Cottage Health System has settled a state enforcement action over two separate data breaches that made more than 50,000 patients’ medical information publicly available online. The no-fault settlement requires Cottage Health System to:
Continue reading “California’s First 2017 Health Care Data Breach Enforcement Results in $2 Million Settlement”
Category: Cybersecurity
A Bipartisan Effort to Focus on Healthcare Cybersecurity
House Energy and Commerce Committee members Reps. Billy Long (R-Mo.) and Doris Matsui (D-Calif.) introduced the HHS Cybersecurity Modernization Act earlier this month in a bipartisan effort to address cybersecurity threats to the Department of Health and Human Services (HHS). Representatives Long and Matsui have both described the bill, H.R. 4191, as a stepping-stone towards improving cybersecurity at HHS and the health care industry at large. However, the bill does not authorize any additional appropriations to do so.
Continue reading “A Bipartisan Effort to Focus on Healthcare Cybersecurity”
A.G. Schneiderman Announces SHIELD Act to Protect New Yorkers
The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was introduced in the New York legislature in early November and would amend New York’s state breach notification law. The bill was announced after the release of a New York Office of the Attorney General report found a nearly 60% hike in data breaches affecting state residents in 2016 and following the Equifax breach in September, which A.G. Schneiderman is investigating.
Among other things, the SHIELD Act would:
- Require reasonable security for private information, using standards tailored to the size of the business, while avoiding duplicate regulations and providing incentive to businesses that certify security compliance and provides clear examples of safeguards (e.g., technical, administrative, and physical measures).
- Carve out “compliant regulated entities,” which are defined as those already regulated by, and compliant with, existing or future regulations of any federal or NYS government entity (including NYS DFS cybersecurity regulations; regulations under Gramm-Leach-Bliley; HIPAA regulations) by deeming them compliant with this law’s reasonable security requirement.
- Provide safe harbor from AG enforcement actions under this law for “certified compliant entities,” (those with independent certification of compliance with aforementioned government data security regulations, or with ISO/NIST standards).
- Provide a more flexible standard for small business (less than 50 employees and under $3 million in gross revenue; or less than $5 million in assets): requiring reasonable safeguards “appropriate to the [small business’s] size and complexity.
Continue reading “A.G. Schneiderman Announces SHIELD Act to Protect New Yorkers”
Latest OCR Reminder Regarding Mobile Device Security and PHI
With the ever-increasing use of mobile devices in the workplace that create, receive, maintain, and transmit electronic protected health information (ePHI), the Department of Health and Human Services (HHS), Office for Civil Rights (OCR)’s latest Cybersecurity Newsletter issued an important reminder of the importance of mitigating the risks surrounding the use of mobile devices.
Mobile devices pose unique security risks because of their portability, small physical size, and capacity to store vast amounts of data. Both the Federal Trade Commission (FTC) and OCR frequently remind all organizations, but especially those entities that process ePHI, of the importance of protecting data on mobile devices.
Continue reading “Latest OCR Reminder Regarding Mobile Device Security and PHI”
Department of Education Posts CyberAdvisory on Extortion and Student Data Threats
Acknowledging that schools have “long been targets for cyber thieves,” the Federal Student Aid Office (FSA) of the U.S. Department of Education (ED) posted an alert on October 16, warning school districts and other educational institutions of criminal extortion schemes threatening to release sensitive student data. Recent, similar cyberattacks in Montana and Iowa are being investigated by the FBI.
Continue reading “Department of Education Posts CyberAdvisory on Extortion and Student Data Threats”
Tech Companies Issue White Paper Recommending a National IOT Strategy
Over the course of the last year, a number of U.S. technology companies and associations, including Intel, Samsung and the Information Technology Industry Council (ITIC) initiated a process dubbed “the National IOT Strategy Dialogue” the purpose of which was to develop strategic recommendations for U.S. government policymakers on the Internet of Things.
The group recently issued a white paper capturing the recommendations they advocate that the U.S. government undertake or implement. These players suggest that for the U.S. to win the global race to test, develop and deploy beneficial IOT technologies, that the U.S. government needs a strategic roadmap.
Continue reading “Tech Companies Issue White Paper Recommending a National IOT Strategy”