The Anatomy of a Cyberattack: Hospitals Respond to Growing Threat from Hackers
The recent cyberattack on Change Healthcare exposed fissures in the American health care system that are still reverberating – impacting patients and providers alike months after it was exposed.
As hospitals, physicians, and other providers get back on their feet, they’re also improving their cyber defenses to stay one step ahead of increasingly persistent hackers.
This crisis also sparked conversations among policymakers weighing the implementation of new regulations on health care entities, including potential penalties for those who have been victimized.
In this episode, Lynn Sessions looks at the cyber-security issues facing hospitals and health care organizations, from evolving threats to how we need to think about mitigation and resiliency. Lynn is a partner at the law firm BakerHostetler and leads the Healthcare Privacy and Compliance practice, where she has handled more than 1,000 health care data breaches and ransomware attacks.
Topics discussed include:
- Evolving efforts of hospitals to increase cybersecurity protections
- The anatomy of a health care cyberattack – effects of ransomware vs. malware
- Vulnerability of 3rd party entities in health care – like Change Healthcare
- Role of the federal government – protecting hospitals, penalizing bad actors
- Moving forward – fighting the next generation of cybercriminals
More:
BakerHostetler has a diverse team with wide experience in counseling health systems, physician groups, insurers and employers across the country regarding risk assessments, developing comprehensive incident response plans, and responding in a timely and accurate manner to privacy and security incidents, from lost paper files and laptops to the largest cyber incident ever reported involving medical information.
Lynn Sessions (00:04):
You can put all of your data behind what I would call Fort Knox, but if you’ve got that one entry point in from one of your third party vendors that may not be as secure as you or is absolutely a target of a third party from some other place in the world, then they’re going to find a way in.
Speaker 2 (00:24):
Welcome to Hospitals In Focus, from the Federation of American Hospitals. Here’s your host, Chip Kahn.
Chip Kahn (00:34):
Hello and welcome to Hospitals In Focus. We so appreciate you listening. The recent unprecedented cyber attack on Change Healthcare exposed fissures in American healthcare that are still reverberating and impacting patients and providers alike. As hospitals, physicians and other providers work to get back on their feet, they’re also looking at ways to improve their cyber defenses so they can stay one step ahead of the bad guys.
(01:03):
In this episode, we will take a broader look at cybersecurity issues facing hospitals and healthcare organizations from evolving threats to how we need to assure mitigation and resiliency. And we have a perfect guest for this topic, Lynn Sessions, a partner at the law firm of BakerHostetler, who leads the healthcare privacy and compliance practice where she has handled more than a thousand healthcare data breaches and ransomware attacks.
(01:32):
Lynn, thank you for joining us today.
Lynn Sessions (01:35):
Thank you, Chip.
Chip Kahn (01:36):
Lynn, to get us started, can you give us some sense from your background and wealth of experience into what you have seen and your team has seen in this area of security cyber breaches?
Lynn Sessions (01:50):
Sure. So I’ve been at BakerHostetler for the last 13 years, and as you stated, I lead our healthcare privacy and compliance team. This is after a career of about 30 years of working with healthcare organizations through a variety of different roles. What we see today are a number of healthcare organizations being under attack, similar to what happened with Change. I have a team of about 15 devoted lawyers who are exclusively working in the healthcare space, whether it’s with hospitals, physician groups, health plans and healthcare-adjacent organizations. And we are busy. We see hospitals from really all over the country that are being under attack.
(02:29):
When I first started doing this about 13 years ago, we were worried about lost and stolen laptops, unencrypted Blackberry devices that were lost or stolen, left on an airplane, in a rental car, things like that, and never did I dream that we would fast-forward to over a decade later and we’d be dealing with these very sophisticated ransomware attacks that are coming from other parts of the country where we see our healthcare clients and just really the healthcare industry under constant endless attack by the CRAs that are trying to get into their systems.
