Is Your Cybersecurity Strategy Government Approved?

Just a few weeks back, the Department of Health and Human Services (HHS) fined Denver-based Metro Community Provider Network (MCPN) $400,000 for failure to protect some 3,200 patient records that were covered by HIPAA. The attack? An employee fell victim to a phishing scam, which allowed the hacker to gain access to her email account.

The fine (which is well below HHS’s usual range of $2M – $5M) was only the beginning, as HHS also required MCPN to: (1) conduct an initial risk assessment, (2) conduct subsequent, annual risk assessments, (3) develop and implement a risk management plan, (4) review and revise their policies and procedures, (5) review and revise appropriate employee training materials, (6) report any future violations of such policies and procedures directly to HHS, (7) report annually to HHS on their status, (8) retain documentation and files for six years, and (9) implement a breach notification process. At the end of the day, those nine items will cost MCPN millions of dollars in legal, consulting, and auditing fees.

If this story doesn’t scare you, it should. Phishing schemes are so rampant that everyone is vulnerable, even John Podesta, the chair of Hillary Clinton’s 2016 election campaign. And if you don’t think it matters because your organization does not fall under HIPAA, you should think long and hard about the myriad government laws and agencies that do regulate your business:

  • Health and Human Services (HHS) – primarily focused on the health care system and protection of patient information. HHS operates under HIPAA, which provides specific requirements to protect information. HHS has the power to fine and specify rules following a breach.
  • Securities & Exchange Commission (SEC) – primarily focused on the protection of investors in public companies and securities. The SEC’s Office of Compliance Inspections & Examinations (OCIE) looks for specific disclosures by companies to ensure that there are no substantial risks to investors from potential cyber threats. The SEC can both fine and regulate in areas where it believes companies are not properly protecting or disclosing such risks.
  • Federal Trade Commission (FTC) – primarily focused on business practices and the protection of consumers. The FTC has enforcement power of the FTC Act, FCRA, GLBA, and COPPA. While the FTC does not initially have the power to fine, it has the power to regulate security risks (via its power to regulate against unfair business practices), as well as regulate online terms of service (via its power to regulate against false or misleading business practices).
  • Federal Communications Commission (FCC) – primarily focused on radio, television, and telecommunications (including wireless and internet providers), the FCC regulates carriers, including through the net neutrality regulations passed under the Open Internet Transparency Rule. While recent FCC regulations related to data privacy were overturned by Congress, such rules may well reappear in the future.
  • Department of Commerce (DoC) – primarily focused on helping business and economic growth, the DoC published the NIST Cybersecurity Framework. While the framework is voluntary, it almost certainly will be used after a security breach to show areas where an organization may have failed to reasonably secure information.
  • United States Congress – in addition to many of the federal laws indicated above, Congress has passed many others related to financial data, government data, national security-related data, and the regulation of computer crimes. Just a few of these include FCRA, GLBA, FISMA, COPPA, CFAA, and FISA.
  • Individual State Laws – aside from federal laws, 48 states have now passed some form of data breach notification laws, and 31 states have passed laws that require businesses to take some type of substantive data security steps.

No longer is it acceptable for a business to merely allow the IT organization to be responsible for cybersecurity. Each of these government entities demands some level of business executive ownership. Unfortunately, the patchwork of laws and regulations is complex and can be confusing. To that end, it is important to include cybersecurity as a component of any business strategy that will have impacts on technology, processes, and your organization.

UPDATE 4/26/17: An astute reader has pointed out that one of my conclusions needed a little more clarification. When I said, “No longer is it acceptable for a business to merely allow for the IT organization to be responsible for cybersecurity,” I should have added, “…in a vacuum.” Government organizations (including HHS, FTC, SEC, etc.) along with security frameworks (such as NIST Cybersecurity, OCIE, SOC, etc.) require proactive board / executive level understanding of and responsibility for cybersecurity, along with post-incident board / executive level actions.
