Aug 18 2023

What Are Your Data Breach Notification Requirements?

Category: Data Breach | disc7 @ 9:47 am

Data breach notification requirements are complex in the US, with various federal and state laws containing different requirements for when security incidents must be disclosed.

Some even have substantially different definitions for what a ‘data breach’ or ‘personal data’ is.

As such, it can be hard to know whether you need to report an incident, let alone how you should go about it.

We address these issues in this blog, bringing some much-needed clarity to the subject.

State laws on data breach notification

There is no single set of data protection laws in the U.S.; the rules are instead a patchwork of industry-specific federal laws and state legislation.

To complicate matters further, several states have created new laws in recent years to bolster data protection requirements. For instance, New York has created the SHIELD Act, while Colorado and California have both created data privacy legislation.

Elsewhere, the U.S. government is attempting to unify data protection requirements with its National Cybersecurity Strategy.

The decision to revise data protection laws follows the introduction of the EU GDPR (General Data Protection Regulation) in 2018, which radically shifted organizations’ requirements.

Organizations in the U.S. that process EU residents’ personal data are required to comply with the GDPR, and those that conduct business across state lines will face similar compliance challenges.

You can find a summary of each state’s data breach notification laws on our website, along with links to the texts themselves.

The GDPR is particularly important here, because many organizations in the U.S. assume that it only applies in the EU. However, its requirements apply to any organization that processes EU residents’ personal data, which is particularly common for organizations that have an online presence.

GDPR compliance is also helpful for managing the patchwork of U.S. data protection legislation. Its requirements are far stricter than any domestic law, so achieving GDPR compliance will cover you for a range of other requirements.

You can learn more about the GDPR and the ways it can help you meet your data protection requirements by reading General Data Protection Regulation (GDPR) – A compliance guide for the US.

This free guide explains how and when the GDPR applies in the U.S. and the steps you can take to ensure your organization meets its obligations for transatlantic data processing.

You’ll also learn about the Regulation’s core principles and data subject rights, and the benefits of GDPR compliance.

We also provide tips on how to write your data privacy notice and on how to deepen your understanding of the Regulation’s compliance requirements.


Tags: CPRA, Data Breach Notification Requirements, Data Privacy Solutions, gdpr, hipaa


Mar 02 2010

HITECH Act increases HIPAA security requirements

Category: hipaa | DISC @ 3:03 pm

by Marcia Savage
The health care industry was buzzing with the news: For the first time ever, a hospital was being audited for compliance with HIPAA security requirements. The audit of Piedmont Hospital in Atlanta by the U.S. Department of Health and Human Services’ inspector general in 2007 was surprising for hospitals, health insurers and others in an industry accustomed to a lack of enforcement of federal privacy and security requirements.

A year later, HHS took another unusual step, meting out a $100,000 fine to Seattle-based Providence Health & Services for HIPAA security and privacy violations. The organization had lost backup tapes, optical disks and laptops containing unencrypted protected health information on more than 360,000 patients.

But those enforcement actions could be small potatoes compared to what’s ahead. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act signed into law last year, earmarks about $19 billion in incentives to encourage adoption of electronic health record technology but also expands on HIPAA’s security and privacy requirements. In addition to instituting new breach notification rules and extending the rules to health care business associates, HITECH implements a new tiered system that increases civil monetary penalties for noncompliance and also allows state attorneys general to file civil actions for HIPAA violations.

“HITECH is perceived as the enforcement arm of HIPAA,” says Barry Runyon, research vice president covering health care providers at Gartner. “The stakes are higher and more people can enforce it.

“What it’s done has kind of jump-started HIPAA. Health care delivery organizations’ programs languished for a while,” he adds. “When there’s no enforcement, people tend to get complacent. HITECH is making them revisit their security plans and look at their controls — essentially what they should have been doing.”

Let’s take a look at the ramifications of the HITECH Act on security and privacy in the health care industry and its impact so far.

To read further on HITECH Act increases HIPAA security requirements




Tags: arra and hitech, arra hitech provisions, arra hitech security "business associate", HHS, hipaa, hipaa security, hitech act, status of arra and hitech


Feb 03 2010

UCSF laptop containing patient files stolen

Category: hipaa, Security Breach | DISC @ 3:46 pm

[Image: UC Berkeley-UCSF Joint Medical Program, via Wikipedia]

The Associated Press

SAN FRANCISCO—The medical records of more than 4,000 patients at the University of California, San Francisco may have been compromised after a laptop they were on was stolen.
Officials with the university said Wednesday the laptop was recovered earlier this month after it was taken from a medical school employee during a flight in November. It does not appear that anyone gained access to the computer or the confidential patient information, but officials say the records still could have been exposed.

