AHLA's Speaking of Health Law
AHLA's Speaking of Health Law
Legal Liabilities of Enterprise Cyber Risk Management
Bob Chaput, Founder and Executive Chairman, Clearwater, speaks with Iliana Peters, Shareholder, Polsinelli, about the evolution of enterprise cyber risk management and the legal liabilities that health care executives and legal counsel must consider. Bob and Iliana authored an article for the February 2021 issue of Health Law Connections magazine entitled, “The Legal Liabilities of Enterprise Cyber Risk Management.” They discuss the two trends that are highlighted in the article: (1) Emerging Standards of Care for Cybersecurity and Enterprise Cyber Risk Management; and (2) Executive and Director Liability for Enterprise Cyber Risk Management Failures. Sponsored by Clearwater.
To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.
Support for AHLA comes from Clearwater, the leading provider of enterprise cyber risk management and HIPAA compliance software and services for healthcare organizations, including health systems, physician groups, and health. It companies, our solutions include our proprietary software as a service based platform, IRM pro, which helps organizations manage cyber risk and HIPAA compliance across the enterprise and advisory support from our deep team of information security experts for more information, visit Clearwater compliance.com.
Speaker 2:Well, good day Eliana. It's great to be speaking with you and working with you again.
Speaker 3:Thanks Bob. Always great to talk with you too. I'm looking forward to our discussion.
Speaker 2:Terrific. Um, you know, many attorneys probably know who you are, but for those who do not, would you mind sharing a little bit about your background?
Speaker 3:Sure. I'm happy to, um, thanks for the introduction. Um, I'm Eliana Peters. I'm currently a shareholder at Polsinelli law firm, which is an AmLaw 100 law firm. We have offices all over the country. We have a very robust data, privacy and security practice, including in the healthcare sector until about three and a half years ago. When I joined the firm, I was the acting deputy director for data privacy and security in the office for civil rights at the department of health and human services. That's a very long winded way of saying I was in charge of the HIPAA program and other data privacy and security related, um, legal requirements. Um, I spent my career with OCR up to when I joined Polsinelli, uh, including as a senior advisor for HIPAA enforcement. Um, I wrote regulations and guidance trained state attorneys, general worked very closely with other federal state agencies and the white house on data privacy and security issues. And so I'm happy, always happy to talk with you about those issues.
Speaker 2:All right, well, great. Um, you know, it's interesting. Uh, it was about three and a half years ago that, um, I sold the portion of our business at Clearwater and moved into the role of executive chairman. So I think we've both been in different roles over that period of time, but going back even further, I think it's interesting. Um, we've worked going way back, uh, on several of the same enforcement matters, although, so to speak, we might've been on different sides of the table, but it's been great since 2018, uh, to be able to collaborate with you and work for, and support some of the same clients. Um, quickly, my background includes work in compliance and privacy and security and risk management, uh, as an executive and as you cater and an entrepreneur, and I've had the good fortune of working with some great teams over the span of 40 years. I know that makes me sound like a candidate for the Smithsonian. Um, so let's dive in what we'd like to talk about today and what I'd like to, um, uh, ask you questions about actually goes back to an article that we co-authored earlier this year entitled the legal liabilities of enterprise cyber risk management. It was published by AHLA. My questions for you too today are going to be based on that. And also what I've observed over the years, a couple of decades working with healthcare organizations on the treatment of cyber risks. And so in a nutshell, um, here's how I've seen it then. And I'm going to ask you to comment on it from your perspective. So, uh, you know, obviously HIPAA is not a news flash, uh, privacy rules, security rule published in the federal register in 2001 in 2003 respectively. Um, it I've seen an evolution. There was a period of, um, maybe the dark ages when enforcement was, uh, reactionary and complaint driven. And then all of a sudden, uh, we entered what I call the era of compliance, uh, circuit 2009 with the high-tech act being passed. Then fast forward the tape a little bit, we get into the two T 2015 era. Um, I dubbed that year, the, uh, the year of the mega breaches with, among others, uh, Anthem and a number of other large payers. Um, I, I may not have the exact count off the top of my head, but I think it might've been like 178 million records breach that year go fast forward a little bit further to 2018, a big concern arose about patient safety as a result of all the biomedical devices that were being attached to our patients and planet in our patients and simultaneously being connected, being connected to networks and ultimately the internet. And then last but not least, I've seen a move into an increasingly greater amount of concern when it comes to cyber risk management around medical professional liability, and ultimately leading to personal liability issues for some of the C-suite members and board members. So, um, what's your sense is, is, is that how you've seen it evolve when it comes to enterprise cyber risk management?
