
There’s a new data breach notification bill in Congress that will affect the business community as a whole, not just healthcare. It will create a new data breach disclosure requirement for federal agencies, federal contractors and critical infrastructure companies. It’s time to let folks know when breaches happen. We can’t protect ourselves from things we don’t know about.
In this episode:
New Breach Notification Bill – Ep 315
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcasts. Share us on social media. Rate us wherever you find the opportunity.
The HIPAA Boot Camp
Virtual Edition Aug 17-19, 2021
Sold Out
Great idea! Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
HIPAA Say What!?!
[04:33] Remember the “HIPAA vs HIPPA” chart from a Twitter post (https://twitter.com/BadHippa/status/1416215930393272320?s=20) that we shared back in Episode 310 – DOL Cybersecurity Guidance? We thought it was hilarious, but now it is being used as proof that HIPPA is a thing! Come on, man! Don’t educate yourself with headlines! Read the content of the article before you open your mouth to express your opinion. https://twitter.com/BadHippa/status/1417998021921439745?s=20 – HIPAA crap is happening so much now that it has created a treasure trove of memes making fun of people who act like experts explaining what they think HIPAA means. There are running jokes like asking me if I floss – HIPAA violation; asking my name – HIPPA violation. But this video is really one of the best. A lot of work went into this meme masterpiece.
Elekta Data Breach
[14:03] A few episodes ago, in Offshore or Not? – Ep 312, we talked about offshoring BAs but didn’t bring up the Elekta breach case. There is a lot going on here, but a Swedish company’s data breach has impacted a long list of providers that do radiation oncology and similar procedures. Check out the link below to learn more, as it raises a lot of questions about having vendors in other countries.
Elekta Health Data Breach Victim Count Grows
Update on Kaseya Hack
[17:15] Now, an update on the Kaseya ransomware attack that we discussed in MSPs Attacked Again – Ep 313, where the cyber gang REvil launched a ransomware attack through the Kaseya VSA software that affected thousands of endpoints. Then, in the middle of the ransom negotiations, REvil disappeared. Well, apparently Kaseya has obtained a decryption key and is rolling it out as we speak. How they got it hasn’t been released yet, though.
In related news, CBS News reports that the world’s top ransomware gangs have created a cybercrime cartel in which they work together on cyber attacks.
The world’s top ransomware gangs have created a cybercrime “cartel”
It’s time the IT community started working together to combat these gangs and the new cartel. You should join an ISAC (Information Sharing and Analysis Center), a group whose whole purpose is sharing information: What are we seeing? What’s going on? What problems are we facing, or what should we be looking at protecting ourselves against? There is so much information coming at you so quickly that you need a way to keep up with threats. The major cybersecurity frameworks recommend participating in an information-sharing forum such as an ISAC.
New Breach Notification Bill
Well, well, well
[22:56] Knock me down and steal my teeth! Double Ds done told ya that! We have known for some time this was coming. We even said repeatedly in recent months that it was coming sooner rather than later. It still isn’t here yet, but this is closer than we expected to get this year. No doubt the difference is the SolarWinds case, followed by Colonial Pipeline and now Kaseya, one after another.
Senator Mark Warner hinted back in mid-June that this kind of legislation was coming. He said then that he thought the business community was starting to see things differently, which made it a good time to introduce the bill.
The bill would create a new data breach disclosure requirement for federal agencies, federal contractors and critical infrastructure companies. They would have to notify DHS, which in practice means CISA, when there is an identified breach. To get past the long-standing reluctance to admit “this happened to me,” the bill even includes limited immunity for reporting, so the information can’t be used against the company that reports it. It also would require DHS to anonymize PII when sharing information from the reports. The sponsors think this will get companies to report quickly and help everyone respond quickly.
New bill would make some companies report cyberattacks to government
Senators introduce cyber incident notification act | 2021-07-22
A few things to note:
- They are already saying covered entities will need to do X. This is not going to be fun!
- They get special treatment if they report. How long before HIPAA notifications are questioned?
- Healthcare will likely not be included due to HIPAA even though it is a critical infrastructure industry. There is usually a carve out for everything like this deferring to HIPAA.
- It is promising that this bill seems to have bipartisan support, but there is no way to guess whether it will get anywhere. It isn’t out of the question, though. Remember that the Recognized Security Practices bill was introduced in July 2020 and passed in December 2020.
Cybersecurity involves people, processes and technology. You can’t just throw technology in and think you’ve got cybersecurity covered. You’ve got to educate your staff and put processes in place in addition to having technology in place to have an effective cybersecurity program.
Organizations like CISA, the HHS 405(d) program, and NIST are releasing information and best practices on ransomware. CISA has a new StopRansomware site, and NIST has published a ransomware profile of its Cybersecurity Framework (draft NISTIR 8374), along with a fact sheet and infographics focused specifically on preventing ransomware.
Ransomware and cyber attacks are not going away; they are getting worse and happening more frequently. So it’s clear we can’t ignore this stuff anymore. We have to give it the attention it deserves and build a solid cybersecurity prevention program.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.