The CyberPHIx Roundup: Industry News & Trends, 12/15/22

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry leading practices, specifically for the healthcare industry. 

In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this week: 


  • OCR releases more detail on their Recognized Security Practices (RSPs) and what they mean for Covered Entities 
  • A cool new tool from the FTC for mobile health app developers to quickly determine which security and privacy regulations are in scope for their app 
  • Trends in the consumerization of healthcare with some interesting technology announcements from Amazon and Epic 
  • The next step in the Meta Pixel tracking story, including some interesting guidance from OCR on what constitutes PHI 
  • A new Medical Device Security Playbook from a MITRE and FDA collaboration 
  • A Moody’s report on how inflation is hindering health systems' ability to bolster cybersecurity 
  • An interesting impact you may not have expected in the CommonSpirit ransomware story 
  • A landmark decision in the realm of cybersecurity insurance in the T-Mobile / Zurich American Insurance case 
  • A report from Senator Mark Warner that gives us a glimpse into some regulatory activity we might see in 2023 


Britton Burton: [00:00:15] Hello and welcome to The CyberPHIx Health Care Security Roundup, your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. I am your host, Britton Burton. In addition to this roundup, be sure to check out our Resource Center on Meditology Services, which includes our CyberPHIx interviews with leading health care security, privacy, and compliance leaders, as well as blogs, webinars, articles, and lots of other educational stuff. We have a full agenda to cover today, so let's dive into it. Hello, loyal listeners. If you caught the last episode of The CyberPHIx, you're not surprised to hear this new voice. But just in case you didn't, I wanted to take a quick second to explain. We published an interview with your favorite host at the beginning of December in which we explained that Brian Selfridge is handing the podcast off to me. If you haven't heard that yet, I'd encourage you to go listen, especially if you're a big Brian Selfridge fan, which I most definitely am. Brian explains why we're making the change and then goes on to discuss some really interesting experiences he's had in his career as an OCR HIPAA expert witness, as a CISO, as a builder of cybersecurity businesses, and so on. So for my part, I'm very excited to be jumping into this role. I was a loyal listener of The CyberPHIx before joining CORL, and I've wanted to get back into podcasting ever since dabbling in it a few years ago, as you may hear me reference from time to time.

Britton Burton: [00:01:45] I was already helping Brian with the research that goes into these roundups each month for the last four months, but now it's my turn to actually take over the mic. So I know I loved this podcast before because, in my security leader role at a health system, I would see headlines all the time that I knew I should be aware of and do research on and have readily available to me to call forward in the course of conversations that may come up or in the course of shaping my programs and my teams. But I found that I just never had time to be as informed as I should be on them as a busy security leader, as I'm sure most of you are and feel. So I can't be Brian Selfridge, but hopefully I can still bring you the most relevant news and provide some insight that will be valuable to you as security leaders and practitioners. And I will do the best I can to keep you informed of important things in these monthly roundups. And then, of course, to do those interviews with thought leaders and other practitioners who are experiencing things that you are either experiencing yourself and wondering if someone else is going through, or maybe are curious what it's like.

Britton Burton: [00:02:54] So without further ado, let's dive in. We started the November roundup last month with a deep dive into the newly released CISA Cyber Performance Goals, or CPGs. And I want to lead off today with a similar story, but maybe one that you're a little bit more familiar with than when those CPGs first came out. So just a few days after we published that one on the CPGs, OCR actually released a new video and some materials on the Recognized Security Practices, or RSPs. It's a 30-minute video that's well worth the watch, but I want to hit some of the high points with you here. So the RSPs were a HITECH amendment signed on January 5th, 2021. So you may be familiar with that, but there was a little bit of a lack of clarity about what they were going to be. And this video goes into the most detail, at least that I've seen so far, about the evidence and documentation that covered entities can provide to qualify for relief. And that's an important point. I mean, the main point of these RSPs is that if a covered entity can demonstrate that they have met these recognized security practices over the previous 12 months, it should mean that OCR will mitigate civil monetary penalties and other remedies that might be in an OCR agreement with that covered entity, and it should also allow for early favorable termination of an ongoing audit.