Chip Kahn (03:00):
With this constant onslaught implied in your introduction there, Lynn, how can healthcare organizations even hope to protect themselves against these hackers that are supported by hostile nations or well-funded bad guys?
Lynn Sessions (03:19):
So what I tell clients is that they need to go back to the basics because it’s very similar to how you look at your house and you would secure your house. You want to make sure you’re locking the doors, you want to make sure that you’re locking your windows. You might even entertain putting a security system on your house to see people who are coming in and out of your house or people trying to break into your house.
(03:40):
It’s the same thing when you’re looking at a cybersecurity framework. You want to go back to the basics. There are certain things that are required by [inaudible 00:03:46], there are certain things that I would call our standard of care that particularly our large health systems need to be implementing. And it goes back to some of those basic security safeguards that they need to put in place such that they can protect themselves from bad guys. But if a bad guy is really wanting to get into their systems, they’re going to find a way. And we see that these are basically these people’s jobs in other parts of the world, usually outside of US extradition that are spending eight hours a day, 16 hours a day, 24 hours a day attempting to get into our healthcare organizations and they’re going to figure out a way to get in to exploit some vulnerability such that they can get to what they perceive as being the crown jewels of that organization.
Chip Kahn (04:28):
Yeah. Talking about crown jewels, why are hospitals so popular?
Lynn Sessions (04:34):
Yeah, that’s another great question. We have definitely seen that our healthcare systems are certainly a target. We used to think they were just crimes of opportunity because maybe the security wasn’t very good. Now that is completely flipped. And it’s because they are a very, very data-rich environment, whether it’s looking for things like PHI, so names, social security numbers, other financial information that our clients may have on their patients or their health plan members, but they also have things like research information.
(05:04):
A lot of our academic medical centers are really leading the world in research, and so some of that information may be very valuable to organizations outside the United States. But it’s a very, very data-rich environment and there’s a need to keep information for a very long time, whether it’s because state laws may require you keep them in place for malpractice purposes, regulatory agencies may require that you keep them in place for regulatory purposes. But there’s a lot of reasons that healthcare organizations have to keep this information. And some of it may be like, “I’m curing cancer. We’ve got to keep all of this information about our patients because we may need to make reference to it in the future.” So all good reasons in which it makes a data-rich environment, but they certainly do make it a target for those that are trying to obtain that information.
Chip Kahn (05:53):
You just talked about data. Hospitals also have a lot of medical devices and other kinds of machinery that depend on software and hook into records. Can you tell us the difference between attacks on data versus medical devices, what happens most often? And I guess, is this an issue of ransomware versus malware?
Lynn Sessions (06:17):
Well, it can be. We certainly have seen some attacks on medical devices over the years from outside the United States where the idea was to implement some type of malware into those systems to either obtain data that they would then try to exploit later or to stop the use of those devices such that they could try to extort money from the victims there.
(06:39):
And so I don’t think you would say either or, I think you would say both. So health systems are injected with some type of ransomware that’s oftentimes a malware that they’re then used to extort from, and we’ve certainly seen medical devices that have been exploited as well in a similar manner. And so what we worry about on the medical device side is could there be patient harm that results from that? And frankly, we worry about that also when a hospital network’s been impacted. Are there going to be changes to some of the medical records, for example, if the bad guys are able to get into medical records such that they change my blood type from type O to type AB or something along those lines that might be detrimental to the care that’s being provided to me?
(07:23):
We rarely, if ever, have seen something along those lines, but it is certainly one of the worst case scenarios that we talk with our clients about in preparation for these types of incidents.
Chip Kahn (07:32):
So is it mostly ransomware then that you see ultimately getting into hospital systems?