Speaker 3:Yeah. Great question. So I think generally, yes. Um, I, you know, I, I see it a little bit differently, but I think that's because of where I sit. Um, I've seen, um, evolve, uh, I've seen these issues evolve, as you say, to include, you know, regulatory actions first at the federal level. Um, so HHS for FTC, the federal trade commission, um, really getting increasingly involved in enforcement of data privacy and security issues over the past decade or so, um, you know, really beefing up, um, enforcement initiatives related to data privacy and security concerns at the federal level. Um, I've also seen DOJ, for example, become more involved in the criminal side of that as well. So, you know, simultaneously with the FTC and HHS, um, sort of ramping up civil enforcement, the DOJ department of justice has ramped up criminal enforcement as well. And then simultaneously, you know, the state AGS, the state attorneys general who have concurrent jurisdiction over many of these issues either because they have HIPPA jurisdiction or because there are state consumer protection requirements that they have jurisdiction for enforcing, um, have become also increasingly involved. And we see, you know, multi-state action by state attorneys general over the past few years, which we didn't see initially. So I think, you know, state and federal regulators are getting increasingly involved as well as plaintiff's attorneys. So, um, you know, there are, there are attorneys in the private sector that are very interested in data breach issues, which I think is really, um, to your point, that is, um, there are many different causes of action that, uh, aggressive attorneys are pursuing in many different states, whether those are single plaintiff option, um, or class action lawsuits or shareholder suits. So, um, we've seen a significant uptick in these types of litigation issues for entities that do have security incidents or data breaches. Um, any time an entity sends out a letter of some kind associated with a data breach, there is a risk that they will, um, get, uh, um, an inquiry from an attorney on behalf of a particular affected class of individuals or arguably affected class of individuals. And again, that includes, you know, single individuals and includes classes of individuals. And it certainly would include, uh, you know, shareholders or other effected individuals like employees, um, related to, um, a particular data breach situation. So there are many different varieties of legal risk here from a litigation perspective and from a regulatory,
Speaker 2:We get into it a little bit further, but just to peek around the corner a little bit, are any of the boards or the executives with whom your work beginning to see this as a personal liability issue?
Speaker 3:I think they are, um, in, in several different ways. So we're seeing more and more privacy officers and security officers, um, uh, thankfully, uh, receiving more, um, how do I put this? They, they're more likely nowadays to be part of the C-suite conversations. So thankfully our privacy officers and security officers are starting to get the bandwidth that they really need to do their jobs. Um, but also I think that's a reflection of the fact that, you know, many of these folks are in fact now at the leadership level in organizations as they should be in my opinion. Um, and they have liability associated with their jobs given what they do. So, um, not only are, um, you know, boards being, um, implicated in different types of, uh, action by, uh, dissatisfied shareholders, for example, but, um, you know, individuals like the privacy officer and the security officer can be held liable as well, depending on their role in the organization and what it looks like from a responsibility perspective in terms of the data privacy and security controls that have been implemented in that organization. So, you know, so thankfully we are seeing an increased, um, involvement of these types of leadership roles in enterprise decision-making, but at the same time, we are seeing increased liability for those roles, um, as well, when something goes wrong,
Speaker 2:I ask you obviously, um, we've had a lot of ransomware attacks, the, uh, the threat does your, I call at numerous other attacks have demonstrated that when there is a compromise of the triad, as it's called confidentiality integrity and or availability of any other data systems and devices, these, these compromises can have adverse effects on quality of care and access care, timely care, all of which in turn affect patient's safety, how should the trustees or the directors and executives think about the connection between patient safety and the compromises of confidentiality, integrity, and availability.
