Cybersecurity Laws & Regulation
We are going to turn our attention to the laws and regulations that will apply to cybersecurity. In a sense, there will be parts of the discussion that will sound like alphabet soup. Like any other profession, cybersecurity practitioners have a language that may be difficult for those new to the field to understand.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) is a federal statute in the United States signed into law by President Bill Clinton in 1996. It advocates for the security and privacy of personal medical information. HIPAA pertains to covered entities and their business associates who help carry out health care activities and functions. In general, if a company simply captures information to provide to an insurance company as part of their HR function, they will not be subject to HIPAA compliance.
HIPAA lays out three different types of information safeguards: 1) administrative, 2) physical, and 3) technical. First, administrative safeguards are policies and procedures that detail how an organization is complying with the law. For example, identity and access management policies and standards govern account creation and termination functions.
The administrative controls fall into five key areas:
- Having a security management process
- Designating security personnel
- Implementing information access management
- Providing workforce training
- Performing periodic security assessments
Organizations can benefit from implementing these regardless of whether they are required to comply with HIPAA or not.
Physical safeguards are controls that physically protect against inappropriate access. For example, one such safeguard directs the proper disposal of IT equipment. Let’s think about the processes used by our organizations. How do we verify that we’ve removed potentially sensitive data such as health information? In general, we should maintain data destruction policies and ensure users are following them.
Sensitive data will end up in some of the most unlikely places. My first experience with data loss prevention was at a local state college. Our team deployed agents on all college systems, including those in the common spaces where it did not seem to make sense as computers in those areas did not process personal data. Our first round of scans discovered more than 76,000 social security numbers in local system caches located on public systems!
I have noticed that the screens used by office staff in doctors’ and dentists’ offices are often left unprotected. There have been many times I’ve been able to read patient data on a screen while interacting with office staff. HIPAA physical security safeguards prohibit unauthorized access to patient data. Remediation would be installing privacy filters that limit the viewing angles from which onscreen data can be read.
Technical safeguards control access to systems containing personal health information. Access controls are an example of these. We need to make sure technical policies and procedures are implemented appropriately in our organizations. Another example would be audit controls, which are hardware, software, and procedural mechanisms focused on recording and examining access to systems containing electronic health information. Integrity controls make sure that information has not been altered or destroyed. Transmission security is the final category. Covered HIPAA entities must implement technical security measures to guard against unauthorized access to electronic health information flowing through our networks.