Lynn Sessions (07:39):
Yes. That’s where we see the most detrimental effect on our health systems is a ransomware attack that encrypts their systems such that they then need to make a decision to shut down all of their systems. As you can imagine in an environment today in a hospital, almost everything is done by electronic means. There are very few things that are done manually anymore. And so whether it’s your radiology studies that are done, your labs that are run, or frankly just communicating with your employees and other fellow co-workers, it is the way in which the hospitals are run today. Certainly electronic medical records which have been around for the last decade or so on large scale. And so when you have to shut down your systems such that you don’t want to propagate any ransomware or malware that is in your systems, then it creates an environment in which it makes it difficult to care for patients.
(08:35):
And because most hospital and health systems are 24/7 operations, by having some type of ransomware in your systems, it then makes you more of a target or it makes it more desirable that you may decide to pay that ransom. We’ve also seen that threat actors have been acquiring data or taking data from their victims, and so then they in addition hold that for ransom. So oftentimes there’s a double extortion that takes place. One, let’s get the decryption key back. Two, let’s try to stop the publication of the data if it’s been obtained by the bad guys.
Chip Kahn (09:06):
So most hospitals now are working incredibly hard to really secure those four walls like you described earlier a few minutes ago, the four walls of the house from someone piercing in. But in this case, and in all cases, you’re only as strong as your weakest link, and I assume the weakest link is usually one that breathes rather than computers that don’t, that it’s the human factor. Let’s go to the movies for a moment and can you give us a visual scenario of what usually happens when someone breaks in?
Lynn Sessions (09:44):
Yeah, it’s not really like the movies, right? We have this idea that there’s some kind of underground mission impossible that’s going on in another part of the world and that Jason Bourne’s going to jump out or Tom Cruise is going to jump out and take care of things. That might be happening at the FBI level. I don’t get too much inquiry into that. But we do see it being a little more mundane than that. It oftentimes will start off as some type of a… someone on the front end is noticing that their computer is not running as quickly as it normally would. They make a call to the help desk. Through the call to the help desk, they didn’t discover that there’s some type of text file that’s been left on their system such that a ransom demand is being made.
(10:26):
When that is noted by the IT department, there’s usually a determination that we have to shut down all of our systems so that it doesn’t spread throughout all of our network. And then that’s where the fun really begins. And I say it’s fun, it’s fun for me because I get a little adrenaline rush in getting healthcare organizations through this, but it is absolutely not fun for them. To make the decision on shutting down your network means that you will have an absolute impact on patient care, you will be the headlines of your local news and perhaps even larger than that, and that you’re going to be probably down days if not weeks in dealing with these types of attacks. We typically would see a healthcare system that doesn’t pay ransom down three to six weeks. And so they’re doing workarounds in which they have to use their downtime procedures in making decisions in how it is that they’re going to treat patients.
(11:18):
They’re also at the highest levels of the organization making determinations on whether they’re going to pay ransom. You are paying bad guys, you are paying criminals in other parts of the world in making these types of decisions, and it can go up to the highest levels, not just the CEO and CFO, but even to the board in making the determination on whether or not you’re going to pay the ransom.
(11:38):
And then dealing with the publicity around that as well. And this is something that you will need to use the media as one of your communications tools because you’re having to get out to whether it’s your 30,000 employees, if you’re a large healthcare system in a particular large city, or if you’re having to get out to your patients that you care for on a daily basis as to what it is that’s going on with your organization. Are we going to be able to treat outpatients? How is it going to impact our emergency department? Do we need to go on diversion? How’s it going to impact our elective surgeries? There are a lot of different operational issues that do arise when a hospital system’s under attack.
Chip Kahn (12:16):
You described that it would take three to six weeks, I think you said, to rebuild your system if that’s what you decide to do. From your experience, I’m just curious if you do pay the ransom and get the key or whatever they give you digitally to turn your system back on, how often does that work and how comfortable can you be at even starting up the engine once somebody has placed that ransomware on top of your computer, your machine?
