Just a few weeks back, the Department of Health and Human Services (HHS) fined Denver-based Metro Community Provider Network (MCPN) $400,000 for failing to protect some 3,200 patient records covered by HIPAA. The attack? An employee fell victim to a phishing email, which gave the attacker access to her email account.
The fine (well below the $2M – $5M range HHS has imposed in other settlements) was only the beginning, as HHS also required MCPN to: (1) conduct an initial risk assessment, (2) conduct subsequent, annual risk assessments, (3) develop and implement a risk management plan, (4) review and revise its policies and procedures, (5) review and revise the relevant employee training materials, (6) report any future violations of those policies and procedures directly to HHS, (7) report annually to HHS on its status, (8) retain documentation and files for six years, and (9) implement a breach notification process. At the end of the day, those nine items will likely cost MCPN millions of dollars in legal, consulting, and auditing fees.
If this story doesn’t scare you, it should. Phishing is so rampant that everyone is vulnerable, even John Podesta, the chair of Hillary Clinton’s 2016 election campaign. And if you think it doesn’t matter because your organization does not fall under HIPAA, you should think long and hard about the myriad government laws and agencies that do regulate your business:
- Health and Human Services (HHS) – primarily focused on the health care system and the protection of patient information. HHS enforces HIPAA, which sets specific requirements for protecting that information. HHS has the power to impose fines and to dictate corrective actions following a breach.
- Securities & Exchange Commission (SEC) – primarily focused on the protection of investors in public companies and securities. The SEC’s Office of Compliance Inspections & Examinations (OCIE) looks for specific disclosures by companies to ensure that there are no substantial risks to investors from potential cyber threats. The SEC can both fine and regulate in areas where it believes companies are not properly protecting or disclosing such risks.
- Federal Trade Commission (FTC) – primarily focused on business practices and the protection of consumers. The FTC has enforcement authority under the FTC Act, FCRA, GLBA, and COPPA. While the FTC generally cannot fine a company for a first violation of the FTC Act, it can regulate security practices (via its authority over unfair business practices) and online terms of service (via its authority over deceptive business practices), and it can impose penalties when a company violates a resulting FTC order.
- Federal Communications Commission (FCC) – primarily focused on radio, television, and telecommunications (including wireless and internet providers), the FCC regulates carriers, including through the net neutrality rules adopted in its Open Internet Order. While the FCC’s recent broadband privacy rules were overturned by Congress, such rules may well reappear in the future.
- Department of Commerce (DoC) – primarily focused on helping business and economic growth, the DoC, through NIST, published the NIST Cybersecurity Framework. While the framework is voluntary, it is almost certain to be used after a security breach as a yardstick for where an organization failed to reasonably secure its information.
- United States Congress – in addition to the federal laws mentioned above, Congress has passed many others covering financial data, government data, national security-related data, and computer crimes. Just a few of these are FCRA, GLBA, FISMA, COPPA, CFAA, and FISA.
- Individual State Laws – apart from federal law, 48 states have now passed some form of data breach notification law, and 31 states have passed laws requiring businesses to take substantive data security measures.
No longer is it acceptable for a business to merely allow for the IT organization to be responsible for cybersecurity. Each of these government entities demands some level of ownership by business executives. Unfortunately, the patchwork of laws and regulations is complex and can be confusing. For that reason, cybersecurity needs to be a component of any business strategy that affects your technology, processes, and organization.
UPDATE 4/26/17: An astute reader has pointed out that one of my conclusions needed a little more clarification. When I said, “No longer is it acceptable for a business to merely allow for the IT organization to be responsible for cybersecurity,” I should have added, “…in a vacuum.” Government organizations (including HHS, FTC, SEC, etc.) along with security frameworks and guidance (such as the NIST Cybersecurity Framework, OCIE’s cybersecurity examination guidance, SOC 2, etc.) require proactive board- and executive-level understanding of and responsibility for cybersecurity, along with board- and executive-level action after an incident.