October 15, 2021

Under Pressure: California Clarifies Cyber Risk Management Best Practices for Healthcare Sector

On Tuesday, August 24, 2021, California Attorney General Rob Bonta issued a guidance bulletin (the “Guidance”) to health care providers reminding them of their compliance obligations under California’s health data privacy laws and urging providers to take proactive steps to protect against cybersecurity threats. The Guidance comes, in part, as a response to federal regulators sounding the alarm over an uptick in cybercrime against hospitals and other health providers. It follows an October 2020 Joint Cybersecurity Advisory issued by the Cybersecurity and Infrastructure Security Agency,[1] the Department of Justice, and the Federal Bureau of Investigation, which assessed that malicious actors are targeting the Healthcare and Public Health Sector through ransomware attacks, data theft, and other disruption tactics.

The Guidance also arrives in the wake of a recent spike in ransomware attacks directed at healthcare providers, many of which were not reported to the Office of the Attorney General. Ransomware is malicious software that encrypts data and servers, blocking access to a network until a “ransom” is paid. It is often not immediately clear whether protected health information has been compromised following a ransomware attack, but providers should treat a successful attack as a presumed breach, which triggers the requirement to conduct an internal breach investigation under the federal Health Insurance Portability and Accountability Act (“HIPAA”). The Guidance notes that timely reporting is critical to help affected Californians “mitigate the potential losses that could result from the fraudulent use of their personal information[.]” Under California law, entities that are required to notify more than 500 Californians of a data breach must also report the breach to the Office of the Attorney General, which then notifies the general public.[2]

Citing HIPAA and the California Confidentiality of Medical Information Act (“CMIA”), the Guidance further reminds providers to implement reasonable administrative, technical, and physical security measures to prevent and mitigate ransomware and other cybersecurity attacks. The California Consumer Privacy Act (“CCPA”) also establishes data protection requirements for data not otherwise subject to CMIA or HIPAA. CCPA guidance issued in 2016 recommended that California companies implement the twenty data security controls published by the Center for Internet Security in order to provide reasonable security. The recent Guidance outlines the minimum preventative measures that California health care providers, specifically, should implement to protect their data systems from cyberattacks:

  • keep all operating systems and software housing health data current with the latest security patches;

  • install and maintain virus protection software;

  • provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;

  • restrict users from downloading, installing, and running unapproved software; and

  • maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident.

Failure to implement the aforementioned measures could expose California providers to liability.

©2021 Epstein Becker & Green, P.C. All rights reserved. National Law Review, Volume XI, Number 251

About this Author

Christopher D. Taylor, Healthcare Attorney, Epstein Becker Green
Associate

Chris Taylor* brings his passion and analytical talents to assisting health care clients with a variety of matters, from telehealth and food and drug issues to mergers, acquisitions, and divestitures. He has helped private equity firms identify and quantify the risk of proposed transactions in the health care and life sciences industries. He has also contributed research to state-level regulatory surveys for the use of health care providers seeking to expand geographically.

During and after law school, Chris worked on Capitol Hill, managing a portfolio of legislative issues,...

202-861-1895
Audrey Davis, Food and Drug Law, Epstein Becker Green, Washington, DC
Law Clerk

Audrey Davis* is a Law Clerk – Admission Pending – in the Health Care and Life Sciences practice, in the Washington, DC, office of Epstein Becker Green. She will be focusing her practice on food and drug law, fraud and abuse, health care compliance, and managed care issues.

Ms. Davis received her Juris Doctor, cum laude, from Temple University, Beasley School of Law, where she served as a Staff Editor of the Temple Law Review and on the executive board of the school’s Health Law Society. During law school, she also interned with...

202-861-1830