Wild behavior is pulsing through the cybersecurity landscape.
In 2016, I was fortunate to attend the final game of the NCAA Tournament – the “buzzer beater” between Villanova and UNC. The energy was frenetic – regardless of where one’s loyalties lay. Not having ties to either school, my friend and I were still captured by the energy that pulsed through the arena.
As we are in the midst of March Madness 2023, a similar state of wild behavior is pulsing through the cybersecurity landscape. On March 3, 2023, the Federal Trade Commission (FTC) announced its settlement agreement with BetterHelp, which was the subject of my previous Physicians Practice article. This was an unexpected settlement because for the first time, the FTC required remuneration to customers who were harmed.
On March 14, the United States Department of Justice (DOJ) announced another settlement under its Cybersecurity Fraud Initiative against Jelly Bean Communications Design and its Manager (collectively “JellyBean”) for cybersecurity failures. It was almost a year ago, on March 8, 2022, that the DOJ announced its first settlement under its Cybersecurity Fraud Initiative – one in which my co-counsel and I were fortunate to represent the whistleblower. Some key take-aways from the JellyBean settlement include the following:
Turning to another “bracket”, on March 15, 2023, the Senate Veterans’ Affairs Committee held a hearing, Examining the Future Path of VA’s Electronic Health Record Modernization Program, after the deaths of Veteran patients at VA facilities were linked to failures with the Oracle-Cerner Electronic Health Record System. The Committee Chairman stated that a new contract should be negotiated “following the revelation that the EHR system has resulted in the deaths of four veterans.” This underscores the notion that “cybersecurity is patient safety.”
Whether it’s a jump-shot, lay-up or alley-oop, the best position for covered entities and business associates alike to find themselves in is to play offense by implementing a culture that strives to meet the requisite technical, administrative, and physical safeguards required by HIPAA, the HITECH Act, and other laws in relation to PHI and sensitive personally identifiable information.
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.