Top Stories
Busy Week for the HHS
The HHS had an active week, issuing a new threat brief, guidance on telehealth security, and a new version of its Security Risk Assessment Tool.
The threat brief, Strengthening Cyber Posture in the Health Sector, explores steps that can be taken to strengthen cyber posture, including:
- Conduct regular security posture assessments
- Consistently monitor networks and software for vulnerabilities
- Define which department owns what risks and assign managers to specific risks
- Regularly analyze gaps in your security controls
- Define a few key security metrics
- Create an incident response plan and a disaster recovery plan
The telehealth guidance explains how the HIPAA rules permit covered entities to use remote communication technologies for audio-only telehealth.
Version 3.3 of the SRA Tool includes some bug fixes and feature enhancements, among them the incorporation of Health Industry Cybersecurity Practices references.
Breaches

Shields Health Care Group data breach affects 2 million patients
According to a data breach notification published on the company's site, Shields became aware of the cyberattack on March 28, 2022, and hired cybersecurity specialists to determine the scope of the incident.
Confidential Record Leak Leaves CalBar, Lawyers, Clients Exposed
California’s state bar association, which is responsible for licensing and regulating more than 250,000 lawyers in the most populous US state, is itself under scrutiny for a data leak that allowed confidential client complaint and attorney disciplinary record data to be captured by a free court records website.
Security
A New Policy Is Making Corporate Compliance Chiefs Uneasy - WSJ
Compliance officers are worried that a new Justice Department policy, aimed at raising their stature within companies, will actually make their jobs harder—and even leave them open to criminal prosecution.

Senators push for more frequent medical device cybersecurity guidance from FDA
The legislation would impose requirements on the FDA to work with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to issue binding guidance for industry and FDA staff regarding medical device cybersecurity no less than every two years.
Big Tech cries foul over EU cloud-security label – POLITICO
Four major lobby groups — ITI, CCIA Europe, BSA and Amcham EU, all of which have American cloud giants as key members — on Tuesday released a statement saying requirements aimed at boosting Europe's sovereignty over the cloud sector "are politically motivated, will create complex legal compliance procedures and will not add to increased levels of cybersecurity."
Privacy
Senate bill would ban data brokers from selling location and health data | Ars Technica
Warren's bill summary said the proposed Health and Location Data Protection Act "forbids data brokers from selling or transferring location data and health data and requires the Federal Trade Commission to promulgate rules to implement the law within 180 days, while making exceptions for HIPAA-compliant activities, protected First Amendment speech, and validly authorized disclosures."
US House committee showcases federal privacy momentum, opportunity
The proposed American Data Privacy and Protection Act discussion draft has been touted for its bipartisan and bicameral development, and such cooperation showed Tuesday with subcommittee members picking the brains of an eight-witness panel.
Canada introduces new federal privacy and AI legislation
The Digital Charter Implementation Act, 2022 features three pieces of legislation: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act.
EDPB adopts guidelines on certification as a tool for transfers and an Art. 65 dispute resolution binding decision regarding Accor | European Data Protection Board
The EDPB adopted guidelines on certification as a tool for transfers. Art. 46(2)(f) GDPR introduces approved certification mechanisms as a new tool to transfer personal data to third countries in the absence of an adequacy agreement.
New data strategy to drive innovation and improve efficiency - GOV.UK
The principles set out in the data strategy are:
- improving trust in the health and care system’s use of data
- giving health and care professionals the information they need to provide the best care
- improving data for adult social care
- supporting local decision-makers with data
- empowering researchers with the data they need to develop life-changing treatments and diagnostics
- working with partners to develop innovations that improve health and care
- developing the right technical infrastructure