Britton Burton: [00:04:17] So pretty big deal, right? If you can end the pain of an audit early, every one of us would sign up for that. And then certainly if you're actually in an investigation that led to remedies, you know, this should mitigate that. A little bit more on that as we go through: the term "safe harbor" is being thrown around, and you need to be careful with that. And I'll get into that in a minute. The Office for Civil Rights covers three recognized security practices. The first two should be very familiar to you. The first one that they cover is the Cybersecurity Framework Categories and Subcategories. That is one of their officially recognized security practices, meaning if you can demonstrate that you're doing what's in the CSF for a period of 12 months, then you are meeting the RSPs, the OCR RSPs. The second one that they cover, I usually call it HICP. I have recently heard other practitioners calling it "hiccup"; it's HICP practices and sub-practices. It's a really good set of baseline practical steps, especially if you're kind of new and starting a new program or needing to reorganize an existing program, for small, medium, and large size healthcare organizations to organize around a risk management framework, essentially. And then the third one is the mysterious "other frameworks or laws as applicable."

Britton Burton: [00:05:34] You know, just my own opinion, just the way that OCR kind of presented this material, I would really lean towards the CSF and HICP. There is some good documentation that they go through on what the other frameworks or laws can be and how you can sort of prove that they are relevant as an RSP. But honestly, I think I would just focus on the two that are so clearly outlined as the recognized security practices. If you're looking at doing this, they go on in this video to talk about some of the documentation that proves that you are meeting the recognized security practices. So it's kind of the stuff that you might expect, but there is some good detail here for you to be aware of. So basically, they want you to be able to provide evidence that RSPs are implemented and in use, and those are: policies and procedures regarding implementation of these security practices; implementation project plans and meeting minutes; diagrams and narrative detail of security practice implementation and use; training materials regarding security practices; even things like, they mention, application screenshots or reports showing implementation of security practices. So as you're implementing tools and technologies that actually support and uphold your controls, that sounds like that's going to be useful, or that OCR will recognize that as evidence; vendor contracts and statements of work; and then anything that includes dates that support the implementation of these RSPs for the previous 12 months.

Britton Burton: [00:07:03] So that's all fairly basic stuff, I think. But it's interesting to just see those concepts in front of you as, "Hey, these are acceptable forms of evidence." You're probably producing these through the course of your program work. It's just: can you organize them in a way that they're available to you when you actually need them to prove that you're meeting the security practices? In addition to the basics that we've covered, there is an FAQ section. One of them specifically stood out. I referenced it just a moment ago. I think it's important to communicate this, so I'll read verbatim from the slide that they put up in the video. They collected a set of facts, or a set of questions, I should say, from the industry, and boiled it down into a set of FAQs. And this one says: "Some in the health care industry have referred to the HITECH amendment as providing a, quote-unquote, safe harbor in the event of a HIPAA violation, along the lines that secured PHI provides safe harbor in the event of a breach. Can you comment on the accuracy of this assertion? Does the law provide relief from liability?" So OCR really, really clearly states the HITECH amendment provides mitigation to penalties, but it is not the same as a safe harbor.

Britton Burton: [00:08:11] So do not interpret this, these recognized security practices, to mean that covered entities will not be held liable. They will be considered as a mitigating factor, but a case could absolutely still resolve with penalties: monetary settlements, civil monetary penalties, or corrective action plans. So it may be a subtle difference, but I just wanted to cover that to be sure. If you're running around using the term "safe harbor," you're at least using it as appropriately and accurately as you can. There's certainly a ton of value here, but it's not quite the same as a safe harbor. And then just to kind of put a bow on this, I think, to tie back to those Cyber Performance Goals from last month that we covered: those are, at least from my view, from the research I've done, an outstanding starting point. If you're building a security program from scratch, or if you've inherited a program that has some capabilities but maybe isn't organized well from a risk management perspective, you'll start there. But CISA up front, on the first page I think, mentions the CPGs are not a full security framework or the end-state goal. The CSF has long been viewed as that complete framework, and CISA states that the CPGs are really derived from the CSF and are a great starting point to get you on your journey towards a more robust implementation of the full CSF.

