Budgets, GDPR, Australia Data Breach Law

TLP White
This week we revisit budgets, finish up with GDPR, look down-under, and worry about adversaries exploiting our data breach laws. Welcome back to Hacking Healthcare:

Hot Links –
1. Budgets: The HHS Secretary went in front of House Ways and Means last Wednesday for a two-hour budget hearing. Cybersecurity was mentioned only in passing – by Rep. Patrick Meehan (R-PA) who encouraged the Secretary to engage with Congressional leadership on efforts to protect the safety and privacy of patients.
Since then, HHS has put out their 2019 “Budget in Brief,” which adds details to the high-level budget proposal put out by the President last week. The budget proposes $68 million to “ensure the Department is able to detect, manage, and remediate cybersecurity risks.” While these are mostly funds designated to help protect HHS from cyber threats, there is also intent to “proactively engage with a range of stakeholders.” The budget proposal represents an increase of $18 million over the 2018 enacted budget.
A Budget in Brief can also be a helpful way to understand future Departmental plans. This document is no different and reveals OCR’s intent to develop guidance documents that explain “how to effectively respond to cybersecurity threats, including issuing resources to illustrate the steps HIPAA-covered entities or business associates should take in response to a cyber-related security incident.”

2. GDPR: For the last couple weeks we have looked at the foundations of GDPR and its implications in terms of breach notification requirements and potential penalties for non-compliance. But compliance with GDPR includes some proactive organizational measures related to how data is protected when stored and processed. Today we will look at those.

Register as an NH-ISAC member to get access to this analysis each and every week!

3. Privacy Shield: Tune in next week for more detail on Privacy Shield – a 2016 framework that sets the protections required when personal data is transferred between the EU and the US. Here’s a primer if you want to jump right in: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en

4. Australian Data Breach Law: Starting February 22 (this Thursday), Australia will introduce a new data breach notification requirement for organizations conducting business in the country. The law requires notification of affected individuals and the government in the event of unauthorized access to, unauthorized disclosure of, or loss of personal information that is “likely to cause serious harm.” This requirement applies to all health service providers and organizations that hold health data on individuals. It also covers all other organizations operating in Australia with an annual turnover exceeding AUD 3 million.

When a suspected breach that may require notification is discovered, the organization has 30 days to complete an assessment of it. If the assessment determines that serious harm is likely, notification must occur “as soon as practicable.” Notification can take the form of direct notice to impacted individuals or broad publication of the incident. Importantly, the notification must include recommendations on steps impacted individuals can take to protect themselves.

NH-ISAC is planning its first Australian Cybersecurity Workshop on April 13 in Sydney. Sign-up here: https://nhisac.org/events/nhisac-events/healthcare-cybersecurity-workshop-australia/

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.