The files contained patients’ names, medical record numbers, ages and clinical information, but no Social Security numbers or financial data.

School officials say they are notifying the 4,400 patients whose records were on the computer. They were all treated in 2008 and 2009.
———
Information from: San Francisco Chronicle, http://www.sfgate.com/chronicle


Here we have another unnecessary major security breach in a large healthcare organization, which resulted in a loss of patient data and demonstrates poor baseline security. They are clearly not ready for the new HIPAA provisions under ARRA and HITECH. Evaluate your current business and system risks to make sure this does not happen to you.

Contact DISC with any questions if you think this may apply to you.

The Practical Guide to HIPAA Privacy and Security Compliance







Tags: arra and hitech, confidential patient information, Data, hipaa, Medical record, medical records breach, Medicine, Patient files stolen, San Francisco, San Francisco Chronicle, UCSF, University of California San Francisco


Dec 16 2009

Internet security breach found at UCSF

Category: hipaa, Security Breach | DISC @ 2:38 pm

[Image: University of California, San Francisco, via Wikipedia]

By Erin Allday, SF Chronicle

Hackers may have had access to personal information for about 600 UCSF patients as a result of an Internet “phishing” scam, campus officials said Tuesday.

The security breach occurred in September when a faculty physician in the UCSF School of Medicine provided a user name and password in response to a scam e-mail message. The e-mail had been sent by hackers and made to look as though it came from UCSF workers who are responsible for upgrading security on internal computer servers.

The university is not identifying the physician.

A UCSF audit in October found that e-mails in the physician’s account included personal information about patients, including demographic and clinical data, and the Social Security numbers of four patients. It is unknown whether hackers actually accessed the e-mails.

The patients have all been notified of the security breach.

Phishing scams are designed to get people to reveal private information – such as Social Security numbers, credit card information and passwords – when they reply to e-mails that pretend to come from legitimate organizations.

For years, financial institutions and other corporations have been educating people to be cautious of such scams and wary of revealing private information on the Internet.

In response to the latest scam, UCSF officials said the university has been re-educating employees about protecting their user names and passwords.


Here we have another unnecessary healthcare data breach in a university, caused by phishing, which resulted in a loss of private data and demonstrates poor baseline security and a lack of security awareness training. Healthcare organizations are not ready for HIPAA (ARRA and HITECH provisions) compliance. Check out why Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges.
Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.


Considering that the healthcare standard electronic transaction rules (compliance date Jan 1, 2012) and the HITECH provisions (compliance date Feb 17, 2010) are in the pipeline for healthcare organizations, do you think it’s about time for them to get their house in order?





Tags: arra and hitech, arra hitech provisions, Computer security, Credit card, Health Insurance Portability and Accountability Act, hipaa, Identity Theft, phishing, social security, Social Security number


Nov 06 2009

Laptop Heist Exposes Doctors’ Personal Data

Category: hipaa, Security Breach | DISC @ 6:50 pm

Another stolen laptop puts thousands of people’s personal data at risk but this time it’s the caregivers — not the patients — who are at risk.

November 6, 2009
By Larry Barrett:

More than 10,000 physicians’ and dentists’ personal data was exposed last week in New Hampshire after an employee at Anthem Blue Cross and Blue Shield transferred the health care providers’ Social Security numbers and other data to a personal laptop that was later stolen.

Anthem spokesman Christopher Dugan said the security breach took place at the national level and the files did not include any patients’ personal data.

The Blue Cross Blue Shield Association said the employee’s ill-fated decision to transfer the sensitive information to a personal laptop violated the insurer’s security policies.

Just last week, more than 33,000 patients receiving care from a Daytona Beach, Fla. medical center were notified that their data may have been compromised when a laptop was stolen from an employee’s car.
New Hampshire is one of 43 states that require companies and organizations to notify people when their personal or financial information is accidentally or deliberately compromised.

Anthem officials said it will provide free credit-monitoring services to all the affected physicians and dentists for a year.

It’s not been the best of months for the insurer.

On Oct. 5, Blue Cross warned another 39,000 doctors that yet another laptop stolen from the company’s Chicago headquarters could have potentially exposed an assortment of personal information including Social Security numbers and tax identification numbers.

A study by Traverse City, Mich.-based data security researcher Ponemon Institute estimates that more than 12,000 laptops are stolen or lost at airports alone each week.