Britton Burton: [00:09:33] And from what we're seeing now from the OCR RSPs, they cite the CSF as their number one recognized security practice. So if you're needing a reboot, starting with those CPGs to get going and to have practical initial steps you can take, it just sounds like a perfect opportunity to do that while also building towards this future state of broader CSF adherence. And as you go, you'll build years and years of RSP defensibility. So this is the kind of alignment that I think a lot of us think we have been sorely missing from the federal level. So I'm really excited to see this, and I think there are some great things in store here. Moving on to the next one, this is an interesting topic for any of you who may have had an eye on the mobile health application market. I think you've probably all seen a disconnect between where it looks like the future of health care is going, with wearables and more personal device and technology-based healthcare experiences, and, in some places, a complete lack of regulation from a security and privacy standpoint in that space. So the FTC has released additional guidance that focuses on companies that collect health information but are not a covered entity or business associate under HIPAA. So this new commentary interprets the FTC's Health Breach Notification Rule and enforcement activity.

Britton Burton: [00:10:59] But the coolest part of this is an update to its Mobile Health App Interactive Tool. This has existed apparently for a little while. I was not aware of it until seeing this, so I thought I would share it with you. It's an interesting little tool that I think could have several use cases, so I would encourage you to check it out. If you Google "FTC Mobile Health App Interactive Tool," you should be able to find it. I use the term "tool" a little bit lightly because it's really more of just a manual decision tree. But still, it's a really useful tool that allows developers, the primary intention is to allow developers of mobile apps that are touching health information, to understand what regulatory compliance obligations they face. So the tool walks you through a question set, I believe it's about 17 questions, and these questions tell you if your app triggers HIPAA, the FTC Act, the Food, Drug, and Cosmetic Act, the 21st Century Cures Act, ONC information blocking regulations, the FTC's Health Breach Notification Rule, and then COPPA. So I'm sure we have some app and software development listeners who would find this useful. But I think even defenders in traditional healthcare settings might find this useful in their third-party risk management efforts. You know, share this tool with your legal teams or look at it yourself to get a sense for what the vendors coming in your doors are obligated to do.

Britton Burton: [00:12:24] You might be able to gain some ground in pushing for stronger security controls by using regulation that's called out through this tool as your backing rather than just your own company standards. So I think this is also an interesting signal that the FTC is likely to have some increased expectations for non-HIPAA-covered companies in 2023. So it's definitely going to be something to keep our eye on as the explosion of healthcare technologies that are not traditional covered entity or business associate settings continues. Coming off of that FTC news, I think this is an interesting couple of quick hitters that I'll kind of couch under the banner of consumerization of health care, which is why that FTC expansion of guidance is coming our way: that consumerization, mobile health apps, all of that is changing the landscape of health care. So two headlines caught my eye in the past month. On November 15, Amazon announced the launch of its own telehealth platform called Amazon Clinic. This service is set to roll out in 32 states and will connect users to health providers to help treat over 20 common conditions. It cites examples such as allergies, acne, and dandruff. So the announcement explains how it will work. It's basically: the patient will select their condition, fill out a questionnaire, and then Amazon will connect them with a doctor to get a treatment plan.