Speaker 3:Yeah, really, really good question, Bob. And it's a question that I'm talking with a lot of clients about, so that, that does, um, reflect the nature of the environment that we're living in every day from a data security perspective, to your point, we are doing a lot of tabletop exercises with customers, and we are seeing that, um, our clients are becoming increasingly interested in involving senior leadership and board members in those tabletop exercises, because it's incredibly important for those leadership folks to understand what the potential fall out of one of these events could be. Um, we spend a lot of time talking about of course reputation, but more importantly, for healthcare entities, we spend a lot of time talking about downtime procedures and what that might look like. How do we continue to function as a healthcare entity and how do we continue to provide services to our patients when all of our systems and devices are offline for one reason or another either they were taken offline by a threat actor, or they were taken offline in response to actions by a threat actor. So, you know, it's increasingly part of the conversation, the reality of what it looks like to go down in response to a really scary type of attack, like a ransomware attack in these circumstances, how quickly can we respond with downtime procedures? How quickly can we bring critical systems back up? What does that mean for patient safety? And what does that mean, um, for how we can move forward in an efficient and effective way as an organization? Um, so, you know, these conversations were obviously being had at some level in, in many, if not most of my clients prior to, you know, sort of the last year or so, but in the last year, we've truly seen an increase in interest and thankfully really robust discussions with leadership and the C-suite and the board about what that looks like in terms of organizational impact.
Speaker 2:That's a very, very positive trend and, and something to be optimistic about. I'm really glad to hear that. That's what you're seeing. So the, um, in the AHLA article that I mentioned a moment ago, we cited two trends that, uh, merit, the attention of health, healthcare leaders. One, we just spoke about the increasing possibility of personal liability around the, any failures in this area. The other was around, uh, the emergence of a defacto standard of care when it comes to cyber risk management. And I want to drill into the standard of care for a moment, you know, obviously in healthcare, there's great appreciation of, uh, healthcare standards of care. There they're outlined in among other places, the equity guidelines trust when it comes to acceptable medical care. How do you think about standard of care in the context of enterprise cyber risk management, and then a related question, are there any analogous, cyber risk management standards of care that are emerging that healthcare leaders should be thinking about and paying attention to?
Speaker 3:Right, right. Um, very important issue. And as we've talked about before, I know you and I both have a lot of thoughts about this. And so I appreciate the discussion here. Increasingly we are seeing for many reasons, um, different data privacy and security requirements at the federal and state level, depending on the state becomes sort of a defacto standard of care. So, um, you know, as I said, there are regulatory actions at the state and federal level, and obviously those require compliance with those requirements. But if we're talking about these other litigation methods that are being used again in, in relation to data privacy and security incidents and breaches by plaintiff's attorneys on behalf of again, single plaintiff classes of different effected individuals, which again may be, you know, uh, employees, consumers, patients, shareholders, whoever that is. Um, and they are increasingly attempting to use HIPAA as a standard of care, um, because it is fairly specific in terms of what the requirements may be. And because there are a lot of entities that are familiar with HIPAA requirements now, arguably there's no private right of action under HIPAA, as you know, and arguably, um, the HIPAA requirements do not apply in, in many of these other industries. Um, and even in the healthcare industry to many healthcare entities that are not regulated by HIPAA. So it's not a particularly good fit in all situations. And, you know, a lot of our time in, in dealing with plaintiff's attorneys nowadays is talking with them about why HIPAA is not applicable to a particular state action, but because again, those requirements are very straightforward. Um, and in fact, you know, can be argued in a very persuasive way, um, that plaintiff's attorneys are increasingly using HIPAA as a, again, defacto standard of care related to these types of incidents. Um, I think, you know, there are other pieces that are being used as well by creative attorneys in certain circumstances. Um, you know, whether that's reference to some kind of industry best practice, um, certainly misguidance or some other, uh, PCI compliance requirements, for example. So there's different flavors of this, depending on the type of incident or breach we're talking about. But again, you know, many of these standards are not meant to be standards of care. They were not written in that way. There were meant to be specific legal requirements for specific types of entities, but to your point, they really are being sort of, um, co-opted a way that, uh, you know, makes them, uh, a defacto standard and something that I think many attorneys and arguably many judges are starting to look at as, you know, kind of the, um, the baseline of requirements for purposes of data privacy and security issues.
Speaker 2:Yeah. Well, as you know, um, from our previous work together, uh, among my favorite, uh, guidance from, uh, from nest as the guidance around doing risk assessments, special publication, 800 dash 30, and that, of course, OCR published the guidance on risk analysis requirements back in July of 2010. Um, do you think the risk analysis guidance that came out of OCR could serve as a standard of care hypothetically, and some future case?