It also found that the average large company has 640 laptops, 1,985 USB memory sticks, 1,075 smart phones and 1,324 other various data devices stolen or lost each year — a total of 800,000 data-sensitive memory devices a year.





Tags: arra and hitech, crime, data breach, data security, Health Insurance Portability and Accountability Act, hipaa, laptop, Physician, Security, stolen laptop


Oct 30 2009

HIPAA and business associate

Category: hipaa | DISC @ 10:14 pm
How ARRA and HITECH provisions affect HIPAA compliance
AIS reported that the new HITECH Act requires hospitals, providers, health plans and other HIPAA covered entities (CEs) to meet a February 2010 deadline for revising their business associate (BA) agreements. New language in BA amendments should require BAs to comply with (a) the HIPAA Security Rule, (b) the new security breach notification rules and related strategies that CEs choose to implement, and (c) the new privacy obligations imposed on CEs by the HITECH Act. Developing and maintaining effective BA relationships should be a top compliance priority for CEs, since privacy and security breaches often take place at the BA level and can be just as damaging to a covered entity’s reputation. With February approaching and lots of tricky questions to resolve, covered entities need a quick crash course in what their options are for designing and implementing these amendments in the next three months.

While the HITECH Act did not come right out and say “business associate agreements must be revised,” it does stipulate that certain provisions “shall be incorporated into the business associate agreement between the business associate and the covered entity.” Among them: business associate agreements must be amended to reflect the new mandate that BAs comply with the Security Rule, should be amended to provide the covered entity with adequate notice in the event of a security breach, and should incorporate the new privacy obligations imposed on CEs by the HITECH Act.





Tags: arra and hitech, arra hitech provisions, arra hitech security "business associate", breach of privacy, covered entities, health insurance, hipaa, hipaa privacy, hippa compliance, hitech, hitech act, hospital, privacy, SOX HIPAA, status of arra and hitech


Jun 10 2009

How ARRA and HITECH provisions affect HIPAA compliance

Category: hipaa | DISC @ 4:02 pm

[Image: HIPAA Compliant Seal, by Kestelnon via Flickr]

HIPAA Plain and Simple

This post looks at how the ARRA and HITECH provisions will affect HIPAA compliance. We highlight the changes to HIPAA due to these new provisions and discuss a possible solution for complying with the new HIPAA security and privacy requirements. The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA include important changes to the Health Insurance Portability & Accountability Act (HIPAA).

2/17/2010 applies to business associates – A Covered Entity (CE) can apply the HIPAA provisions to Business Associates (BAs) through the business associate agreement. The HIPAA Administrative Simplification Security Rule “shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.” With the change in the HITECH privacy provisions of ARRA, the business associate now has direct responsibility and liability for a breach. CEs should revise their business associate contracts to reflect the changes before the deadline.

Civil Action & Penalties – State Attorneys General can prosecute neglect, and individuals can receive monetary compensation. HIPAA now has teeth, with monetary penalties and civil and criminal prosecution.

Breach Notification – Notification to the individual, HHS and the media. Notification becomes more formal if more than 500 residents are affected; use appropriate public media for cases involving more than 500 individuals. A breach requires notification, which is triggered by an incident involving “unsecured protected health information”.

Accounting for disclosure – The CE is accountable for its BAs’ disclosures of Protected Health Information (PHI).

Sale of Protected Health Information – CEs and BAs cannot receive payment in exchange for PHI without the individual’s authorization. CEs and BAs are required to tell patients about disclosures of PHI for payment, treatment and administrative operations.

HIPAA compliance and how to manage your risks to healthcare assets:

HIPAA requires CEs to have appropriate administrative, technical and physical safeguards to protect the privacy of health information. However, HIPAA did not provide specific guidance as to which measures and controls are appropriate.

ISO 27001 provides the basis for building an Information Security Management System (ISMS), where an organization develops its own ISMS by applying controls from the ISO 27002 code of practice. Only those controls apply which relate to its business objectives and the potential risks to the business. One document required to build an ISMS is the Statement of Applicability (SoA), which explains why each of the 133 ISO 27002 controls included in the SoA was selected and justifies the exclusion of the remaining controls. You can build an ISMS suited to your HIPAA needs: a healthcare organization could use its ISMS to ensure that the controls required by the HIPAA security standards were selected from ISO 27002 and appropriately implemented. You need to certify the ISMS (ISO 27001) to provide ongoing assurance to HHS and healthcare business associates, which can give you an edge in this downturn economy and more opportunities to enhance business worldwide.

