Is Your Cybersecurity Strategy Government Approved?


Just a few weeks back, the Department of Health and Human Services (HHS) fined Denver-based Metro Community Provider Network (MCPN) $400,000 for failing to protect the records of some 3,200 patients covered by HIPAA. The attack? An employee fell victim to a phishing scam, which allowed the hacker to gain access to her email account.

The fine (well below the multimillion-dollar settlements HHS has imposed in other cases) was only the beginning, as HHS also required MCPN to: (1) conduct an initial risk assessment, (2) conduct subsequent, annual risk assessments, (3) develop and implement a risk management plan, (4) review and revise its policies and procedures, (5) review and revise the relevant employee training materials, (6) report any future violations of those policies and procedures directly to HHS, (7) report annually to HHS on its status, (8) retain documentation and files for six years, and (9) implement a breach notification process. At the end of the day, those nine items will cost MCPN millions of dollars in legal, consulting, and auditing fees.

If this story doesn’t scare you, it should. Phishing schemes are so rampant that everyone is vulnerable, even John Podesta, the chair of Hillary Clinton’s 2016 election campaign. And if you don’t think it matters because your organization does not fall under HIPAA, you should think long and hard about the myriad government laws and agencies that do regulate your business:

  • Health and Human Services (HHS) – primarily focused on the health care system and the protection of patient information. HHS enforces HIPAA, which sets specific requirements for protecting health information. HHS has the power to fine and to impose corrective actions following a breach.
  • Securities & Exchange Commission (SEC) – primarily focused on the protection of investors in public companies and securities. The SEC’s Office of Compliance Inspections & Examinations (OCIE) looks for specific disclosures by companies to ensure that there are no undisclosed material risks to investors from potential cyber threats. The SEC can both fine and regulate in areas where it believes companies are not properly protecting against or disclosing such risks.
  • Federal Trade Commission (FTC) – primarily focused on business practices and the protection of consumers. The FTC has enforcement power under the FTC Act, FCRA, GLBA, and COPPA. While the FTC generally cannot fine a company for a first violation of the FTC Act itself (penalties attach to violations of consent orders and of statutes such as COPPA and FCRA), it can treat inadequate security as an unfair business practice and can hold companies to their online terms of service and privacy promises under its power to act against deceptive business practices.
  • Federal Communications Commission (FCC) – primarily focused on radio, television, and telecommunications (including wireless and internet providers), the FCC regulates carriers, including through the net neutrality regulations passed under the Open Internet Transparency Rule. While recent FCC regulations related to data privacy were overturned by Congress, such rules may well reappear in the future.
  • Department of Commerce (DoC) – primarily focused on helping business and economic growth, the DoC, through NIST, published the NIST Cybersecurity Framework. While the framework is voluntary, it almost certainly will be used after a breach to show areas where an organization failed to reasonably secure information.
  • United States Congress – in addition to many of the federal laws indicated above, Congress has passed many others related to financial data, government data, national security-related data, and the regulation of computer crimes. Just a few of these include FCRA, GLBA, FISMA, COPPA, CFAA, and FISA.
  • Individual State Laws – aside from federal laws, 48 states have now passed some form of data breach notification law, and 31 states have passed laws that require businesses to take some type of substantive data security step.

No longer is it acceptable for a business to merely leave the IT organization responsible for cybersecurity. Each of these government entities demands some level of business executive ownership. Unfortunately, the complexity of the patchwork of laws and regulations can be confusing. For that reason, it is important to include cybersecurity as a component of any business strategy that will have impacts on technology, processes, and your organization.

UPDATE 4/26/17: An astute reader has pointed out that one of my conclusions needed a little more clarification. When I said, “No longer is it acceptable for a business to merely allow for the IT organization to be responsible for cybersecurity,” I should have added, “…in a vacuum.” Government organizations (including HHS, FTC, SEC, etc.) along with security frameworks (such as NIST Cybersecurity, OCIE, SOC, etc.) require proactive board / executive level understanding of and responsibility for cybersecurity, along with post-incident board / executive level actions.
