- The majority of corporate healthcare attorneys have found that healthcare cybersecurity threats are increasing, and that they are being called upon more often to evaluate whether a security incident implicates reporting obligations.
A survey conducted by Bloomberg Law and the American Health Lawyers Association (AHLA) found that 97 percent of respondents expect their involvement in cybersecurity matters to increase over the next three years. Furthermore, approximately 70 percent said that they are working to develop their own data security expertise as the healthcare cybersecurity demands increase.
Bloomberg and AHLA interviewed nearly 300 healthcare attorneys in advance of the annual meeting of the Association of Corporate Counsel.
Nearly all of those surveyed - 84 percent - said that they’ve been asked to evaluate whether an incident should be reported. However, law firm attorneys and corporate counsel both said that the data breach response plans currently in place may not be adequate.
Approximately 40 percent of respondents said the response plans were too generic, lack specific guidance for the types of incidents their organizations or clients might face, and have not been adequately tested prior to an actual breach incident. One-third of those surveys added that the data breach response plans have not kept pace with the evolving cybersecurity threats.
"While it is encouraging that health care attorneys are on the front lines of preparing for and responding to cyber incidents, it is apparent from this survey that there is much more that needs to be done," Vice President and General Manager for Health Care and Litigation at Bloomberg Law Scott Falk said in a statement. "For example, there is overwhelming agreement from respondents that it is important to improve formal cybersecurity education and training for health care lawyers. Thus there is tremendous value in utilizing external resources and professional organizations that can meet this critical need."
AHLA CEO David Cade added that while healthcare providers have taken the necessary steps to improve their data protection measures over the last few years, healthcare attorneys still find the industry vulnerable to the evolving threats.
Healthcare attorneys need “quality education” so that they can be prepared to “effectively counsel clients in preventing and responding to cyberattacks," Cade said.
These findings similarly align with the results of the 2016 HIMSS Cybersecurity Survey. Specifically, HIMSS found that over 85 percent of respondents said that cybersecurity efforts within their organization were elevated as a business priority during the past year.
However, some facilities were still lacking in certain areas of data protection. For example, 84.9 percent of those surveyed in acute care facilities said they used anti-virus and anti-malware software, while 90.3 percent in non-acute care facilities reported that they did so.
Better education measures for staff measures could also be beneficial though, as the HIMSS survey showed that a lack of appropriate cybersecurity personnel was the top barrier to mitigating cybersecurity risks.
“Cybersecurity attacks have the potential to yield disastrous results for healthcare providers and society as a whole,” HIMSS Senior Director of Health Information Systems Rod Piechowski said in a statement. “It is imperative that healthcare providers acknowledge the need to address cybersecurity concerns and act accordingly.”