Cybersecurity is patient safety

In November 2022, Senator Mark R. Warner released an important policy paper entitled, Cybersecurity is Patient Safety. As an attorney with federal government experience, as well as focusing my practice on healthcare, cybersecurity, securities law, Dodd Frank, and False Claims Act compliance, transactions, litigation, and representing individuals on certain matters before government agencies post-reportable cybersecurity incidents, there are a couple of important items that stood out to me as already being available. The critical question is why persons are not reading what is out there and utilizing the National Institute of Standards and Technology (“NIST”)’s general framework for approaching cybersecurity, which I have distilled from five (5) words to three (3) words: prevention, detection, and correction. (emphasis added).

In my experience handling these issues from different vantage pointsfor over a decade, persons either ignore the risks and costs of non-compliance with fraud, waste, and abuse laws and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and related Rules and laws, gamble on not having a government action brought against them either organically by a government agency or through the False Claims Act’s qui tam provision, and/or view the monetary fines as a cost of doing business.

In order to address some of the items in the Cybersecurity is Patient Safety, I suggest the following:

1. Reading the FBI and CISA releases in particular on certain cybercriminals overt statements about targeting hospitals and the healthcare system in order to put pressure on the hospitals to pay the ransom demand because of the threat of adverse patient outcomes, including a patient death;
2. Appreciating what has been in the HIPAA Security Rule since its effective date in 2005 – the fundamental purpose of the security rule is to protect electronic protected health information by ensuring that the confidentiality, integrity, and availability of the data remain intact. Hence, privacy and security go hand in hand;
3. Understanding that there are already laws in place, including the Cybersecurity Act of 2015 and the subsequent efforts under §405(d) which leveraged a public-private partnership to provide resources that now available through HHS and ONC;
4. Evaluating compliance with recognized security practices (i.e., NIST standards, §405(d) guidelines and best practices, and HIPAA Security Rule) as expressed in HR 7898 (Pub. L. 116-321 (Jan. 5, 2021)), which are factors the government will consider when assessing fines and conducting an investigation; and
5. Ensuring that False Claims Act liability is mitigated using the new Anti-Kickback Statute’s safe harbors and Stark Law exceptions, most of which became effective on January 19, 2021. In particular, those that relate to cybersecurity.

Incentives or “carrots” are important. Equally as important is the appreciation that where there are incentives, there are also those who allegedly will exploit or attempt to exploit a government incentive program or government procurement contract. In other words, commit fraud by not following the laws. One example is the U.S. Department of Justice’s first False Claims Act settlement under its Civil Division Cyber-Fraud Initiative. Another follows a line of cases and settlements stemming back at least five (5) years – electronic health record companies both falsifying their own compliance with HIPAA and the HITECH Act under the Meaningful Use and Interoperability Program, which providers detrimentally relied upon and placed their patients and systems at risk, as well as the illegal payment of kickbacks and the causing of false claims to be submitted. A recent example is Modernizing Medicine agreeing to pay $45 million to resolve these types of allegations.

In order to cultivate a culture of compliance organizations need to take a “patient safety first” approach, whether the person is a covered entity, business associate, or subcontractor because of the connectivity between these different entities. Coordination between government agencies ia always beneficial. I would argue that HIPAA is not outdated. To the contrary, it has continued to evolve since its inception. The question is whether persons utilize the resources and refer to the laws, which have been available for years.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.