Lynn Sessions (12:56):
Yeah, I get asked that question all the time. How can we trust this? Does it actually work? You are dealing with criminals and it’s not like you can file a lawsuit against them if the decryption key doesn’t work, or somehow take some other retaliatory action against them. But what we do find, at least in talking with FBI and certainly in our experience and other consultants that work in this space is that for the most part, these bad guys treat this like it’s a business. They want to have a, quote, good reputation for doing what it is they say that they’re going to do. And that goes both ways. So if you pay for a decryption key, then they usually deliver on the decryption key. Now, if you’re paying for the suppression of data, I don’t believe for one second that they’re actually deleting that data, but they will give you some representation that they will not publish that data.
(13:46):
And as we talk a little bit more later about the Change Healthcare and what may have gone down there, I think it’s a perfect example of part of the reasons we talk with our clients about, “Are you sure you want to pay for the suppression of data?” I think the FBI recently as they took down LockBit earlier this year, they noted that there was data that was paid for to be suppressed that the bad guys had held onto. So that’s part of it.
(14:11):
We do find that they do typically deliver. We require that they do what’s called proof of life. Prove to us that you can decrypt it, prove to us that you actually do have data within your systems. But by the same token, it’s not an easy button. So you get the decryption key. It’s not like you just turn the lights back on and your systems are back up and running. And we work with a number of forensic firms that help the client go through and ensure that even with the decryption key that there’s no malware that’s been left behind. There’s no lying-in-wait type, booby traps is what I would probably call them, that may have been left behind such that you could find yourself in the situation again two or three weeks later.
Chip Kahn (14:52):
So you brought up Change Healthcare and it really presents a different kind of problem I think for hospitals and physicians and others. Going back to our analog here, even if your house is secure, if you’ve trained your staff and they’re not going to touch that e-mail that has some phishing lure in it for you, you still have to, whether it’s determining eligibility, whether it’s going all the way through the revenue cycle and going to the claim itself for patient services, you’re going to have to deal with third parties with critical data. And that’s what happened with Change Healthcare. You had all these physicians and providers and hospitals and others work through Change Healthcare, and when something happened to the clearinghouse, the ransomware appeared, it affected 60% probably of our system.
(15:58):
To sort of start this discussion, I know it’s our responsibility to make sure that these third party entities are certified. Are the certifications good enough? How do you assess whether or not you can trust a third party when you have to use them for important parts of operating your healthcare system?
Lynn Sessions (16:24):
It’s a terrific question. I can tell you this, that one of the things we certainly see in healthcare, because healthcare is a real specialty area in my view, I’m a healthcare lawyer that specializes in privacy. I have worked in healthcare alone for the last 30 years and I’m just a lawyer. We see a lot of these third party vendors are specialists in the healthcare space, which then means that they contract with multiple organizations across the country. So we noted that the first time we heard about a Change Healthcare issue, which was the morning after the incident was discovered by Change, we knew it was going to impact a large number of our clients, and that’s exactly what happened here. So how do you protect yourselves? This is where you start talking about what I would call the weakest link.
(17:13):
And I’m not suggesting that Change did not have good security in place. I think that’s going to be borne out as their investigation goes on and as we get more information from them and from the regulators that are looking into this. But having said that, you can put all of your data behind what I would call Fort Knox, but if you’ve got that one entry point in from one of your third party vendors that may not be as secure as you or is absolutely a target of a third party from some other place in the world, then they’re going to find a way in. And while my systems may still be secure, Change has got all of my data. And that’s what we noted here. So there’s two things that impacted healthcare organizations here. Yes, the data, and I think that’s still being vetted through.
(17:56):
We’re going to find out in the coming weeks and months as to the number of Americans that were impacted by this on the Change Healthcare side. But it also really brought, at least on the payment side of things, healthcare organizations almost to their knees. So we were hearing from clients early on that they were going to have to liquidate assets so that they can continue to pay payroll until Change stepped up and said, “Okay, we’re going to provide y’all with some relief if you want to apply for essentially a no interest loan. And we can true up later on when the claims go through.” But if you think about the way that our system works in the sense that you’ve got to get eligibility checks on the front end or you can’t treat the patients. Because guess what? [inaudible 00:18:35] is a hospital or physician, I’m not going to get paid by that.
