The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation


By Topic: Healthcare

  • From Vol. 3 No.6 (Mar. 22, 2017)

    Assessing Regulatory Responsibility When Reporting Postmarket Cybersecurity “Corrections” to the FDA

    Whether you are a technology company venturing into FDA-regulated territory for the first time, or a longstanding member of the FDA-regulated medical device community, recent regulatory developments around cybersecurity may require a shift in your perspective in order to meet FDA expectations. In this guest article, DLA Piper attorneys analyze the FDA’s Postmarket Management of Cybersecurity in Medical Devices guidance, including important definitions, and advise on what postmarket cybersecurity-related product changes may or may not be reportable to the agency. See also “Securing Connected Medical Devices to Ensure Regulatory Compliance and Customer Safety (Part One of Two)” (Mar. 30, 2016); Part Two (Apr. 13, 2016).

  • From Vol. 2 No.14 (Jul. 6, 2016)

    Technology Leader Discusses How to Deal With the Growing Threat of Ransomware

    Ransomware attacks – where attackers hold data “hostage” unless a ransom is paid – are becoming more sophisticated and frequent. Law firms and hospitals are common targets. The Cybersecurity Law Report discussed the evolving nature of this threat, how to prevent an attack and what to do once a company is facing one with Shahryar Shaghaghi, the leader of BDO’s technology advisory services practice and the head of BDO international cybersecurity. See also “How to Prevent and Manage Ransomware Attacks (Part One of Two)” (Jul. 15, 2015); Part Two (Jul. 29, 2015).

  • From Vol. 2 No.8 (Apr. 13, 2016)

    Securing Connected Medical Devices to Ensure Regulatory Compliance and Customer Safety (Part Two of Two)

    “The risks of cybersecurity are being felt more in healthcare-related companies,” Abhishek Agarwal, chief privacy officer for legal and compliance at a major global healthcare company, told The Cybersecurity Law Report, particularly in the area of connected medical devices. Government, industry and outside counsel experts agree that it is essential to evaluate and monitor cybersecurity vulnerabilities and the potential impacts on patient health and safety from the beginning and throughout a product’s lifecycle to mitigate those risks. This second article in our two-part series explores operational best practices and post-market considerations to address medical device cybersecurity, including the new proposed FDA post-market guidance and adding connectivity to existing devices. Part one examined the development and risks of connected devices and recommended pre-market steps companies should take. See also “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).

  • From Vol. 2 No.7 (Mar. 30, 2016)

    Securing Connected Medical Devices to Ensure Regulatory Compliance and Customer Safety (Part One of Two)

    Along with many industries, healthcare companies are developing an increasing number of devices with internet and network connectivity. Bringing a medical device to market requires a greater level of scrutiny than other connected products, however, because a cybersecurity breach to one of these devices may be life-threatening. “When we look at the product lifecycle management process, privacy and cybersecurity have to be an essential step that is addressed as an integral product feature,” Abhishek Agarwal, chief privacy officer for legal and compliance at Baxter International, told The Cybersecurity Law Report. With input from outside counsel, in-house counsel and regulators, the first article in this series discusses the development and risks of connected devices and recommends pre-market steps companies should take, including questions to ask during a risk assessment and relevant laws and FDA guidance to consider. The second article will explore post-market considerations including breach response, adding connectivity to existing devices, the new proposed FDA post-market guidance and operational best practices. See also “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).

  • From Vol. 2 No.3 (Feb. 3, 2016)

    Minimizing Breach Damage When the Rubber Hits the Road

    When a cybersecurity incident is discovered, a company’s first steps are crucial to minimize the damage. Kirk Nahra, a partner at Wiley Rein, gave candid, practical advice for breach response at the recent IAPP conference. He discussed, among other things, the importance of training employees about breach reporting; how the terms a company uses for a breach may come back to haunt it; when privilege should not be preserved; and how getting all of the healthcare providers and vendors in the country into the Dallas Cowboys’ stadium to streamline their contracts could save billions of dollars. See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” (May 20, 2015).

