Health care attorney’s tips for regulatory readiness

It's a tall order given the constantly changing and confusing landscape of healthcare privacy rules, but hospitals and health systems should adopt a more proactive approach to regulatory compliance, said Michelle Garvey Brennfleck, a shareholder in the healthcare and regulatory practice at Buchanan Ingersoll & Rooney PC.

Garvey Brennfleck has developed useful insights into how providers can better manage their regulatory challenges while protecting patient data through her work supporting healthcare organizations "when compliance efforts fail."

She offered Healthcare IT News readers some recommendations on how healthcare organizations can respond appropriately and quickly to reduce risk.

Q. In the event of a potential privacy and security issue, many health systems will turn to their playbooks. However, some may not take the necessary steps to ensure processes can be followed or skip process updates to keep up with emerging threats. What are some of the most common areas or pitfalls you see where vendors fall short?

A. Having an organization-appropriate handbook is the first step.

Many organizations adopt “off-the-shelf” sample manuals that are not specific to their organization. Organizations with the best manuals have drawn on resources – both internal and external – to prepare powerful, relevant, practical, understandable and widely disseminated manuals to the organization’s workforce through education and training initiatives.

Q. In your job, you recommend doing tabletop exercises to practice responding to a cybersecurity incident. For clients just starting to develop training programs, what resources do you point them to and what is your advice for setting up effective programs?

A. Because tabletop exercises can be time- and resource-intensive, we generally recommend that organizations work with outside resources, such as legal counsel or consultants, to develop pilot tabletop exercises that are, again, tailored to a particular organization.

Involving an organization's chief information security officer, chief privacy officer, chief legal counsel and other key personnel allows for a "train the trainer" option, where the internal team then conducts future tabletop exercises for other members of the workforce, reducing the need to use external resources for each and every exercise.

Q. When it comes to insurance, insured entities need to have multiple mitigations in order to be covered. But what should hospitals and health systems look at to make sure they have the right cybersecurity coverage for their needs, and how can they make sure they get it?

A. Contractual and other third-party arrangements often require hospitals, health systems, and other organizations to maintain an appropriate level of cybersecurity coverage. These organizations can work with their insurance brokers to assess the appropriate level of cybersecurity coverage based on the organization’s activities.

In addition, we recommend that organizations work with their insurers to identify legal counsel who are on the approved legal advisory board of a particular insurance company to ensure appropriate legal assistance in the event of a cyber event or incident.

Q. What can healthcare organizations do to prepare to work with insurance companies and their business partners in the event of an incident? How can they best prepare for exposure to potential third-party vulnerabilities?

A. Healthcare organizations with relationships with third-party providers often promote the use of their own "sample" data use agreements or business associate agreements containing healthcare-friendly terms.

For example, they require notification in the event of a vendor-related security "issue," rather than only in the event of a "breach." This gives the organization more access to information in the event of a security incident involving a third-party vendor.

In addition, we recommend that providers maintain a log of the key terms of their data use agreements and business associate agreements so that they can respond quickly and make the necessary notifications when a security-related event occurs.

From an insurance perspective, as suggested above, healthcare organizations should consider a legal advisory board approved by their insurer to ensure the seamless involvement of legal expertise, if needed.

Andrea Fox is the senior editor of Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