(18:37):
Then number two, you have to process claims in a certain way, which includes things like backup information about the care that was provided. And so if that’s not done in an appropriate, and I’m going to put parenthetically, timely way, then you may not get paid. So now we’re almost what? Almost eight weeks into the incident itself, not quite, but getting close to that. And there are some of our clients who have still not yet been paid. There is a queue of claims that need to be processed, some that predated the incident, some that need to be processed post-incident.
(19:14):
A number of healthcare entities have attempted to find other means in which they can process their claims so that they can at least get paid in some form or fashion. And then they’re worried about specific contract language that may have been contained in their contracts with Change and others. So it really did shine a light on not only how integrated all of healthcare is, even though Change is not a healthcare provider, but it also demonstrated just how vulnerable healthcare is to you when a third party has access to either that much information or that big of a process in which patient care is needed to be provided.
Chip Kahn (19:52):
We’ve talked about all the operations impacts. What about the liability impact of this breach where it’s a third party, but it’s your data, it’s your information about your patients?
Lynn Sessions (20:08):
Yeah, I think we’re still going to wait to see how that bears out. I do know within, I would say, a week to 10 days of the matter being announced, I understood that there were class action lawsuits that were filed against Change. If you really think about though, individuals who citizens of the United States have relationships with, it’s with providers and it’s with their health plans directly. It’s not with Change Healthcare. They’re not going to probably even know who Change Healthcare is or that, I, as a healthcare provider have to do business with them. And so I think it’s going to be interesting to see, depending on the number of Americans that get notified as a result of this data breach, whether or not the providers get pulled into it, it’s the class action lawsuits, whether or not the health plans get pulled into class action lawsuits or if it’s going to be relegated to Change because they frankly do have a lot of money, at least we believe that they do.
(21:01):
So I think that’s going to continue to get worn out. I think the regulatory agencies are probably in a little bit different position. There is a recognition that this was a Change Healthcare issue and probably not at the provider level, but we did see a Dear Colleagues letter that went out from the Office for Civil Rights, which are the enforcers of HIPAA, probably about a month ago, that reminded covered entities, which would be health plans and healthcare providers, that they too had regulatory obligations relative to this incident and that they should have business associate agreements in place with Change and that they may have notification obligations depending on what happens with the data analysis on the Change front.
(21:42):
So I think there’s going to be more to come on that. We’re not quite to our 60 days, which is a magic number in the HIPAA world where we would expect providers and others to start getting notified by Change about their involved data. But there is a large volume of data to go through. We understood Change participates in 15 billion transactions every year. That’s a lot of transactions impacting a lot of people on an annual basis. And if you do that year-on-year, depending on how long it is that they retain their data, there could be tens of millions, hundreds of millions of Americans impacted by this.
Chip Kahn (22:16):
I’d like to get into that part of the government role, but before we do that, I’m sure you’ve been following this closely. Where is the data from this hack and what’s its status? Because I understand there’s some drama going on just with the data that all the providers and the insurers had in this clearinghouse.
Lynn Sessions (22:40):
Yeah. So a lot of what we’re getting is not directly from Change. It’s from what shows up on the dark web and then gets reported out among some of the usual suspects, not the traditional media, but some of the blogging that we see from those that follow the dark web postings of these criminal groups. And early on there was an indication, some bragging if you will, by ALPHV, BlackCat that they had taken data, it was protected health information, and they listed a number of healthcare entities, usually what I would call big names here in the US of the data that they claim to have taken. And they tagged it with that. They said they had six terabytes of data. In the world of Change, that doesn’t sound like a lot of data, 15 billion transactions, six terabytes doesn’t sound like a lot of data. But I can tell you in my world in dealing with healthcare systems, six terabytes is a ton of data.
