Recent lessons in cyber incident response and preparedness
The health care sector’s growing cybersecurity risks provide insight into responding to and mitigating risk as well as avoiding litigation.
The health care sector has seen an onslaught of data breaches in recent years, with more than 700 data breaches involving 500 or more records in each of the past three years.
In the first quarter of 2024 alone, the Department of Health and Human Services (HHS) received 212 formal data breach notifications. As HHS aptly suggests, health care organizations are frequently considered “one-stop shops” that contain identity, financial and health information.
Cyberattacks can paralyze an organization’s operations and be tremendously costly, both financially and in their effect on patient care. In response, many legislative bodies and regulators have updated laws and issued guidance to better protect sensitive patient or customer information.
For example, Congress is considering a bipartisan bill to establish comprehensive data privacy rights and standards for data security, HHS released guidance on cybersecurity actions and plans to propose cybersecurity requirements this spring (through the Centers for Medicare & Medicaid Services (CMS) and the Office for Civil Rights (OCR)), and the Federal Trade Commission (FTC) has updated and is enforcing its Health Breach Notification Rule against digital health companies.
Recent developments especially underscore the increasing importance of cybersecurity in health care. What follows is an overview of the health care sector’s growing cybersecurity risks, best practices for helping prevent or mitigate cyberattacks, and best practices for responding to incidents and mitigating cyber risk.
Health care sector cyber risks
Given the growing dependence on digital systems and electronic health records (EHRs), health care entities are subject to increasing cybersecurity risks, including the deployment of malware, sophisticated ransomware attacks and more subtle forms of unauthorized access, such as those due to phishing emails or human error.
Furthermore, many health care entities rely on third parties to provide essential digital tools, from telehealth platforms to secured file transfer solutions and advertising tools, and these third-party services can become prime targets for cyberattacks, given their vast customer base and possession of voluminous health data.
Additionally, as the health care industry has experienced a surge in mergers and acquisitions, companies often overlook the potential vulnerabilities resulting from legacy and/or un-integrated IT systems.
It is prudent for entities of all sizes to proactively prepare for cybersecurity threats and implement appropriate incident response plans.
Preparing for cybersecurity threats
Health care entities should not wait for a cyberattack to occur at their organization or for regulatory requirements to further develop before thinking about enhancing their cybersecurity posture. The following practices may help prevent or mitigate cyberattacks and reduce the impact of potential breaches.
- Implement high-value security measures: Ideally, companies would be able to fully align their security programs with industry best practices, such as those outlined by NIST or ISO 27001. However, many companies find that their breaches are caused by a lack of cybersecurity basics, such as multifactor authentication (MFA), strong passwords, cloud storage that is not publicly accessible, and regular patching and/or updating of systems.
- Conduct security assessments: Regular security assessments help proactively identify gaps and vulnerabilities so that an organization can allocate resources to address such risks. Such assessments may focus on compliance with the HIPAA Security Rule or alignment with the NIST Cybersecurity Framework, depending on the organization’s needs and obligations. It is prudent to address risk assessment findings without delay, as these are often the first documents scrutinized by regulators and sought by plaintiffs in discovery.
- Evaluate stored data: Regular evaluations of patient data can help identify information that requires additional security measures. Data audits can also help organizations spot redundant or nonessential data that may pose cybersecurity risks and provide organizations with an opportunity to delete such unneeded data.
- Segregate sensitive data: Storing sensitive data sets, such as patient records, alongside less-sensitive data, like marketing information, can lead to trouble for some organizations. For efficiency, organizations want certain data to be easily accessible to many employees; however, sensitive patient data requires heightened security protocols (e.g., encryption and strict access controls), which can help mitigate risks arising from security incidents and breaches.
- Tabletop exercises: Tabletop exercises can reinforce education materials and policies and procedures, reducing potential error. Effective tabletops usually involve realistic scenarios tailored to a particular organization. Additionally, tabletop exercises tend to be more effective when they include participation by key decisionmakers who would be involved in a live incident.
- Implement contingency plans: Contingency plans are key to help ensure continuity, including uninterrupted care delivery and electronic claims submission in the event of a security incident. Such efforts may include plans for maintaining operations when computer systems and networks are down, including establishing manual processes for patient care when certain software and email systems are inaccessible. Contingency planning may also involve the development of alternative communication protocols, such as a text tree or temporary use of non-work email systems (e.g., Gmail, Outlook.com), if a company’s email and/or telephone systems are interrupted or offline; however, such alternatives should be secure and compliant with legal requirements (e.g., HIPAA) for dealing with sensitive patient data. Organizations may develop situation-specific response plans that are regularly updated to address the latest threats and regulatory obligations.
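The “publicly inaccessible cloud storage” basic in the first bullet above is one of the few items in this list that can be checked mechanically. The following is an added example, not code from the article or its authors: a small static check over AWS S3-style bucket policy documents that flags Allow statements granted to the anonymous wildcard principal. The two policies, the bucket name, the role ARN and the account ID are constructed for illustration; the function names are our own.

```python
"""Flag cloud storage bucket policies that grant public access.

Added example (not from the original article). Evaluates S3-style bucket
policy JSON and reports Allow statements that any anonymous principal can
use. The sample policies below are constructed; the account ID, bucket and
role names are placeholders.
"""
import json

# Constructed misconfiguration: anyone on the internet can list and read a
# bucket that holds exported patient records.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::patient-records-export",
                         "arn:aws:s3:::patient-records-export/*"],
        }
    ],
})

# Constructed hardened variant: read access is limited to one role in the
# account, and the wildcard principal appears only in a Deny that refuses
# plaintext (non-TLS) transport, which is a common and legitimate pattern.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ClaimsExportRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/claims-export"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::patient-records-export/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::patient-records-export",
                         "arn:aws:s3:::patient-records-export/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True for the anonymous wildcard in either of its accepted spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def find_public_statements(policy_json: str) -> list[dict]:
    """Return Allow statements whose Principal is the wildcard.

    Deny statements are skipped: a wildcard Deny is how a policy enforces
    TLS or a VPC endpoint and is not a public grant. Conditioned wildcard
    Allows are still reported, but flagged so a reviewer checks whether
    the Condition actually narrows access.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditioned": "Condition" in stmt,
        })
    return findings


def is_publicly_accessible(policy_json: str) -> bool:
    """True when at least one unconditioned public Allow is present."""
    return any(not f["conditioned"] for f in find_public_statements(policy_json))


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, is_publicly_accessible(doc), find_public_statements(doc))
```

In practice this check would be run against policies pulled from the account (for example via the cloud provider’s CLI) as part of the regular security assessments discussed in the next bullet, alongside the provider’s account-level “block public access” settings, which this policy-level check does not inspect.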
Responding to a security incident
Ideally, when a cybersecurity incident occurs, the impacted entity has already established a response plan that it regularly tests, practices and updates.
In practice, though, cyberattacks too often affect companies that are unprepared to deal with them. A company that falls victim to a cyberattack should act fast and appropriately to manage the regulatory, legal, reputational and business consequences. Organizations should consider taking proactive measures after a cyberattack, including the following steps to mitigate enforcement and litigation risks.
- Involve senior executives: An organization’s IT staff cannot on their own address the far-reaching implications of a cyber incident; the involvement of senior executives is crucial to pulling a company through the crisis. Senior executives, including the CEO and those responsible for communications, technology, legal and compliance, should be ready to take the lead on crisis management. With the assistance of external counsel and other professional service providers, they can make effective strategic decisions and coordinate internal and external resources to execute them.
- Isolate affected systems and fix vulnerabilities: After detecting a cyberattack, an entity should act fast to isolate the affected systems from the network to prevent further damage to itself or its customers. Isolation should be coordinated with the forensic investigators: disconnecting a compromised host from the network contains the attacker while preserving logs and memory, whereas powering it off or rebuilding it before evidence is collected can destroy the data needed to determine what was accessed and whether notification obligations apply. As forensic investigators and lawyers examine the cause of the incident, the IT team should focus on identifying and fixing the vulnerabilities that were exploited and confirming that the attacker no longer has access, so that the organization can bring its systems back online as soon as it can safely do so.
- Engage experienced outside counsel: Outside counsel can offer experience in dealing with breaches, including overseeing a forensic investigation, determining whether notification obligations are triggered and the requisite timing, and litigating such matters when necessary. Effective outside counsel can also explain complex technical and legal concepts to patients, customers, regulators and even Congress. Lawyers also routinely develop and oversee breach-related communications with the public, customers, employees and affected parties. In appropriate circumstances, involving outside counsel may help facilitate more open discussions with employees due to attorney-client privilege.
- Communicate promptly and accurately: Customers, regulators and other parties potentially affected by a breach often expect immediate responses to inquiries about a breach. Such communications should be carefully crafted, as such parties have sought to hold organizations liable for inaccuracies in communications related to a breach. Moreover, certain federal and state laws and regulations require breach notifications, but not every incident triggers such obligations. Careful legal analysis, informed by forensic investigation results, can determine when, whom, and how to notify. In some cases, it may even be prudent to initiate a dialogue with regulators before submitting a formal notice.
- Coordinate with third parties: Before a breach occurs, a health care organization may consider establishing relationships with third-party cybersecurity experts, outside counsel, law enforcement, and other relevant organizations. Such practices help health care organizations quickly tap into additional expertise and assistance during a cybersecurity event.
Cyber risk is here to stay
Health care organizations will continue to face sophisticated cyber threats, which necessitates both safeguarding systems and staying up to date with the latest regulations. Comprehensive risk management is critical and goes beyond implementing technical solutions: it also consists of updating policies, training staff, segregating sensitive data, implementing robust contingency plans and conducting proactive security assessments.
As cyber threats evolve, health care organizations should implement measures to bolster defenses and ensure that if an incident does occur, they are prepared to respond effectively and mitigate potential legal and regulatory exposure, and most importantly protect patients’ data and limit compromising care.
Robert Kantrowitz is a corporate health care partner at Kirkland & Ellis and Sunil Shenoi is a partner in the firm’s Government and Internal Investigations Group. Micah Desaire is a corporate health care associate and Xiaorui Yang is a litigation associate at the firm.