There is no shortage of talk about new cyber threats and their impact on the regulatory landscape, but what are their real implications? We’ve broken them down into three categories: “Penalties With Teeth” for our HIPAA readers, “Do I Feel Lucky?” for those under PCI requirements, and “Reputation, Reputation, Reputation” for, well, everybody.
Penalties With Teeth (Sometimes.)
Regulators in some industries are getting tough. Maybe they’ve started taking the threat landscape seriously and suddenly believe enforcement is the way to go. Or perhaps they see the current trend toward deregulation as marking the end of their reign, and want to squeeze as much pain as possible into their remaining days.
Whatever the cause, HIPAA penalties in the healthcare space have surged.
– St. Joseph Health, a 14-hospital system serving parts of California, Texas, and New Mexico, was fined $2.14 million because a server they added after their annual Risk Assessment included default settings that exposed some ePHI to the Internet. Their compliance with the prior assessment did not protect them because the server addition didn’t trigger another risk assessment.
A sobering conclusion, given that in most virtualized environments, adding a server can be done in minutes. Yet, HHS concluded that every such action represented a change in the environment, warranting another risk assessment.
– The University of Mississippi Medical Center was fined $2.75 million for a series of risks and vulnerabilities that remained unresolved from one annual audit to the next.
In theory, once a covered entity’s audit points out specific deficiencies, the expectation is that a corrective action plan will address them. In practice, UMMC had many of the same deficiencies crop up in multiple audits. And once a breach had occurred, the repeat instances of shortcomings in the system’s internal controls put them in line for a hefty fine.
– A 2016 guidance from the Office for Civil Rights of the Department of Health and Human Services stated unequivocally that ransomware attacks will be considered a data breach under 45 C.F.R. 164.400-414, regardless of whether any ePHI was stolen.
The most notorious ransomware attack in the HIPAA space was the one last year on Hollywood Presbyterian Medical Center, which operated with pen and paper for more than a week until a ransom payment of $17,000 enabled them to finally decrypt their files. But they were hardly alone. From the New Jersey Spine Center in the east, to the Marin Healthcare District in the west, more than a dozen systems were held up without a gun last year alone. And the dreaded breach guidelines defined the response protocols for every one of them.
You’ve got to ask yourself one question. “Do I feel lucky?”
“Well, do ya, punk?” Many retail merchants would suffer from Dirty Harry nightmares if they revisited the fine print in the payment card agreements they signed with their banks. Because while HIPAA has gone on an enforcement binge, PCI regulators continue to play wait-and-see.
They protect the giant credit card companies, of course, and push liability downstream to the banks, who, in turn, in order to protect their cash reserves, often decide to enforce the 6-point type in their merchant agreements and come after Mom and Pop whenever and however they can.
But Pop and Mom’s (why should she always get top billing) lack of institutional controls in how they store, transmit, and manage Personally Identifiable Information doesn’t often lead to a financial mess or loss of privileges until after the unthinkable happens. Then they can find themselves in the payment card penalty box, and left holding a very expensive bag.
According to Forbes, these are the seven consequences of non-compliance with PCI’s Data Security Standard:
1. Compensation costs. You know that free credit monitoring people get offered? It’s not free to the merchant who fell short.
2. Legal action. Unless you’ve got deeper pockets than TJMaxx, whose owners paid $40.9 million to settle lawsuits stemming from a breach deemed the fault of inadequate PCI compliance.
3. Bank fines. We keep telling you: put on those reading glasses and check out the agreement.
4. Federal audits. Pop and Mom can probably skirt by on this one. Only you can decide where you fit in the feds’ pecking order.
5. Remediation costs. Broken security system? Now fix it. Holes in your network defenses? Now fill them. Forensics, investigative charges, new hires, whatever it takes. And it ain’t cheap.
6. Lost revenue. How productive do you imagine your employees will be in the immediate aftermath of a damaging data breach?
7. Reputational damage. Which takes us to our third category.
Reputation, Reputation, Reputation.
Everyone knows the decrepit cliché about the three most important considerations in real estate. Well, we think it can be modified to answer this question: “What are the three most important things to any business, regardless of size, and regardless of industry?”
Thanks to social media, reputational damage spreads faster now than ever before. You want to test that theory? Run a Google search on any prominent organization that has suffered a recent data breach, and you’ll be able to count on one hand the number of articles that confer “good will.”
The problem can be worse in a B2B environment. Once notified of the breach, your largest corporate customers can be expected to double down on their own security, and possibly question their faith in you as a vendor.
We don’t want to beat this one to death. But if you’re in a highly competitive industry, where margins are tight and the loss of one client can turn a decent year into a disaster, the stakes for getting your IT right could not be higher.
We hope you’ve enjoyed this edition of the Watch Out Wednesdays newsletter, and found its perspective worthwhile. Keep an eye out for another edition next week.
SLPowers provides small businesses with affordable security and compliance solutions that were previously only within reach of large enterprises. In other words, we make technology safe for small businesses. For more than 30 years, we’ve provided our clients with secure and stable computing environments, so their business could thrive.
If you’re in a regulated industry, we encourage you to consider transferring the compliance burden to our experts, who do this every day.
There really is a drama-free way to approach compliance and information security. Shoot us an email, or pick up the phone, and we’ll show you the difference.
Visit us at www.slpowers.com.