A recent survey conducted by Bloomberg Law and the American Health Lawyers Association (AHLA) asked more than 300 healthcare attorneys from across the United States about their involvement in cybersecurity matters and their opinions on their future involvement in data breaches and cyber-attacks.
The survey revealed the extent to which healthcare attorneys are being called upon to deal with cybersecurity matters and showed that attorneys are increasingly becoming involved in cybersecurity incidents and the development of policies and procedures.
84% of healthcare attorneys said that they had already been called upon to advise healthcare organizations on cybersecurity matters such as incident response and the development of cybersecurity policies and procedures. 97% of attorneys said they expected to become more involved in healthcare cybersecurity matters over the next 3 years.
David Cade, CEO of the American Health Lawyers Association, suggested healthcare organizations have become more proactive in addressing cybersecurity risks in recent years, although there is still considerable ground to cover. He said the survey shows that “healthcare attorneys still believe that the health care industry is more vulnerable to breaches and attacks than other industries.”
More than 90% of surveyed corporate healthcare attorneys said their organizations are more vulnerable to cyberattacks than companies operating in other industry sectors.
While cybersecurity plans have been developed, a third of surveyed attorneys said cybersecurity plans were not developed further and updates were not made to take into account organizational changes or changes to the threat landscape.
Healthcare organizations are also not thoroughly testing their cybersecurity response plans. 40% of attorneys said that plans are not adequately tested or cybersecurity plans had not been developed to deal with specific types of attack, ransomware infections for example. All too often plans are too generic, which can create problems when cybersecurity attacks are experienced.
The healthcare industry has long been known to lag behind other industry sectors when it comes to data and network security. However, even with increased investment in cybersecurity, the industry is still off the pace. Many healthcare organizations are still ill-equipped to deal with a cyberattack if one should occur. Unfortunately, with cybercriminals now targeting the healthcare sector more extensively, that attack is likely to occur sooner rather than later.