BreachExchange mailing list archives

Will NAIC Cybersecurity Regulations Affect Healthcare Industry?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 29 Apr 2015 18:59:22 -0600

http://healthitsecurity.com/2015/04/28/will-naic-cybersecurity-regulations-affect-healthcare-industry/

The Cybersecurity (EX) Task Force of the National Association of Insurance
Commissioners (NAIC) announced that it adopted new cybersecurity
regulations, designed to help protect sensitive consumer information.

The cybersecurity regulations highlight 12 principles that state insurance
regulators should follow to protect sensitive information and
infrastructure, according to NAIC. It is the regulators’ responsibility to
ensure that any personally identifiable consumer information held by
insurers, producers and other regulated entities is protected from
cybersecurity risks. The proper notification systems should also be in
place, ensuring that consumers are notified in a timely manner.

Another regulation stipulates that cybersecurity regulations for insurers
and insurance producers “must be flexible, scalable, practical and
consistent” with nationally recognized efforts. This could include what the
National Institute of Standards and Technology (NIST) has outlined in its
framework.

NAIC also called for state insurers to provide appropriate regulatory
oversight, including, but not limited to, conducting risk-based financial
examinations. Additionally, regulators should conduct market conduct
examinations regarding cybersecurity, according to NAIC.

Many of the principles align with regulations that are already in place for
healthcare organizations through the HIPAA Privacy Rule or Security Rule,
and touch on issues such as information sharing and performing risk-based
analyses:

Principle 9: Cybersecurity risks should be incorporated and addressed as
part of an insurer’s or an insurance producer’s enterprise risk management
(ERM) process. Cybersecurity transcends the information technology
department and must include all facets of an organization.

Principle 10: Information technology internal audit findings that present a
material risk to an insurer should be reviewed with the insurer’s board of
directors or appropriate committee thereof.

Principle 11: It is essential for insurers and insurance producers to use
an information-sharing and analysis organization (ISAO) to share
information and stay informed regarding emerging threats or
vulnerabilities, as well as physical threat intelligence analysis and
sharing.

Principle 12: Periodic and timely training, paired with an assessment, for
employees of insurers and insurance producers, as well as other regulated
entities and other third parties, regarding cybersecurity issues is
essential.

However, in the wake of large-scale health data breaches like Anthem and
Premera, it will be interesting to see how cybersecurity measures develop
for insurers as a whole.

“These principles will serve as the foundation for protection of sensitive
consumer information held by insurers as well as insurance producers and
guide regulators who oversee the insurance industry,” NAIC President and
Montana Commissioner of Securities and Insurance Monica J. Lindeen said in
a statement.

NAIC has also expressed concern specifically for the healthcare industry in
terms of cybersecurity regulations. After the Anthem data breach, NAIC
called for a multi-state examination of the health insurer and its
affiliates.

“Since the news broke, regulators have been working together and have been
in discussion with Anthem executives,” Lindeen said at the time. “We are in
agreement that an immediate and comprehensive review of the company’s
security must be a priority to ensure protection of consumers who are
covered by Anthem.”

The organization added that all 56 states and territories should sign on to
the examinations because the Anthem data breach was so large and will
potentially affect many individuals.