White House Publishes National Cybersecurity Strategy Implementation Plan

The White House has published a roadmap for implementing President Biden’s March 2023 National Cybersecurity Strategy to ensure transparency and a continued path for coordination. The National Cybersecurity Strategy Implementation Plan (NCSIP) includes more than 65 federal initiatives that aim to improve resilience against cyber threats and disrupt cyber threat operations, and changes how the United States allocates roles, responsibilities, and resources in cyberspace.

Two major shifts include ensuring that the biggest, most capable, and best-positioned entities in both the public and private sectors assume a greater share of the burden for mitigating cyber risk and increasing the incentives to favor long-term investments in cybersecurity. The initiatives are based on five pillars and aim to achieve 27 strategic objectives. The first pillar is concerned with defending critical infrastructure against cyberattacks that are increasing in number and sophistication. Cybersecurity requirements will be established to support national security and public safety across all critical infrastructure sectors, including healthcare. Public-private collaboration will be scaled to drive the development and adoption of secure-by-design and secure-by-default technology, Federal defenses will be modernized, and the Federal incident response plans and processes will be updated.

The second pillar is concerned with the disruption and dismantling of threat actors’ infrastructure. The initiatives include increasing the speed and scale of intelligence sharing and victim notification, the prevention of abuse of U.S. infrastructure, countering cybercrime, and disrupting ransomware. The third pillar is concerned with shaping market forces to drive security and resilience, including initiatives to drive the development of secure IoT devices, shifting liability for insecure software products and services, using grants and other incentives to ensure built-in security, and exploring the need for a Federal cyber insurance backstop for catastrophic cyber events.

The fourth pillar concerns investment in a cyber-resilient future, including securing the technical foundation of the internet, improving federal research and development in cybersecurity, preparing for a post-quantum computing future, and developing a national strategy for strengthening the cyber workforce. The fifth pillar involves forging international partnerships to pursue shared cybersecurity goals, including building coalitions to counter digital threats, strengthening the capabilities of international partners, expanding the ability of the U.S. to assist allies and partners in achieving shared goals, and securing global supply chains for information, communications, and operational technology products and services.

The plan will be spearheaded by 18 Federal agencies, with the Office of the National Cyber Director (ONCD) coordinating all activities under the plan. Several of the initiatives are already underway and some have already been completed ahead of schedule.

The post White House Publishes National Cybersecurity Strategy Implementation Plan appeared first on HIPAA Journal.

First Lawsuit Filed Against HCA Healthcare Over 11 Million-Record Data Breach

Lawsuits against HCA Healthcare were an inevitability following a data breach that affected approximately 11 million individuals and saw the stolen data listed for sale on a dark web forum. The breach was announced by HCA Healthcare on July 10, 2023, and while the total number of affected individuals has yet to be confirmed, 27 million lines of data were compromised, which equates to around 11 million individuals.

Since the investigation is still in the early stages, little information has been released so far about the nature of the cyberattack, other than an unauthorized individual gaining access to an external storage location used for formatting emails. HCA Healthcare said highly sensitive information such as Social Security numbers, financial information, and clinical information does not appear to have been compromised, only information such as names, dates of birth, email addresses, phone numbers, and next appointment dates.

The first lawsuit in relation to the breach was filed in the Tennessee Middle District Court on Wednesday by the law firms Shamis & Gentile and Kopelowitz Ostrow Ferguson Wieselberg Gilbert, naming Gary Silvers and Richard Marous as plaintiffs. The lawsuit, Silvers et al v. HCA Healthcare, Inc., alleges a failure to comply with the HIPAA Rules and FTC guidelines, and that HCA Healthcare was negligent by failing to safeguard the personal and protected health information of patients. As a result of that negligence, patient data is now in the hands of cybercriminals and the plaintiffs and class members are likely to have their sensitive data misused in a variety of fraudulent ways and face a lifetime risk of identity theft and fraud.

This lawsuit claims injuries have been suffered in a number of ways, including the lost or diminished value of private information, costs associated with the prevention, detection, and recovery from identity theft and fraud, lost opportunity costs to mitigate the data breach’s consequences and lost time, and emotional distress from the loss and control of “highly sensitive private information.”

The lawsuit seeks monetary damages, legal fees, a jury trial, and injunctive relief, requiring HCA Healthcare to implement a variety of safeguards to better protect patient data. The injunctive relief requested includes data protection through encryption, the deletion of private information unless there is a legitimate reason for retaining that information, prohibiting the storage of data in a cloud-based database, independent third-party security audits, data segmentation, the implementation and maintenance of threat management and monitoring programs, and audits, tests, and training of security personnel.

Lawsuits are commonly filed following healthcare data breaches and a breach of this magnitude is likely to trigger many more lawsuits over the coming days and weeks; however, while legal action can be taken, there is no guarantee of success. Healthcare data breach lawsuits often hinge on whether there has been a concrete injury that more than likely was caused by a specific data breach. Lawsuits that only allege a risk of identity theft and fraud are unlikely to be granted standing.

The post First Lawsuit Filed Against HCA Healthcare Over 11 Million-Record Data Breach appeared first on HIPAA Journal.