The article was originally presented as a Boardroom Brief Newsletter.
The issues of executive pressure related to data breach prevention, detection, and notifications are often addressed in media, HHS/OCR audits, and class action lawsuits. However, there also are important challenges to hospital leadership in early response or containment of data breach activity.
The push to improve data breach defense is no longer directed simply at a hospital’s IT organizations but at executive leadership and the board of directors. Current and evolving federal legislation wants hospital executives to ensure that data breach prevention measures are in place. The Senate “Health Care Cybersecurity and Resiliency Act of 2024” attempts to reinforce prevention best practices (often articulated as the implementation of multi-factor authentication (MFA), patch management, data encryption, and employee phishing awareness training). Timeliness of data breach disclosures to HHS and other federal and state agencies has also been increasingly pursued and supported by OCR fines and audits. Class action lawsuits against hospitals have included accusations of failure of prevention measures and failure of timely notifications, as well as failure to monitor systems, with some claims citing detection times of weeks, months, and even 17 months at different hospitals.