About 87% of health law attorneys think their healthcare clients are at a greater risk for cybersecurity attacks than other industries, a survey released Thursday found.
The survey, conducted by the American Health Lawyers Association, a nonpartisan organization with 13,500 members, along with media research company Bloomberg Law, found attorneys overwhelmingly think the healthcare industry is vulnerable to hacks and they have since become “intimately” involved in managing cybersecurity issues for their clients.
The survey included the responses of 290 health law attorneys with clients in the healthcare industry. Of those, 158 work within a law firm and 100 work in-house for a healthcare corporation.
Almost all of the surveyed lawyers, 97%, said they expect their involvement in cybersecurity matters among their healthcare clients to increase in the next three years. In addition, 75% said their health law practices are developing cybersecurity expertise to meet the demand.
But nearly 40% of all attorneys are concerned their plans to respond to a breach are “too generic and lack specific guidance for the types of incidents their organizations or clients might face.” One-third of surveyed attorneys said their plans aren't updated to reflect recent types of hacks or even changes within healthcare organizations.
A way to combat this is for healthcare lawyers to establish “tabletop” exercises with healthcare clients to prepare for a potential breach, said Elliot Golding, a lawyer at Crowell & Moring in Washington, D.C., who works with healthcare organizations to address privacy concerns.
He said an incident response plan should be crafted, kept up to date and frequently reviewed with those at a healthcare organization who will be on the front lines of handling a potential hack so everyone understands what their role is.
But only 21% of the surveyed lawyers indicated they are involved in planning a data security approach before something goes wrong, and 46% of the surveyed attorneys said they are asked for counsel after a breach has occurred.
Legal counsel can help healthcare organizations develop data loss prevention programs, determine when they should report a breach to federal authorities and review relevant policies and procedures, according to the report.
Nearly 90% of in-house attorneys for healthcare organizations said their clients were prepared. On the other hand, nearly 70% of law firm attorneys said only half of their clients had incident response plans.
The need for lawyers versed in both cybersecurity and healthcare has dramatically increased as technology advances and protocols around privacy and protection continue to expand, said Elisabeth Belmont, past president of the American Health Lawyers Association and a corporate counsel attorney for MaineHealth, an integrated delivery network in Portland.
Belmont said she expects health lawyers will continue to need more education to stay informed on regulatory requirements enforced by federal agencies like the Office for Civil Rights and the Office of the National Coordinator for Health Information Technology.
Healthcare is more vulnerable to hacks than other industries because medical records are so valuable, both Belmont and Golding said.
This summer, a hacker was spotted on the black market offering to sell nearly 10 million patient records for $880,000. A lot of criminals who steal credit card account information will use it themselves for fraudulent purchases or sell it.
Hackers can get anywhere from $5 for the card number to $1,000 for the information contained in account balances, according to Business Insider.
The survey found medical records are the most frequent target of cyberattacks with 60% of all attorneys indicating that medical records were the target of data breaches for their healthcare clients in the past two years. Nearly 50% said Social Security numbers and credit card data were targets. Forty percent said billing and insurance records were threatened.
Overall, the number of healthcare attacks over the past five years has increased by 125%, according to a 2016 survey from HIMSS Analytics, the research arm of the Healthcare Information and Management Systems Society, and security firm Symantec.