Tag Archives: cybersecurity

New York Joins the Wave of States Requiring Businesses to Adopt Reasonable Cybersecurity Safeguards to Protect Private Information

New York is the latest state to adopt a law that requires businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect that information. New York now joins California, Massachusetts and Colorado in setting these standards. New York’s law mandates the implementation of a data security program, including measures such as risk assessments, workforce training and incident response planning and testing. Businesses should immediately begin the process to comply with the Act’s requirements effective March 21, 2020. Notably, New York’s law covers all employers, individuals or organizations, regardless of size or location, which collect private information on New York State residents.

Read more

Read full article

Recent Indictment of Anthem Hackers Serves as a Reminder of the Importance of Rigorous Workforce Cybersecurity Training, Incident Response Plans and Formalized Security Programs

On May 9, 2019, the United States Department of Justice announced the indictment of two Chinese Nationals as members of a sophisticated hacking group responsible for the hack of Anthem, Inc. and other unnamed U.S. based large technology, communications and basic materials companies. The hack resulted in the breach of personally identifiable information of over 78 million individuals held by Anthem and the theft of confidential business information from the victimized organizations. The indictment provides a roadmap to advanced hacking attacks regularly faced by technology, healthcare and infrastructure organizations with valuable data to protect. The indictment serves as a reminder that organizations subject to advanced persistent threat from organized hacking groups should adopt a defense in depth strategy including workforce cybersecurity training, vulnerability scanning, network monitoring and comprehensive incident response plans to thwart or mitigate these attacks. These protective countermeasures should be part of the organization’s formalized information security program.

Read more

Read full article

Supreme Court Refuses to Impose Class Action Arbitration Based on Ambiguous Agreements

Our colleague Stuart M. Gerson at Epstein Becker Green recently posted an article on LinkedIn that will be of interest to our readers: “SCOTUS Today: Class Action Ambiguity Finds No Shelter Under the Federal Arbitration Act.”

Read more

Read full article

Harden Your Organization’s Domain Name System (DNS) Security To Protect Against Damaging Data Loss and Insider Threat

The importance of the Domain Name System (DNS) to your organization’s cybersecurity cannot be understated. Communications between computers on the Internet depend on DNS to get to their intended destination. Network communications begin with a query to DNS to resolve the human readable domain name to a numeric Internet Protocol (IP) address required by computers to route the transmission. A malicious party who is able to exploit a weakness in DNS can re-route sensitive traffic, including Protected Health Information (PHI), Personally Identifiable Information (PII) and other valuable information from the intended recipient to the malicious actor. Indeed, as recent attacks on DNS indicate, even encrypting the communication may not be an effective countermeasure because the transmission can be decrypted after interception. Malicious employees and other insiders may also abuse DNS as a side channel to covertly exfiltrate the organization’s most sensitive proprietary information avoiding Data Loss Prevention (DLP) countermeasures that may operate at different layers of the communication process. The recent attacks reported by the Department of Homeland Security reinforce the need to protect DNS functionality as a fundamental component of your organization’s overall cybersecurity and compliance strategy.

Read more

Read full article

Artificial Intelligence: A Potential Cybersecurity Safeguard or Viable Threat to the Healthcare Industry?

The healthcare industry is still struggling to address its cybersecurity issues as 31 data breaches were reported in February 2019, exposing data from more than 2 million people.  However, the emergence of artificial intelligence (AI) may provide tools to reduce cyber risk.

Read more

Read full article

FDA Embraces Role in Managing Medical Device Cybersecurity Risk by Issuing New Guidance

On October 18, 2018, the FDA published Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.  This guidance outlined recommendations for cybersecurity device design and labeling as well as important documents that should be included in premarket approval submissions.  This guidance comes at a critical time as the healthcare industry is a prime target for hackers.  On January 22, 2019, the U.S. Department of Homeland Security Industrial Control System Cyber Emergency Team (US-CERT) issued another advisory regarding medical device vulnerabilities.  Further, a report by KLAS Research in collaboration with the College of Healthcare Information Management Executives (CHIME) found that 18 percent of healthcare organizations reported that their medical devices were hit by malware or ransomware.  Many experts are also projecting that more cyber-attackers will target devices in 2019.

Read more

Read full article

OIG Publishes Report: FDA’s “Deficient” Cybersecurity Policies and Procedures Need Improvement

On November 1, 2018, the Office of the Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) published an audit report finding that the U.S. Food and Drug Administration’s (“FDA”) policies and procedures were “deficient for addressing medical device cybersecurity compromises.” (A copy of OIG’s complete report is available here and Report in Brief is available here.) Specifically, the OIG found that FDA’s policies and procedures were “insufficient for handling postmarket medical device cybersecurity events” and that FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices. Although the OIG report “did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event,” it noted that “existing policies and procedures did not include effective practices for responding to these events.”

Read more

Read full article

FTC Commissioner Chopra Calls for Greater (and More Expensive) Enforcement

Recent comments by the Federal Trade Commission (FTC) Commissioner Rohit Chopra should have companies on notice for increased enforcement actions across the board. During the “Privacy. Security. Risk.” Conference in Texas last week, Chopra made comments regarding his views on increasing enforcement, including the imposition of greater civil monetary penalties. “I’ve already raised concerns about settlements we do with no monetary penalties. I want to see monetary consequences for egregious breaking of the law” said Chopra as reported by the IAPP during a live podcast taping. Chopra also stated that he was troubled by current federal enforcement action in the United States, the answer to which appears in part to come with heftier fines.

Read more

Read full article

FDA Issues Draft Guidance on Management of Cybersecurity in Medical Devices

The FDA issued a new Draft Guidance today to ensure medical devices – an increasing potential target for hackers – are better protected from unauthorized digital access.

Read more

Read full article

NIST Seeks Comments on Cybersecurity Standards For Patient Imaging Devices

Our colleague  at Epstein Becker Green has a post on the Health Law Advisor blog that will be of interest to our readers in the technology industry: “NIST Seeks Comments on Cybersecurity Standards For Patient Imaging Devices.”

Read more

Read full article