By David Harlow, JD MPH, Principal, The Harlow Group LLC
Twitter: @healthblawg
Host: HIPAA Chat!
I recently moderated the Second Annual Cybersecurity and Healthcare panel discussion, produced by HITECH Answers, with some all-star panelists: Mac McMillan, Lee Barrett, Bridget Wahlstrom and Iliana Peters. We discussed a range of current issues, and prognosticated about the future. Check out the video, below.
Here’s the introduction that I offered to set the stage for our conversation:
It seems that almost every day we read news of a new significant breach, a new ransomware attack, a new settlement with the HHS Office for Civil Rights. There are also other areas of concern for those of us who are employed by, or who represent, health care providers and their business associates in the health data realm: Federal Trade Commission enforcement, class action lawsuits, state attorney general actions and individual lawsuits based on state privacy laws.
But to get started today, let’s step back from these endpoints (the attacks, the exploits, the lawsuits, the enforcement actions, the fines, the compliance agreements) and talk about how we, collectively, can put our best foot forward, how we can do the right thing.
Yes, we need to be looking over our shoulders, metaphorically speaking, but for virtually my entire career my mantra has been the practice of preventive law. As an attorney and advisor, I always seek to help my clients put systems and agreements in place that anticipate what might go wrong, thereby preventing at least most of the things that are likely to go wrong. I am sure that our panelists today have a similar mindset. I came across a reference to Donald Rumsfeld’s memorable phrase “unknown unknowns” earlier today; that category of risk exists in healthcare cybersecurity as it does in military planning, but most of the significant risks out there are known. Even though these risks are known, we, collectively, the healthcare community, are not doing what we need to do, at the level we need to do it, in order to mitigate them.
For me, high on this list of insufficiently addressed risks are what I’ll call collectively “human factors”: staff who are taken in by the social engineering of sophisticated hackers and click on those darn links in those darn phishing emails. Also: ransomware and other exploits enabled through the absence or improper configuration of security tools. These human factors bleed into apparent institutional indifference. How many academic medical centers must be hit with multi-million dollar penalties before all AMCs devote the attention – and the resources – necessary to close the gaps in their cybersecurity programs? Why aren’t other covered entities and business associates doing everything they need to do to maintain full compliance?
I hope you enjoy the webinar: get a cup of coffee, make yourself comfortable, and have a listen. Feel free to contact me with any questions you may have about HIPAA compliance and related cybersecurity issues.
This article was originally published on HealthBlawg and is republished here with permission.