P. 48
Last year was a memorable one for data security breaches, and so far, 2015 looks to be no different. These data breaches have occurred at some of the country's largest financial institutions, within some of the biggest retailers, and at what at least seemed to be some of the most impenetrable government agencies. These attacks have led to a renewed discussion about the role that regulators should play in holding organizations accountable for data breaches.

To date in the United States, however, it has been entities connected to the healthcare industry that have encountered the vast majority of financial penalties in the event of such breaches. Under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), healthcare organizations can and have incurred significant penalties for not adhering to the formalized security requirements and procedures outlined within these laws and associated regulations.

This past May, New York Presbyterian Hospital and Columbia University Hospital were cumulatively fined $4.8 million when physician negligence led to the inadvertent disclosure of thousands of patients' private healthcare information. This is the largest US HIPAA settlement to date.

HIPAA represents the first legislation in the United States to place regulatory responsibility on an organization through formal privacy laws. With data breaches occurring in other industries at unprecedented rates, regulatory agencies responsible for those industries are looking to healthcare laws to model their own formalized security governance laws. In fact, we are already seeing its influence in new regulations in financial services.

In New York, the DFS recently introduced new regulations that would require cybersecurity insurance as well as examinations on the use of multi-factor authentication and identity and access management systems. The requirements have also expanded to include the hiring of a qualified CISO, more checks and balances on governance and training, and increasingly stringent management of third-party services.

New York is not alone in expanding its governance programs. The Federal Financial Institutions Examination Council (FFIEC) has already announced it will conduct random audits of 500 community banks in 2015 that will mirror several of the aspects of the random audits performed by the Office of Civil Rights of the healthcare industry in 2012. Additionally, the Securities and Exchange Commission (SEC) recently reaffirmed its intention to "play a role" in the security and regulation of data. The SEC and the Financial Industry Regulatory Authority (FINRA) are both conducting independent examinations and investigations on areas of cybersecurity governance, including an inventory of devices, software and apps, maps of data flows, network security, and security policies.

Although the majority of regulatory penalties have been imposed on the healthcare industry, the financial industry has not been totally immune from investigations and fines. Two years after its own data breach, a large North American bank is still negotiating settlements with various agencies and regulators, the latest being a $625,000 fine issued by the Massachusetts Attorney General, bringing its total penalties to more than $1.5 million.

"Recent attacks demonstrate the numerous entry points whereby data breaches occur"
CYBER DEFENSE MAGAZINE - ANNUAL EDITION 3