13 Jan 2020
The decade ended the way it began – with cybercrime in the headlines. As we ease into the 2020s, however, more ways to combat it and more laws to protect us against it are being devised. In the meantime, we need to stay aware and proactive. We hope that reading our monthly Cyber Roundup will keep you alert to digital wrongdoing and aware of the practical safeguards available against it.
The following is a rundown of what happened during the month of December 2019. We welcome your comments, insights and questions.
Tom’s Takeaway: In most modern operating systems, whether Windows or Apple’s macOS and iOS, device encryption is a built-in feature that is included at no additional charge. If you are not using encryption on your devices – especially mobile devices – I encourage you to do so. It is a simple and powerful control for protecting your data should your device be lost or stolen.
Tom’s Takeaway: GDPR is a comprehensive privacy regulation that applies not only to EU-based companies, but also, in certain circumstances, to U.S. entities that process EU resident data. Even if GDPR does not apply to your business, this should serve as a reminder: if you maintain records that contain personal information, ensure you have a reasonable process to verify the identity of the caller or requestor before releasing any information. Privacy has become a key issue for many regulatory bodies. If you are not sure whether the GDPR regulation applies to your business, or would like more information on designing a privacy program, please feel free to contact me.
Tom’s Takeaway: In the cyber realm, we often forget that attackers exist not only externally, but internally as well. Insiders have a tremendous advantage over external parties because of the trusted foothold they already have in the work environment. As a business, when you define your cyber/information security strategy, be sure to also account for effectively restricting and monitoring the trusted insider. If you need assistance in performing an insider threat risk assessment, please contact us.
Tom’s Takeaway: PHI – in the simplest terms – is any information identifiable to a person that is created, used, or disclosed by a HIPAA-covered entity in the course of providing a health care service. When a covered entity (e.g., a hospital) has a breach, the onus is on the covered entity to prove, by way of a documented risk assessment, that the information was not disclosed. In the case of Sentara, they clearly misunderstood the breach notification rule and what constitutes a breach. HIPAA compliance is a specialty that requires knowledgeable individuals to navigate the compliance obligations. If you need assistance in understanding your HIPAA compliance obligations, we would be happy to assist.
Source: PKF O'Connor Davies
For more information on how our services can help your business, get in touch.