


Which Of The Following Regulatory Laws Requires Data Protection For Health Care Institutions?


By Stephen Wu

I. Why Worry About Data Security?

Data breaches continue to be an everyday occurrence. We see them in the news all the time. The recent Equifax breach is only the latest in a long string of breaches. Competitors, former employees, and state-sponsored groups seek companies' trade secrets in order to bolster competing businesses. Hacktivist groups seek to damage the reputation of companies by publicizing sensitive information. Organized crime rings seek sensitive information for profit.

The consequences of data breach liability are becoming apparent. Merchants sued for data breaches are paying staggering amounts to investigate and settle the cases against them. The TJX Companies set aside $107 million to cover the litigation against it and regulatory actions. Heartland Systems set aside $73.3 million for breach expenses in 2009.

Although TJX and Heartland are huge cases, other companies find (or perhaps fail to find) smaller security breaches every day. For instance, former employees departing companies commonly misappropriate trade secrets and confidential data as they leave their employment. Security breaches, both big and small, cost companies real money every day in investigation and remediation costs, litigation costs, customer anger, reputation losses, loss of competitiveness, and ultimately, loss of revenue and shareholder value.

II. Business Risks

Security breaches damage a company's business and create financial and legal risks. First, a security breach involving the loss of trade secrets or confidential information may imperil the future of a company's business. Companies depend on keeping the new products and services they are developing away from competitors. Customer lists are critical to sales efforts. The loss of these key assets jeopardizes a company's ability to compete in the marketplace.

Second, the costs involved with responding to a security breach are considerable. Companies responding to breaches may hire computer forensic experts to examine the cause of the breach and preserve evidence. They may retain information security firms to close vulnerabilities. In addition, companies may engage public relations and crisis communications experts to deal with consumers and the public to protect their reputation. All of these expenses are in addition to legal fees incurred in the investigation and possible defense of claims brought by consumers against companies that compromised their personal information. For major breaches, the legal fees alone could amount to millions of dollars.

Finally, security breaches affect a company's reputation. Customers may begin to feel uncomfortable doing business with a company that apparently did not, before the breach, prevent the compromise of their sensitive information. The loss of reputation may cause customers to move to competitors or deter potential customers from doing business with the company. A reduction in customer business hits the purse with reduced sales revenue and lost profits. Ultimately, the damaged reputation and diminished revenue stemming from a breach may reduce shareholder value and cause stock price drops.

III. Different Facets of Information Security Law

What is information security law? Information security law is an emerging area of law focusing on one of our society's most valuable sources of wealth: data. Information security law is nothing new. Yet, information security law is "emerging" in the sense that it has arisen largely in the last two decades, as opposed to more traditional areas of law, like real estate, that have been with us since the founding of the United States. It has also emerged because developments in the law have been accelerating in recent years.

Returning to the original question, what is information security law? Also, what do information security lawyers do?

Information security law, or infosec law, is in some ways a new area of law. In other ways, it is a new area of practice for law firms and has an industry-specific focus. This article discusses all of these dimensions of information security law.

Information security, as an emerging area of law, includes a number of components. First and foremost, information security lawyers counsel their clients on requirements to keep data and information systems secure. These requirements may stem from public law (statutes and regulations) or private arrangements made via contracts. Infosec lawyers help clients answer the key question: What does my company need to do to comply with infosec requirements under applicable law and contracts?

Second, infosec law addresses liability that arises from security breaches or defects in security products or services. Parties injured by a security breach may sue to seek damages or an injunction against the parties responsible for the breach. When the perpetrators cannot be found or it isn't worth suing them, injured parties may sue others who supposedly allowed the breach to occur or failed to stop it. Companies purchasing security products or services may sue their vendors when the products or services don't work as advertised or when they fail to prevent a breach. Infosec lawyers bring suit on behalf of the injured party or defend these kinds of suits.

Third, infosec law covers secure electronic commerce. Secure electronic commerce answers questions such as:

  • How do parties form contracts online?
  • Are online contracts treated the same as paper contracts under the law?
  • What must a person or business do to authenticate himself, herself, or itself to another party online?
  • What must be done to tie an individual or business to an online transaction and hold that party accountable for it?
  • How can you show that a person has agreed to an online transaction: an electronic signature, a secure form of electronic signature, or a digital signature?

Secure electronic commerce systems or programs may, for instance, establish a trading community in which a large organization can procure products or services from its vendors. Electronic "commerce" can also include e-government services. For example, an environmental regulatory agency may establish an online presence to accept submissions of environmental reports and disclosures. E-commerce lawyers counsel clients concerning ways to establish secure e-commerce systems, the interplay between background law and contracts involved in establishing these systems, and liability concerns arising from e-commerce activities.

In addition to being an area of law, infosec law is also a law practice. Lawyers from a variety of traditional practice areas may work in the information security area. For instance, lawyers specializing in government regulatory matters may advise clients on federal or state statutes that impose infosec requirements. Attorneys working in government affairs in Washington or state capitols may become involved in lobbying efforts for or against new infosec legislation, such as the federal breach notification bills. Litigation lawyers are likely to be the professionals handling disputes arising from security breaches. Finally, members of technology transactions groups are often the first lawyers called in to counsel clients seeking to protect sensitive data in IT arrangements or engage in secure e-commerce, although technology attorneys with the specialized skills needed to provide in-depth advice have created a distinct sub-specialty within the technology transactions umbrella.

Finally, information security lawyers focus on one industry: the information technology industry. Some law firms have IT law groups whose work includes addressing the specific needs of vendors of information security products and services. Infosec lawyers need to develop deep IT experience and exposure to clients that depend on IT for their operations and sometimes their entire livelihood. More recent trends, such as cloud computing, pose even greater challenges to the legal community.

Infosec lawyers cultivate contacts among IT professionals and infosec professionals, in particular. Servicing clients' infosec legal needs is a multi-disciplinary endeavor, and lawyers are creating fruitful partnerships and relationships with outside and in-house technical experts. Lawyers in the infosec field simply cannot perform their jobs alone. They require considerable assistance from experts with the technical expertise to provide comprehensive advice to clients.

In sum, information security is at once an emerging area of law, an area of practice, and an industry focus. As with new areas of the law in the past, attorneys practicing infosec law are those who have experience in allied areas of law and who have IT and infosec technical expertise. The mix of technical and legal issues, the need to work with multi-disciplinary teams, and the novelty of the field challenge infosec lawyers, but make for a fascinating area of the law.

IV. Compliance with Security Laws

Over the years, state, federal, and international data security laws have proliferated. These laws impose security requirements on the businesses and governmental entities that they cover. At first, these laws focused on specific sectors of the economy, such as financial services, health care, or government. Later, state legislatures, foreign governments, and international bodies created more general data protection laws that cut broadly across sectors. Some of these laws establish only general requirements, such as the mandate to protect certain kinds of information with "reasonable security." Others provide a much more detailed set of requirements, some of which even relate to the use of specific technologies, such as encryption.

Most security-related laws mandate the implementation of security controls to protect security-sensitive data. Other laws, however, create business opportunities if companies adopt security technologies.

A. Sarbanes-Oxley Act

Congress enacted the Sarbanes-Oxley Act (SOX) to cover publicly traded corporations and address financial scandals, such as Enron and WorldCom. SOX addresses fraud in the finance departments of public companies by requiring that public companies establish reliable "internal controls" for gathering, processing, and reporting financial data, with the ultimate goal of ensuring accurate reporting of public companies' finances for the benefit of investors. While SOX and its regulations do not directly require specific information security controls, auditors and leading organizations have created guidance documents to define internal controls, and some of the guidelines address information security controls as a foundation for creating strong internal controls.

B. Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) loosens certain regulations on the financial services industry. Still, it contains privacy and security requirements for financial institutions, which GLBA defines broadly. GLBA and the regulations under it call for financial institutions to protect the privacy of their customers and to protect the security and confidentiality of their customers' nonpublic personal information.

C. Federal Information Security Management Act

Congress passed the Federal Information Security Management Act (FISMA) to promote the security of federal agency information systems. FISMA requires that agencies create and implement security programs and report the results of these programs to the Office of Management and Budget, which reports the results to Congress. The National Institute of Standards and Technology (NIST) provides guidance with publications containing specific technology controls and standards for agencies to implement and meet.

D. Fair and Accurate Credit Transactions Act/Red Flags Rule

The Fair and Accurate Credit Transactions Act (FACTA) helps to reduce consumer risks associated with identity theft. Under FACTA, the Federal Trade Commission (FTC) and other agencies promulgated what are known as the "Red Flags Rules," which cover financial institutions and creditors that hold consumer accounts. Covered entities must create an Identity Theft Prevention Program for combatting identity theft, which includes reasonable policies and procedures for detecting, preventing, and mitigating identity theft. These policies and procedures should include information security controls.

E. Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA), among other things, helps workers by protecting the portability of their health coverage. However, HIPAA also contains administrative simplification provisions promoting electronic health transactions and protecting the privacy and security of health information as it is processed in these transactions. Under HIPAA, the Department of Health and Human Services enacted comprehensive and broad privacy rules and security rules, which call for specific security controls. The Health Information Technology for Economic and Clinical Health Act (HITECH Act) within the American Recovery and Reinvestment Act of 2009, as well as the final HIPAA/HITECH regulations issued in 2013, expanded the scope of the HIPAA Security Rule and included new breach notification requirements regarding the compromise of health information.

F. California Confidentiality of Medical Information Act and Other State Privacy Laws

The California Confidentiality of Medical Information Act and other California laws prohibit healthcare providers from disclosing patient records without authority. Moreover, other California laws, enacted after high-profile security breaches resulting from hospital workers looking at celebrities' records, prohibit healthcare workers from "snooping" in patient records. Newer legislation requires healthcare providers to protect the integrity of medical records and log access to them.

G. California SB 1386 and AB 1950

California was the first state to enact a breach notification law, SB 1386, requiring businesses and state agencies to notify affected California residents whose personal information was compromised. SB 1386 covers personal information in the form of a driver's license/California ID card number, social security number, or financial account number (with access code) in combination with a last name and first name or initial, as well as medical records. The law covers businesses that own or license such personal information. SB 1386 requires them to notify California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

California's AB 1950 covers the same category of businesses and personal information. Under AB 1950, covered entities must implement reasonable security procedures and practices to protect personal information against unauthorized access, destruction, use, modification, or disclosure. AB 1950 does not call for specific security controls.

Other states and nations have laws or guidelines similar to both SB 1386 and AB 1950.

H. State Consumer Protection Laws

California has three laws commonly used in consumer claims against product and service providers. First, California's Unfair Competition Law (UCL) strikes at "unfair competition," including unfair and deceptive trade practices. The UCL appears at Business & Professions Code Section 17200 and following sections. Second, California's False Advertising Law prohibits making untrue or misleading advertising statements. Finally, the California Consumers Legal Remedies Act prohibits specific categories of unfair and deceptive trade practices.

I. Cybercrime Laws

Federal and state cybercrime laws prohibit, among other things, gaining unauthorized access to computer systems, damaging computer systems, or spreading malware. The federal Computer Fraud and Abuse Act is a criminal statute. It also creates a private right of action for victims of certain categories of cybercrimes. While these laws do not establish security requirements per se, they may become relevant to the conduct of company personnel. Companies should train and supervise their employees to prevent them from violating these laws in developing products, delivering services, or the conduct of their business.

J. EU General Data Protection Regulation

In May 2018, companies collecting and processing personal data from citizens of the European Union and European Economic Area (the EU plus Iceland, Liechtenstein, and Norway) will need to comply with the EU General Data Protection Regulation, or "GDPR" for short. The GDPR is a law that recognizes the fundamental rights of individuals (called "data subjects") to certain privacy rights. As a regulation, the law imposes a uniform framework of privacy requirements on the member states of the European Union and the European Economic Area.

GDPR covers a wide variety of "personal data." "Personal data" means any data relating to an identified or identifiable natural person, including but not limited to names, health information, financial information, email addresses, and even IP addresses, telephone numbers, and device identifiers.

Businesses in the United States that have a European presence or are cultivating a customer base in Europe are potentially covered. In addition to certain privacy protections, Article 32 of GDPR requires companies collecting personal data ("controllers") and data processors working on behalf of controllers to implement security controls. Controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including ensuring the confidentiality, integrity, availability, and resilience of processing systems and services.

V. Liability Risks

When high-profile security breaches cause the loss of consumer personal data, lawsuits frequently follow. In fact, in the Sony PlayStation security breach, lawyers filed a class action against the company nine days after the breach occurred. If your company holds consumer personal information, a class action against your company is a significant risk if a data breach occurs.

Plaintiffs have asserted a number of claims against companies that have experienced data breaches. First, they frequently assert negligence claims against the defendant companies. Typically, plaintiffs claim the company had a duty to protect the security of personal information, the company failed to exercise reasonable care to protect that information, a breach occurred as a consequence, and the breach caused the plaintiffs harm.

Second, plaintiffs may assert a breach of contract claim against the company hit by the breach. They may point to express promises of security or claim an implied contractual duty to protect information. They then contend that the compromise in security constituted a breach of the contract between the company experiencing the breach and its consumer customers.

Finally, plaintiffs may assert statutory claims against the company based on laws against unfair and deceptive trade practices or laws against false advertising. They may contend that inadequate security is an unfair trade practice, misleads consumers (perhaps because of advertised assurances of security), or is illegal under information security laws. The violations may entitle consumers impacted by the breach to a refund of their payments to the company. In addition, the FTC may bring an enforcement action against a company experiencing a breach for these same reasons.

Companies may also face information security liability for alleged privacy violations or for failing to supervise their employees. If companies roll out products or services that allegedly violate consumer privacy by accessing their applications or devices without permission, they may be sued for violating cybercrime laws. In addition, if rogue employees inside companies gain unauthorized access to competitors' computer systems to uncover business intelligence, they may face cybercrime claims based on the unauthorized access.

VI. How to Prevent Breaches?

Preventing data breaches requires a combination of approaches to manage people, processes, and technologies to implement robust security controls. This section addresses the security controls that can help you minimize the risk of security breaches. It is impossible to prevent all data breaches, and it would be cost-prohibitive to try. Nonetheless, each organization will need to conduct its own risk management process to settle on a balance between implementing controls to minimize the risk of breaches and the time, effort, and money needed to implement such controls.

This section refers to a business covered by a security policy as the "Covered Entity."

A. Administrative Controls

Administrative safeguards are the non-technical, "soft" measures that management establishes regarding acceptable employee conduct, personnel procedures, and correct technology usage within the enterprise.

1. Risk Analysis and Management

Risk analysis consists of four components:

  1. Asset identification and valuation
  2. Threat identification
  3. Vulnerability identification
  4. Risk identification.

2. Asset Identification and Valuation

The term "assets" refers to items of value to the Covered Entity, which include (among other things) computer hardware, mobile devices, software, records, and other information. Asset identification and valuation involves listing the assets to be considered within the scope of the risk assessment. Once identified, the Covered Entity needs to assign the appropriate value to each asset, which can be monetary or simply a qualitative measure of the asset's value (e.g., high, medium, or low).

3. Threat Identification

A threat is a negative event that has the potential to damage an asset that is vulnerable to such a threat. Information security threats compromise the confidentiality, integrity, or availability of information. Threats may be intentional, such as a hacker attempting to break into a network. Additionally, threats may also be inadvertent, such as the mistyping of an email address, which may be attributable to natural human carelessness or fatigue. Threats may extend beyond human conduct, whether intentional or not, to natural or physical phenomena. For example, hurricanes and earthquakes pose threats to the availability of information when they strike data centers and the equipment operating in them.

4. Vulnerability Identification

A vulnerability is a weakness in an asset that allows a threat to damage that asset. This weakness can stem from the lack of a control designed to protect the asset, a weakness in the control, or a feature of the asset itself. Threats have the potential of exploiting these weaknesses to damage the confidentiality, integrity, or availability of the asset. Because vulnerabilities only exist in the context of a threat, the Covered Entity must carefully consider which threats are relevant to it when assessing the vulnerability of an asset to a particular threat.

5. Risk Identification

The risk identification step analyzes risk based on the likelihood that a threat will exploit a vulnerability and the impact that event would have on the vulnerable asset. The Covered Entity can use existing questionnaires, interviews with experts, past history, and other means to determine the risks the organization may encounter. The Covered Entity should document potential risk elements as part of its risk management process. High risks are those involving threats that occur frequently and/or exploit vulnerabilities of high-value assets. Low risks are those where a small vulnerability may expose a low-value asset to unlikely or infrequent compromise or loss. Even when the risk identification step is completed, there is a remaining "unidentified risk."

Risk Management describes the continuous, iterative process of:

  1. Analyzing changes to the Covered Entity's environment, including such factors as: (i) implementation of new technology and associated vulnerabilities; (ii) developments in new threat technology; (iii) changes to organizational structure and business goals; and (iv) changes in regulations.
  2. Measuring and prioritizing risks and corresponding mitigation measures and incorporating them into a Risk Management Plan.
  3. Implementing those mitigation measures defined in the Risk Management Plan.

The Risk Management Plan should address how a risk is to be managed to an acceptable level. Risks may be prioritized on the basis of degree of risk, magnitude of harm that a threat could cause, the cost to mitigate a vulnerability, business goals and critical needs, and expected effectiveness of mitigation measures.

6. Security Management Function

A Covered Entity should have a person in charge of the information security function at the company. For purposes of accountability, that one person should be accountable to senior management and ultimately the board of directors or equivalent. If the Covered Entity does not have such a person, then the security function is scattered, multiple people may attempt to shift responsibility among themselves, and critical security tasks may fall through the cracks. Frequently, management assigns security oversight in a company to a Chief Information Security Officer.

7. Hiring/Supervising/Terminating Workers/Single-user Accounts/Accountability

People are the weakest link in any security program. To address this vulnerability, the Covered Entity must establish policies, procedures, and standards for ensuring that the security risk of the workforce itself is managed. Those workers without a need for access should not be given access rights, and workers without explicit access rights should be denied access to security-sensitive information. To comply with these administrative safeguards, the Covered Entity, through administrative procedures, should implement the following three procedures:

  • Authorization and/or supervision (granting access privileges and supervising workers' access to security-sensitive data),
  • Workforce clearance procedure (managing the hiring and HR policies of the Covered Entity to ensure that it fills roles with trustworthy and competent personnel), and
  • Termination procedures (revoking access privileges and obtaining the return of devices, media, and security-sensitive information).

8. Access Management

These administrative procedures govern how Covered Entities grant access privileges for applications, workstations, and security-sensitive information to authorized people in the organization. When determining who in the organization should access systems, programs, databases, or other intermediaries to security-sensitive data, management should consider policies that limit access to the minimum number of people and the minimum extent necessary for employees to perform their jobs. Granting privileges that exceed the minimum required for proper job performance adds risk to the security and privacy of sensitive information.

9. Security Awareness and Training

People cannot perform their duties securely unless they are familiar with the entity's security policies and procedures. Awareness allows employees to grasp the importance of security and its role in protecting privacy. Training focuses on how to use the security features and maintain a secure information-processing environment.

  1. Reminders: training and awareness are continuous, not one-time events. The Covered Entity must have an ongoing, periodic security awareness and training program. Its goal should be to keep staff updated on the latest risks and threats the organization is facing, as well as any changes in the Covered Entity's security programs.

  2. Malware/Social Engineering: the organization must have a policy and procedure on how it will protect itself from malicious software and phishing attacks. Malicious software can be any code that affects the confidentiality, integrity, and availability of security-sensitive information. Examples of malicious software include viruses, worms, and Trojan horses. Most recently, companies have been victimized by numerous "ransomware" attacks in which malicious software encrypts a company's data and attackers demand a ransom to decrypt the data.

    Software can enter the environment from many sources, including email, USB drives and other media, employee-installed software, and websites. Phishing attacks involve sending messages to people to get them to sign into phony sites and disclose their login credentials, which can then be harvested and used for impersonation, identity theft, and other malicious purposes.

  3. Log-in Monitoring: the Covered Entity should have appropriate procedures for monitoring attempts to log into systems or applications that contain or can access security-sensitive information and for reporting anomalous events. Examples of these events include:

    • Unusual times for a workstation to be active or logged in (such as well after business hours or during an employee's off time), which may indicate that an employee is trying to take protected information outside of the scrutiny of his/her supervisor, or that an attacker is attempting to gain unauthorized access.
    • Unusually high numbers of failed login attempts (which might indicate that an attacker is trying to log in, does not know the password, and is attempting to guess it).
  4. Password/Credential Management

Covered Entities can train their personnel to choose and maintain secure passwords used for access control to systems and data. Passwords may have security standards themselves, such as:

  • Minimum length.
  • Complexity (e.g., required numeric and non-alphabetical characters, lower and upper case letters, etc.).
  • Difficulty of guessing (e.g., avoidance of dictionary words, maiden names, pets' names, spouse's name, etc.).
  • Minimum and maximum usage time dictating when they must be changed.

Password management and password confidentiality policies and procedures directly affect the security of the accessed system or application.

If the Covered Entity uses authentication methods other than passwords, such as smart cards or other hardware tokens, it should have policies and procedures for issuing, managing, and revoking the credentials associated with such devices.
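An added illustration of the log-in monitoring item above (this is example code, not part of the original article): a small Python monitor that reads constructed sample log lines and flags the two anomalies the article lists, a burst of failed logins for one account and successful logins outside business hours, plus a success that directly follows a failure burst. The log format, the five-failure/five-minute threshold and the 08:00 to 18:00 business-hours window are assumptions chosen for the demonstration.

```python
"""Log-in monitoring over constructed sample log lines.

Added example, not from the original article. The log format, field names,
thresholds and business-hours window below are assumptions for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
# Format assumed: "<ISO timestamp> <SUCCESS|FAILURE> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-04T09:02:11 SUCCESS user=alice src=10.0.0.5
2024-03-04T09:05:40 FAILURE user=bob src=10.0.0.9
2024-03-04T09:05:52 FAILURE user=bob src=10.0.0.9
2024-03-04T09:06:03 FAILURE user=bob src=10.0.0.9
2024-03-04T09:06:15 FAILURE user=bob src=10.0.0.9
2024-03-04T09:06:27 FAILURE user=bob src=10.0.0.9
2024-03-04T09:06:40 FAILURE user=bob src=10.0.0.9
2024-03-04T14:30:00 FAILURE user=carol src=10.0.0.7
2024-03-04T15:45:00 SUCCESS user=carol src=10.0.0.7
2024-03-04T23:41:08 SUCCESS user=dave src=10.0.0.12
2024-03-05T03:12:55 SUCCESS user=alice src=10.0.0.5
"""

FAILED_THRESHOLD = 5                  # alert once an account exceeds this many failures...
FAILED_WINDOW = timedelta(minutes=5)  # ...inside this sliding time window
SUCCESS_AFTER_FAILURES = 3            # a success preceded by this many recent failures is suspicious
BUSINESS_HOURS = (8, 18)              # 08:00 <= hour < 18:00 counts as normal activity


def parse_line(line):
    """Split one assumed-format log line into a dict of its fields."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def _prune(q, now, window):
    """Drop failure timestamps that have fallen out of the sliding window."""
    while q and now - q[0] > window:
        q.popleft()


def detect_anomalies(log_text, threshold=FAILED_THRESHOLD, window=FAILED_WINDOW,
                     business_hours=BUSINESS_HOURS):
    """Return a list of (event_type, user, time) tuples in log order."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    already_flagged = set()               # avoid re-alerting on every extra failure
    start, end = business_hours
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, t = ev["user"], ev["time"]
        q = recent_failures[user]
        _prune(q, t, window)
        if ev["result"] == "FAILURE":
            q.append(t)
            if len(q) > threshold and user not in already_flagged:
                alerts.append(("excessive_failed_logins", user, t))
                already_flagged.add(user)
        elif ev["result"] == "SUCCESS":
            # A success that closes out a failure burst is the strongest signal
            # that a guessed password worked; report it before resetting state.
            if len(q) >= SUCCESS_AFTER_FAILURES:
                alerts.append(("success_after_failure_burst", user, t))
            q.clear()
            already_flagged.discard(user)
            if not (start <= t.hour < end):
                alerts.append(("off_hours_login", user, t))
    return alerts


if __name__ == "__main__":
    for kind, user, when in detect_anomalies(SAMPLE_LOG):
        print(f"{when.isoformat()}  {kind:28s} user={user}")
```

Run against the constructed sample, it reports bob's failure burst at 09:06:40 and the off-hours logins by dave and alice; carol's single failure followed by a success stays below both thresholds.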

10. Incident Response and Handling

The Covered Entity should train all personnel to be aware of events that may show a security incident took place. It should also establish mechanisms and procedures for reporting such events as potential security incidents, and procedures for investigating and responding to such incidents.

In response to incidents, Covered Entities must take steps to mitigate their effects. Mitigation may take the form of closing a vulnerability that caused the incident, retrieving information that was lost or misappropriated, implementing a new security safeguard, or strengthening an existing safeguard.

In any event, Covered Entities should document incident reporting and handling to make a record of what happened, help in managing future efforts to respond to the incident, and facilitate remedial actions to prevent similar incidents in the future.

11. Backup/Disaster Recovery/Business Continuity

Data backup planning and execution involves more than occasionally making a copy of security-sensitive information and storing it somewhere. Backup planning and implementation should be a formal process that includes planning for:

  • Backup frequency and maximum allowable data loss. The backup frequency (e.g., once per week, once per day, once per hour) and the location of the backup media determine the maximum allowable data loss (the amount of data that was not backed up and, because of the emergency or other incident, is now not retrievable), often called the recovery point objective.
  • Maximum time to restore. This metric, often called the recovery time objective, determines how long it will take to move the backup copy into service. Different methods of storage – tape, optical disk, etc. – require different amounts of time to restore.

Backups need the same security protection as the data receives in its primary (production) systems for normal use. Backup policies and procedures must be subject to the same management controls as the production services.

12. Assessment

No policy or procedure lasts forever. Management should ensure that policies and procedures are kept current with prevailing security threats, information system vulnerabilities, and security and privacy risks. Management should identify the policy and procedure evaluation frequency (such as once per year) and document it in the Covered Entity's security policies and procedures. Covered Entities need to maintain version control of all policies and procedures. All personnel and advisors should be working with the most recent version of a policy or procedure.

13. Third-Party Supervision

Today, outsourcers and vendors perform many key roles for Covered Entities. When performing these functions, they will likely have access to security-sensitive information. Covered Entities should put in place appropriate agreements requiring third-party service providers to protect the security of such information. Agreements should identify the information that needs to be protected, require assurances of security, contain a mechanism to assess compliance, require notification if a security breach occurs, and impose consequences in the event of a breach.

B. Physical Safeguards

Physical safeguards consist of the business policies, procedures, and recordkeeping required to protect a Covered Entity's physical facilities and equipment that contain security-sensitive information against specified hazards.

1. Facility Planning

Part of planning for physical safeguards involves protecting information systems from physical intrusions, such as break-ins, and from workers with legitimate access to some facilities seeking to gain unauthorized access to facilities to which they have no access privileges. A Covered Entity should have documented and implemented policies and procedures to limit who has physical access to information systems, such as who has the ability to touch an information system component's keyboard, to look at its screens, to access servers, or to take a laptop out of the workplace and into the home or car.

Data center construction involves complex planning to protect sensitive systems in high-security zones. Information security professionals speak of protecting sensitive systems with multiple physical security tiers. A tier is a self-contained protected area that cannot be accessed from outside without entering through an opening to which access is controlled, for example a locked door. High-security zones are protected by multiple tiers of physical security.

Because information systems are increasingly mobile, the physical premises, interior, and exterior of a building that contains sensitive data could include an employee's home or another structure outside the intuitive meaning of a workplace building. Thus, the concept of a controlled facility may extend into these non-traditional areas. The Covered Entity must consider the impact of physical security across its entire extended facility.

2. Workstation/Mobile Device Use Policies and Procedures/BYOD

The mobile revolution has engulfed the business world. People are increasingly using tablet computers, smart phones, and other mobile devices to perform business-critical functions. At the same time, people still use PCs for much of the intensive work they do, such as writing lengthy reports, doing work that requires large displays, or running processor-intensive applications. Theft and loss of mobile devices and laptops remain leading causes of data breaches. Office break-ins show that even desktop PCs and servers are vulnerable to theft. Both computers and mobile devices require protection, and the Covered Entity should have policies and procedures in place to prevent the accidental loss and theft of computing devices.

In addition, companies are increasingly embracing "bring your own device" (BYOD) – a policy that permits workers to choose the mobile device they want to use to perform work functions. Companies may pay for such devices, may subsidize the cost, or may simply require employees to bear the cost of such devices. BYOD advocates tout the policy's ability to increase worker productivity and acceptance, since workers are using devices they like and feel most comfortable with. Companies that shift some or all of the cost of devices onto employees may see savings.

On the other hand, BYOD policies have their own set of security and privacy challenges that companies must consider before adopting them. For instance, among other things, companies must have policies, procedures, and technology to secure company information stored on such devices, ensure that mobile devices do not introduce malware into the company's systems, ensure that they meet company security standards, register the devices, control access to company networks when workers are using them, and ensure that the company has access to such devices in the event of an e-discovery request or upon termination of the worker.

3. Physical Safeguards Around Workstations

Workstation security involves the Covered Entity assessing and managing the risk of what work is being done and where. Administrative and technical safeguards may be taken into account when a Covered Entity determines the overall risk to information security that a particular location poses. The use of partitions and the layout of workstations may reduce the risk of unauthorized viewing of information on screens. Locks may prevent visitors from taking devices from the workstation area.

Strong authentication, encryption, and software access controls, for example, may mitigate the risks of poor physical security. Laptops and other mobile devices often contain these kinds of technical safeguards to mitigate risks to confidentiality.

4. Inventory and Media Control and Disposal

The Covered Entity should inventory and track the devices under its control. A failure to know what devices it has could permit personnel or persons outside the Covered Entity to take devices without authority and without detection. An up-to-date inventory allows the Covered Entity to notice if devices are missing and to investigate any discrepancies.

The Covered Entity should have policies and procedures to ensure that security-sensitive data located on hardware or electronic media is in fact destroyed prior to its disposal. "Disposing" can include reusing a piece of hardware for applications that do not require access to security-sensitive information. All security-sensitive data should be erased before reuse or disposal. When erasure is impractical, as in the case of a CD-ROM, the Covered Entity should physically destroy the electronic media.

One particular threat is the reuse or disposal of a workstation or laptop that previously stored or processed security-sensitive information. Simple file deletion generally does not permanently erase the information: it removes the directory entry, and the underlying blocks remain readable until they happen to be overwritten, so many utilities can easily recover these files. The Covered Entity should use a secure data destruction methodology to cleanse any storage media before reusing it.
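
As an added example (not from the original guide), the following shows the difference between a plain delete and an overwrite-before-unlink for a single file, using a constructed sample record. The caveat in the docstring is the part a practitioner needs: in-place overwriting is only meaningful on media that actually rewrites the same blocks, so for SSDs, copy-on-write or journaling file systems, snapshots, and cloud volumes the right tool is full-disk encryption with key destruction, the drive's own sanitize command, or physical destruction, as the text says for media that cannot be erased.

```python
import os
import tempfile

# Constructed sample record (not real data).
SAMPLE_RECORD = b"patient=J. Doe ssn=123-45-6789 dx=redacted"


def overwrite_and_unlink(path, passes=2, chunk=1 << 20):
    """Overwrite a file's contents in place, sync to disk, then remove it.

    Returns the number of bytes overwritten per pass.

    Caveat: this helps only where the file system rewrites the same physical blocks
    (a classic in-place file system on a magnetic disk). On SSDs (wear levelling),
    copy-on-write or journaling file systems, snapshots, and cloud block stores the old
    blocks can survive untouched. There, rely on whole-disk encryption plus key
    destruction, the device's built-in secure-erase/sanitize command, or physical
    destruction instead of this routine.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))      # random data, so no pattern survives
                remaining -= n
            f.flush()
            os.fsync(f.fileno())            # force the overwrite out of the page cache
    os.remove(path)
    if os.name == "posix":
        # Sync the directory too, so the unlink itself is durable.
        dir_fd = os.open(os.path.dirname(os.path.abspath(path)), os.O_RDONLY)
        try:
            os.fsync(dir_fd)
        finally:
            os.close(dir_fd)
    return size


def demo():
    """Write the sample record to a temp file, scrub it, and report (bytes scrubbed, still exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_RECORD)
    size = overwrite_and_unlink(path)
    return size, os.path.exists(path)


if __name__ == "__main__":
    print("scrubbed %d bytes, file still present: %s" % demo())
```

For a whole workstation or laptop being decommissioned, scrubbing individual files is the wrong granularity anyway: wipe or destroy the entire device, and keep a record of which serial number was sanitized, when, and by what method, to tie the disposal back to the inventory.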

C. Technical Safeguards

Technical safeguards are security controls protecting security-sensitive information that are carried out by technology or managed through technology. Security hardware and software enable the Covered Entity to implement such controls. Among other things, technical safeguards prevent unauthorized access to security-sensitive information, protect against malware, provide audit trails for investigation or assessments, and prevent corruption or tampering with systems.

1. Access Control Technology

Access control systems should identify, authenticate, and authorize people and processes, implement a method of mediating access to information based upon the authenticated entity's authority, and log information accesses for later review. The Covered Entity should set policies and procedures on how it manages access control to security-sensitive information. These policies and procedures should include controls to ensure:

  • Every user is uniquely identified and authenticated.
  • User activity is logged.
  • Access controls are in place and are effective (e.g., security-sensitive information is kept secure and/or encrypted to ensure its confidentiality).

In addition, the Covered Entity should have systems to prevent unauthorized access to systems containing security-sensitive information (e.g., firewalls) and to detect intrusions (e.g., intrusion detection systems).
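
The three requirements above (every access mediated by an identified, authenticated entity's authority; every decision logged; default deny) are what a reference monitor provides. The following is an added illustration, not code from the original guide: a small role-based monitor with a constructed policy (the roles, resources, and users are hypothetical). It assumes the caller has already been authenticated and passes a unique user ID; the monitor looks up that user's authority, denies anything the policy does not explicitly grant, and records both allows and denials so the log can later show who tried what.

```python
from datetime import datetime, timezone

# Constructed role-based policy: role -> resource -> permitted actions (hypothetical).
POLICY = {
    "nurse":   {"patient_chart": {"read", "append"}},
    "billing": {"invoice": {"read", "write"}, "patient_chart": {"read"}},
    "admin":   {"user_account": {"create", "disable"}},
}
# Constructed user store: unique identity -> role. Identity is never shared.
USERS = {"alice": "nurse", "bob": "billing", "carol": "admin"}
# Constructed protected data.
CHARTS = {"pt-001": "constructed chart text"}


class ReferenceMonitor:
    """Mediates every access: identify the caller, look up authority, decide, log."""

    def __init__(self, policy, users):
        self.policy, self.users, self.audit = policy, users, []

    def authorize(self, user_id, resource, action):
        role = self.users.get(user_id)
        # Default deny: unknown identity, unknown role, or action not granted all fail.
        allowed = (role is not None
                   and action in self.policy.get(role, {}).get(resource, set()))
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user_id, "role": role, "resource": resource,
            "action": action, "decision": "ALLOW" if allowed else "DENY",
        })
        return allowed

    def denials(self, user_id=None):
        """Denied attempts, optionally for one user: the first thing to review in the log."""
        return [r for r in self.audit
                if r["decision"] == "DENY" and (user_id is None or r["user"] == user_id)]


def fetch_chart(monitor, user_id, chart_id):
    """Every data path goes through the monitor; there is no way to read a chart around it."""
    if not monitor.authorize(user_id, "patient_chart", "read"):
        raise PermissionError(f"{user_id} may not read patient_chart")
    return CHARTS[chart_id]


if __name__ == "__main__":
    rm = ReferenceMonitor(POLICY, USERS)
    print(fetch_chart(rm, "alice", "pt-001"))
    try:
        fetch_chart(rm, "carol", "pt-001")
    except PermissionError as e:
        print("denied:", e)
    for rec in rm.denials():
        print(rec)
```

The pattern scales by replacing the dict with a policy store and the list with a write-once log; what must not change is that the check and the log entry happen in the same place, so no access can be granted without being recorded.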

2. Patching/Updates

Covered Entities should have systems for regularly updating system and application software. Software manufacturers regularly issue patches and software updates to address security vulnerabilities and improve the ability of the software to resist attacks. Keeping software up to date will lower the risk of exploits and malware. The recent Equifax breach apparently stemmed from the company's failure to update software to address a known vulnerability for which a patch was already available.
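
Knowing whether installed software is below the version that fixed a published vulnerability is the routine check behind this paragraph. The following is an added example, not code from the original guide: it compares a constructed software inventory against a constructed list of minimum fixed versions (both hypothetical; no real product or advisory is implied) and handles the details that trip up naive string comparison: "10.0" is newer than "9.9", "2.3" equals "2.3.0", and a pre-release such as "1.1.0-rc1" is older than "1.1.0".

```python
import re


def parse_version(v):
    """Split '2.3.32' or '1.1.0-rc1' into a comparable tuple.

    Numeric segments become (1, int); non-numeric ones (pre-release tags) become (0, str),
    so they sort below any numeric segment in the same position.
    """
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-]", v))


def is_older(installed, minimum):
    """True when `installed` is strictly below `minimum`."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    a += ((1, 0),) * (n - len(a))     # pad so '2.3' compares equal to '2.3.0'
    b += ((1, 0),) * (n - len(b))
    return a < b


# Constructed inventory and minimum fixed versions (hypothetical names and numbers).
INVENTORY = {"web-framework": "2.3.31", "db-driver": "8.0.12", "tls-lib": "1.1.0-rc1"}
MINIMUM_FIXED = {"web-framework": "2.3.32", "db-driver": "8.0.11", "tls-lib": "1.1.0"}


def outdated(inventory, minimum_fixed):
    """Packages still below their fixed version: {name: (installed, minimum_fixed)}."""
    return {pkg: (ver, minimum_fixed[pkg]) for pkg, ver in inventory.items()
            if pkg in minimum_fixed and is_older(ver, minimum_fixed[pkg])}


if __name__ == "__main__":
    for pkg, (have, need) in outdated(INVENTORY, MINIMUM_FIXED).items():
        print(f"{pkg}: installed {have}, needs at least {need}")
```

In practice the inventory comes from the package manager or an agent and the fixed-version list from vendor advisories or a vulnerability feed; the comparison logic is the piece that must be right, because a mis-ordered "10" and "9" silently hides exactly the exposures this section is about.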

3. Logging

Covered Entities should have a technical method for logging user and system activity and a method, automated or procedural, for examining that activity log at some later time. The overall intent of this requirement is to give the Covered Entity a means of monitoring user access to security-sensitive information and to hold users accountable for their access behavior. Logs of machine processes help in monitoring the status of systems, and may assist in investigations of malicious activity, as well as of possible corruption or software errors.

4. Integrity Controls

Covered Entities should use technology to prevent, or at least detect, improper data alteration and destruction from causes such as:

  • Equipment failure.
  • User accidents.
  • Malicious user acts.

Technologies like redundant arrays of inexpensive disks (RAID), error-correcting memory, and fault-tolerant (clustered) systems already exist to reduce the risk of data alteration or loss from equipment failure. Well-designed user interfaces to databases and applications can reduce accidental data alteration or loss. Digital signature technology assists in detecting malicious data manipulation or corruption: it does not stop an alteration, but it makes any alteration evident to whoever verifies the signature.
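
An audit log is itself security-sensitive data whose integrity matters, which ties the logging section above to this one: a log that an intruder or insider can quietly edit cannot hold anyone accountable. The following added example (not code from the original guide) shows a keyed hash chain, the simplest form of the tamper-evidence the paragraph describes: each record's tag is an HMAC over the record and the previous tag, so editing, deleting, or reordering any earlier record breaks verification of everything after it. The records and key are constructed for illustration. Because the HMAC key is the only secret, anyone holding it can rebuild the chain; for protection against that party, sign the running tag with a private key kept off the logging host, or periodically export the latest tag to a system the log writers cannot reach.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # tag "before" the first record


class AuditLog:
    """Append-only log where each record's tag chains to the previous one."""

    def __init__(self, key):
        self.key = key
        self.records = []           # list of (record_json, tag_hex)

    def _tag(self, prev_tag, record_json):
        msg = prev_tag.encode() + record_json.encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def append(self, record):
        # Canonical JSON so the same record always serializes the same way.
        rec = json.dumps(record, sort_keys=True, separators=(",", ":"))
        prev = self.records[-1][1] if self.records else GENESIS
        self.records.append((rec, self._tag(prev, rec)))

    def verify(self):
        """Return the index of the first record whose tag fails, or None if intact."""
        prev = GENESIS
        for i, (rec, tag) in enumerate(self.records):
            if not hmac.compare_digest(tag, self._tag(prev, rec)):
                return i
            prev = tag
        return None


def demo():
    """Build a three-record log, then try to alter and to hide a denial; report what verify() sees."""
    key = b"constructed-demo-key-keep-real-keys-in-an-HSM"   # constructed, not a real secret
    log = AuditLog(key)
    log.append({"user": "alice", "action": "read", "resource": "patient_chart", "decision": "ALLOW"})
    log.append({"user": "mallory", "action": "read", "resource": "patient_chart", "decision": "DENY"})
    log.append({"user": "bob", "action": "write", "resource": "invoice", "decision": "ALLOW"})
    intact = log.verify()                                      # None: nothing wrong yet

    rec, tag = log.records[1]
    log.records[1] = (rec.replace('"DENY"', '"ALLOW"'), tag)    # insider edits the record text
    after_edit = log.verify()                                  # 1: the edited record fails

    log.records[1] = (rec, tag)                                # put it back ...
    del log.records[1]                                         # ... then try to hide it entirely
    after_delete = log.verify()                                # 1: the next record's chain breaks
    return intact, after_edit, after_delete


if __name__ == "__main__":
    print(demo())
```

The same chain can be verified by an auditor who only has the records, the key, and the expected final tag; writing that final tag somewhere the log host cannot alter is what turns "we log everything" into evidence that will survive scrutiny.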

5. Authentication

Authentication technology permits a Covered Entity to know that an authorized person, entity, or process is gaining access to information or systems. Systems commonly employ passwords, tokens, biometrics, or dial-back techniques to verify an individual's or entity's identity. Covered Entities often use these authentication technologies to control access to security-sensitive information.
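
Two of the factors named above, a password and a token, can be verified with nothing beyond the Python standard library. The following is an added example, not code from the original guide. The password half stores a salted PBKDF2-HMAC-SHA256 digest (never the password) and compares in constant time; the token half implements RFC 6238 TOTP, the algorithm behind most hardware and phone one-time-code tokens, and accepts one step of clock drift either way. The iteration count and drift window are assumed settings; the TOTP test secret is the one published in RFC 6238's test vectors.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 600_000     # assumed setting; raise as hardware allows
TOTP_STEP = 30                  # seconds per code, as in RFC 6238


def make_password_record(password):
    """Salted PBKDF2 record to store instead of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def totp(secret, for_time=None, step=TOTP_STEP, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the variant common tokens use."""
    now = time.time() if for_time is None else for_time
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, for_time=None, window=1, digits=6):
    """Accept the current code or one from `window` steps either side (clock drift)."""
    now = time.time() if for_time is None else for_time
    return any(hmac.compare_digest(totp(secret, now + k * TOTP_STEP, digits=digits), code)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    rec = make_password_record("correct horse battery staple")
    print("password ok:", verify_password(rec, "correct horse battery staple"))
    seed = b"12345678901234567890"          # RFC 6238 test-vector secret
    print("code at T=59:", totp(seed, for_time=59))
```

Note what each half does not do: the password record proves the user knows a secret, and the code proves they hold the seed, but neither replaces the policy controls around issuing and revoking those secrets that the credential-management section above describes.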

6. Transmission Security/Wireless Security

Covered Entities should protect security-sensitive data while it is in transit over a network, such as office wireless networks or the Internet. Security threats addressed include:

  • Eavesdropping – An unauthorized person "listens" in on an unprotected or open network carrying security-sensitive information.
  • Data modification – Interception and covert modification of security-sensitive information by an intruder in a way that the recipient cannot detect.

The Covered Entity should protect information while in transit commensurate with the transmission security risks and their associated mitigation costs.

7. Encryption

The Covered Entity should evaluate and decide whether to encrypt some or all of its security-sensitive information while it is at rest in storage or transmitted over networks. Considerations going into this decision include:

  • The recipients' ability to receive and decrypt an encrypted message.
  • The sensitivity of the transmitted information.
  • The potential impacts of unauthorized disclosure.
  • The costs of implementing, managing, and operating the encryption system.
  • The vulnerabilities of storage, the network, and overall environment.
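
The two transmission threats listed in the previous section, eavesdropping and undetectable modification, are not both answered by encryption alone, which is the caveat a practitioner needs when weighing the encryption considerations above. The following is an added example, not code from the original guide, and it serves both sections: it uses a small illustrative stream cipher (an HMAC-SHA256 counter-mode keystream, chosen only because it needs no third-party library; it is not a standard cipher and should not be deployed) to show that encryption stops eavesdropping but lets an attacker flip a bit and change a constructed "0100.00" transfer into "9100.00" with no error, and that adding a MAC over the ciphertext (encrypt-then-MAC) makes the same tampering detectable. In production use TLS for data in transit and an authenticated mode such as AES-GCM or ChaCha20-Poly1305 for data at rest; the keys and message here are constructed.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256. Illustrative PRF construction only."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:length]


def encrypt_only(key, plaintext):
    """Confidentiality only: nonce || plaintext XOR keystream."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt_only(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def encrypt_then_mac(enc_key, mac_key, plaintext):
    """Confidentiality and integrity: ciphertext || HMAC(ciphertext)."""
    blob = encrypt_only(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def decrypt_and_verify(enc_key, mac_key, msg):
    """Returns the plaintext, or None if the message was altered in transit."""
    blob, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, blob, hashlib.sha256).digest()):
        return None                     # the recipient now *can* detect modification
    return decrypt_only(enc_key, blob)


def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    order = b"transfer amount=0100.00 to=acct-771"          # constructed sample message
    c = encrypt_only(enc_key, order)
    # Eavesdropper sees only c; the legitimate recipient still decrypts it.
    round_trip_ok = decrypt_only(enc_key, c) == order
    # Modification attack: flip the bits that turn the leading '0' into '9'.
    i = NONCE_LEN + order.index(b"0100")
    flip = ord("0") ^ ord("9")
    tampered = c[:i] + bytes([c[i] ^ flip]) + c[i + 1:]
    silently_changed = decrypt_only(enc_key, tampered)       # amount is now 9100.00, no error
    # Same attack against encrypt-then-MAC is rejected.
    m = encrypt_then_mac(enc_key, mac_key, order)
    tampered_m = m[:i] + bytes([m[i] ^ flip]) + m[i + 1:]
    return (round_trip_ok,
            silently_changed,
            decrypt_and_verify(enc_key, mac_key, m) == order,
            decrypt_and_verify(enc_key, mac_key, tampered_m))


if __name__ == "__main__":
    ok, changed, mac_ok, mac_tampered = demo()
    print("plain decrypt ok:", ok)
    print("undetected change:", changed)
    print("MAC verify ok:", mac_ok, "| tampered message accepted:", mac_tampered is not None)
```

The lesson carries over to the encryption decision list: "the vulnerabilities of storage, the network, and overall environment" include an active attacker, and against an active attacker confidentiality without integrity protection is not enough.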

D. Robust Policies, Procedures, Standards and Documentation

Covered Entities should maintain robust documentation relating to their security programs. Common types of documentation include:

  • Policies – Management's documented statement of intent.
  • Standards – Policy-mandated technical measures the Covered Entity will use to solve specific problems. Standards frequently specify the appropriate use of technology.
  • Guidelines – Suggested, usually strongly suggested, behavior recommendations that usually will be followed.
  • Procedures – Documented methods for implementing mandated processes.

Policies are more general than other forms of documentation, while procedures are the most specific form of documentation. Standards and guidelines are in between. Documentation also includes security-related records, such as risk assessments, risk management decision-making, and records of investigations.

VII. Incident Response Steps: What Happens When There is a Breach?

Imagine for a moment that you believe your company may have experienced a data breach. In other words, your company has detected or has been notified of some event. What do you do now?

First, take a deep breath. It is important to think clearly and not react instantly based on gut feelings and instinct.

Next, if you have done advance planning, you will have a breach response plan ready to go. It is a matter of executing the plan that you have already created. Initial steps include notification of your breach response team. Depending on the nature of the breach, team members include senior executives from the legal, IT, security, HR, marketing, and finance departments. Initial meetings can focus on the nature of the events, the initial take on what happened, understanding the severity of the incident, and identifying affected external parties or participants in the event.

Following the initial meetings, the first days of a breach response include an internal investigation to determine the facts and circumstances surrounding the apparent breach. What really happened? Information begins streaming in, and it may or may not show that a breach occurred. If it is clear that a breach occurred, it might not be clear how it happened, who was responsible, and whether it is still ongoing. The internal investigation stage is to find answers to all of these questions.

At the same time the internal investigation is starting, internal IT, security, and perhaps external forensic experts should be analyzing systems to determine the best course of action to prevent further exploitation of the breach, minimize the damage from the breach, determine the source and scope of the attack, leave open the possibility of a law enforcement investigation, find evidence of the attacker, and preserve evidence needed for later legal proceedings, including both defensive and offensive actions. It may not be possible to meet all of these goals. Accordingly, the company may need to decide on the priority of these goals.

During this initial phase, the company should also consider notifying law enforcement. Collaborating with law enforcement has plusses and minuses beyond the scope of this paper. One important plus for involving law enforcement, however, is the fact that under many states' breach notification laws, a company may delay making required breach notifications if law enforcement believes that such delay is important for its investigation of the breach. Accordingly, working with law enforcement may buy the company some time when it comes to making decisions about the need for, or the timing of, breach notifications.

While the internal investigation is getting underway, the legal team can determine the legal posture of the company in light of the breach. The legal team should consider implementing a litigation hold and its scope, as well as taking steps to preserve evidence relevant to possible litigation. It should also begin analyzing possible claims that parties could assert against the company, or possible claims that the company has against others, arising from the apparent breach.

Keep in mind that if investigations may show that the company had vulnerabilities, the company may want to have outside counsel hire the computer forensic experts investigating the breach. Hiring experts in this way makes them an extension of outside counsel. Communications between the company and such experts can be protected by the attorney-client privilege. Thus, when the company is discussing vulnerabilities and weaknesses in systems or other information that may tend to indicate liability, it can protect such discussions with the privilege.

Upon the completion of an initial internal investigation, the company should have developed enough information to decide if a breach notification is necessary and, if it is, whom the company should notify. Different jurisdictions have different triggers for notifications, and it is important to analyze their different laws to decide whether notification is needed. If notifications are required, then the company should determine the timing and begin drafting the notices for review and approval by the team. Once approved, the company should send notices out as quickly as possible.

In preparing the notices, the company should account for requirements about the content of the notices. It should also take into account those jurisdictions requiring notification to the attorney general or other entities, in addition to the affected individuals. Finally, it should be aware of possible alternative means of notice under certain state laws, in case these means are the only way to inform some of the affected individuals.

Once an investigation is completed and law enforcement has wrapped up its investigation, the company can modify systems, close vulnerabilities, and remediate problems uncovered by the investigation. The idea here is to prevent the attackers from making additional attacks or exploiting the current breach. In addition, these steps will hopefully prevent future breaches by others.

Following the remediation phase, the company can then "close the loop" and undertake steps to evaluate what happened and make changes to prevent future breaches. For example, post-breach analysis is a good time to reconsider the controls in the company's security program and make changes and upgrades to minimize the risk of future breaches. The company may wish to make changes in its security policies, its procedures, technical standards, training programs, supporting guidelines, or technology.

In addition, the company may want to undertake a new risk assessment to provide an updated view of the company's security posture. A risk assessment is a fundamental tool to determine what risks exist, which risks to mitigate, which risks it makes sense to shift (e.g., through insurance or indemnities), and which risks to accept.

Upon completion of these steps, the company should implement changes to procedures, standards, training, guidelines, and technology based on the information developed in this phase. At the end of this process, the company will hopefully be in a better position to deter, detect, and prevent security breaches.

VIII. Secure Electronic Commerce Systems

How does a company conduct electronic commerce in a secure way? In creating secure ecommerce systems, a company may seek to take advantage of the Internet to open new markets and facilitate paperless transactions at Internet speed. At the same time, companies want to enter into enforceable transactions and impose limitations of liability, disclaimers, and other critical terms on their customers or vendors. How can a company set up an ecommerce system to meet all of these goals?

Your company may use technologies such as digital signatures, supported by digital certificates or their equivalent, to authenticate contracting parties, facilitate the encryption of transactional information to protect its confidentiality, and tie contracting parties to your terms of service or other agreements. Other technologies provide similar assurances of security, although perhaps not as effectively as digital signatures and digital certificates.

Establishing secure electronic commerce systems involves making use of security technology, supported by procedures and training, to facilitate online transactions. The systems of the company and of the vendors providing the technology or supporting services will need to implement many of the security controls discussed above. Implementing such controls will enable the company to create a credibly secure ecommerce system, whose security can be demonstrated to customers, vendors, and other stakeholders through security audits, assessments, and related attestations.

IX. Conclusions

With the ever-increasing number of attacks from competitors, former employees, hacktivists, state actors, and organized crime, companies holding sensitive information face escalating challenges to secure their systems, comply with security laws, protect the value of their sensitive customer information and intellectual property, and minimize their liabilities. Data breaches pose considerable risks to companies. However, companies have tools at their disposal to manage the risks of data breaches. Moreover, if they take the right steps, they can recover from data breaches and increase the security of their organizations.

To find out more about how your company can reduce the risks of data security breaches, or respond to an ongoing breach, please contact Stephen Wu, (408) 573-5737.


Source: https://www.svlg.com/data-security-breaches-a-legal-guide-to-prevention-and-incident.html