(23:30):
Since then after what we believe the ransomware payment that was made sometime after that, there again was some communications, the drama as she described on the dark web that the BlackCat, ALPHV folks at the top got paid $22 million and apparently ran off with that money without paying the affiliate who retained the data.
(23:55):
And so just in the last, I guess week or so, it was noted that there was potentially a re-extortion of Change for the suppression of the data, whether it’s likely from this affiliate with a new group called RansomHub that may very well be re-extorting for the suppression of the data. So where is the data? That’s a really good question. Again, it goes back to, I don’t believe for a second that these bad guys delete the data. And so I don’t know whether or not Change would make another payment, assuming that they made an earlier payment, make another payment for this data because all of these people are still going to have to be notified, assuming that there’s protected health information in there regardless of whether ransom is paid.
Chip Kahn (24:37):
Now let’s continue this talking about the government and the Office of Civil Rights. Before we get to the overall regulation, what does the Office of Civil Rights and the FBI do in these incidents and what do they consider their mandate? And before we get to the regulation, since we’re talking about the incident itself?
Lynn Sessions (24:59):
Well, they definitely have two distinct roles and we deal with both of them anytime we’re dealing with a ransomware matter involving a healthcare entity. So the FBI is a law enforcement agency and they serve the role of getting crimes reported to them and then helping the victim out as much as they can. And again, telling you the 13 years that I’ve done this, I’ve definitely seen a change in how the FBI approaches these in the sense that they are very victim-focused and they help out as much as they can. And so generally when I’m working with a healthcare entity or any entity for that matter that has a ransomware attack or a significant attack that appears to be of a criminal nature, then we recommend reporting to the FBI. In a ransomware incident, the FBI can help provide you with things like statistics. Sometimes they do. Meaning, statistics in how it is that this particular criminal group may behave.
(25:54):
It is so pervasive now that the FBI has task forces which focus on specific threat actor groups. And so we report to that particular group. We provide them with evidence to the extent that our client agrees to do that, which most of the time they do. And then the FBI takes that information and then over the course of what typically would be several years, uses that along with evidence that they collect, I’m sure in many, many other sources, to help bring down these groups. Just this year alone, we were working with an FBI task force that was able to take down a threat actor group over the Presidents’ Day weekend. So you applaud them because they’re the good guys wearing the white hats, but by the same token, you may be in the middle of a negotiation and find yourself, “Okay, I can’t pay these people now.”
(26:40):
So we have found the FBI to be incredibly helpful. They are, I think doing such diligence around trying to stay one step ahead or at least bring down these threat actor groups so they can’t do other attacks.
(26:54):
The Office for Civil Rights serves the role as enforcers of HIPAA, and that has been true since 2009 when we saw the HITECH Act come in. And we also find the OCR to be knowledgeable in this space based on what gets reported to them. They have certainly been helpful in the Change Healthcare matter in the sense that they have served a role of investigating Change, putting pressure on Change, we believe. And then again, reminding my covered entities that they have a role to play here. I’m usually on the opposite side of the OCR, I can tell you that. And we work with them quite frequently in investigations following data breaches that get reported to them, but we do certainly see them coming in and advising clients on ways in which they can be more secure and referring them to the regulations under HIPAA such that they would be following those as the basic minimum standard of care.
Chip Kahn (27:51):
CMS and other agencies have fundamental requirements regarding cyber. What do you think about those? What do you think about that construct? Is it hard to live up to? Is it helpful? Does it protect the patients? Is it something that works for hospitals and other providers and physicians?
Lynn Sessions (28:16):
Yeah, so I think that with HIPAA being in place, it really provides the broader regulatory structure with which healthcare organizations need to comply. Generally, if you’re complying with HIPAA, you’re going to be in compliance with CMS. We do see CMS, depending on the relationship that it has with the healthcare organizations, impose perhaps some stricter requirements. And those are additive, in my view, to what HIPAA already has in place.
