by Colin Konschak and Shane Danaher
If you're in healthcare, your organization is an especially attractive cybercrime target, both because of the value of the sensitive information you are trying to safeguard and because cybersecurity in your industry is generally lax. Recent studies show that the cost of a successful attack against a healthcare organization is rising, even as it falls in other industries. Location compounds the problem: organizations doing business in the United States face the highest notification and post-breach response costs in the world. (Ponemon Institute, 2017)
A major reason for these high costs is that the healthcare industry is highly regulated and under a great deal of scrutiny, especially when it comes to safeguarding personally identifiable information (PII) and protected health information (PHI). In a previous whitepaper in this 10-part series on cybersecurity, "HIPAA and the Intersection of Cybersecurity in Healthcare," we detailed the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and other federal regulations that govern the protection of sensitive information. We also detailed the compliance responsibilities of covered entities and their business associates under HIPAA's Privacy Rule, Security Rule and Breach Notification Rule.
In preparing for a cybersecurity breach, which healthcare leaders should treat as inevitable rather than merely possible, state data breach laws must be considered alongside the federal regulations. HIPAA pre-empts contrary state laws that are less stringent than its own requirements, but where a state's breach notification law is more stringent, covered entities must comply with it as well. State laws also define "personal information," the triggering conditions and the notification deadlines differently from one another and from HIPAA, so a security incident that does not qualify as a breach under HIPAA may still require notification under one or more state laws.
In this whitepaper, we focus on ways to help ensure your organization has a well-developed plan to respond quickly and effectively to a cybersecurity breach involving the theft or ransom of sensitive information.
Download the full whitepaper – Preparing Your Cybersecurity Breach Response.