Top Stories
HITRUST Selected for TEFCA Security Certification
The TEFCA Recognized Coordinating Entity (RCE) – The Sequoia Project – has selected HITRUST and the HITRUST r2 Certification as the first certifying body and certification for organizations to prove they comply with the TEFCA security requirements for their Qualified Health Information Network (QHIN) designation.
TEFCA, born from the 21st Century Cures Act, was approved by the Office of the National Coordinator for Health Information Technology (ONC), part of the U.S. Department of Health and Human Services, to enable national-level healthcare interoperability. TEFCA brings together public and private stakeholders to develop and support an exchange framework for trust policies and practices, as well as a common agreement for data exchange between Health Information Networks.
To learn more about how to prove TEFCA compliance using HITRUST, contact us today.
Breaches
Florida Orthopaedic reaches $4M settlement over 2020 health data theft | SC Media
Florida Orthopaedic Institute reached a $4 million settlement with the 647,000 patients affected by a server hack and subsequent ransomware attack in 2020. The data theft incident was the fifth-largest healthcare data breach that year.
Security
SEC, CISA push dueling cyberattack incident reporting rules - Protocol
CISA’s initiative to regulate critical infrastructure on incident reporting is just beginning. The focus on industry engagement by CISA and its director, Jen Easterly, could be about to pay off.
Janet Jackson's Rhythm Nation music video is now a vulnerability for crashing hard disks
Assigned CVE-2022-38392, the vulnerability is a Denial of Service (DoS), specifically a side-channel attack that causes the hard drives of some laptop PCs from 2005 to malfunction and crash. "It turns out that the song contained one of the natural resonant frequencies for the model of 5400 rpm laptop hard drives that they and other manufacturers used."
Privacy
Sensitive data ruling by Europe’s top court could force broad privacy reboot – TechCrunch
Since May 2018, the GDPR has set strict rules across the bloc for processing so-called ‘special category’ personal data — such as health information, sexual orientation, political affiliation, trade union membership, etc. — but there has been some debate (and variation in interpretation between DPAs) about how the pan-EU law actually applies to data processing operations where sensitive inferences may arise.
Mozilla Foundation - In Post Roe v. Wade Era, Mozilla Labels 18 of 25 Popular Period and Pregnancy Tracking Tech With *Privacy Not Included Warning
Despite handling large volumes of personal health data, most reproductive health tracking apps have opaque privacy protection policies and no clear policy on data-sharing practices with law enforcement.
Will China’s new certification rules be a popular legal path for outbound data transfers?
Article 38 of the PIPL provides several conditions (or legal paths) that must be met before a cross-border data transfer may occur.
Misc
In Tennessee, Possible Solution to the Cyber Talent Shortage - WSJ
East Tennessee State University and health insurer BlueCross BlueShield of Tennessee Inc. have teamed up to put students through an intensive program of classroom learning and practical experience in cybersecurity.
Workplace Productivity: Are You Being Tracked? - The New York Times
Across industries and incomes, more employees are being tracked, recorded and ranked. What is gained, companies say, is efficiency and accountability. What is lost?