(28:42):
But I think collectively, does it protect patients? I think it does, and that’s one of the reasons we have a really good working relationship with the OCR and with CMS when these issues do pop up because they recognize that while we may be on the opposite side of it, that we are doing everything we can to ensure that our clients are compliant with HIPAA and conditions of participation in the cyberspace such that they’re meeting those compliance requirements. And the reason behind that is because it does protect patients, but it’s not perfect. If a bad guy really wants to get into your system, they’re going to find a way to get in.
Chip Kahn (29:20):
That leads to the budget that the White House recently came out with that has incentives and new penalties. Are adding penalties going to do anything? Right now I think every provider, physician’s office, hospital is looking at what happened with Change if they were a client. And I can’t imagine anyone would ever want to go through that unless they were forced to and they know they have to protect themselves.
Lynn Sessions (29:49):
I suspect they always felt like they’d been penalized, right? So I agree with you. I don’t know that that incentive is going to be there. But what we’ve traditionally seen with Washington, whether it goes back to HITECH in 2008 and the meaningful use around that same time, 2008, 2010 timeframe, and then following up with some other incentives that have come into place recently with interoperability and the 21st Century Cures Act, is that what the government giveth the government also taketh away. So there are incentives for you to implement various technologies. And I would venture to say that what we got out of HITECH was very, very good for patient care and very, very good for patient access to their medical records. And we’re seeing the fruition of that really come into play today with patient portals, access to electronic medical records, health information exchanges, such that I sit here in Houston, Texas and can fly to Los Angeles tomorrow.
(30:50):
And if I needed access to my medical records, in all likelihood, my provider in LA would be able to get access to my records here in Houston if needed. So I think that is a great thing for patient care. It’s a great thing for patients’ knowledge of their medical records. Right?
(31:06):
The flip side of that is, though, that there were penalties that were put in place. So while the federal government gave a lot of money to healthcare providers to set up these electronic medical record systems and to empower them such that smaller providers in the area could also receive access to medical records that they may not otherwise be able to afford, the penalty side of that is what we see with HITECH and the Office for Civil Rights enforcement piece of it. That’s the same thing that I would anticipate would be coming out of these budget incentives: we would have incentives, yes, but we would also have penalties that are put in place. There are already some really good penalties in place relative to cybersecurity, whether it’s with the Office for Civil Rights, the FTC, or even at the state level, where we see even really, really good healthcare organizations unfortunately come up just a little bit short, at least in the eyes of the government, and they get penalized for it.
Chip Kahn (32:03):
I guess incidents like the Change Healthcare hack, each one has unique aspects to it. Do you have a sense for what your key lessons would be yet? I guess we’re still in the midst of it, but the key lessons, your takeaways from it?
Lynn Sessions (32:19):
Yeah. So where I sit right now with Change, there are some unique things to Change because of who they are. They’re tied to UnitedHealthcare, which most people believed was too big to fail, so to speak, on the cybersecurity front. We know that they’ve got good cybersecurity in place, or at least believed them to. So it’ll be interesting again to see how this all shakes out when the investigation’s completed.
(32:45):
But one of the unique things about Change in my view is that as it acquired other smaller organizations over the years, sometimes those contracts didn’t keep up with, for example, the name of the entity, the business associate name, things like that. In fact, some of our clients did not even realize that Change had acquired certain organizations until they started going in looking at what contracts were in play and what Change applications were in play, and they started mirroring those up. Some of those contracts were 20 years old; they had zero relationship with Change. And so from an internal legal perspective, I think that’s something that’s very important: we’ve got to have our eye on the ball as to all of the contracts that we have within our organization and ensure that they’re up-to-date and they meet our current privacy and security requirements. And I think that’s going to be a big lesson learned for a number of entities when all is said and done around this.
