Healthcare remains one of the industries most targeted by cyberattacks and data breaches. Last year, the number of data breach victims hit an all-time high, and over seven hundred hospitals reported large data breaches affecting more than 500 patients to the Department of Health and Human Services. Along with the increase in cyberattacks against hospitals and clinics, there has also been an increase in the number of data breach class action lawsuits filed against companies following a breach. Cyber incidents and lawsuits can cost companies millions of dollars and, in some instances, can impact patient care or even lead to hospitals closing.
In response to these trends, last year, the Oklahoma legislature provided some powerful protection for hospitals. The Oklahoma Hospital Cybersecurity Protection Act of 2023 provides hospitals with an affirmative defense if they meet certain cybersecurity requirements. This defense applies to tort claims alleging that a hospital’s failure to implement reasonable information security controls resulted in a data breach, one of the common claims found in data breach class action cases. With the passage of this law, Oklahoma joins Ohio, Connecticut, Utah, Iowa, and Tennessee with cybersecurity ‘safe harbor’ laws.
To use this defense, hospitals must create and follow a written cybersecurity program that provides safeguards to protect personal information. The cybersecurity program must not only protect the security and confidentiality of that information but also conform to an industry-recognized cybersecurity framework. While the law does not define what the cybersecurity program must contain, the program must take into consideration the following:
- The hospital’s size and complexity;
- The nature and scope of its activities;
- The type and sensitivity of the information it collects;
- The cost and availability of tools to improve its information security; and
- The resources available to the hospital.
Along with creating and following a cybersecurity program, hospitals must review and update their programs at least once a year. The Act also requires hospitals to document their compliance with these requirements. Because of the protection this law can provide hospitals, it is important that they work with experts in healthcare and cybersecurity to ensure that their cybersecurity program meets these requirements.
For assistance with evaluating how the Oklahoma Hospital Cybersecurity Protection Act of 2023 may impact your company, please contact Anthony Hendricks or another member of the firm’s Healthcare or Cybersecurity & Data Privacy Practice Groups.