HIPAA Blog

[ Tuesday, August 27, 2019 ]


NY Dept of Health Issues Breach Notification Rules:  The Department has issued a letter to all licensed hospitals and other facilities outlining a new protocol that requires the facilities to notify the Department, along with other required notifications, of a potential cybersecurity incident.  So, in addition to OCR reporting (soon after the incident if it involves 500 or more persons, after year end for smaller breaches), reporting to affected individuals, and possibly reporting to credit reporting agencies and attorneys general, add a new recipient of the notice. 

Hmm.  OK, the Department argues that notifying them helps them spread the word and provide assistance to the victimized organization; that makes sense.

However, notification is required for cybersecurity incidents.  The notice says, "A cybersecurity incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of data or interference with an information system operations."  Attempted?  That's problematic.  Must every port scan and firewall ping, which are "attempted" access to an information system, be reported?  That looks like the Security Incident definition in HIPAA, which is equally overbroad.

Hat tip: Jackson Lewis.

Jeff [11:23 AM]
