Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
A HIPAA risk assessment can help your practice put safeguards in place to protect against both cyberthreats and cyberliability.
Recently, I came across two articles in legal publications that are as pertinent to medicine as they are to law. Both articles focused on cybersecurity and cyberliability. The Dallas Bar Association's "Cyberliability: Considerations for Mitigating Risk Through Insurance" article proffered the following quote by FBI Director, Robert Mueller, "There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again."
Building upon this sentiment is the distinction between extrusion and external sources of cyberthreats. Although the name may sound like a misnomer, a recent American Bar Association article, "Inside-Out Threat," indicated that, "Law firms face an array of cyberthreats from foreign governments, competitors, and hackers. And then there's the threat that has always existed in the offline world, but has migrated online: inside jobs - or what cybersecurity experts call extrusion." These threats - being hacked and being mindful of insiders heisting data - are commonalities for both law firms and medical practices.
While there is no way to fully guarantee protection from extrusion and external sources, there are steps that can be taken. For medical practices, many of these are required as part of a HIPAA risk assessment and implementation. Some areas to focus on include:
• Background checks;
• Comprehensive policies and procedures;
• Vigilance (i.e., computer audit trail monitoring, access logs, and data-leakage prevention tools), and, most importantly;
• Employee education.
"It's extremely important for firms to provide education to their user base," says Andrew Jurczyk, chief information officer at Seyfarth Shaw in Chicago. "They need to know what encryption is, and what possible sources [of data leakage] are." (ABA Journal, p. 29 (July 2014)).
One way to mitigate risk is through insurance. Cyber insurance is one option; however, coverage under traditional policies may cover cyber-related loss. As with anything, it is important to read the terms and the fine print to determine what is covered. Exclusions may apply and typically "regulatory fines, government investigations and criminal penalties are not covered." (Dallas Bar Association, Headnotes, p. 13 (July 2014)). In sum, commercial general liability policies and cyber-insurance policies should be read together. And, who knows, through HIPAA, perhaps lawyers may learn from doctors, too!