  • From Vol. 1 No.18 (Dec. 9, 2015)

    Year-End HIPAA Settlements May Signal More Aggressive Enforcement by HHS

    The Department of Health and Human Services’ Office for Civil Rights recently entered into two significant settlements, one with a healthcare insurance company and the other with a hospital, to resolve HIPAA charges.  Triple-S Management Corporation and its relevant subsidiaries agreed to pay a $3.5 million fine and take a series of corrective steps following several breaches involving protected health information.  Lahey Clinic Hospital, Inc. agreed to pay $850,000 and adhere to an action plan following the theft of a device that contained patient electronic protected health information.  Although there are still “a relatively small number of [OCR settlements] each year . . . the penalties have been steadily rising and I expect they will continue to do so,” Robert Belfort, a partner at Manatt, told The Cybersecurity Law Report.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.15 (Oct. 28, 2015)

    Privacy and Data Security Considerations for Life Sciences and Health Technology Companies (Part Two of Two)

    Companies in the life sciences and health information technology industry face unique data privacy and security concerns based on the highly sensitive personal health information that they handle.  In our continued coverage of a recent health sector data privacy and security webinar, WilmerHale partners Barry Hurewitz and Jonathan Cedarbaum address HIPAA’s nuances, including requirements for business associates and its applicability in medical research.  They also highlight the latest regulatory guidance regarding medical and mobile devices, and move beyond HIPAA to examine current state and international regulations.  In part one, Hurewitz discussed security issues specific to life science and health information technology companies and provided a federal regulatory overview.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.14 (Oct. 14, 2015)

    Privacy and Data Security Considerations for Life Sciences and Health Technology Companies (Part One of Two)

    The health sector is faced with a web of complex regulations due to the particular sensitivity of the information it handles. During a recent webinar, WilmerHale partners discussed special health data regulatory considerations at state, federal and international levels and how health care companies can navigate them. In this article, the first in a two-part series, Barry Hurewitz examines the security issues specific to life sciences and health information technology companies, and provides an overview of the applicable regulatory standards at the federal level, with a focus on HIPAA. The second article will feature Hurewitz and Jonathan Cedarbaum’s coverage of the regulatory landscape as it relates to business associate agreements, medical research and recent developments regarding mobile devices, as well as special considerations of health data privacy regulation at the state and international levels. See “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.11 (Aug. 26, 2015)

    FTC Weighs In on the Security of Health Care Data on the Cloud

    Like many industries, the health care sector is relying more heavily on new technology to provide digital medical records that are often stored on cloud-based servers and transmitted electronically.  With the technological advances come privacy and security concerns that the FTC is watching closely.  Cora Han, a senior attorney in the Division of Privacy and Identity Protection at the FTC, recently spoke at a meeting of the Health Care Cloud Coalition, a not-for-profit representing cloud computing, telecommunication, digital health, and healthcare companies in the health care sector.  Han addressed the FTC’s expectations and enforcement efforts for privacy and security related to cloud-based mobile technology companies in the health care industry.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.5 (Jun. 3, 2015)

    Navigating Data Breaches and Regulatory Compliance for Employee Benefit Plans

    Employee benefit plans, including health and pension plans, are prime targets of hackers, as evident from the most recent Anthem and Premera crises, and the proper proactive and reactive steps are key to mitigating breach risk and breach fallout.  In a recent Strafford webinar, Ogletree Deakins attorneys Vance E. Drawdy, Timothy G. Verrall and Stephen A. Riga shared their insights on best practices for fiduciaries and sponsors to navigate the complex state and federal regulations on data breaches that are applicable to ERISA benefit plans.  This article details some of their advice on preventing, assessing and responding to a plan data breach.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.2 (Apr. 22, 2015)

    Steps to Take Following a Healthcare Data Breach

    The prevalence, size and cost of healthcare breaches are skyrocketing, with hackers gaining sophistication and regulators becoming more active. It is a rare covered entity that has not had to report a data breach to patients/members and the U.S. Department of Health & Human Services Office for Civil Rights since the Health Information Technology for Economic and Clinical Health (HITECH) Act became effective in 2009. To assist healthcare companies in understanding and responding to data breaches in this regulatory environment, in a guest article, BakerHostetler partner Lynn Sessions discusses: the enforcement climate; the legal definition of a healthcare breach; strategies for handling unsecured personal health information; notification requirements and best notification procedures; activating a breach response team; mitigating the impact of a breach; and what’s next in cybersecurity for the healthcare industry.
