Cyberbreach Trends in Health Care: The Hardest Hit Industry Ramps Up Security Efforts
Baker & Hostetler health care attorney Lynn Sessions says she's handled more than 550 data breaches, including several of the largest reported.
April 10, 2019 at 05:26 PM
6 minute read
A recent study on data privacy and security revealed that health care companies, primarily hospitals, report one-fourth of all U.S. cyberattacks—making health care the No. 1 industry impacted by data breaches.
Health care attorney Lynn Sessions, a partner in the Houston office of Baker & Hostetler, wasn't surprised by the numbers in the fifth annual Data Security Incident Response Report by her law firm. In her 20-plus years of working with health care clients, Sessions has handled more than 550 industry data breaches, including several of the largest reported.
Sessions, a former in-house attorney at Texas Children's Hospital in Houston from 2004 to 2011, spoke with Corporate Counsel this week about the cybersecurity trends she is seeing and what general counsel can do about them. Here are excerpts from that interview, which has been edited for clarity and brevity.
Corporate Counsel: Tell us what trends you are seeing in the health care industry in terms of privacy and security.
Lynn Sessions: The answer is twofold. The first trend is that health care continues to be under attack, both from outside sources such as hackers, primarily through phishing emails sent to employees, as well as through some inside jobs. Because HIPAA [Health Insurance Portability and Accountability Act] is the overarching law in this space, it sets a low threshold for notification purposes. We find a lot of companies having to do breach assessments and notifications.
We handled more breach incidents last year across all industries—from 560 in 2017 to 750 in 2018—and the health care piece of that continues to grow year on year too.
What is the second key trend?
The other trend I see is health care organizations ramping up their cybersecurity efforts. As more of these organizations use electronic medical records, they are amassing large volumes of health care data for really good reasons and for a long time. So it has become a necessity to create a position high up in the organization to oversee the security function. When I was an in-house health attorney here in Houston, I didn't really see any chief information security officers. But we have seen the advent of that in the last few years, and it's a good trend for the industry.
Are these officers hard to find, and to whom do they usually report?
Not necessarily. Hospitals compete for the talent with companies in all industries. It can be a sizable outlay to hire someone competent and good.
There are a few models in which the chief information security officer reports to the general counsel. But the most common model has the CISO reporting to the chief executive or the chief of information technology, which means competing for the IT dollars. When the CISO reports to the general counsel and the chief compliance officer, the organization has a very good, compliance-focused program.
In your conversations with health care general counsel, what concerns do they voice most frequently about privacy and cybersecurity?
There is a concern about what appears to be uneven enforcement by the Office for Civil Rights [in the U.S. Department of Health and Human Services], which investigates HIPAA complaints. We're hearing from a lot of general counsel about it. They're saying, "We have to have electronic health care records, we have to be able to communicate health information across our teams, we know we are under attack, and the Office for Civil Rights continues to enforce these multimillion-dollar penalties, even though we know there is little chance of harm coming to individuals due to a breach."
The way HIPAA is written, the organization has to overcome a presumption of harm due to the breach. There is no reasonableness standard [for likelihood of harm]. Explaining that to nonlawyer executives and board members, and explaining why we have to notify patients, isn't easy. A breach hurts their reputation and their relationship with their community.
Is ransomware a problem in the health care industry?
Yes. Sometimes health care organizations have really good backups and do not pay the ransom. I had one call today from a client who did that.
When the Office for Civil Rights looks at ransomware issues, they are not looking just at whether the data was acquired or not, but at whether a patient was impacted by the attack. So you need to look at the integrity of the data, and if it is intact—and at the availability of the data—how quickly did you get back up and running? How did it affect the patients? What are you doing to report that and to prevent it in future?
As in other industries, is email phishing a major problem?
Yes, phishing is the No. 1 way bad guys get into systems. The other thing you see in health care is employee snooping into medical records. The Office of Civil Rights takes employee snooping very seriously. I see about one case a month involving it. You have to educate your staff, and a bad-acting employee has to be sanctioned, up to firing, depending on the case.
Why do you think the health care industry is the most attacked industry?
My question is: are they attacked more, or do they report it more? The answer is both. Again, that's because of the broader requirements under HIPAA and under state breach notification laws. There are more scenarios—not just attacks—in health care where there is unauthorized access to or disclosure of data that triggers a notification obligation. While the incidents may be more frequent, the number of individuals involved is often lower than in incidents affecting entities in other industries.
Is there anything you'd like to add?
I think the industry has really responded to obligations under HIPAA and state laws, as more state attorneys general, like Florida, California and Massachusetts, are coming in now. Breaches are what keep health care general counsel and their boards up at night. It's smart for general counsel to be engaged on this and to continue to make this a top priority.