Pamela Hepp, shareholder in the firm's Healthcare section, comments on cybersecurity preparation guidelines in Healthcare Financial Management’s article “CFOs Play a Key Role in Cybersecurity Planning.”

Pam's comments include:

There are many sources of guidance on preparing for cybersecurity. Insurance companies offer cyber insurance policies that cover some of the costs of cyberattacks, including the legal fees and forensic consultant costs, and correspondingly, they can recommend consultants who can guide preventive efforts, says Pam Hepp, a healthcare attorney at Pittsburgh-based Buchanan, Ingersoll & Rooney.

Hepp adds that another source of help may be a law firm that specializes in that area. "One advantage of a law firm is that not only may the legal advice be protected under the attorney client privilege, but counsel may be able to engage the forensic consultant to guide the legal advice in connection with the investigation under the attorney client privilege. In addition, if the situation calls for remediation, such remedial measures likewise may be protected under the attorney client privilege," Hepp says.

"It's a diverse cross-sectional group that has to be involved in what can be a robust investigative process that demands a lot of staff time," says Pam Hepp, a healthcare attorney who co-chairs the cybersecurity and privacy group at the Pittsburgh-based law firm Buchanan, Ingersoll & Rooney.

Hepp explains that beyond staff costs, hacked hospitals that experience a breach will need to provide notice and in many cases credit monitoring to affected individuals, notice to the Secretary of Health and Human Services and sometimes state regulators, and, depending on the size of the breach, notice to the media as well. Once the cause of the hack has been determined, hospitals must also take remedial measures and amend policies procedures and conduct training.

“Typically, the OCR [Office of Civil Rights of the Department of Health and Human Services” investigates, and they routinely ask for all policies and procedures, risk assessments, training materials and evidence of training, and so on,” Hepp says. “And that investigation could result in fines or a settlement imposed by OCR. Then there can be state regulatory sanctions and private lawsuits as well.”

“The total bill for a serious hack can reach into the millions of dollars, Hepp says. She has seen cases where the settlement with OCR reached $5.5 million, in addition to costs that may need to be incurred to comply with the requirements of the settlement agreement.

Hepp adds that the decision to pay or not pay often depends on how prepared the hospitals is. If the hackers have locked up a hospital’s data, but it has a good back-up that can quickly restore the system, the hospital may decide not to pay. “But in certain situations, the hospital may have no choice,” Hepp says.