Speaker 3:I think it's certainly possible. Um, I think so that, you know, what, um, many of the plaintiff's attorneys are looking at as, you know, at least initially, and to your point, you know, this can change and, and you, and I both know that that really, that process, that risk analysis or risk assessment enterprise risk assessment process is really the cornerstone for Eddie good security program. But what I am seeing more often is plaintiff's attorneys referencing, um, standards related to specific controls. So in the vast majority of these cases, what we are seeing is, you know, reference to the encryption requirements under both HIPAA and a special publications guided, or, um, access controls of one type or another, um, or malware detection requirements, you know, sort of those more concrete, technical safeguards that, uh, you know, uh, an attorney can point to as either implemented or not, um, resulting in, uh, an incident or a breach. So I think from my perspective, everything's on the table in terms of where a creative attorney may go with pointing to a regulatory requirement as a defacto standard of care. Um, but at least for now we are seeing, you know, reference to more specific requirements because I think those are easier to explain in certain circumstances. Um, but, but who knows?
Speaker 2:Sure. Well, just one last point on the standard of care. Um, as you know, in January, um, HR, the bill called HR 78 98 mislabeled, in my opinion, by some as the HIPAA safe Harbor law, uh, was passed to amend the high-tech act and included a number of things, including the secretary consider certain recognized security practices, uh, when they're pursuing a case and it may result in reduce fines and reduced length of audits and lesson remedies. And, and then it went on to site, uh, to recognize security practices basically. And though number one, those that are spelled out in the guidance and standards and best practices developed by an under the NIST act. And then secondarily, uh, the approaches that have been promulgated under the cybersecurity act of 2015, which it comes out as a result of the terrific work done by the 4 0 5 work groups. So, first thing, can you comment on HR 78 98 being called a HIPAA safe Harbor bill? Isn't a safe Harbor bill?
Speaker 3:Um, it depends on what you mean by safe Harbor. I mean, I don't think it, um, well, it remains to be seen. So just to be clear, we are getting questions from office for civil rights about recognized security practices in investigations for clients, um, that are being investigated by OCR at HHS. So just to be clear, um, even without a rulemaking, which I would have expected in terms of implementing statutory requirements, um, HHS is moving forward with requesting information related to the statute itself now how it will actually work in practice we have yet to see. So I don't know if this means that it will, um, be sort of a reduction in potential penalties or settlement amounts, or if it would potentially knock certain violations out of consideration for settlement or civil money penalties. We just don't have a good idea of what that looks like yet in terms of how HHS will move forward with using the information that clients, um, uh, submit, uh, related to their recognized security practices in terms of the impact on a settlement or civil money penalty, because we just haven't seen any of those cases yet. So I think it will be very, it will be very interesting to see how this plays out, um, including with regard to whether atrium tasks will undertake a will making that will clarify whether this actually is a safe Harbor or not. Um, and what that means in terms of investigations related to breaches, for example.
Speaker 2:Sure. What, what are some of the common types of lawsuits involving HIPAA as a standard of care? Can you give us a couple of examples?
Speaker 3:Oh, absolutely. So the most common, I think is, um, class action litigation related to data breaches. So very often we see in the news all different types of class actions in the health care sector. Um, many, uh, attorneys that are cross class attorneys, you know, for, for, to plaintiffs for the class are including, uh, references to different HIPAA requirements in those, um, in, in those pleadings. So essentially referencing HIPAA requirements, um, mostly in the healthcare sector, but occasionally not. Um, you know, but that basically try and create, um, as you say, a standard by which an entity who had a breach should be held for purposes of, you know, pleading negligence issues or harm to individuals or whatever, they may need to plead number one, to get class certification, and then obviously to actually maintain an action once they've, once the class has been certified. So it it's sort of on two separate levels with class action litigation, first are all of the individuals affected in the same way. And then second, you know, exactly how were they affected? How were they, how were they hurt? How were they harmed? And so, you know, sort of deferring to HIPAA as, as this standard, um, arguably because it is a federal standard, um, you know, even attempt to arguably wrap in, uh, additional potential violations that could result in harm to individuals at the end of the day. Now, again, harm is a very difficult thing to prove, and there are a lot of class action litigation, uh, lawsuits ongoing out there, even as we are speaking now where there is a question about harm to individuals as a result of a breach. So still, still an open question. Um, the other type of litigation that we see very often is single plaintiff litigation. So, um, as you can imagine, there are disclosures of information, um, about, you know, one individual here or one individual there. Uh, you know, when, uh, when a physician may, um, disclose information and properly or hospital may disclose information and properly. Um, and then again, HIPAA is used as a defacto standard by a plaintiff's attorney who is representing a single individual related to potential harms as a result of that single disclosure of information about an individual, whatever the circumstances may be, whether it was inappropriately to, um, an employer or to law enforcement or, you know, really, um, any similar situation, um, could include potential HIPAA violation. So we see it again and in many different situations. Um, and, uh, you know, I think whether or not we'll see it more is good question, but I think we will.
