secalerts.co/news/no-federal-funding-for-us-healthcare-providers-lacking-cyber-security/4VFNjpb6oxtJyqRW2jFOyh
The US government is laying down the 'cyber law' for healthcare providers and will outline requirements for hospitals to establish basic digital cyber security defences ... or miss out on receiving federal funding.
Let’s start with a law that prevents hospitals and healthcare providers from demanding that patients hand over their valuable identity documents, specifically, a government-issued photo ID, without any guarantees about how they’ll safeguard your ID, including a mandatory rule that hospitals and healthcare providers must hand the patient, 1) A copy of the provider’s Data Security Policy. Trying to get them to hand that over currently is like pulling teeth. 2) Financial reimbursement for every patient record accessed in a data breach and/or allowing a patient to sue for damages when a data breach occurs containing their data.
Establishing serious financial penalties is the only way to get the attention of healthcare providers who presently refuse to spend real money on security.
You mean like HIPAA?
HIPAA cannot stop a healthcare provider from demanding you hand over ID documents.
Healthcare providers don't just require IDs for the fun of it. CMS, a government entity, requires ID verification to prevent fraud. It's in the conditions of participation. Other insurance companies do as well.
HIPAA requires healthcare orgs and their Business associates secure your ID documents against unauthorized disclosure.
And that’s the problem. You have healthcare organizations that don’t provide adequate security and protection, yet at the same time, demand that people hand over their valuable ID documents.
There are multiple ransomware attacks weekly. At present, consumers are told by healthcare: “Oops, your data was stolen in a cyberattack. Here’s 2 years of credit monitoring. Good luck.” You can’t tell people their ID documents are valuable and then treat them as if they’re not.
The part you don't see is the large fines these organizations face from the OIG if you're not adequately securing data.
Simple truth though, the cybercriminals already have your IDs and they don't need to breach a hospital to get them. Your financial institutions, your local government, state government, federal government, court systems, credit agencies, and nearly every company you do or have done business with has already been breached.
Why then continue to support a broken system that in addition to not taking security seriously, places the burden on the victims of cybercrime?