Bloomberg Law
Aug. 10, 2023, 9:05 AM

SEC Cybersecurity Rule Increases Costs, Risks for Health Care

Nyah Phengsitthy
Reporter

The Securities and Exchange Commission’s rule requiring publicly traded companies to quickly disclose cybersecurity breaches will pose unique risks for the health-care sector, data privacy and cybersecurity attorneys say.

“The health-care industry is going to be held to a higher standard,” said Bess Hinson, a privacy and cybersecurity attorney for Holland & Knight in Atlanta. “Given the nature of the data that they hold about patients—how sensitive it is and also the fact that the disruption to their business or operations—is literally life-threatening.”

The SEC’s requirement to report breaches within four business days means higher costs for health-care companies for cybersecurity training and management. Complying with the rule will also mean that companies won’t always have time to halt breaches before having to report them, potentially giving hackers the upper hand. The rule (RIN: 3235-AM89) reflects the agency’s belief that cybersecurity incidents have increased in size and severity and that its oversight will inform investors of incidents and mitigate their losses.

However, poor care at health-care facilities crippled by ransomware attacks will trigger lawsuits from patients and other stakeholders, attorneys say. The SEC’s requirements to disclose cybersecurity attacks—which sometimes companies aren’t aware of immediately—will be difficult for some health-care facilities to meet, the attorneys say.

“Even the most technically sophisticated information security team will find it difficult to collect sufficient evidence to provide definitive notice of cybersecurity events in only four days,” said Meghan O’Connor, Mark Bina, and Rachel Weiss, attorneys at Quarles & Brady LLP, in a statement about ways businesses can prepare for the SEC rule.

A Major, Vulnerable Target

Ransomware attackers often target health-care entities because of their “data rich environment,” Lancer Seaman, chief information officer for Recovery Centers of America, said. Seaman, who works with dozens of hospitals, said most medical practices don’t have the resources on staff to handle advanced data protection, let alone know when a cybersecurity attack has occurred.

“Most breaches technically go unnoticed for a significantly long period of time, even months, where hackers will get in, they’ll infiltrate the system,” Seaman said. “They’ll be in and about your system for several months, waiting for an opportune time.”

The Department of Health and Human Services earlier this year declared that hacking now accounts for 80% of large data breaches. This year has also seen a major health-care data breach that resulted in nearly a dozen class actions. A 2022 report from the FBI found that the health-care sector reported the most ransomware attacks out of the 16 critical infrastructure sectors surveyed.

Hackers can take control of technology and shut down systems, which can affect daily services like performing surgeries, dispensing drugs, and accessing medical records.

Prospect Medical Holdings, a medical system that operates 16 hospitals and over 165 clinics and outpatient centers in Connecticut, Pennsylvania, Rhode Island and Southern California, was a victim of a cybersecurity attack Aug. 4, which caused emergency rooms to shut down. Some facilities have closed until further notice.

The rule, which also applies to publicly traded third-party vendors used by hospitals, such as those providing data storage, staffing solutions, laboratories, and pharmaceuticals, is an “additional burden during the rush of an incident response,” said Dianne Bourque, an attorney at Mintz in Boston.

“When you’re in the throes of responding to a cyber incident, there are so many moving parts in so many different flanks that you have to cover in a short amount of time because clocks are ticking,” Bourque said.

Building on HIPAA, State Laws

Health-care providers and associated covered entities who electronically transmit health information already must comply with the Health Insurance Portability and Accountability Act of 1996. The HHS issued the HIPAA Privacy Rule and the HIPAA Security Rule to implement the requirements of HIPAA to protect patients’ health information while allowing the flow of information needed to provide high-quality health care. Those federal measures have worked in concert with state laws for years, and now the SEC oversight is an additional responsibility.

“When you have an incident and you have to respond in accordance with HIPAA, you probably also have to respond in accordance with applicable state law, and there’s 50 different ones of those. And so now, here comes another requirement if you’re publicly traded that applies simultaneously,” Bourque said.

Most public companies will be required to comply with the incident disclosure requirements beginning on the later of Dec. 18, 2023, or 90 days after Aug. 4, the date the rule was published in the Federal Register.

“Public health-care companies will need to really ensure that their cybersecurity procedures and protocols are strengthened to reflect best in industry standards,” Hinson said. “They’re going to need to practice what would happen in the event of a material cybersecurity incident, including an incident that would create disruption to the administration of health care.”

To contact the reporter on this story: Nyah Phengsitthy at nphengsitthy@bloombergindustry.com

To contact the editor responsible for this story: Karl Hardy at khardy@bloomberglaw.com