Speaker 2:So let me, um, in that regard, let me tee up a, uh, we're not going to talk about specific cases. So this is a scenario teed up as a hypothetical, uh, hospitals suffers a ransomware attack, and we know those are happening, uh, by the dozens, if not hundreds, a patient is admitted to a hospital, uh, while it's under attack and is not told about the attack, critical data systems, devices are unavailable. We have a compromise of availability classic with ransomware patient suffers injury, um, and dies the lawsuit, uh, alleged as inability to access critical monitoring data and devices in the midst of that attack. And, um, let's say there are multiple causes of action cited, uh, in the law suit asserts that there are departures from accepted standard of care, uh, and among other things, um, a failure to conduct appropriate assessments and risk analysis and identification of potential hazards, uh, and, uh, or taking action regarding patients who are at risk when the hospital electronic systems are not operational long-winded scenario. I know you're familiar with it could such a scenario constitute a first successful cyber driven medical professional liability lawsuit, or negligent homicide lawsuit.
Speaker 3:I think, you know, from my perspective, I think the answer is certainly yes, it could. I mean, you know, at the end of the day, um, we are seeing lawsuits being filed for arguably much less severe impact to individuals as a result of a data breach. So in the vast majority of cases, and just to be clear, at least to date in the vast majority of cases, you have the, an attack, um, that while it may take systems offline does not necessarily result in, in direct adverse events to patient. Now, again, to your point, Bob, there have been a few and they're very scary. Um, so, but we are seeing of course lawsuits in, in all of those circumstances. So whether it's an individual who, um, may have identity theft as a result of a particular type of cyber attack, or an individual who may have a serious adverse outcome as a result of a cyber attack while they were receiving treatment, um, you know, so there are different sort of, um, you know, the harm that can be associated with these types of events is on a spectrum. And we certainly see a litigation associated with potential harms anywhere on that spectrum. So, um, just because something is less serious doesn't mean we won't see litigate litigation and I'm using those words in quotation marks. And certainly if something results in a more serious outcome, I would expect to see litigation as well.
Speaker 2:So w you know, jumping outside of healthcare for a moment for the purposes of, uh, maybe finding some lessons learned, um, these cases again about which we won't speak in any detail outside of healthcare, the class, the famous target case, the Yahoo case Equifax in all three situations, derivative lawsuits were filed claiming that the respective C-suites and boards violated their fiduciary duties. And, um, I know in healthcare, we have a certain number when it comes to large systems. We have a certain number of publicly traded, uh, very gigantic companies. We also have a lot of non-profits, so we don't typically see a derivative lawsuit and a nonprofit situation. All of that said, just thinking about what happened in target and Yahoo and Equifax. And again, without commenting on the specific cases, are there some lessons learned here for healthcare directors and trustees and executives?
