This week, Hacking Healthcare begins by breaking down cybersecurity and privacy legislation developments in the United States’ 118th Congress. Specifically, we look at the recent efforts to revive federal data privacy legislation, healthcare cybersecurity funding, and what we know so far about impending healthcare cybersecurity legislation. Next, we examine how the European Commission’s agenda to revise enforcement of the General Data Protection Regulation (GDPR) could impact the healthcare sector.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
Welcome back to Hacking Healthcare.
Legislation Begins to Take Shape with 118th Congress
After weeks of administrative procedures, party organization, and agenda setting, the United States’ two-year legislative cycle has begun to shift toward regular legislative business. While it is still early days, Health-ISAC members can read about some of the issues staked out by congressional representatives that could have a significant impact on healthcare sector cybersecurity.
Action & Analysis
**Included with Health-ISAC Membership**
European Commission Eyes GDPR Enforcement
Years of criticism over how big technology companies like Meta, Google, and Microsoft have gotten off easy when it comes to GDPR enforcement seem to have pushed the European Union into action. Between signaling it is interested in taking a more active oversight role, and the expectation of new GDPR-related regulations in Q2 of 2023, the European Union appears to have an eye on reinforcing its landmark data protection legislation. Depending on how the EU goes about it, there could be notable impacts on the healthcare sector.
At the center of this issue is dissatisfaction among some EU member states over how Ireland’s national supervisory authority, the Data Protection Commission (DPC), has dealt with GDPR cases related to Big Tech. Because many of the Big Tech companies have their EU main establishment in Ireland, the Irish DPC acts as lead supervisory authority under the GDPR’s one-stop-shop mechanism, giving it the leading role in enforcement actions even when the potential violations affect data subjects outside Ireland’s borders. After years of such criticism, the European Commission appears ready to try to do something about it.
First, the European Commission has signaled its intent to receive more regular and detailed reports on the status of “large-scale cross-border investigations” carried out by all national data protection supervisory authorities.[vii] Second, the Commission has signaled its intent to issue new GDPR-related regulations in Q2 of 2023.[viii] The Commission has suggested that the new regulation will touch on:[ix]
– Clarifying procedural steps in handling GDPR cases;
– Harmonizing administrative procedures in cross-border cases; and
– Smoothing the functioning of GDPR cooperation and dispute resolution mechanisms.
Action & Analysis
**Included with Health-ISAC Membership**
Congress
Tuesday, February 28th:
– No relevant hearings
Wednesday, March 1st:
– House of Representatives: Committee on Energy and Commerce – Hearing: Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy
Thursday, March 2nd:
– No relevant hearings
International Hearings/Meetings
– No relevant meetings
[i] https://www.congress.gov/bill/117th-congress/house-bill/8152/text
[ii] https://energycommerce.house.gov/events/innovation-data-and-commerce-subcommittee-hearing-promoting-u-s-innovation-and-individual-liberty-through-a-national-standard-for-data-privacy
[iii] https://healthitsecurity.com/features/what-the-american-data-privacy-and-protection-act-could-mean-for-health-data-privacy
[iv] https://www.congress.gov/bill/118th-congress/house-bill/286/text?s=4&r=12&q=%7B%22search%22%3A%5B%22cyber%22%5D%7D
[v] https://www.warner.senate.gov/public/_cache/files/f/5/f5020e27-d20f-49d1-b8f0-bac298f5da0b/0320658680B8F1D29C9A94895044DA31.cips-report.pdf
[vi] https://healthsectorcouncil.org/wp-content/uploads/H-ISAC-HSCC-Comments-on-Warner-Report.pdf
[vii] https://techcrunch.com/2023/01/31/gdpr-enforcement-reform-dpa-oversight/
[viii] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13745-Further-specifying-procedural-rules-relating-to-the-enforcement-of-the-General-Data-Protection-Regulation_en
[ix] https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13745-Further-specifying-procedural-rules-relating-to-the-enforcement-of-the-General-Data-Protection-Regulation_en