Cybersecurity Gets Presidential Attention

Information security isn’t just about HIPAA. As the Sony movie studio hacking and the recent Anthem data breach demonstrate, any industry or organization can be affected by deliberate hacking as well as inadvertent breaches and disclosures of protected information. Multiple news agencies including the New York Times, Wall Street Journal and Privacy Rights Clearinghouse reported a major breach occurred at Anthem, Inc. due to a cyber attack on the system, exposing millions of individuals’ records. Anthem notified potentially affected members that cyber attackers gained unauthorized access to personal information and explained how to sign up for free identity theft repair and credit monitoring services. In addition to the exposure of personal information and personal emails that garnered so much attention in the mainstream press, Reuters is also reporting that Sony now faces a civil lawsuit against the company by affected individuals. Laboratories aren’t safe either. BioReference laboratories reported a breach in 2014 and explains on its website that it believes a test server was inadvertently rendered accessible for a short period of time exposing personal information, including in some cases, social security numbers. While this wasn’t an instance of intentional hacking, BioReference’s response demonstrates the costs associated with any data breach. BioReference’s website indicates it had to undertake the costs of an “extensive internal investigation, hired an independent security firm to conduct a forensic investigation, … retained a company to regularly monitor our servers, and implemented enhanced security measures.” It also offered to provide a year of credit monitoring, identity theft and other security services to those whose information was involved. While data breaches got a lot of attention in Hollywood this past year, every industry needs to focus on cybersecurity. A White House press release highlighted President Obama’s comments this past December calling for legislative security proposals: “[I]f we don’t put in place the kind of architecture that can prevent these attacks from taking place, this is not just going to be affecting movies, this is going to be affecting our entire economy in ways that are extraordinarily significant.” Recent Presidential orders and actions have therefore made cybersecurity a national priority, calling for coordinated efforts to protect sensitive information. In February, the President issued an executive order calling for the private sector to “share information related to cybersecurity risk and incidents and collaborate to respond in as close to real time as possible.” While emphasizing the need to share information, and encouraging voluntary formation of organizations that will share such cybersecurity information, the order also cautions that information sharing must be accomplished in a way that protects “privacy and civil liberties of individuals, that preserves business confidentiality, that safeguards the information being shared, and that protects the ability of the Government to detect, investigate, prevent, and respond to cyber threats to the public health and safety, national security, and economic security of the United States.” The order discusses formation of Information Sharing and Analysis Organizations (ISAOs), including both public and private sector organizations. The National Cybersecurity and Communications Integration Center (NCCIC) will coordinate with ISAOs in sharing information, addressing cybersecurity risks and incidents and improving information security. An ISAO Standards Organization will establish voluntary standards for information sharing and ISAO activities. The President also issued a memorandum Feb. 25, 2015, directing the Director of National Intelligence to establish the Cyber Threat Intelligence Integration Center. That Center will provide “analysis and intelligence” regarding foreign cyber threats or threats “affecting U.S. national interests.” It will also assist other government entities focused on information security and cybersecurity risks and “oversee the development and implementation of intelligence sharing capabilities” and support efforts to coordinate response to cyber threats. A January White House press release notes that “public and private networks are facing an unprecedented threat from rogue hackers as well as organized crime and even state actors” and announces proposed cybersecurity legislation that “promotes better cybersecurity information sharing between the private sector and government and … enhances collaboration and information sharing amongst the private sector.” The release states the proposed legislation will encourage private entities to share cyber threat information with the Department of Homeland Security’s NCCIC which will in turn share that information “in as close to real-time as practicable” with other federal agencies and ISAOs. The proposed legislation also provides law enforcement with tools to investigate and prosecute cyber crimes, including prosecution of insiders who “abuse their ability to access information to use it for their own purposes.” Finally, the proposal also addresses state laws requiring reports of data breaches by standardizing these reporting requirements in a federal statute with a “clear and timely notice requirement” for security breaches. Takeaway: Laboratories need to be concerned about information security not just for HIPAA compliance but also due to broader data security purposes as evidenced by recent cyber attacks.