Britton Burton: [00:13:51] It doesn't accept insurance, and the cost of seeing a doctor, at least they claim, will be around that of the average copay for a doctor's visit. Sort of unrelated, but in my own crazy mind related, news: I also saw that Epic has announced, this was actually just a few days later, that it's launching a CRM platform called Cheers. CRM meaning customer relationship management, if you're familiar with that term. The article I read on this said, quote, "Epic Systems developed Cheers because there was a significant need in health care to help patients navigate their health care needs and journeys in a way that is familiar, convenient, and in most cases, tech-driven. Patients are used to Amazon guiding them through their shopping needs, and they want something similar to manage their health care interactions." So Amazon is even referenced in the article about Epic, after seeing that Amazon article just a few days before. So I bring these two up for two reasons. One, there will be obvious privacy and security implications here as personal health data becomes a marketable asset in the same way that our buying habits, our online search habits, and other personal data already are. And there's an obvious mistrust in the current day of tech giants like Amazon doing the right things with our personal data. So just as security and privacy professionals, I think that's an obvious one where your antennae go up.

Britton Burton: [00:15:10] But secondly, as security leaders at healthcare organizations, we really have to be aware of what our C-suite leaders are thinking and what strategic investments they are considering. And just seeing this, I can promise you the need to either incorporate these kinds of offerings into what your health system is doing, or the need to compete with these offerings in some way, will be something that your business and clinical leaders are talking about in 2023. So that security and privacy conundrum could be coming your way before you know it. And I just thought this was worth a mention. And speaking of tech giants, the Meta Pixel story is back in the news. Brian Selfridge covered this story thoroughly in the podcast and with some blogs over the summer, and it's interesting to see how quickly OCR has moved to provide further guidance here. OCR issued a bulletin confirming that the use of third-party tracking technologies on websites, web applications, and mobile apps without a BAA is a HIPAA violation if the tracking technology is touching PHI or individually identifiable data. Interestingly, though, even with a BAA in place, the use of tracking technology may still violate rules due to that identifiable data and the lack of patient consent. So OCR specifically calls out Meta Pixel as the impetus for this bulletin.

Britton Burton: [00:16:29] So that's interesting too. I won't recap all of the details of what Meta Pixel is because we covered it before, but just at a high level, it was discovered that many hospitals had added this Meta Pixel code that transmitted sensitive data back to Facebook without a BAA or patient consent. The purpose of the code is just to track web activities for ad possibilities and increasing customer engagement, all the things we were talking about in the last story that we might be worried about with customer relationship management platforms integrating with EMRs, and so on. But in the intervening time since the story first came up, several lawsuits have been filed against healthcare providers that were using this Meta Pixel code. So the bulletin clarifies that HIPAA rules do apply when third-party tracking technologies are used, if that tracking technology is collecting individually identifiable information protected under HIPAA, and if that data is transmitted to a third party, whether it's the vendor of the tracking technology or any other third party. If any identifiers are collected, it's now classified as PHI because the information connects the individual to the regulated entity, quote, "indicating the individual has received or will receive health care services or benefits from the regulated entity that relates to the individual's past, present or future health or health care or health payment," or, excuse me, "payment for care," end quote.

Britton Burton: [00:17:57] So this statement is a little bit of a cause for concern for me, specifically on the "future health care" of the patient aspect of things. I'm not sure how this interpretation would handle a net new patient, or really a net new visitor to your website who's never been to your health system but is browsing your site and has some data captured about them, if they never become a patient of the system. That certainly doesn't seem like it should be. But even if they do become a patient in the future, what obligation does the covered entity have to retroactively protect that data caught in some kind of tracking software before the person became a patient? And maybe it's a nuance that I'm just overinflating in terms of being problematic, because "future" has always been included within the context of that person already being your patient. And maybe this is just an obvious "well, that doesn't count," but I don't know. It'll definitely warrant some monitoring to see if we get further interpretation, or maybe just questions from the professional community that make us all stop and think. OCR also states, quote, "Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA rules," end quote. So I think you'll see lots of advice from all of this to make sure that any tracking technologies are being used, quote-unquote, in a manner compliant with HIPAA regulations.