Speaker 3:Certainly, certainly. Um, and I think it goes back to what we've talked about already. Um, Bob, and that is that, you know, um, the fact that we live in the world that we live in today that is data driven and that, um, data is so important to everything we do every day, whether it's a healthcare entity or an education entity, or a retail entity, uh, or financial entity, whatever the case may be, um, you know, data drives everything. And as a result, um, when we have an incident that affects our data, um, it can have serious fallout. Um, and so I think, again, what I'm seeing more and more, and in response to that new reality, or I wouldn't say new quality, it's been a reality we've been limiting for a while, but, um, the, the really involvement by corporate leadership I think is fairly new, to be honest. And I think it's an improvement upon a previous situation, because I think given that corporate leadership that the C-suite that the board is now understanding how crucial the availability of data is to what we do every day, no matter what kind of, um, entity we work for, um, they are now rightfully paying more attention to what it means when that data is affected. So whether it's it's affected by some kind of insider threat or it's affected by an external threat, um, they are paying more attention to what it means for their organization. And whether that, as you say, um, an impact to operations, such that there are significant business losses, um, or from healthcare perspective, we already talked about impact that results in loss of life. Um, and so again, while they are certainly not the same thing, um, they do of course create risk from a legal perspective for entities, um, whether or not it's a business loss or it's, um, identity theft or loss of life. And so, thankfully again, I think what we're seeing as a result of, you know, all of the seriousness in terms of the incidents themselves, but also the legal fallout as a result of those incidents is an increasing involvement of these leadership teams and understanding, um, both what the incident means for their organization. Um, that is if this happened, how would we be affected, um, from a day-to-day work level, but also from a legal perspective, that is okay, what do our regulatory risks look like? What do our litigation risks look like? Um, how do we prepare for both an incident, but also for the fallout from the incident?
Speaker 2:No implicit in, uh, all of our discussion up to this point is even though we've not technically defined it as this concept of duty of care and within HIPAA, as, you know, a big part of your wheelhouse and, you know, forgotten more about it than I know there's a, there are definitions around, uh, reasonable diligence, a reasonable cause willful neglect. Can you briefly summarize some of these terms and con a common, uh, how they might be applied in a legal action from, uh, a duty of care perspective?
Speaker 3:I think it's a great, it's a great point to make that because, you know, um, I think some of the disconnect between, uh, you know, what we're seeing in litigation and what these standards actually provide for is based on the fact that what is reasonable for an enterprise changes. So, um, you know, under HIPAA, as well as under, you know, these other kind of in quotation marks, standards of care, whether it's federal, uh, guidance or contractual guidance like PCI or state requirements, whatever the case may be, um, implicit in many of these, as well, as explicit as you say, in many of these, like HIPAA is reasonable and appropriate, that is we cannot expect any entity to be perfect. No entity ever can be perfect and we can't legally them to be perfect. But what we do expect is that they take all reasonable and appropriate actions based on the size and type of the enterprise and the data they hold and the risk to that data. So at the end of the day, it is a sliding scale, if you will. Um, and it really, truly depends on what type of entity we're talking about, what kind of data it holds and what kind of risks there are to that data and locking an enterprise down, um, is not a reasonable response. So at the end of the day, you know, while some plaintiff's attorneys may argue that an entity must implement this control or this control, um, that may not in fact be appropriate for that particular type of entity. And what we have to understand is that these standards, um, include an analysis of whether or not any particular implementation of a safeguard or control is reasonable for the organization. That's a hard argument to make, particularly if something very scary or bad has happened. So at the end of the day, we need to always keep in mind both, uh, you know, from my perspective as a former regulator, but also from my perspective now in advising on legal risks, that at the end of the day, we have to take reasonable and appropriate actions. And what that means is we have to take those actions, but we also don't have to be perfect. So it's really about finding the balance in terms of taking those reasonable steps, to protect the data and to ultimately protect our customers while at the same time, understanding that the data has to flow, um, for our businesses to work properly. And no one can be perfect at the end of the day.
Speaker 2:I smiled when you said reasonable and appropriate. I was so intrigued in my early days of being a student of HIPAA, that I actually counted the instances of the use of reasonable and appropriate and the adverb version reasonably and appropriately. And I think I counted at 22 times and the HIPAA security rule. Um, so, uh, that, that concept certainly, uh, uh, is present all the way through. Um, I was recently reading, uh, something published by Gartner, uh, last month in, in a document, they called their key takeaways from their board of directors survey for 2022. It says in the past five years, the percentage of boards that consider cybersecurity a business risk as risen from 58% to 88%. Yay to that I say in light of this, you need to think more strategically about presenting cybersecurity, terms of business risks and not technology that last sentence, the advice to CEOs and CSOs out there. Um, how much do you translate this into advice for healthcare executives and board members and, and again, seeking what we can provide to our listeners that they can take back into their organization.
