Cybersecurity and Data Privacy Compliance
The privacy and protection of personal information has always been important for most people in the US. In fact, some of the earliest US privacy efforts date back to Benjamin Franklin. He implemented measures to maintain the privacy of mail during the 1700s by locking postal carriers’ saddle bags, which could only be unsealed at their destination.
However, the availability of that data via information technology channels has made it an even bigger deal, and a more complicated one, in the last several years. More business than ever is being conducted online, whether it’s making a purchase, applying for a mortgage or scheduling a medical procedure.
With so much personal data traveling across networks, the risks of data breaches keep growing. It doesn’t help that cybercriminals continue to become increasingly sophisticated and devious in their exploits.
Given the preponderance of data breaches and cybercrime, a number of regulations, standards, and guidelines have emerged or are being updated to help protect personal information.
Government Privacy Mandates
The European Union set the bar high when it enacted the GDPR in 2018. It’s considered the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere that target or collect data related to people in the EU. The GDPR levies harsh fines against those who violate its privacy and security standards, with penalties reaching tens of millions of euros.
While the US hasn’t put a nationwide privacy regulation in place, individual states have enacted comprehensive consumer data privacy laws. That includes Connecticut, Utah, California, Colorado, and Virginia. Other states are expected to follow suit or have already implemented some form of privacy legislation.
PCI DSS Updates
The PCI Security Standards Council (PCI SSC) isn’t a government entity but its global payment security standard carries a lot of weight for organizations that in some way handle credit card information. The organization issued version 4.0 of the PCI Data Security Standard (PCI DSS) on March 31, 2022. The updates are designed to address emerging technologies better and provide innovative ways to combat new threats.
One of the big changes – and repercussions – of PCI DSS 4.0 is its increased focus on risk assessments. Under PCI DSS v4.0, organizations may have to disclose more information about their security programs to qualified security assessors (QSAs) than under previous versions of the standard. PCI security assessments aren’t conducted under privilege, so organizations should be prepared for more scrutiny of their assessment documents if a security incident occurs.
HIPAA Privacy Rule
The big unknown in the compliance world is what will happen with one of the US’s original privacy acts, the Health Insurance Portability and Accountability Act (HIPAA). It hadn’t seen changes since 2013, when it was updated to cover new requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
In December of 2020, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) proposed modifications to the HIPAA Privacy Rule. A Final Rule has been expected in 2022, but there’s no indication as to when it will actually be issued.
Nonetheless, it’s a good idea to be prepared because, whether it happens in 2022 or 2023, HIPAA will eventually be updated. Here are five leading changes to the HIPAA Privacy Rule proposed by the Office for Civil Rights (OCR):
- Allow patients to look at their protected health information (PHI) individually and take photos and notes
- Change the maximum time of providing access to PHI from 30 to 15 days
- Permit patients to request that their PHI be transmitted to a personal health app
- Specify when patients can obtain their ePHI for free
- Require covered entities to publish individual price lists for PHI access and disclosures on their websites
Other HIPAA Privacy Rule alterations proposals can be found here.
HIPAA Security Rule
While the National Institute of Standards and Technology (NIST) isn’t authorized to create HIPAA regulations, it did release an updated draft of its HIPAA Security Rule guidance on July 21, 2022. Designed to assist HIPAA-regulated entities in “maintaining the confidentiality, integrity, and availability of electronically protected health information (ePHI),” the draft places greater emphasis on risk assessment and management of ePHI than the prior guidance did.
Guidance from CSA
The Cloud Security Alliance also released updated guidance to better support healthcare delivery organizations in managing third-party vendor risk. (Vendors are behind some of the largest healthcare data breaches reported.) The report provides an overview of healthcare’s greatest third-party vendor security risks, as well as program tools, examples, and use cases.
Vendor risks are especially prevalent in the healthcare industry because of the proliferation of digital applications and medical devices, the lack of automation in time-consuming and costly vendor risk assessment procedures, and the lack of fully deployed critical vendor management controls.
Other recent legislation to be aware of includes the HIPAA Safe Harbor bill, HR 7898, which was signed into law on January 5, 2021. It amends the HITECH Act to require the Department of Health and Human Services to incentivize best-practice cybersecurity for meeting HIPAA requirements.
In 2020, the Department of Health and Human Services published two final rules designed to reduce regulatory barriers and improve care coordination. Both contain safe harbor provisions that will allow health systems and hospitals to donate cybersecurity technologies to provider offices.
2022 Cybersecurity Legislation
On June 21, 2022, U.S. President Joe Biden signed two cybersecurity bills into law. The State and Local Government Cybersecurity Act of 2021 is designed to improve coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and state, local, tribal, and territorial governments. Under the law, these bodies will be able to share security tools, procedures, and information more easily.
Under the Federal Rotational Cyber Workforce Program Act of 2021, U.S. government employees in IT, cybersecurity, and related fields will be able to rotate through roles across agencies, enabling them to gain new skills and experience in various job functions.
In addition, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law in March 2022. It will require critical infrastructure companies, including financial services, to report cybersecurity incidents, such as ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA).
Also in March 2022, the US Securities and Exchange Commission (SEC) proposed a rule requiring publicly listed companies to report to the SEC cybersecurity incidents, their cybersecurity capabilities, and their board’s cybersecurity expertise and oversight.
Other 2022 legislation to check out: the Federal Information Security Modernization Act of 2022 and the Federal Secure Cloud Improvement and Jobs Act of 2022.
The Federal Trade Commission, Food and Drug Administration, Department of Transportation, Department of Energy, and other government entities are also working on new rules for cybersecurity and privacy. Things are happening at the state level too. In 2021 alone, 36 states enacted new cybersecurity legislation.
There’s a lot going on in the world of data privacy and cybersecurity legislation, mandates, and industry standards. To help make sure you’re keeping on top of what it takes to keep your IT systems in compliance, talk to the experts at US Signal. Call 866.2.signal or email: [email protected].