Britton Burton: [00:19:23] But that can be such a nebulous statement. We hear that about a lot of things, and it's always like, what does that actually mean? Right? So I just think my best advice would be to start by just asking your chief marketing officer, or whoever runs that department, for a meeting and say, "Hey, are we using these? If so, how and why, and what data is being transmitted? Do we truly need it? Does it truly improve patient experience or patient care outcomes?" Those answers may be yes, and that's great if they are. But I think you at least have to have that conversation. And then I'm sure there would be some ability to tailor the data being sent back to eliminate identifiable information. One kind of sub-point here is patient portals that require authentication and obviously contain loads of PHI, so there's probably an elevated risk of an impermissible disclosure for something like Meta Pixel, or Google Analytics, which is another one that has been referenced here, if one of those is used on an authenticated page or portal. So at the very least, maybe negotiate with your marketing teams to not use this tracking code on any authenticated type page. But even on unauthenticated pages, there's the potential to access PHI the way this is being defined, if you think about location data or unique device identifiers like IP addresses.

Britton Burton: [00:20:42] A lot to unpack there. Finally, you also have to keep in mind that these tracking tech vendors are now being classified as business associates, according to this announcement from OCR. So at a minimum, you'd need to get a BAA signed. So if you couple this, I think, with the last story about consumerization of health care, you know, I just don't think this kind of tech is going away. I think it's only going to accelerate. And we just need to be aware that our businesses are considering them, using them in some cases, and find ways to use it responsibly, safely, securely, and of course, within the regulations that we're all facing. Another one is in the three-letter government agency space. FDA and MITRE have partnered to produce a medical device cybersecurity playbook that is designed primarily for healthcare delivery organizations to be incorporated into their existing medical device cybersecurity response plan, or to serve as a starting point if they don't have a response plan already. The playbook outlines a framework for all the players in potential medical device related cybersecurity incidents. This framework is designed to provide baseline medical device cybersecurity information for emergency preparedness and response, to define roles and responsibilities for internal and external stakeholders, to describe a standardized approach to response efforts, to enhance coordination among the different stakeholders, to identify resources that healthcare delivery organizations may use as a part of their preparedness and response activities, and to inform decision making.

Britton Burton: [00:22:20] So the playbook itself is 54 pages long. I'm not going to go super deep into it, but there is also a quick start companion guide. We love it when these multi-page documents have quick start companion guides. I think it does a great job of hitting the high points in areas like preparedness and information sharing, procurement and best practices, inventory management, inclusion of medical device cyber considerations with your hospital emergency team planning communications, and then several sections on cyber incident response that are unique to the medical device space, which, if you are familiar with this space, you know is a different world compared to your standard IT incident response playbooks and indicators and so on. So definitely a resource worth your read if you're spinning up a specialized medical device security program or wanting to evaluate how mature your existing medical device security program is. That quick start guide is a good quick scan to get a sense of what's in there, and then you can dive into the 54-page document for more detail. Switching gears here a little bit. Moody's issued a report at the end of November on the state of cybersecurity in health care with five key findings that I thought just did a really good job of breaking the situation down into these five easy-to-consume talking points.

Britton Burton: [00:23:40] So I'm going to read them verbatim from the report because I think they're just so succinctly stated that I couldn't really do any better summarizing them. Number one, remote work, telehealth and new technologies such as remote monitoring services and connected medical devices are allowing hackers to gain more access to hospitals and health systems. Number two, health care systems will need to deploy and create additional resources to thwart cyber attacks as these exposure risks rise. Number three, with hospitals facing heightened financial stress from elevated labor costs and high inflation, there have been little funds left over for cyber risk defenses. I think we've all heard that if you've been in the boardroom recently. Number four, cyber insurance, which is widely held among hospitals, is becoming increasingly expensive and is providing less coverage. And number five, US health insurers have increasingly become a target for cyber attacks, especially ransomware, but their threat level isn't as high as that of health systems and hospitals. So any time you can distill a really complex topic into a quick elevator pitch like this, I think it's useful. So hopefully you can remember these the next time you're asked about the state of things, because I think this really succinctly states the problem, and they all really resonate with me, at least in my experience.