Speaker 3:Right, right. Um, you know, again, I absolutely agree that it is a very positive development, in my opinion, that more leadership, um, uh, involvement is, is really becoming the norm. So again, you know, we really do want to see leadership involvement in these issues because we want to make sure that the privacy teams, the security teams, the legal teams that deal with these issues have the resources that they need to appropriately protect that we're going to vacation. Um, and that as you know, Bob probably better than most people, um, hasn't been the trend. Um, in many cases, these it teams and privacy teams, um, are consistently having to do more with less money, um, less resources. And, um, and it, it is difficult. It makes their jobs very difficult. So at the end of the day, first we want w we want to make sure that leadership is aware of what's necessary. So there has to be a certain level of involvement. That's that is to some extent, somewhat detailed, because we have to have robust conversations with the C-suite and with the board as applicable, um, about what is necessary from a safeguards and controls perspective in order to protect our business, to protect our consumers, to protect our data in order to get those resources devoted to those efforts. Um, and not just once or not just twice, but over time, because again, we need to be doing all of these activities over a period of years, and what's reasonable for our organization changes over that time. So, so it's about, you know, when we're implementing these types of controls to protect our data, ensuring that, uh, leadership and the board really understand what that means and what's involved there. And then of course, when a bad thing happens, we need it to be a situation in which this is not the first time that leadership and the board has heard about, you know, what this bad thing is or how it can affect the organization. So in no circumstance, do we want the first time a significant ransomware attack occurs to be the first time that the board has to make a decision about, you know, how to move forward, both in terms of taking systems offline to protect consumers, uh, downtime, procedures, uh, business losses, ransomware payments. We don't want that to happen. That is, that is in my mind the worst case scenario. Um, you do not want to have to be having those conversations while a really terrible and scary thing is ongoing for your organization. So, uh, as I said previously, we are seeing much more, uh, many more situations in which thankfully those conversations are occurring ahead of time as part of tabletop exercises or, um, you know, discussions of new policies and procedures in organizations. And I think that's really key to ensuring that everybody is on the same page about what kind of, um, circumstances we might be dealing with in the future, um, and how that will affect the enterprise again, from an incident perspective. And then of course from a litigation risk perspective, not just from consumers, but, um, you know, from shareholders and, um, you know, understanding what the regulatory risk looks like as well.
Speaker 2:It makes the world of sense. Um, is there anything you'd add from, uh, you know, w w a bottom line point of view at this point
Speaker 3:Bottom line, um, you know, I think Bob is, as you know, you and I have talked over the years for many years about regulatory risk in this, um, in this sector in terms of data privacy and security. And I think folks for a long time have understood at least on some level that there is significant regulatory risk, um, certainly from a federal level. And as we've talked about increasingly from state attorneys general, um, but I think to your point here, what we are really seeing is, is kind of a whole new world with regard to litigation risks, um, and arguably the risks associated with litigation law previously, not as serious as the risks associated with regulatory action. I don't think that's the case anymore. And I think that, um, you know, entities have to be very cognizant of what it means, um, to have litigation resulting from a particular security of the data breach, um, and all the types of litigation that can result. So I think that's why hopefully this conversation we've just had, has been helpful, um, in terms of thinking through those issues before they happen.
Speaker 2:Well, I think that's great. And if I may, uh, end with this thought, given all the great advice that you provided, um, I come back to risk management as risk management and health care organizations have been doing risk management for a long, long time, as it relates to cyber risk management, I would just urge organizations to just stop throwing controls things and the latest, shiny new gadgets that are out there. And from the point of view of the board trustees, directors, as well as the executive team, if you say focus on three things, I think you're going to get this right. Number one, make sure your organization is identifying and prioritizing all of your unique risks. By, as I always say, if you've seen one hospital's risk, you've seen one hospital's risk, secondarily discuss the bait, settle on your appetite for risk. That is determined what level your organization is prepared to accept. And then last but not least, once you understand your risks in such a rapid type manage each risk, make informed decisions about which ones you're going to accept and which ones you're going to treat. I think that goes a long way to put an organization in the place that you described earlier of being reasonable and appropriate about it. It's a serious growing. In fact, it's become an ESG and social responsibility issue, given all the critical work performed by healthcare organizations. So I'll end with those three things. And, um, and with that Eliana, unless you have any final thoughts, I'll say we've, uh, we've done our work here today.
Speaker 3:Uh, great, great conversation. Thank you so much, Bob.
Speaker 1:Thank you for listening. If you enjoy this episode, be sure to subscribe to AHLA. Speaking of health law, wherever you get your podcasts to learn more about AHLA and the educational resources available to the health community, visit American health law.org.