Q&A: The Hard Hit Health Care Industry Ramps Up Cybersecurity Efforts
Why is health care a target? According to Baker & Hostetler health care attorney Lynn Sessions, 'Are they attacked more or do they report it more? The answer is both.'
April 12, 2019 at 01:00 AM
The original version of this story was published on Corporate Counsel
A recent study on data privacy and security revealed that health care companies, primarily hospitals, report one-fourth of all U.S. cyberattacks—making health care the No. 1 industry impacted by data breaches.
Health care attorney Lynn Sessions, a partner in the Houston office of Baker & Hostetler, wasn't surprised by the numbers in the fifth annual Data Security Incident Response Report by her law firm. In her 20-plus years of working with health care clients, Sessions has handled more than 550 industry data breaches, including several of the largest reported.
Sessions, a former in-house attorney at Texas Children's Hospital in Houston from 2004 to 2011, spoke with Corporate Counsel this week about the cybersecurity trends she is seeing and what general counsel can do about them. Here are excerpts from that interview, which has been edited for clarity and brevity.
Corporate Counsel: Tell us what trends you are seeing in the health care industry in terms of privacy and security.
Lynn Sessions: The answer is twofold. The first trend is that health care continues to be under attack, both from outside sources such as hackers, primarily through phishing emails sent to employees, as well as through some inside jobs. Because HIPAA [Health Insurance Portability and Accountability Act] is the overarching law in this space, it sets a low threshold for notification purposes. We find a lot of companies having to do breach assessments and notifications.
We handled more breach incidents last year across all industries—from 600 in 2017 to 750 in 2018—and the health care piece of that continues to grow year on year too.
What is the second key trend?
The other trend I see is health care organizations ramping up their cybersecurity efforts. As more of these organizations use electronic medical records, they are amassing large volumes of health care data for really good reasons and for a long time. So it has become a necessity to create a position high up in the organization to oversee the security function. When I was an in-house health attorney here in Houston, I didn't really see any chief information security officers. But we have seen the advent of that in the last few years, and it's a good trend for the industry.
Are these officers hard to find, and to whom do they usually report?
Not necessarily. Hospitals compete for the talent with companies in all industries. It can be a sizable outlay to hire someone competent and good. A lot of them are lawyers who have compliance backgrounds.
There are a few models in which the chief information security officer reports to the general counsel. But the most common model has the CISO reporting to the chief executive or the chief of information technology, which means competing for the IT dollars. When the CISO reports to the general counsel and the chief compliance officer, the organization has a very good, compliance-focused program.
In your conversations with health care general counsel, what concerns do they voice most frequently about privacy and cybersecurity?
There is a concern about what appears to be uneven enforcement by the Office for Civil Rights [in the U.S. Department of Health and Human Services], which investigates HIPAA complaints. We're hearing from a lot of general counsel about it. They're saying, 'We have to have electronic health care records, we have to be able to communicate health information across our teams, we know we are under attack, and the Office for Civil Rights continues to enforce these multimillion-dollar penalties, even though we know there is little chance of harm coming to individuals due to a breach.'
The way HIPAA is written, the organization has to overcome a presumption of harm due to the breach. There is no reasonableness standard [for likelihood of harm]. Explaining that to nonlawyer executives and board members, and explaining why we have to notify patients, isn't easy. A breach hurts their reputation and their relationship with their community.
Is ransomware a problem in the health care industry?
Yes. Sometimes health care organizations have really good backups and do not pay the ransom. I had one call today from a client who did that.
When the Office for Civil Rights looks at ransomware issues, they are not looking just at whether the data was acquired or not, but at whether a patient was impacted by the attack. So you need to look at the integrity of the data, and if it is intact—and at the availability of the data—how quickly did you get back up and running? How did it affect the patients? What are you doing to report that and to prevent it in the future?
As in other industries, is email phishing a major problem?
Yes, phishing is the No. 1 way bad guys get into systems. The other thing you see in health care is employee snooping into medical records. The Office for Civil Rights takes employee snooping very seriously. I see about one case a month involving it. You have to educate your staff, and a bad-acting employee has to be sanctioned, up to firing, depending on the case.
Why do you think the health care industry is the most attacked industry?
My question is, are they attacked more or do they report it more? The answer is both. Again, that's because of the broader requirements under HIPAA and under state breach notification laws. There are more scenarios—not just attacks—in health care where there is unauthorized access to or disclosure of data that triggers a notification obligation. While the incidents may be more frequent, the number of individuals involved is often lower than in incidents affecting entities in other industries.
Is there anything you'd like to add?
I think the industry has really responded to obligations under HIPAA and state laws, as more state attorneys general, like Florida, California and Massachusetts, are coming in now. Breaches are what keep health care general counsel and their boards up at night. It's smart for general counsel to be engaged on this and to continue to make this a top priority.
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.