Is Your Cybersecurity Strategy Government Approved?

Just a few weeks back, the Department of Health and Human Services (HHS) fined Denver-based Metro Community Provider Network (MCPN) $400,000 for failing to protect some 3,200 patient records that were covered by HIPAA. The attack? An employee fell victim to a phishing scam, which allowed the attacker to gain access to her email account.

The fine (which is well below HHS’s usual range of $2M – $5M) was only the beginning, as HHS also required MCPN to: (1) conduct an initial risk assessment, (2) conduct subsequent, annual risk assessments, (3) develop and implement a risk management plan, (4) review and revise their policies and procedures, (5) review and revise the appropriate employee training materials, (6) report any future violations of such policies and procedures directly to HHS, (7) report annually to HHS on their status, (8) retain documentation and files for six years, and (9) implement a breach notification process. At the end of the day, those nine items will cost MCPN millions of dollars in legal, consulting, and auditing fees.

If this story doesn’t scare you, it should. Phishing schemes are so rampant that everyone is vulnerable, even John Podesta, the chair of Hillary Clinton’s 2016 election campaign. And if you don’t think it matters because your organization does not fall under HIPAA, you should think long and hard about the myriad government laws and agencies that do regulate your business:

  • Health and Human Services (HHS) – primarily focused on the health care system and the protection of patient information. HHS operates under HIPAA, which sets specific requirements for protecting that information. HHS has the power to levy fines and to impose corrective requirements following a breach.
  • Securities & Exchange Commission (SEC) – primarily focused on the protection of investors in public companies and securities. The SEC’s Office of Compliance Inspections & Examinations (OCIE) looks for specific disclosures by companies to ensure that there are no substantial risks to investors from potential cyber threats. The SEC can both fine and regulate in areas where it believes companies are not properly protecting against or disclosing such risks.
  • Federal Trade Commission (FTC) – primarily focused on business practices and the protection of consumers. The FTC has enforcement power under the FTC Act, FCRA, GLBA, and COPPA. While the FTC does not initially have the power to fine, it has the power to regulate security risks (via its authority over unfair business practices), as well as online terms of service (via its authority over false or misleading business practices).
  • Federal Communications Commission (FCC) – primarily focused on radio, television, and telecommunications (including wireless and internet providers), the FCC regulates carriers, including through the net neutrality regulations passed under the Open Internet Transparency Rule. While recent FCC regulations related to data privacy were overturned by Congress, such rules may well reappear in the future.
  • Department of Commerce (DoC) – primarily focused on helping business and economic growth, the DoC published the NIST Cybersecurity Framework. While the framework is voluntary, it will almost certainly be used after a security breach to show areas where an organization may have failed to reasonably secure information.
  • United States Congress – in addition to many of the federal laws indicated above, Congress has passed many others related to financial data, government data, national security-related data, and the regulation of computer crimes. Just a few of these are FCRA, GLBA, FISMA, COPPA, CFAA, and FISA.
  • Individual State Laws – aside from federal laws, 48 states have now passed some form of data breach notification law, and 31 states have passed laws that require businesses to take some type of substantive data security step.

No longer is it acceptable for a business to merely allow the IT organization to be responsible for cybersecurity. Each of these government entities demands some level of business executive ownership. Unfortunately, the patchwork of laws and regulations is complex and can be confusing. To that end, it is important to include cybersecurity as a component of any business strategy, with impacts on technology, processes, and your organization.

UPDATE 4/26/17: An astute reader has pointed out that one of my conclusions needed a little more clarification. When I said, “No longer is it acceptable for a business to merely allow for the IT organization to be responsible for cybersecurity,” I should have added, “…in a vacuum.” Government organizations (including HHS, FTC, SEC, etc.) along with security frameworks (such as NIST Cybersecurity, OCIE, SOC, etc.) require proactive board / executive-level understanding of and responsibility for cybersecurity, along with post-incident board / executive-level action.
