Under Pressure: California Clarifies Cyber Risk Management Best Practices for Healthcare Sector
On Tuesday, August 24, 2021, California Attorney General Rob Bonta issued a guidance bulletin (the “Guidance”) to health care providers reminding them of their compliance obligations under California’s health data privacy laws, and urging providers to take proactive steps to protect against cybersecurity threats. This Guidance comes, in part, as a response to federal regulators sounding the alarm over an uptick in cybercrime against hospitals and other health providers. The Guidance follows an October 2020 Joint Cybersecurity Advisory issued by the Cybersecurity and Infrastructure Agency, the Department of Justice, and the Federal Bureau of Investigation, which assessed that malicious actors are targeting the Healthcare and Public Health Sector through ransomware attacks, data theft, and other disruption tactics on the healthcare sector.
The Guidance also arrives in the wake of a recent spike in ransomware attacks directed at healthcare providers, many of which were not reported to the Office of the Attorney General. Ransomware is malicious software that encrypts data and servers to block access to a network until a “ransom” is paid. Oftentimes, it may not be immediately clear whether protected health information has been compromised following a ransomware attack, though providers should treat a successful attack as a presumed breach, thereby triggering the requirement to conduct an internal breach investigation under the federal Health Information Portability and Accountability Act (“HIPAA”). The Guidance notes that timely reporting is critical to help affected Californians “mitigate the potential losses that could result from the fraudulent use of their personal information[.]” Under California law, entities that are required to notify more than 500 Californians of a data breach must also report the breach to the Office of the Attorney General, who then notifies the general public.
Citing HIPAA and the California Confidentiality of Medical Information Act (“CMIA”), the Guidance further reminds providers to implement reasonable administrative, technical, and physical security measures to prevent and mitigate against ransomware and other cybersecurity attacks. The California Consumer Privacy Act (“CCPA”) also establishes data protection requirements for data not otherwise subject to CMIA or HIPAA. CCPA guidance issued in 2016 recommended that California companies implement the twenty data security controls published by the Center for Internet Security to provide reasonable security. The recent Guidance outlines the minimum preventative measures that California health care providers, specifically, should implement in order to protect their data systems from cyberattacks:
keep all operating systems and software housing health data current with the latest security patches;
install and maintain virus protection software;
provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;
restrict users from downloading, installing, and running unapproved software; and
maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident.
The failure to implement the aforementioned measures could render California providers vulnerable to liability.