BreachExchange mailing list archives

Security Bill May Leave Health Data at Risk


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 4 May 2015 18:30:12 -0600

http://www.healthdatamanagement.com/issues/23_5/PATIENT-DATA-PROTECTION-Security-Bill-May-Leave-Health-Data-at-Risk-50439-1.html

Draft congressional legislation to create a national standard on data
security and breach notification does not address healthcare data, leaving
consumer health information vulnerable, according to the Federal Trade
Commission.

A draft bill, authored by House Energy and Commerce Committee Vice Chairman
Marsha Blackburn (R-Tenn.) and Rep. Peter Welch (D-Vt.), would require
certain entities that collect and maintain personal information on
individuals to secure that information and provide notice to individuals in
the case of a security breach.

However, Jessica Rich, director of the Bureau of Consumer Protection at the
FTC, told a House subcommittee in March that the draft Data Security and
Breach Notification Act of 2015 does not cover certain types of consumer
information such as health data, "even though misuse of this and other
information can cause real harm, including economic harm, to consumers."

Rich warned lawmakers that "bad actors" have an economic incentive to
target valuable health data for the purpose of selling it to debt
collectors or private investigators. "The Commission has seen instances
where bad actors have hacked into company systems and stolen consumers'
personal information in order to extract payments for its return," she
testified.

A breach revealing that an individual attends counseling for addiction
could result in economic and physical harm, Rich said, and revelations
about an individual's cancer treatment might cause the patient to lose a
job. She argued that firms collecting information about an individual's
physical or mental health condition should have a duty to provide
reasonable security for this data.

Some of the state data security and data breach laws that protect this
information would be preempted under the draft bill, Rich said. She argued
that the situation also is complicated by the fact that businesses
operating in the consumer-generated and -controlled health information
space might not be covered by HIPAA and, as a result, might not be subject
to HIPAA's data security protections.

Rep. Michael Burgess (R-Texas), chairman of the House Energy and Commerce
Committee's Subcommittee on Commerce, Manufacturing, and Trade, said while
he hopes the committee will have an opportunity in the future to look at
the issue of healthcare data, that should not prevent Congress from moving
forward with legislation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 