The greatest gift to give your board: Cyber awareness

According to the American Hospital Association’s 2022 Hospital Statistics, there are 6,093 hospitals in the United States with investor-owned (i.e., for-profit) hospitals accounting for 1,228 facilities. While most hospitals have boards of directors, perhaps except for government facilities, those facilities that are part of a health system that is publicly traded, such as Tenet Healthcare Corp. (NYSE: THC), HCA Healthcare Inc. (NYSE: HCA), and Community Health Systems, Inc. (NYSE: CYH), have additional obligations imposed by securities laws and related U.S. Securities and Exchange Commission (SEC) requirements.

All persons with boards should be making sure that the individual board members are meeting their common law fiduciary duties, including those of loyalty and care. Arguably, since a board of directors always has a duty to act for the good of an organization, that duty should extend to the knowledge of board members to evaluate cybersecurity risk as part of the entity’s strategic plan and enterprise risk management strategy. It is imprudent for the board of directors to be involved in the day-to-day operations of an entity – it’s not their role and it could increase their liability.

For publicly traded companies, including the aforementioned health systems, appreciating current obligations under the Exchange Act of 1934, the Sarbanes-Oxley Act of 2002 (SOX), and previous guidance issued by the SEC regarding cybersecurity, it is imperative to appreciate the SEC’s proposed rules, which relate to public companies and cybersecurity. Specifically, the proposed rules both build on existing requirements and add some new obligations, as follows:

• Require current reporting about material cybersecurity incidents on Form 8-K;
• Require periodic disclosures regarding, among other things:
  • A registrant’s policies and procedures to identify and manage cybersecurity risks;
  • Management’s role in implementing cybersecurity policies and procedures;
  • Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk; and
  • Updates about previously reported material cybersecurity incidents; and
• Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL).

A couple of notable observations: (1) the board of directors is specifically mentioned; (2) policies and procedures (NOTE: an organization should have two sets - one that is comprehensive and one that provides enough substance for most employees and the public without putting an organization at risk); and (3) Inline XBRL has been around for a while and “is a freely available global framework of accounting standards used for exchanging business information.” Public companies and registrants (those persons who are registered with the SEC), should have already integrated XBRL with SOX Sections 302 and 404.

For those in the healthcare sector, here are a few key areas that boards and companies alike should be focused on in relation to cybersecurity, risk mitigation, and liability for both individuals and companies:

1. Cybersecurity is patient safety – whether it is a medical device, a ransomware attack on a hospital, or having a request to send patient information to TikTok, organizations need to be proactive and implement a protection, detection, and correction strategy;
2. HHS Proposed Rule – on November 28, 2022, HHS released a proposed rule to address Substance Use Disorder (SUD) under 42 CFR Part 2 and HIPAA, to ensure that these two laws are more aligned in terms of patient protections to avoid treatment discrimination;
3. December 2022 HHS Guidance - Data tracking technologies are becoming more of a focus for a variety of government agencies, including the Federal Trade Commission and the U.S. Department of Health and Human Services. Making sure your IT department knows how different software, such as Pixel, is integrating with an EHR and/or website to collect and use patient data and personally identifiable information is critical; and
4. Biometrics – certain states, including Illinois through its Biometric Information Privacy Act (BIPA), have very robust laws, which expressly state that a private cause of action exists in relation to potential violations of biometric information. Importantly, biometric information is also an “identifiable factor” on the list of personally identifiable information as it relates to HIPAA. On April 25, 2022, the U.S. District Court for the Northern District of Illinois in Sosa v. Onfido, Inc., Case No. 20-cv-4247, held that “faceprints derived from photographs are biometric identifiers and should be regulated under BIPA.” Notably, the court parsed out normal photographic images from facial geometric scans. Pursuant to BIPA Section 15(a), an individual must provide consent for an entity to collect or obtain their biometrics or the entity must provide notice that biometrics are being collected. Organizations/Persons must also have written policies and procedures.

In putting the final “bow” on this gift, placing qualified individuals on publicly traded companies’ boards in particular, may lead to reduced risk, lessened legal liability, and greater peace-of-mind. Government investigations, individual lawsuits, and class actions are unequivocally more expensive than an annual risk analysis and adequate due diligence when acquiring or merging with companies. Yet, many persons choose to ignore this and end up paying a much large price – financially, legally, and reputationally, later.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.