How to Manage Cyber Health Risk: Delta Risk Execs Offer Their Insights in Health Law Handbook

Joseph Abrenio, Delta Risk VP of Commercial Services, and Chris Evans, Delta Risk VP of Solutions, have co-authored the chapter “Cyber Health Crisis: How to Manage the Risk” for the 2016 edition of the Health Law Handbook. The Delta Risk VPs collaborated with Quarles & Brady Partner Jennifer L. Rathburn to develop a cyber security chapter focused on building effective programs, conducting risk analysis, and pinpointing best practices.

This chapter covers the significant penalties healthcare organizations face from federal and state regulators, especially when they haven’t created and implemented an adequate cyber security program.

The nearly 100-page chapter in the 28th edition of the Health Law Handbook provides healthcare and legal organizations with the guidance they need to implement an effective cyber security program.



Along with introducing cyber-related penalties and the steps for building an effective cyber security program, key sections within the chapter discuss:

  • Current healthcare threat actors;
  • Potential applicable security laws, frameworks, and guidance;
  • How to conduct a risk analysis;
  • How to handle a data security event and related practical considerations;
  • Common pain points and cyber security best practices;
  • The value of table top exercises and penetration testing;
  • Cyber threat information sharing; and
  • Healthcare board duties regarding cyber security.

“We see increasingly complex cyber security threats facing our healthcare clients,” Abrenio noted. “The information provided in this chapter is very relevant and timely for organizations that need to address these threats in addition to meeting best practices and compliance requirements.”

“This chapter not only represents collaborative work between cyber security, law, and healthcare, but also recognizes and highlights the importance of the three fields coming together to address security issues,” Evans added.

OCR Classifies Ransomware as HIPAA Breach

The healthcare industry has been besieged by various forms of cyber-attacks, most notably ransomware. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has declared ransomware as a reportable breach that would trigger data breach notifications under the Health Insurance Portability and Accountability Act (HIPAA).

According to the Security Management Process standard of the HIPAA Security Rule, covered entities and business associates should follow specific guidance for preventing the introduction of ransomware and the compromise of electronic protected health information (ePHI), including thorough risk analysis to identify potential threats to the confidentiality of ePHI.

How should you interpret the new OCR guidance? In our next blog post, we’ll outline the most meaningful recommendations that could affect your organization’s approach to managing ransomware risk.