Health Law Advisor

In the absence of a comprehensive federal data privacy law, state legislators continue to add to the often-contradictory array of laws aimed at protecting the security and privacy of their residents’ data. Very recently, Washington State’s My Health My Data Act was signed into law by Governor Jay Inslee in late April, Florida lawmakers passed Senate Bill 262 in early May, and the Tennessee Information Protection Act was signed into law earlier this month as well. While preparing this update, Montana’s enacted its Consumer Data Privacy Act on May 19^th, which we will address in subsequent guidance due to its recency. These newly enacted state laws build upon the growing patchwork of laws enacted in California, Connecticut, Colorado, Virginia, and Utah, all of which we previously discussed here and here. Yet, among these state laws there is significant variety, including inconsistencies as to whether the laws allow for private rights of action, and whether the laws provide affirmative defenses and other incentives based on compliance with relevant best practices.

The past several years have proven difficult for healthcare entities due to increasing cybersecurity threats, breaches and regulatory enforcement. Following these trends, on April 6, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a Request for Information (RFI) soliciting public comment on how regulated entities are voluntarily implementing security practices under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and also seeking public input on sharing funds collected through enforcement with individuals who are harmed by Health Insurance Portability and Accountability Act of 1996 (HIPAA) rule violations.

The U.S. Cybersecurity and Infrastructure Agency (CISA) has urged a “Shields Up” defense in depth approach, as Russian use of wiper malware in the Ukrainian war escalates. The Russian malware “HermeticWiper” and “Whispergate” are destructive attacks that corrupt the infected computers’ master boot record rendering the device inoperable. The wipers effectuate a denial of service attack designed to render the device’s data permanently unavailable or destroyed. Although the malware to date appears to be manually targeted at selected Ukrainian systems, the risks now escalate of a spillover effect to Europe and the United States particularly as to: (i) targeted cyber attacks including on critical infrastructure and financial organizations; and (ii) use of a rapidly spreading indiscriminate wiper like the devastating “NotPetya” that quickly moves across trusted networks. Indeed, Talos researchers have found functional similarities between the current malware and “NotPetya” which was attributed to the Russian military to target Ukranian organizations in 2017, but then quickly spread around the world reportedly resulting in over $10 billion dollars in damage.[1] The researchers added that the current wiper has included even further components designed to inflict damage.

Throughout 2021, we closely monitored the latest privacy laws and a surge of privacy, cybersecurity, and data asset management risks that affect organizations, small and large. As these laws continue to evolve, it is important for companies to be aware and compliant. We will continue to monitor these trends for 2022.

The attorneys of the Privacy, Cybersecurity & Data Asset Management group have written on a wide range of notable developments and trends that affect employers and health care providers. In case you missed any, we have assembled a recap of our top 10 blog posts of 2021, with links to each, below:

Cyber threats and cybersecurity controls have evolved significantly over the past two decades since the HIPAA Security Rule were originally promulgated. During this same time, healthcare entities have increasingly become a prime target of hackers seeking to extort payment using ransomware, exfiltrate patient data to commit fraud, or disrupt operations in other nefarious ways.  Recognizing these challenges, some security professionals have sought further clarity on the HIPAA Security Rule that they deem to be “long in the tooth”. Yet, regulators have not made any ...

On October 18, 2018, the FDA published Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.  This guidance outlined recommendations for cybersecurity device design and labeling as well as important documents that should be included in premarket approval submissions.  This guidance comes at a critical time as the healthcare industry is a prime target for hackers.  On January 22, 2019, the U.S. Department of Homeland Security Industrial Control System Cyber Emergency Team (US-CERT) issued another advisory regarding medical device ...

Our colleague Stuart M. Gerson at Epstein Becker Green has a post on the Health Law Advisor blog that will be of interest to our readers in the health care industry: “NIST Seeks Comments on Cybersecurity Standards For Patient Imaging Devices.”

Following is an excerpt:

The National Institute of Standards and Technology (“NIST) has announced that it will be seeking industry input on developing “use cases” for its framework of cybersecurity standards related to patient imaging devices. NIST, a component of the Department of Commerce, is the agency assigned to the ...

The National Institute of Standards and Technology (“NIST) has announced that it will be seeking industry input on developing “use cases” for its framework of cybersecurity standards related to patient imaging devices. NIST, a component of the Department of Commerce, is the agency assigned to the development and promulgation of policies, guidelines and regulations dealing with cybersecurity standards and best practices.  NIST claims that its cybersecurity program promotes innovation and competitiveness by advancing measurement science, standards, and related ...

Executive Order Delay Trumps Administration Policy Development

President Trump's first hundred days did not produce the event that most people in the cybersecurity community expected – a Presidential Executive Order supplanting or supplementing the Obama administration's cyber policy – but that doesn't mean that this period has been uneventful, particularly for those in the health care space.

The events of the period have cautioned us not to look for an imminent Executive Order. While White House cybersecurity coordinator Robert Joyce recently stated that a forthcoming ...

The Food and Drug Administration ("FDA") recently announced that it will be hosting a public workshop on October 21 and 22, 2014, in Arlington, Virginia, entitled "Collaborative Approaches for Medical Device and Healthcare Cybersecurity."

Officials from FDA, the Department of Health and Human Services ("HHS"), and the Department of Homeland Security ("DHS") will bring together medical device manufacturers, insurers, cybersecurity researchers, trade organizations, government officials, and other stakeholders to discuss the numerous challenges faced in medical device ...