Category:Privacy & Security
Critical Infrastructure and Cybersecurity Legislation: America’s Cybersecurity Problem
Long gone are the days when cybersecurity concerns existed solely in the domain of technology teams. Various organizations, from schools to government entities (at every level), to private companies alike have fallen prey to cyberattacks. May 2021’s Colonial Pipeline attack caused chaos and a temporary gas frenzy that brought awareness of the vulnerabilities of the technology we rely on to even the least technically minded American. Cybersecurity, and more specifically, the security of critical infrastructure immediately became an issue that the U.S. Government is taking very seriously.
Senate Brings Bipartisan Attempt to Update Health Privacy Regulations
On February 9, a group of senators led by Tammy Baldwin of Wisconsin and Bill Cassidy of Louisiana introduced a new bill, the Health Data Use and Privacy Commission Act (the “Act”), in attempt to revitalize current legislation regarding the protection and use of health data. The bill also has the support of a number of representatives from within the healthcare industry, including Epic, IBM, and Teladoc Health, as well as a number of professional associations like the American College of Cardiology, the Association for Behavioral Health and Wellness, and the Association of Clinical Research Organizations.
2022: U.S. Privacy Chaos, Continued?
Conversation surrounding the hodgepodge of state data privacy legislation in the U.S. has long been a subject of frustration within the U.S. and abroad. 2021 saw a drastic uptick in awareness and a need for meaningful comprehensive consumer privacy laws. With both data privacy and cybersecurity repeatedly making front page news over the last year, and even becoming high priority within the Biden Administration, it has become one of the few issues on which people across the political spectrum can agree. But will 2022 be the year that comprehensive federal privacy legislation becomes a reality? Don’t count on it.
Compliance Spotlight: William Hanning, CISSP, CISO
William Hanning is a Chief Information Security Officer with Groups360 and close to twenty years of Information Security experience. Mr. Hanning has built and managed security programs in multiple industries in organizations of varying sizes, as well as within Fortune 100 companies. Here, he gives insight about the separation between data privacy and cybersecurity, the role of information security teams, and how cybersecurity relates to and supports the work of legal and compliance departments.
The “Cyber Pandemic” – COVID-19’s Influence on Cybersecurity Practices
There is no doubt that the COVID-19 pandemic has affected almost every aspect of life for people around the globe. While the internet has allowed people to stay connected and continue working from home, it has also presented an opportunity for cybercriminals to take advantage of susceptible remote working setups. Cybercrime has significantly increased since the start of the pandemic, prompting corporations to mitigate the risk of a data breach against an onslaught of new vulnerabilities to their internal systems.
The Pandora Papers and the Bank Secrecy Act
The recent Pandora Papers leak in October 2021 shined the light on the massive and intricate web of offshore accounting that allows for insurmountable amounts of wealth to be hidden throughout the world. One of the most shocking revelations of these Papers was how heavily the United States was implicated in creating and perpetuating this system. As such, legislators have been pressured to find a way to crackdown on this sort of offshore money. One way that they have proposed addressing the problem is by amending the United States’ current criminal financial legislation, the Bank Secrecy Act.
The Quiet Corporate Health Cybersecurity Struggle Playing Out in Plain Sight
Cyberattacks on the healthcare industry have reached a fever pitch. In 2020 alone, there was a drastic increase in healthcare organization cybersecurity breaches. In 2021, the average cost of a healthcare data breach increased by over $2 million to $9.23 million. Healthcare providers continue to be the most targeted industry for cybersecurity breaches, with over ninety-three percent of healthcare organizations experiencing a data breach over the past three years. 306 breaches of unsecured protected health information (“PHI”) impacting 500 or more individuals were reported to the U.S. Department of Health and Human Services (“HHS”) in 2020. Yet healthcare organizations continue to be ill-equipped to handle this growing problem.
The Explosion of Remote Patient Monitoring in the Wake of COVID-19
The COVID-19 pandemic has fundamentally changed many aspects of healthcare delivery. Most notably, the pandemic increased the demand for digital health services. Telemedicine saw ten years’ worth of expansion in one year, but it was not the only digital health service that exploded as a result of the pandemic. Telehealth has evolved from merely meeting with a provider via a video conference to include more sophisticated technologies. Remote Patient Monitoring (“RPM”) allows for providers to collect patient data without the patient having to go to a healthcare facility for monitoring. RPM can improve the quality of healthcare delivery by more closely monitoring a patient while also reducing patient volumes within a healthcare setting. In addition, because RPM allows patients to get more care at home, it can largely reduce costs to the patient and the payor while increasing access. Despite the many benefits associated with RPM, there are considerable risks and compliance issues.
Security Awareness — Not Just an IT and Compliance Responsibility
Since the start of 2021, cyber-attacks have dominated headlines across every industry. From governments and government organizations, healthcare companies, and banks, to gaming companies and oil pipelines, ransomware has impacted organizations of all types and sizes. The scale and scope of these attacks have continued to grow and have far reaching consequences. Despite current agency attempts to strengthen cybersecurity through regulation, individual users continue to pose a serious threat due to insufficient security education.
A Practical Approach to Post-Schrems II Remediation of Cross-Border Data Transfers to the U.S. and Other “High Risk” Third Countries
On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its deafening decision that summarily and immediately invalidated the EU-US Privacy Shield. The regulatory program established between the European Council and the U.S. Dept. of Commerce allowed for the transfer of personal data of EU residents to be sent from the EU to the US without violating the data transfer restrictions of the General Data Protection Regulation (“GDPR”). The decision went on to cast serious doubt on the sufficiency of standard contractual clauses to adequately protect data transferred to any third country, not just the US. Several months later, data exporters in the EU are still sorting through the wreckage of their privacy programs and waiting for practical advice on the way forward.