Hey everyone, I'm Drex, and this is The Two Minute Drill, where we do at least three stories, at least two times a week, all part of one great community, the 229 cyber and risk community here at This Week Health. ORDR is the exclusive sponsor of The Two Minute Drill. ORDR is Healthcare's connected asset visibility and security company, and it's a great way to find and eliminate blind spots.
Find out more at thisweekhealth. com slash ORDR, that's O R D R. Thanks for being with me today. Here's some stuff you might want to know about. On Saturday's Two Minute Drill, I talked a bit about CIRSIA, the Cyber Incident Reporting for Critical Infrastructure Act. The new CIRSIA law will require critical infrastructure, like healthcare organizations, to report cyber incidents to CISA within 72 hours.
and ransom payments within 24 hours. There's a bunch of other stuff in there too. You should give it a read. And then a couple of days ago, there was a story published about a pharmacy benefit management company, a PBM called SaveRx, who had a breach last October and just now told anybody about it. 2. 8 million people had data exposed in the breach, and eight months later, They finally reported it.
So if you're wondering why the federal government and lots of state governments are now really digging into healthcare cyber, uh, it might be because there's plenty of examples of organizations not being transparent when something happens. In Save Our X's case, they barely suffered a blip in the ongoing operations.
So nobody really noticed when the cyber event happened. Even though a lot of data was exposed, those kinds of things keep happening, which means a lot of attention from the government, usually now in the form of laws and regulations, often with bigger sticks or punishment. Uh, that punishment may be delivered when organizations don't comply with those new regulations or standards.
And that term stick, like Stick and carrot, carrot and stick. I think the stick part turns out to be pretty important for us to pay attention to because in spite of having both the carrot and the stick as part of the incentives to adhere to these coming regulations, and I think you need a bit of both, we seem to hear a lot about the stick right now and not a lot about the carrot part.
So the stick may be things like financial penalties for non compliance or claim payment reduction. Both of which would suck a lot for most healthcare organizations, especially critical access hospitals and other hospitals who might, in a really good quarter, hit 1 percent margins. By the way, there's several articles about all these things at thisweekhealth.
com slash news. But now let's talk about carrots. I'm not a lawyer, and I'm not a doctor. What I'm going to suggest here, you know, might be impossible, or there might be some kind of other statute against it, or probably somebody will just say I'm trying to stir up trouble, which I'm not. Um, I've talked to a lot of folks all over the country about a lot of these carrot ideas.
And also, unfortunately for you, that includes a bundle of email and text that I sent yesterday and received yesterday while I was in the middle seat of a flight from Seattle to Philadelphia. And this is the kind of thing that happens when I'm in the middle seat for five hours. So let me start the carrot section by simply saying more damned carrots.
Because if we think we're going to solve the cyber problem with more rules and more regulation and more penalties, I think we're headed Word a lot of, you know, very bad, not good, unpleasant, unintended outcomes. Um, so Here's just a couple of suggestions for carrots. I didn't magically come up with these on my own.
These aren't my ideas. I'm out and about. I hear things. And here's what I'm hearing from a lot of folks in the field. First, there's consensus that cyber standards are good and it would be terrific if all healthcare organizations could get to a standard level of cybersecurity that could evolve over time and be agile given new technology and changing threats, just, you know, a bar that.
Could kind of gradually raise over time, but that costs money. And while some healthcare organizations are able to make those kind of investments, many, and maybe most, are not. Don't forget all those critical access hospitals and physician's offices and other organizations that are part of what is now clearly a massively interconnected healthcare industry that relies completely, almost, on technology to care for patients and families.
So, cyber incentive programs, please. Not meaningful use for cybersecurity, but you get the idea. If you were around in that era, that idea of seeing an organization progress through layers, levels of cybersecurity and be reimbursed or get incentivized payments to do that, I think would be a really great idea.
I think there are a lot of folks who think that would be a really great idea, so there's another suggestion. Financial incentives for organizations to improve their cyber position. Also, Consider some kind of relief from class action lawsuits. The class action lawsuit tidal wave we see now, it seems like it's only minutes between the time a health system has a cyber downtime until there's some lawyer somewhere filing a class action lawsuit.
By the way, there's articles on the news site about Tennessee's new law essentially banning class action lawsuits on healthcare organizations who've had a cyber event unless some specific requirements are met. But what if we just said something like, there's no class action lawsuits, uh, until a 90 day cooling off period?
The last thing a healthcare organization needs when they're trying to get back on their feet after a cyber event is a distraction from a lawsuit? Or what if there was some kind of model where if you were compliant with the current cyber standards, you would be in a safe harbor that would keep class action lawsuits at bay?
Now there's a bunch of other carrots that I could aggregate from the conversations that I'm having. These are just a few. And like I said, I know the immediate answer will probably be, we can't do something like that because of insert reason here. And I'm sure those probably are going to be really good reasons.
But we need carrots. I don't think we'll make real progress without a lot of carrots. And carrots of course will be difficult, but in the spirit of the Saturday Night Live skit with Will Ferrell and more cowbell, I have to say more carrot. Okay, let's go. By the way, all the stories I talked about today are available at thisweekhealth.
com. It's a great way to start your day. Go and check it out. And seriously, I'll Thanks so much for spreading the word about the two minute drill and the long form cyber show that I'm doing now called Unhack the Podcast. Uh, the number of show impressions and the minutes watched keeps going up and up and up, and that's because of you.
And I know it's because of you. Thank you. So like and share and leave comments and tag a friend. Uh, who needs to see all of this stuff. And I, I think that's most of us now. Um, I love the community that we're building together. I, I really do. I'm actually in Philadelphia tonight for a city tour dinner with a bunch of great CXOs and some amazing partners.
And Bill Russell is going to join us too. So, uh, that'll be fun. This one's full up, but we're going to keep the Supper Club going. And we have several other cities on the agenda. But if you'd like us to come to your town. Send me a note, we'll see if we can work something out and make it happen. Thanks again to our partner, ORDR, the exclusive sponsor of the 2 Minute Drill.
Did you know that ORDR integrates with more than 170 network, security, infrastructure, IT, and clinical solutions? It's true. Drop a message and I'll tell you more. And that's it for the 2 Minute Drill. Thanks for listening. Stay a little paranoid. I'll see you around campus.