Five Steps Health Care Providers Should Take as DOJ Expands Cybersecurity Oversight
Modern Healthcare recently reported that 2021 produced the largest number of health care data breaches since regulators began keeping records. In this environment, the DOJ issued an announcement that could have a profound impact on hospitals and other health care providers, suppliers, physician groups and vendors.
On Oct. 6, the DOJ announced its Civil Cyber-Fraud Initiative. The Civil Division’s Commercial Litigation Branch of the Fraud Section will lead the initiative. The Civil Division is the largest litigating division in the DOJ with more than a thousand lawyers, and its Fraud Section leads the DOJ’s enforcement of the False Claims Act.
The health care industry should take note of this as it faces increased threats of ransomware attacks and other security incidents. In addition to the operational disruptions, DOJ settlement agreements and sanctions, and breach response and remediation costs brought by ransomware attacks, the industry must now add application of the FCA and its punitive sanctions—such as treble damages and integrity agreements—to its list of concerns.
The initiative will likely focus particular scrutiny on three types of conduct:
- Knowing failure to comply with cybersecurity standards
- Knowing misrepresentation of security controls and practices
- Knowing failure to timely report suspected breaches
Given the HIPAA definition of "breach" and the anecdotal condition of many providers’ security programs, the third area could be of the most concern to health care providers.
In response, providers should review their compliance programs and strongly consider taking these steps:
- Immediately review their cyber insurance coverage with their insurance broker. They should be sure they have cyber coverage and that the amount and scope of coverage are adequate. For instance, with many breaches, an entity is required to give written notice to affected patients that their data has been accessed. Even if the entity has just 200,000 patient records in its system, postage alone to send those notices would exceed $100,000, which comes from the entity's pocket. So providers need to be sure that they not only have cyber insurance coverage, but that they have enough coverage.
- In cooperation with staff, consultants and legal counsel, conduct or update their HIPAA-mandated risk assessment to find areas of vulnerability and assess the sufficiency of their policies and procedures for responding to and, as needed, reporting security incidents.
- In cooperation with IT and software vendors, review the adequacy of their systems and technical compliance with the HIPAA Security Rule.
- Review or set up a disaster recovery plan to facilitate operations if a security breach or ransomware event occurs.
- Review the sufficiency of mandated employee security awareness training and the designation of the mandated security official or the provider responsible for enterprise data security.
These steps may still not prevent a security breach, but they can help your health care entity respond and minimize its effect, and they might go a long way toward reducing sanctions from regulatory response. Please contact Tom Sullivan, Chris Couch or any member of Phelps’ Health Care or Cybersecurity, Data Privacy and Protection teams if you have questions or need compliance advice and guidance.