5 HIPAA Rules Regarding Text Messaging

Resources:
CMS audit checklist
NIST guide for implementing HIPAA





Tags: American Recovery and Reinvestment Act of 2009, arra, Health Insurance Portability and Accountability Act, hipaa, hipaa laws, hipaa privacy, hipaa security, hippa compliance, hitech, Protected Health Information


Jun 04 2009

Virtualization and compliance

Category: Cloud computing, Virtualization | DISC @ 1:04 am

[Image: Virtualization madness, by lodev via Flickr]

The core technology underlying cloud computing is virtualization. Organizations that may not want to jump into cloud computing because of its inherent risks can take a shot at virtualization in their own data centers. Virtualization can be used to reduce hardware and utility costs. An organization with 100 servers can consolidate them onto 10 physical machines, each supporting 10 virtual systems, which not only reduces the size of the data center but also cuts hardware cost and yields huge utility bill savings.

Virtualization was initially adopted to increase efficiency and save cost, but for many organizations it is now turning into a centralized management initiative. With centralized management, patches, virus and spam filters and new policies can be pushed to endpoints from a central management console. Policies can be used to impose lockout periods, USB filtering and backup routines, and can take effect immediately or the next time the user checks in with the server.

The way virtualization works is that the OS sits on an open source hypervisor, which provides complete hardware abstraction so that device drivers become irrelevant to the guest. With the OS image backed up at the management console, the virtualization technology allows seamless failover and high availability for desktops and servers.

As I mentioned earlier, virtualization allows policies to be enforced on endpoints (desktops). As we know, compliance drives the security agenda. If these policies are granular enough to be mapped to existing regulations and standards (SOX, PCI and HIPAA), then a virtualization solution can be used to implement compliance controls on endpoints. It is quite all right if the mapping is not 100%; that is where compensating controls come into play. Compliance with these various regulations and standards is not a one-time process. As a matter of fact, standards and regulations change over time due to new threats and requirements. True security requires nonstop assessment, remediation and policy changes as needed.





Tags: Cloud computing, Data center, Health Insurance Portability and Accountability Act, hipaa, Hypervisor, Open source, PCI, Security, sox, Virtualization


Aug 08 2008

ISO27k and compliance

Category: Information Security, ISO 27k | DISC @ 2:42 am

A security review is performed to identify and analyze risks and weaknesses in the current security posture of an organization. An ISO assessment is performed using the international standard ISO 27002 and the company’s security policy; the purpose of the review is to evaluate the organization’s information security posture against the international standard. The level of compliance indicates how close your organization is to meeting the key objectives for each of the 133 controls defined within the 11 security control clauses, which collectively contain 39 main security categories, plus one introductory clause on risk assessment and treatment.

It is important not only to assess the controls for completeness (all relevant areas are addressed) and comprehensiveness (each individual area is covered completely); this balanced framework also serves as the basis both for measuring an organization’s effectiveness in addressing risk and for structuring its overall security program. Because the ISO 27002 requirements are largely a superset of those in other major regulations, achieving ISO 27002 compliance positions most organizations well on their way to meeting the requirements of SOX, HIPAA and GLBA.

To achieve ISO compliance, a thorough assessment using all 133 controls will provide guidelines for mitigating the gaps found. If you would like to compare your security practices with the international standard, conduct a security review based on the ISO controls to give your business an edge.
The results of the assessment not only establish and maintain the security policy but also validate the policy’s completeness, design new controls and provide a road map to mitigate risks. A risk assessment determines which issues need to be addressed, provides a guideline for meeting security regulations, and lays out a road map to build a world-class ISMS (Information Security Management System).

ISO 27001 is an international standard which is regarded as information security best practice or due diligence, and it is the specification document for security controls and audit controls. ISO 27002 is a code of practice which recommends guidelines for information security management systems and is closely linked to ISO 27001. ISO 27001 continues to provide comprehensive best-practice advice and guidance to private and public organizations around the globe on how to design and implement a compliant information security management system (ISMS).
An ISMS is not simply a set of documents. Maintaining and improving an ISMS allows it to grow over time to address new business requirements. An ISMS is a system which addresses the information security risks facing an organization and identifies the organization’s level of compliance with applicable regulations.





Tags: glba, Health Insurance Portability and Accountability Act, hipaa, Information Security, Information Security Management System, isms, iso 27002, iso assessment, iso compliance, ISO/IEC 27001, ISO/IEC 27002, sox