A healthcare attorney's tips for regulatory compliance readiness

HIPAA covered entities should be proactive, requiring notification of any security incident – not just breaches – in their business agreements, says Michelle Garvey Brennfleck, healthcare corporate and regulatory shareholder at Buchanan Ingersoll & Rooney
By Andrea Fox
11:55 AM

It's a tall order, considering the confusing, constantly changing landscape for healthcare privacy rules, but hospitals and health systems should be taking a more proactive approach to regulatory compliance, says Michelle Garvey Brennfleck, healthcare corporate and regulatory shareholder at Buchanan Ingersoll & Rooney PC.

Through her work supporting healthcare organizations "when compliance efforts fall short," Garvey Brennfleck has developed some useful insights about how providers can better manage their own regulatory challenges while safeguarding their patients' data. 

She offered Healthcare IT News readers several recommendations on how healthcare organizations can respond appropriately and quickly to mitigate risk. 

Q. In the event of a potential privacy and security incident, many health systems will go to their playbook. Still, some may fail to have implemented the necessary steps to ensure procedures can be followed or neglect to update it in order to keep pace with emerging threats. What are some of the most common areas or pitfalls you see where providers fall short?

A. Having a playbook that is appropriately tailored to the organization is the first step. 

Many organizations adopt "off-the-shelf" template playbooks that are not specific to their organizations. Organizations with the best playbooks have engaged resources – both internal and external – to prepare robust, tailored playbooks, which are practical, easy-to-understand and widely disseminated to the organization's workforce through education and training initiatives.

Q. In your work, you recommend drilling tabletop exercises to practice cybersecurity incident response. For clients that are just starting to develop training programs, what resources do you point them to and what is your advice for establishing effective programs?

A. Because tabletop exercises can be time and resource intensive, we frequently recommend that organizations work with outside resources, such as legal counsel or consultants, to launch pilot tabletop exercises that are, again, tailored to a particular organization. 

Involving an organization's chief information security officer, privacy officer, chief legal counsel and other key personnel allows for a "train-the-trainer" option where the internal team then conducts future tabletop exercises for other workforce members, alleviating the need to engage external resources for each and every tabletop exercise.

Q. When it comes to insurance, covered entities need to have a lot of mitigation practices in place just to get coverage. But what should hospitals and health systems look at to make sure they have the appropriate cybersecurity coverage for their needs, and how can they make sure they get it? 

A. Contractual and other third-party arrangements frequently require hospitals, health systems and other organizations to maintain appropriate levels of cybersecurity coverage. These organizations can work with their insurance brokers to assess appropriate levels of cybersecurity coverage based on organizational activities.

We further recommend that organizations work with their insurers to identify legal counsel who are on a particular insurer's panel of approved legal counsel to ensure appropriate legal support in the event of a cybersecurity event or incident.

Q. What can healthcare organizations do to prepare themselves to work with their insurers and their business associates when an incident occurs? How can they best prepare for exposure through potential third-party vulnerabilities?

A. Healthcare organizations that have relationships with third-party vendors frequently push to use their "form" data use agreements or business associate agreements that contain healthcare organization-friendly terms. 

For example, such terms require notification in the event of a security "incident" involving a vendor, as opposed to notification only in the event of a "breach." This allows the organization greater access to information in the event of a security issue involving a third-party vendor.

On the flip side, we recommend that vendors maintain a log of key terms of data use agreements and business associate agreements, so that they can respond rapidly and make required notifications upon a security-related event.

From an insurance perspective, as suggested above, healthcare organizations should review their insurer's approved panel of legal counsel to ensure seamless engagement of legal expertise, if it is needed.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
