Tips for Protecting the Confidentiality and Integrity of Patient Data

On April 26, 2022, Tenet healthcare Corporation (NYSE: THC) announced that a cybersecurity incident occurred a week before. “The Company immediately suspended user access to impacted information technology applications, executed extensive cybersecurity protection protocols, and quickly took steps to restrict further unauthorized activity.” In essence, and in accordance with HIPAA, the two hospitals that were impacted immediately invoked its disaster recovery and business continuity plans in order to, first and foremost, mitigate the impact on the delivery of patient care.

Tenet is a publicly traded company, so the timing of its disclosure to the market is also crucial in avoiding potential liability under a variety of SEC rules and regulations. On March 9th, the SEC issued proposed rules on a variety of items related to cybersecurity, including incident disclosure by public companies. As SEC Chair Gary Gensler stated, "cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors.”

What can organizations do to be proactive in protecting personally identifiable information (PII) and protected health information (PHI)?