state privacy laws, and that's why I've had so many clients try to shelter under HIPAA, because the state privacy laws are so much more enforceable, rigid, and consequential. But yeah, it's a very interesting journey, and a very interesting time. I did a lot of work for a company that was in pharma, and pharma, love them or hate them, has had to do the data analysis because that's the whole basis for the business. The data governance, management, protection, limitation of access, all of that, the rigorous chain of custody in pharma: the reason they can predict or understand outcomes is because they know what goes into that. It was an incredible part of my career to be part of that process, because it was insight into one of the most rigorous data management economies on the planet, which is clinical trials. And in other fields, which I think certain AI companies are doing, if you understand the data, then you can understand the outcomes, you can understand what goes wrong in the middle, you can understand where the model needs review, management, or weights that need to be adjusted. And then you understand the risk of your vendors and what they have access to. Data governance, in my opinion, is almost automatic risk management. And then there's a layer after that where you have ROI that occurs by mere virtue of knowing what you have, knowing what you can leverage and what you can't, and what the risks are. This is something I started doing way back in 2019: I started tracking litigation around data privacy violations and data breach, and 2024 was a banner year.
Part of it was the Google Incognito trials, where they were filing 100 cases a day for about three weeks in California. And data breach cases have now caught up to the privacy violation cases. I see them every day, and there are three or four data breach cases every single day. I want to say one out of every three is against a healthcare company. So yeah, it's nothing to sniff at.
SPEAKER_01: No, that is for sure. Well, Jenifer, thank you for sharing your insights today. I know we've covered a lot of ground, from understanding how and when CMMC applies in healthcare to the legal and contractual challenges that arise when cybersecurity obligations extend across all of our complex vendor relationships. A few themes stand out from our discussion today. First, CMMC exposure for healthcare organizations is broader than many realize, and can be driven by indirect relationships rather than just direct relationships with federal contracts. So please, please, please look at your contracts and understand your obligations before you sign them. Second, third-party and downstream risk management is not optional. When it comes to CMMC, organizations can't assume responsibility stops at the prime contractor level, and that once again goes back to understanding the contracts you're signing and the obligations you're signing up for. Third, readiness is as much a legal and governance issue as it is a technical one, so early involvement from your legal and compliance teams can make a meaningful difference. I go back to: don't assume. Don't assume you're going to be okay. Make sure you're having those discussions, understand how to take a lot of the great things that organizations are already doing, but understand that there may be work involved in order to get there. And you can never go wrong with good data governance. On behalf of the American Health Law Association, thank you for joining us for this episode of Speaking of Health Law, and thank you to our listeners for tuning in. Until next time, I'm Dave Bailey from Clearwater, and I look forward to continuing these important conversations.
SPEAKER_02: Thanks. Thanks for the opportunity.
SPEAKER_00: If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. For more information about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org, and stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily podcast, exclusively for AHLA Comprehensive members. To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.