
FTC Increases Targeting of Companies Lacking Cyber Protection

Client Alert

Here is how businesses can develop cyber strategies to mitigate breaches and financial risk.

The Federal Trade Commission (FTC) recently released a comprehensive cybersecurity report outlining key findings and recommendations based on emerging threats and data breach trends observed over the last year, along with strategies for businesses to enhance their cybersecurity posture. The FTC strives to protect consumer privacy and respond to the evolving ways that companies use consumer data, such as in the development of artificial intelligence models and the misuse of health data.

Importantly, the report emphasized the need for proactive measures to mitigate risks and highlighted the FTC’s initiative in targeting companies that fail to implement reasonable data security measures to protect consumer data. 

Here are some key strategies for businesses: 

  1. Risk Assessment and Management: Conduct regular risk assessments (at least annually) to identify potential vulnerabilities and prioritize them based on their potential impact on the business. Develop and implement a risk management plan to address these vulnerabilities effectively.
  2. Cyber Security Policies and Procedures: Implement basic cybersecurity policies to protect the organization's assets, data, and operations from cyber threats.
  3. Employee Training and Awareness: Educate employees about cybersecurity best practices, such as recognizing phishing emails, using strong passwords, and reporting suspicious activity. Regular training exercises help reinforce awareness.
  4. Access Control and Privilege Management: Implement strong access controls to limit user privileges and restrict access to sensitive data and systems. Use multi-factor authentication (MFA) where possible to add an extra layer of security.
  5. Data Encryption: Encrypt sensitive data to protect it from unauthorized access. 
  6. Patching: Keep software and systems up to date with the latest security patches to address known vulnerabilities. Establish a patch management process to ensure timely deployment of patches across the organization.
  7. Network Security: Deploy firewalls, intrusion detection/prevention systems, and other network security measures to monitor and protect against unauthorized access and malicious activity. Segment networks to limit the spread of potential breaches.
  8. Incident Response Plan: Develop a comprehensive incident response plan that outlines procedures for detecting, containing, and mitigating cybersecurity incidents. Test the plan regularly through tabletop exercises and simulations.
  9. Vendor Risk Management: Assess the security practices of third-party vendors and service providers to ensure they meet your organization's security standards. Include contractual clauses that outline security requirements and responsibilities.
  10. Cyber Insurance: Consider obtaining cyber insurance to mitigate financial risks associated with cybersecurity incidents, such as data breaches or business interruptions.

By adopting a proactive approach to cybersecurity and implementing these strategies, businesses can enhance their cybersecurity posture, better protect themselves against evolving threats, and comply with ever-increasing legal obligations.

BMD assists companies in designing and implementing a strategy to achieve the technical and organizational controls that bolster cybersecurity and data protection.

If you have any questions regarding this topic and how to protect your company's data, please contact BMD Member Brandon Pauley at btpauley@bmdllc.com.


HIPAA Business Associate Agreements: Why These Contracts Matter

No one loves drafting, reading or negotiating HIPAA Business Associate Agreements (BAAs). Yet many of us need to do so, and some of us do so daily. They are often boring, dense and technical, but BAAs are important from both a legal and a business perspective, and they deserve our attention. Failure to enter a BAA when one is required can constitute a HIPAA violation that results in substantial liability, as demonstrated by certain recent Department of Health & Human Services (HHS) settlements.1 A business associate who makes a disclosure that is not authorized by the applicable BAA or required by law can be subject to civil and, in some cases, criminal penalties. Further, parties are often presented with BAAs that contain onerous one-sided indemnification and other provisions that can be devastating to an organization in the event of a HIPAA breach. The significance of a BAA is often not fully understood by the parties until something goes wrong (e.g., a HIPAA security incident or breach, an Office of Civil Rights (OCR) audit or a fracture in the relationship between the parties) and, at that point, there is limited opportunity to mitigate legal and business risk. Ideally, attention should be given at the commencement of the business associate relationship, when the parties are able to thoughtfully address regulatory requirements, plan and prepare for potential adverse events, and appropriately allocate risk among the parties. As with most healthcare regulatory compliance initiatives, a proactive approach with respect to BAAs is preferable. This article provides a broad overview of certain BAA requirements and some practical negotiating tips for the parties involved.

“I’m Out Of Here!” Now What?

We all know that the healthcare industry is experiencing a wave of integration. This trend has been evident for many years. Fewer physicians are willing to assume the legal, financial and other business risks associated with owning their own practices. More and more physicians, including anesthesiologists, are becoming employed by large physician groups, health systems and national providers. This shift necessarily involves not only entry into new employment arrangements but also the termination of existing relationships. And those terminations are often governed by written employment agreements, state and federal healthcare laws and employer benefit plans and other policies and procedures. Before pursuing their next opportunity, physicians should pause for a moment and first attend to the arrangement that they are leaving. Departing physicians need to understand their legal rights and obligations when leaving their current employment relationships in order to avoid unintended consequences and detrimental missteps along the way. Here are a few words of practical advice for physicians contemplating an exit from their current employment arrangements.

Investment Training for the Second and Third Generations

Consider this scenario. Mom and Dad started the business from the ground up. Over the decades it has expanded into a money-making machine. They are able to sell the business and it results in a multimillion-dollar payday for their labors. The excess money has allowed Mom and Dad to invest with various financial advising firms, several fund management groups, and directly with new startups and joint ventures. Their experience has made them savvy investors, with a detailed understanding of how much to invest, when, and where. They cannot justify formation of a full family office with dedicated investors to manage the funds, but Mom and Dad have set up a trust fund for the children to allow these investments to continue to grow over the years. Eventually, Mom and Dad pass. Their children enjoy the fruits of their labors, and, by the time the grandchildren are adults, Mom and Dad's savvy investments are gone.

Provider Relief Funds – Continued Confusion Regarding Reporting Requirements and Lost Revenues

In Fall 2020, HHS issued multiple rounds of guidance and FAQs regarding the reporting requirements for the Provider Relief Funds, the most recently published notices being those of November 2, 2020 and December 11, 2020. Specifically, the reporting portal for the use of the funds in 2020 was scheduled to open on January 15, 2021, although there was much speculation as to whether this would occur. As of the date of this article, the portal had not opened.

Ohio S.B. 310 Loosens Practice Barrier for Advanced Practice Providers

S.B. 310, signed by Ohio Governor DeWine and effective from December 29, 2020 until May 1, 2021, provides flexibility regarding the regulatorily mandated supervision and collaboration agreements for physician assistants, certified nurse-midwives, clinical nurse specialists and certified nurse practitioners working in a hospital or other health care facility. Originally drafted as a bill to distribute federal COVID funding to local subdivisions, the healthcare related provisions were added to help relieve some of the stresses hospitals and other healthcare facilities are facing during the COVID-19 pandemic.