Wall Street Journal Focuses on Cybersecurity Priorities in Journal Report

June 25, 2015.  On Monday, June 22, 2015, the Wall Street Journal published “Journal Report:  CFO Network,” in which a task force outlined four critical recommendations in a section entitled:  The Pursuit of Cybersecurity.  These critical recommendations are:

 

A Primer in Four Parts on Breach under HIPAA and HITECH Act Rules: Part 4

June 23, 2015.  In recent posts, HIPAA Safeguard has discussed the critical importance of having cyber security insurance in place and supporting the underwriting process for such insurance by conducting a risk analysis and implementing safeguard policies and procedures.  In this four-part series, HIPAA Safeguard discusses the definition of breach in the HIPAA/HITECH Act healthcare environment (see Part 1, posted on June 11, 2015), the risk assessment (see Part 2, posted on June 17, 2015), factors in the risk assessment for determining a reportable breach (see Part 3, posted on June 18, 2015), breach notification requirements, and creating a safe harbor from the consequences of unsecured protected health information (PHI) that is breached.  In this final Part 4 of the series, we focus on breach notification requirements and creating a safe harbor from the consequences of unsecured protected health information (PHI) that is breached.

A Primer in Four Parts on Breach under HIPAA and HITECH Act Rules: Part 3

June 22, 2015.  In recent posts, HIPAA Safeguard has discussed the critical importance of having cyber security insurance in place and supporting the underwriting process for such insurance by conducting a risk analysis and implementing safeguard policies and procedures.  In this four-part series, HIPAA Safeguard discusses the definition of breach in the HIPAA/HITECH Act healthcare environment (see Part 1, posted on June 11, 2015), the risk assessment (see Part 2, posted on June 17, 2015), factors in the risk assessment for determining a reportable breach, breach notification requirements, and creating a safe harbor from the consequences of unsecured protected health information (PHI) that is breached.  In this part, we focus on the four factors that must be addressed in the required risk assessment and that are stated in section 2 of the definition of breach from the January 25, 2013, so-called Omnibus Final Rule [also referenced in the text as 45 FR ] that is in the Code of Federal Regulations (CFR) at 45 CFR 164.402.  Section 2 of the breach definition is repeated here, with the factors in (2)(i)-(2)(iv):

A Primer in Four Parts on Breach under HIPAA and HITECH Act Rules: Part 2

June 18, 2015.  In recent posts, HIPAA Safeguard has discussed the critical importance of having cyber security insurance in place and supporting the underwriting process for such insurance by conducting a risk analysis and implementing safeguard policies and procedures.  In this four-part series, HIPAA Safeguard discusses the definition of breach in the HIPAA/HITECH Act healthcare environment (see Part 1, posted on June 11, 2015), the risk assessment and factors in determining a reportable breach, breach notification requirements, and creating a safe harbor from the consequences of unsecured protected health information (PHI) that is breached.  In this part, we focus on the required risk assessment in determining a reportable breach that is outlined in section 2 of the definition of breach from the January 25, 2013, so-called Omnibus Final Rule [also referenced in the text as 45 FR ] that is in the Code of Federal Regulations (CFR) at 45 CFR 164.402.  Section 2 of the breach definition is repeated here:

 

A Primer in Four Parts on Breach under HIPAA and HITECH Act Rules: Part 1

 

June 11, 2015.  In recent posts, HIPAA Safeguard has discussed the critical importance of having cyber security insurance in place and supporting the underwriting process for such insurance by conducting a risk analysis and implementing safeguard policies and procedures.  In this four-part series, HIPAA Safeguard discusses the definition of breach in the HIPAA/HITECH Act healthcare environment, factors in determining a reportable breach, breach notification requirements, and creating a safe harbor from the consequences of unsecured protected health information (PHI) that is breached.  In this part, we present the definition of breach from the January 25, 2013, so-called Omnibus Final Rule [also referenced in the text as 45 FR ] that is in the Code of Federal Regulations (CFR) at 45 CFR 164.402:

 

 

 

Cyber Insurance Required for Breach Coverage

We have discussed in previous posts the importance of having cyber security insurance coverage, especially as Insurance Services Office (ISO) commercial general liability (CGL) policies now exclude coverage of HIPAA breaches in most states.  A recent Supreme Court ruling in Connecticut, reported in a May 24, 2015, article in Business Insurance entitled:  “Court rules for insurers in case of data that fell off truck,” found that “insurers are not obligated to defend or indemnify the loss of data under general liability and umbrella insurance.”  An attorney quoted in the Business Insurance article said “the ruling ‘just confirms (general liability) policies were not intended to, and do not, cover data breach crisis events.’  But separate cyber coverage is available.” 

 

Average Cost of Breached Record Up to $154 in 2015 Study

June 4, 2015.  The May 2015 IBM-sponsored Ponemon Institute Research Report, 2015 Cost of Data Breach Study:  Global Analysis, determined that “the average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.”  The $154 per lost or stolen record figure represented the global cost across a number of industries studied.  The Ponemon Research Report also found that “if a healthcare organization has a breach, the average cost could be as high as $363.”  There are a number of factors comprising the average cost, including costs associated with remediating the harm, notification of the breach to affected individuals, and lost business.  For a small covered entity or business associate, a loss of 1,000 or fewer records could imperil the viability of the business.

HIPAA Safeguard Embraces NIST ‘Cybersecurity Framework’ Functions

June 1, 2015.  On February 12, 2013, President Obama issued Executive Order # 13636:  Improving Critical Infrastructure Cybersecurity, a provision of which directed the National Institute of Standards and Technology (NIST) to develop “a framework to reduce cyber risks to critical infrastructure (the ‘Cybersecurity Framework’).”  On February 12, 2014, NIST published Version 1.0:  Framework for Improving Critical Infrastructure Cybersecurity.  Two definitions relating to terms in the title are required before examining the elements of the framework:

 
