As if a cyber attack on a healthcare organization weren’t bad enough, the legal ramifications can be another daunting task on top of the discovery, investigation and mitigation phases, among others.

The legal costs will be heavy, in part because several regulatory agencies are likely to get involved. These include the HHS Office for Civil Rights (OCR), state attorneys general and the Federal Trade Commission, among others. If a breach occurs in California, for instance, the California Confidentiality of Medical Information Act could impose fines of as much as $1,000 per affected individual, even if damages from the attack can’t be proven, says Adam Greene, a former OCR official and now a partner at the law firm Davis Wright Tremaine.

While most breach lawsuits do not prevail because definitive harm cannot be proven, there are exceptions, Greene says. Florida health insurer AvMed was sued following a large breach on the premise that its members kept paying premiums that AvMed unjustly retained without improving security, and the insurer wound up paying a $3 million settlement.

Dealing with OCR could be another big problem, Greene warns. HIPAA doesn’t require covered entities to oversee their vendors, but that doesn’t matter if a breach happens and OCR discovers a pattern of minimal compliance with HIPAA. The FTC, which has expressed significant interest in vendor management and adherence to best practices, could be another thorn, he adds.

During the Cybersecurity Symposium at HIMSS16 on February 29, Greene will walk through the legal costs of a cyber attack, which laws apply and what the penalties can total. He’ll outline recent changes in cybersecurity law, ways to sell increased security spending to senior executives, federal initiatives to permit the sharing of threat information and to create standards for cybersecurity preparedness, and the Cybersecurity Framework guidance of the National Institute of Standards and Technology.

Session CS2, “Cybersecurity and the Law,” is scheduled at 9:30 a.m. in Lando 4205.
