Top Stories
News that the SEC fined Ernst & Young $100 Million because hundreds of its auditors cheated on ethics exams brought up the age-old question, "Who audits the auditor?"
The SEC accused Ernst & Young of misleading regulators about an internal report of cheating on required ethics exams, and suggested the firm’s lawyers and other executives were aware of the tip but failed to reveal it. Ernst & Young's fine seems to have resulted from the SEC investigation that ensued after KPMG was fined $50 Million in 2019 for stealing inspection information from the Public Company Accounting Oversight Board (PCAOB) in addition to internal exam cheating by its employees.
This was not Ernst & Young's first violation for cheating. A similar scandal involving more than 200 EY professionals exploiting a flaw in the company’s testing software took place between 2012 and 2015.
This is one of the reasons we at Vicis Law like working with HITRUST, where every HITRUST Validation goes through HITRUST's QA process, in which the auditor's work is scrutinized and evaluated. This is unlike other information security reporting mechanisms such as SOC audits, where an accounting firm's report is not subject to any independent Quality Assurance. To us, having a guarantee that someone is auditing the auditor is something that is sorely missing from other information security & privacy validations, and it adds to the value of a HITRUST Certification.
Breaches
GAO: HHS Needs Improved Data Breach Reporting
The Government Accountability Office is recommending the Department of Health and Human Services establish a feedback mechanism to improve the effectiveness of its data breach reporting process.
CISA reiterates two-year timeline to implement breach-reporting rules
In a House Homeland Security hearing Tuesday, Matt Hartman, deputy executive assistant director for the Cybersecurity and Infrastructure Security Agency, reiterated to lawmakers that the agency was looking at a 24-month timeline to develop specific regulations for the reporting regime and laid out a number of questions officials were grappling with as they determine the scope.
Security
Researchers disclose cloud vulnerability of accounting firm Moss Adams
A security team at VPNOverview initially found what it deemed “an improperly stored virtual machine image [belonging] to Moss Adams ... which was stored in a publicly accessible Amazon Web Services S3 bucket, [and] did not require a password.”
Over 900,000 Kubernetes instances found exposed online
Kubernetes is a highly versatile open-source container orchestration system for hosting online services and managing containerized workloads via a uniform API interface.
However, if Kubernetes isn’t configured properly, remote actors might be able to access internal resources and private assets that weren’t meant to be made public.
AHA Expresses Member Support for PATCH Act, Medical Device Security
On behalf of its nearly 5,000 member healthcare organizations, the American Hospital Association (AHA) expressed its support for the Protecting and Transforming Cyber Health Care (PATCH) Act, which was introduced by Senators in April to enhance medical device security.
Privacy
European Cloud Restrictions Could Limit U.S. Providers’ Reach - WSJ
Companies and tech associations are concerned that the coming European Union system will require that data considered critical or in need of high security measures must be stored in cloud services run by European companies, limiting businesses’ use of major U.S. providers such as Microsoft Corp., Alphabet Inc.’s Google Cloud or Amazon.com Inc.’s cloud unit.
Google Analytics enforcement fallout: ‘Cry and pray’
Authorities in Austria and France ruled earlier this year that Google Analytics violates the EU General Data Protection Regulation, and just last week, Italy’s data protection authority, the Garante, followed suit, deeming that the transfer of Google Analytics data collected through cookies by website operators is a GDPR violation.
HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care
HHS Issues Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe
Senators target security, privacy risks of mental health apps, misuse of health data
Sens. Ron Wyden, D-Ore., Elizabeth Warren, D-Mass., and Cory Booker, D-N.J., are giving some mental health app developers until July 6 to shed light on their data mining and third-party data sharing practices because of ongoing concerns about the possible misuse of health data.