The new Maryland SB 207 and Kentucky HB 474 data security laws are designed to help protect insurance companies from cyber attacks by requiring them to implement cybersecurity standards and to develop, implement, and maintain a written information security program. Their service providers are also required to implement such programs, which include a requirement to report cyber security incidents within 3 days of discovery.
In this episode:
Everybody get on board! – Ep 356
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
The Privacy and Security Boot Camp
3.5 day In Person Event
Sep 12, 13, 14 and 15
PriSecBootCamp.com
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
HIPAA Say What!?!
[07:45] Say there is a social media post that has some negative stuff about your practice. What do you do? First, you should pull out your Social Media policy (yes, you should have one) and see what it says. Among other things, your policy should include some standard acceptable language that should be posted as a response in situations like this. That language should be something like “Sorry to hear that. Please contact us directly at this number and we’d be happy to help you.” Should you call the poster of the message directly? No – only if they ask you to contact them. Do NOT go on a quest to figure out exactly who it was by looking through patient records. You have to let it go.
405(d) Tip of the Week
[12:43] Practice #4: Data Protection and Loss Prevention
Data Protection and Loss Prevention Poster
For Small Organizations:
- Instill proper procedures for data protection throughout your organization. These policies and procedures manage sensitive data and can ensure consistency, reduce errors, and provide clear and explicit instructions for users.
- Implement proper Data Protection and Loss Prevention Education within your organization.
- Prohibit the use of unencrypted storage, such as thumb drives, mobile phones, or computers. Require encryption of these mobile storage mediums before use.
For Medium/Large Organizations:
- Use a classification structure for all of the data you use in your organization. You can prioritize your data using four labels: Highly sensitive, sensitive, internal and public to build a classification scheme and labeling scheme.
- Incorporate backup strategies that encompass each mission critical asset in your environment. Backups can be executed using a variety of methods including disk-to-tape, disk-to-disk, or disk-to-cloud backups.
- Establish Data Loss Prevention (DLP) systems. DLP systems should be implemented to ensure that sensitive data is used in compliance with standard data policies. Also establish advanced DLP systems that include cloud storage, onsite file storage, and web-based scanning.
Everybody get on board!
[18:29] So we’ve got two different states, and of course, the state of confusion is not one of them, but two different states that have enacted some insurance data security laws recently. So let’s talk about what is happening in Maryland and Kentucky today.
There is a great article on a privacy blog that covers the newly signed legislation: Two States Enact Insurance Data Security Laws
MD legal language of note:
Establishing certain cybersecurity standards applicable to insurance carriers, including health maintenance organizations and third-party administrators; requiring a carrier to take certain actions related to cybersecurity, including developing, implementing, and maintaining a written information security program, identifying certain threats, and establishing a certain incident response plan; applying certain requirements relating to cybersecurity to managed care organizations; etc.
Adoption of secure development practices for in-house developed applications used by the carrier and procedures for evaluating, assessing, or testing the security of externally developed applications used by the carrier.
KY incident response specific language noted:
(8) (a) As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises:
1. The confidentiality, integrity, or availability of nonpublic information in its possession;
2. The licensee’s information systems; or
3. The continuing functionality of any aspect of the licensee’s business or operations.
These laws are both based on the 668-1 Insurance Data Security Model Law.
[28:42] Third party service providers are required to comply with this law too. It also says that it means an individual who is a contractor. So independent contractors who provide services to maintain, process or store non-public information. Or, here’s one that’s important, is otherwise permitted access to non-public information through its provision of services. So we always say, I don’t care if you say you’re not going to do anything with the data. The fact that you have access to the data is what matters.
[32:18] But the big thing that is important is the written information security program. Don’t just say you’re doing it. Prove you’re doing it. And what do we say to that? You got to prove it. It shocks me how many times people say we have a comprehensive risk management plan. I’m like, cool, where’s your risk assessment? We haven’t done one of those. How did you do a plan?
Overview of requirements included in the source article:
- Risk Management Program
- Conduct risk assessments;
- Develop, implement and maintain a comprehensive written information security program based on the risk assessment and ensure that the program includes
  - (1) specified data security safeguards,
  - (2) requirements for secure development practices, and
  - (3) a cybersecurity incident response plan;
- Stay informed of emerging threats and vulnerabilities, and use reasonable security measures when sharing information;
- Address cybersecurity risks in relevant enterprise risk management processes;
- Provide cybersecurity awareness training to personnel;
- Obligate service providers to implement and maintain appropriate data security measures;
- Provide regular reporting to the insurance carrier’s board of directors on the overall status of the information security program, the insurance carrier’s compliance with the data security law, and material matters related to the information security program (such as risk assessments, risk management and control decisions, results of cybersecurity testing, cybersecurity events, and recommendations for any changes to the information security program);
- Submit written compliance certifications to the relevant state Insurance Commissioner on an annual basis;
- Maintain records of the insurance carrier’s compliance with the law and its own information security program; and
- Report certain cybersecurity incidents to the relevant state Insurance Commissioner within three business days of a determination that a cybersecurity incident has occurred.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.