Chip Kahn (33:45):
I’m not a lawyer, so I don’t know these kinds of things. When a merger takes place like you’re describing, do the clients have any prerogative? Are they stuck with those contracts? How do they get those contracts updated?
Lynn Sessions (33:58):
Yeah, that’s a great question. A lot of times there’s no knowledge that the merger even took place, and that’s what I think we found happened here. And two, it’s not that the lawyers are the ones that are necessarily being made aware that there’s been a change, for example, of entity A to Change Healthcare, because they’re not dealing with it on the front lines with the business. So I think that’s going to continue to be an issue. There are so many contracts, I cannot even tell you the number of contracts that healthcare organizations have to enter into to do not only these types of things, but many, many, many other functions that they don’t house within their own four walls. And so the contracts piece of this, I think, continues to be a huge issue, and I don’t see it getting resolved overnight. But how do they find out about it? They can include provisions in their original contracts that basically say if there is any type of merger or any change in the ownership, we need to be made aware of it.
Chip Kahn (34:59):
Let’s close out with just looking over the horizon and five or 10 years from now, how do you see the cybersecurity landscape?
Lynn Sessions (35:10):
So I think that if I had that crystal ball, I would be a very, very wealthy woman because I would be able to predict what’s going to truly happen in the next five to 10 years. I do think in the healthcare space, we’re going to continue to get more sophisticated with our security, but it’s not cheap. It is expensive to have all the bells and whistles, to have the latest and greatest state-of-the-art security system on your house. It’s the cameras, it’s the motion detectors, it’s things that I can’t even think of to put on my house. It’s putting a perimeter around not just your house, but also your yard and then who knows where else? Kind of thing. And that’s not cheap. And we do see vendors that are coming up with more and more ways in which you can protect yourselves, and it comes at a price.
(36:00):
So I do think we are going to get more sophisticated. In the 13 years I’ve done this, I have seen healthcare organizations go from having their most senior security guy or gal sitting at a director level to having them at chief levels. We’ve definitely seen that evolution over the last 13 years, where the level of sophistication internally has been very apparent. But by the same token, the bad guys are going to keep up too. It is their job to look for ways into your systems. So what is that going to look like? Perhaps artificial intelligence coming to the table to develop ways in which to get into healthcare systems. I do think that the good guys are going to come up with ways in which to combat that or detect that, but I think that’s probably closer than five years or 10 years from now. But we’re going to see a continued level of sophistication from really smart people in other parts of the world that want to do harm to our systems for some payment of some type.
Chip Kahn (37:00):
Well, that was just so informative, and I deeply appreciate your time with us this afternoon. It’s just a big thank you, and I know this podcast will be very, very helpful to our audience.
Lynn Sessions (37:14):
Thank you. Happy to be here.
Speaker 2 (37:19):
Thanks for listening to Hospitals In Focus, from the Federation of American Hospitals. Learn more at fah.org. Follow the Federation on social media at @FAHhospitals and follow Chip at @ChipKahn. Please rate, review and subscribe to Hospitals In Focus. Join us next time for more in-depth conversations with healthcare leaders.
Lynn Sessions leads the Healthcare Privacy and Compliance team in the Digital Assets and Data Management Practice Group and serves as national co-lead of the Healthcare Industry Team, demonstrating a career of advising healthcare industry clients in various areas of the law. She focuses her practice now on healthcare privacy and data security, breach response, regulatory defense and Health Insurance Portability and Accountability Act (HIPAA) compliance. Having previously served as in-house counsel and director of several departments at Texas Children’s Hospital, Lynn collaborates closely with healthcare clients and approaches her legal representation from a client’s perspective.
Lynn also regularly advises universities, medical schools and other higher educational institutions on breach preparedness, incident response and regulatory defense, and proactive compliance.
Lynn is a frequent speaker and writer on a range of topics affecting healthcare industry and university clients, including HIPAA compliance, data breach response, Office for Civil Rights investigations, Department of Education investigations, cyberliability and enterprise risk management.