Britton Burton: [00:24:54] Quick check-in on the CommonSpirit breach that we covered back in the early days of that ransomware event about two months ago. I'm sure a lot of you have been seeing headlines on this. This one just caught my attention, you know. Chalk it up to the kind of impact you just may not have included in your risk analysis. So on November 30th, a news story from Fox 26 Houston came out stating that employees of Houston-based St. Luke's Health are being asked to repay the health system after they were overpaid during the ransomware attack against its parent company, Chicago-based CommonSpirit Health. The health system paid staff members as much as 7,000 more than it was supposed to, and plans to recoup the money from future paychecks through the end of the year. So I just mention that because it's kind of a fascinating anecdote to me for the impacts that these massive ransomware events can have. We all think about clinical downtimes and outages, but overpaying staff may not have been one that was at the top of your mind. So that was attention-grabbing and felt like it was worth a mention. On to a slightly different topic, because it's not specific to health care, but I think it's going to have ramifications for health care, and really anywhere where cyber insurance is a topic, in what appears to be a pretty big precedent setter in the cyber insurance space.

Britton Burton: [00:26:08] T-Mobile had a win that may pave the way for organizations to use third-party data breach settlement payments to satisfy skyrocketing cyber insurance deductibles. So this is all stemming from a 2015 Experian data breach where T-Mobile customers' credit information was exposed and T-Mobile was left with about $17.3 million in losses. T-Mobile had a $10 million deductible with Zurich American Insurance, perhaps to allow the full policy of $15 million to kick in. Now, T-Mobile wound up receiving a little over $10 million in settlement from Experian. So Zurich was arguing that T-Mobile actually experienced less than $7 million in total losses, which means that they didn't meet the $10 million deductible threshold. And on November 28th, the Washington appeals court ruled in favor of T-Mobile and that Zurich must provide $7.3 million in coverage. I cover this because I just think it's significant in a climate where we're seeing premiums and deductibles absolutely skyrocket. You know, there are some quotes in some of the articles I read from folks who are in the industry saying, you know, companies who now have $10 million deductibles only two or three years ago had $1 million or less deductibles, and some with $250,000 deductibles before are now paying $1 million. And it also mentioned that it's very typical for midsize and large companies to have $10 million deductibles and for multinational companies to be in the $25 million range for those deductibles.

Britton Burton: [00:27:47] So ultimately, I view this as a net positive, but I do have some mixed feelings. I think on the positive side, this should set a precedent that an upstream organization can expect to receive settlements from its third parties who have been breached, but not have that limit what the upstream organization can recover from its insurance policy overall. That's good because honestly, it just really can't be any other way, in my mind anyway. But I also wouldn't be super surprised to see insurers price this into their model in some way and see already skyrocketing prices go up even further, or to have something related to their assessment of your third-party program make it even harder to get cyber insurance. And we know it's uniquely difficult to get it right now, whether it be because of price or just because you get rejected for not being able to meet some of the markers they're looking for. Our last story for today is actually from early November, but it was significant enough that I didn't want to leave it out. So Senator Mark Warner from Virginia is the chairman of the Senate Intelligence Committee. You've probably heard his name before because he's involved in a lot of legislation or proposed legislation that could impact the cybersecurity industry in a positive way.

