By Andrea L. D’Ambra and Susana Medeiros at Norton Rose Fulbright US LLP
Cybersecurity and data privacy issues remain a top litigation concern for healthcare organizations, according to the recently released 17th Annual Litigation Trends Survey by Norton Rose Fulbright, which surveys hundreds of in-house litigation leaders at global companies.
Healthcare organizations report that they are a prime target for cyber threat actors seeking to exploit companies holding large volumes of sensitive personal data. According to one vice president of risk, “we know as a health care organization that we are in one of the industries that is a high target industry for anyone trying to get patient information. We view it as a very high-risk exposure.”
The Department of Health and Human Services (HHS), which regulates healthcare companies and other healthcare-related entities in the United States, reported 139 breaches in just the first three months of this year, compared with 92 breaches reported by the same point in 2021. That is an increase of roughly 50% in reported breaches for the same period. So it is unsurprising that two thirds of healthcare respondents report feeling more exposed to cybersecurity and data privacy risks than they did in 2020.
Because of the nature of the healthcare industry and the volume of personal health information healthcare companies hold on behalf of individuals, these organizations come under heightened regulatory scrutiny with respect to data privacy and security. For example, under the Health Insurance Portability and Accountability Act (HIPAA), regulated entities must notify affected individuals of any cybersecurity incident that qualifies as a “breach” of protected health information; where the breach affects 500 or more individuals it must also be reported to HHS without unreasonable delay (and in no case later than 60 days after discovery), and HHS publishes such breaches on its public breach portal, while smaller breaches may be reported to HHS annually. These obligations apply not only to healthcare organizations regulated under HIPAA as Covered Entities, but also to the vendors and other third parties that support them and operate as Business Associates. Similarly, under the HITECH Act, these entities must implement security standards, monitored and enforced by HHS, to safeguard protected health information.
Ensuring third party compliance with HIPAA and HITECH regulatory standards remains a critical part of a healthcare compliance program, according to several healthcare respondents. This may include requiring third parties to demonstrate their compliance, and engaging penetration testers to attempt to break into those vendors’ systems. Other companies have taken the approach of limiting third party access to sensitive information wherever possible, and aim to narrow the list of pre-approved third party vendors to reduce their risk exposure.
Because healthcare companies are such a prominent target for cyber-attacks, it is unsurprising that class actions driven by cybersecurity litigation remain a bigger concern for them than for other industries. According to the deputy general counsel of a healthcare company, “class actions are becoming very popular and common in any type of security breach,” with many actions filed as a kneejerk response to a security breach, even where plaintiffs are unable to show damages resulting from the breach or where data privacy laws are unlikely to support a cause of action. Numerous healthcare respondents cited cybersecurity class actions as one of the biggest concerns on the horizon because they are high-profile, costly, and often difficult to defend.
Across all industries, the number of respondents who cited class actions among their most common dispute types has doubled since 2020, with cybersecurity-related class actions trending upwards. Survey respondents reported that the increased number of cyber-related class actions is partly because plaintiffs’ attorneys in the United States are increasingly monitoring data privacy breaches, and the resulting consumer notifications often spawn class action suits for both larger and smaller incidents.
Healthcare companies report that several factors have increased their exposure to cybersecurity disputes. These factors include the storage of large volumes of sensitive personal information, Covid-19 and its impact on IT security, the difficulty of vetting third party data security practices, the growing sophistication of cyber-attackers, the increased volume of cyber-attacks against companies based in the United States, and the changing legal and regulatory landscape in the US and worldwide.
These organizations also report higher levels of financial exposure in the cyber liability area because of what one general counsel described as the “hardened” cyber insurance market, as demonstrated by increased premiums, higher deductibles or self-insured retentions (which, like a deductible, require the insured to bear the cost of a claim up to a certain limit), restricted coverage options, and a tougher insurance renewal process. Other healthcare companies report that they have nonetheless sought increased insurance coverage in the past year to address their growing cyber risks.
Reputational damage arising from a cybersecurity incident was another common concern expressed by healthcare companies, which fear the impact on their professional standing in the eyes of patients, insureds, regulators, and other third parties.
Respondents reported that they employed a variety of strategies to reduce their cyber risk, including additional investment in IT and information security to better safeguard data, raising employee awareness of phishing attacks, conducting tabletop exercises to test the company’s cyber preparedness, and third party due diligence. According to the head of litigation at a US healthcare company, citing the steps their company is taking to reduce its risk of cybersecurity-related litigation, “obviously, the best way to reduce litigation is to not have [cyber] incidents in the first place.” All of these strategies, however, require significant additional investment in both time and capital expenditure, which is ill-timed given the challenges healthcare companies are facing during the COVID pandemic.