We start with exciting news regarding a new NH-ISAC partnership and then visit the Securities and Exchange Commission’s latest guidance on data breach disclosures. We also take a look at recent healthcare breaches, including an update on the CareFirst case, and conclude with the latest Amazon team-up. Welcome back to Hacking Healthcare:
Hot Links –
1. NH-ISAC Partners With Anomali: NH-ISAC is excited to announce that we have partnered with Anomali, a leading provider of threat management and collaboration solutions. Anomali will provide NH-ISAC the tools and infrastructure necessary to enable NH-ISAC members to share threat information securely and efficiently with one another. NH-ISAC board member, Jim Routh, recently said, “Sharing threat intelligence among member firms is one of the most essential services of any ISAC… [and] [t]he NH-ISAC Board is pleased with the opportunity to work with the ThreatStream platform to enhance threat intelligence sharing for the healthcare sector.” 
2. Regulatory. Living in a Material World. Last week U.S. Securities and Exchange Commission (“SEC”) Commissioner Robert J. Jackson Jr. made “the rising cyber threat” the focus of his keynote address during the annual Tulane Corporate Law Institute conference. His remarks were some of his first as SEC Commissioner, and were timed about a month after the SEC released new guidelines on disclosing material cybersecurity risks and incidents. The new SEC guidance provides that publicly traded companies may be obligated to make timely disclosure of material cybersecurity risks and incidents that could potentially impact stock prices. The materiality standard is highly fact-specific, and is intended to balance the nature and scope of a breach, the nature of the information compromised, and the resulting harm or costs.
3. Legal News. CareFirst Data Breach Ruling: Harmless for Healthcare? Although the Supreme Court chose not to take up CareFirst’s case in February, CareFirst will have yet another opportunity to argue its case to the DC District Court. In case you forgot, the case has been working its way through federal courts since 2015. At issue is whether victims of the 2014 and 2015 CareFirst data breaches suffered an injury for purposes of establishing legal “standing.”
Because the Supreme Court will not hear the case, the Circuit Court’s decision to reverse and remand the case back to the District Court stands. Elizabeth Snell of HealthITSecurity does a nice job of explaining how the case, despite being denied by the Supreme Court, impacts healthcare.
According to Ms. Snell, the Supreme Court’s denial “is unlikely to have any significant impact on future data breach cases” because the Supreme Court’s denial leaves the DC Circuit Court’s decision in place. Therefore, she recommends that healthcare organizations continue to take cybersecurity seriously and invest in cybersecurity measures.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.
Read full blog below: HackingHealthcare Public TLP White Newsletter 3.20.2018