Britton Burton: [00:29:04] For the most part, I think I'm a fan of his without really knowing him personally, but he issued a report divided into three sections that recommend the federal government improve the country's cybersecurity risk posture in the health care sector, help the private sector mitigate cyber threats, and then assist health care providers in responding to and recovering from cyber-attacks. I usually try to not go super deep into things that are just kind of being thrown out as ideas, but there's [00:29:30] enough meat on this bone that I think it's sort of a forebear of some things that we all can expect to see in 2023 and beyond for some new laws and some changes that might be coming our way. Again, I just think it's worth going over. The basis of the report from Senator Warner is that the healthcare sector is uniquely vulnerable to cyber attacks, and basically, we've got to get better or we're going to find ourselves in a bad situation if we're not already in it. But some of the things that he recommends. So first, recommending that the federal government enhance its cybersecurity leadership within the healthcare sector. There's actually some interesting stuff here where he kind of criticizes CISA, which I'm not super into. I feel like what CISA has been doing lately has been really positive. You've heard us talk about it on the podcast with Brian before, and now some really good things are coming out of there.

Britton Burton: [00:30:22] So that one, I don't really get as much, but here's a couple of the other things. There's a suggestion that the government mandates a regular process to improve the HIPAA Act. And that's interesting because I think there's been a little bit more public discussion about, hey, HIPAA is pretty old, it might be time to update it. And he's not just saying it should be updated, but he actually proposes some routine, regular updates to keep up with changes in technology. So that's really interesting. And the second section, which is about the ways that the federal government can help the private sector reduce cyber risks, is the most interesting part to me. The report recommends that the government incentivize and require healthcare organizations to adopt minimum cybersecurity hygiene practices to mitigate threats. So a couple of threads here that we've already talked about today, or a month ago: we talked about CISA's cyber performance goals. Today we talked about the recognized security practices from OCR. And then if you've paid attention to news out of Washington over the last year or two or three even, I think you may have seen some hints at, hey, what if there was an incentive-based program for [00:31:30] increasing cybersecurity among critical infrastructure or in health care? It hasn't gotten a lot of traction, but sort of a meaningful-use-style proposal or law that would actually incentivize implementing security controls in some way.

Britton Burton: [00:31:46] And that really, really is interesting. So much of the problem that you face in some of these industries like health care that are just really struggling with raising the bar from a security standpoint is that there's just not as much cash to go around

[00:32:00] as there is in some other industries. I'm not saying that that's a valid excuse, but if you have been in the security leader's shoes, you know that you have fought those battles and felt that. So if you actually incentivize through some sort of payment structure to improve security programs, and you latched on to some of these really strong things that have come out recently and not just create from scratch a new "here's what a program should look like," but things like the cyber performance goals or the OCR recognized security practices, the cybersecurity

[00:32:30] framework. It's hard not to think that that's at least headed down a positive path. And then the final really interesting point here is Warner has also proposed the establishment of a federal reinsurance program to help insurance companies cover some of the costs related to cyber-attacks. So apparently the federal government has been thinking about whether or not it should assist private insurance companies to cover these cyber-related costs and sort of treat, you know, major cyber events more like major natural disasters, where [00:33:00] there is federal assistance with covering costs.

Britton Burton: [00:33:03] Obviously, with the topic we just talked about, the spike in insurance costs and the difficulty in even obtaining coverage, that is a really interesting thing. Obviously, there's some double-edged sword there as well. We don't want to view that as the get-out-of-jail-free card, right? But there is definitely a need, especially with less resourced organizations, to have a way to help deal with some of the costs that might arise from these major cyber disasters.

[00:33:30] So as I mentioned, just some interesting themes to kind of keep your eye on. I think as we move into a new year, some potential new rule-making could come down, some themes that have been discussed before and back always, but maybe coming to light a little bit more. Obviously, I can't say exactly where things like this will lead, but there's just a lot more momentum towards some, I think, more radical changes to cybersecurity regulations that we probably need to be looking at in 2023.

[00:34:00] That's all for this session of The CyberPHIx Health Care Security Roundup. We hope this was informative for you, and we'd love to hear from you if you want to talk about any of this. Please just reach out to us at CyberPHIx@Meditology. That's all for this week. So long, and thanks for everything you do to keep our healthcare organizations safe.