In this New Year edition of Hacking Healthcare, we look ahead to a number of regulatory shifts on the horizon for international cybersecurity and data privacy. Specifically, we examine the approaches Australia, India, the European Union (“EU”), and the United States (“US”) have signaled they will take to cybersecurity and privacy in 2019. We summarize these countries’ proposed frameworks, map the rapidly changing cybersecurity and privacy landscape, distill some themes and recurring issues, and predict trends and outcomes for the New Year.
Welcome back to Hacking Healthcare.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion from the health sector perspective, become a member of H-ISAC and receive the TLP Amber version.
Hot Links –
2019: The Year of Privacy and Cybersecurity. Between the Cambridge Analytica scandal, the ever-growing number of data breaches affecting companies in nearly all sectors, and individuals’ increased understanding of the amount, type, and specificity of data that companies collect about them on a regular basis, 2019 appears to be a year that is ripe for legislation and regulation in the cyber and privacy arena. Legislators all over the world have spoken of the need for updated privacy and cybersecurity laws. A number of nations, like Australia and India, as well as national groups like the EU, have already begun to pass and implement regulations that will shape the international privacy landscape. On the other hand, some countries like the US have been less proactive about crafting a national approach to privacy and cybersecurity. Notwithstanding the US and other countries’ apparent reticence to write and pass comprehensive legislation in the space, it seems clear that the time is now for nations to draw a line in the sand on these issues. Otherwise, countries that have remained silent on privacy and cybersecurity may lose their ability to control and contribute to the global conversation about international privacy rights and cybersecurity protections. And make no mistake—despite the fact that solutions and laws proposed thus far have been mostly focused at the national level, privacy and cybersecurity are truly international issues with international implications.
The first and most important task for undecided countries will be to determine what kind of privacy and cybersecurity regime they wish to implement. Should their approaches bear more similarities to the legal frameworks of Australia and India, countries that have enhanced their governments’ abilities to control content online and access individuals’ personal data? Or should their approaches mimic the regime chosen by the EU, one that has enshrined the protection of “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data” in binding law? There are pros and cons to both of these extremes, and in making a decision on which approach to take, countries will have to grapple with their own notions of privacy rights, positions on access to consumer data, ideas of appropriate Internet oversight, law enforcement access, and tolerance of cybersecurity controls that protect the privacy of sensitive information.
An example of one country that appears to shade more toward the government oversight end of the spectrum is Australia. Australian legislators recently passed an “Assistance and Access” bill that requires technology companies to give law enforcement officials and security agencies access to previously unreadable and inaccessible consumer messages and online actions. We’ve written about this law in prior editions of this newsletter, branding it as an anti-encryption rule that has the potential to cause security vulnerabilities and privacy issues that were not present before the law was enacted. This is because Australia’s law essentially compels technology companies to build ways of breaking their end-to-end encryption mechanisms into the design of their products and services. Under certain conditions, the Australian government must be given access to these encryption-breaking protocols so that they can more easily access needed consumer information. One of the main arguments against the law is that if the Australian government is given such “back door” access to individuals’ sensitive data, ill-intentioned actors and hackers will have the opportunity to exploit these features for their own purposes. However, this argument only illustrates one side of the debate. The other side importantly notes that the Australian government will be better equipped to fight terrorism and crime, the majority of which takes place over internet channels in today’s day and age. Furthermore, use of such a “back door” appears to be restricted to instances in which the government has already been issued a lawful warrant to intercept telecommunications.
India is another country that has emphasized the importance of government oversight of online data in its recent draft legislation. Legislators in India have proposed amendments to rules that interpret Section 79 of India’s Information Technology Act that would require technology companies to “proactively” develop technologies to enable the government to outlaw content it deems “unlawful.” Additionally, similarly to Australia’s law, these amendments require technology companies to break end-to-end encryption so messages can be traced, read, and used by government actors. Opponents of the amendments have stated that they have deep implications for free speech, as they appear to encourage censorship of topics on which the government would like to control public discourse. Some opponents have also stated that the policies of censorship and government oversight of online content in these amendments take cues from China, a country that sharply limits the online content its citizens can access by using firewalls and other technical measures. On the other hand, proponents of India’s law say that the country has witnessed “the consequences of handing over the internet to the mob” by allowing content to go unregulated. Citing mob killings that occurred in the country just months ago due to fake news spread via the communication application WhatsApp, government officials in India have had to grapple with the dangers of false information disseminated via online mechanisms. Other proponents of the law say it will help the government in its ongoing effort to control “troll armies [and] toxic hate targeted against women [online].”
In contrast to Australia, India, and other nations who have emphasized the importance of government oversight over Internet content and the accessibility of individuals’ online data, the EU has taken an approach to privacy and cybersecurity that is rooted in individual rights and personal freedoms. The General Data Protection Regulation (“GDPR”), frames data privacy as an individual right and gives European citizens expansive abilities to access and delete the data companies hold about them as well as the ability to opt in to allowing companies to collect personal data. The GDPR contains no provisions expressly allowing for government censorship of online content or the ability for government agents to bypass encryption mechanisms in order to access individuals’ personal data.
In addition to passing arguably the most individual rights-friendly legislation in the world on data privacy and cybersecurity, the EU has also already built out an impressive enforcement and regulatory structure to bolster the GDPR. Europe’s primary cybersecurity agency, the European Network and Information Security Agency (“ENISA”), has recently signaled that it will have expanded authority in 2019 to certify online services and consumer devices for cybersecurity throughout Europe. Although the proposal has not yet been made formal law in the EU, ENISA believes that establishing a common framework for EU-wide valid cybersecurity certificates will decrease fragmentation and barriers to commerce in the market. This new product and device certification framework will help align European companies’ internal practices with the GDPR, a law that encourages companies to afford significant weight and resources to personal data privacy protections and data security.
The law of the land in the US regarding data privacy and cybersecurity differs markedly from the built-out, nuanced structure that is developing in the EU. This is because there is no current national standard for data privacy or cybersecurity in the US. In lieu of a legislative solution, federal agencies such as the National Institute of Standards and Technology (“NIST”) have moved in the direction of developing voluntary frameworks for cybersecurity and data privacy. The NIST Cybersecurity Framework, a guide for organizations to detect, respond to, and mitigate security threats, was published 2014 and updated in April of last year. Similarly, NIST is in the process of developing a privacy framework that will counsel organizations on how to best approach individuals’ data privacy, as companies and interested stakeholders have been invited to comment on the proposed framework and advocate for important points they think should be included in the voluntary structure until mid-January of this year.
On the healthcare front, HHS just released another voluntary guide aimed at healthcare organizations. Entitled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, the guide was required as part of the Cybersecurity Act of 2015. We’ll be providing more coverage of this in future editions.
These voluntary frameworks, however useful, do not serve as a substitute for national privacy legislation. To fill the void that the lack of a national standard has brought about, states have attempted to set forth their own fragmented legislative solutions. California’s new Consumer Privacy Act and Vermont’s new act relating to data brokers and consumer protection serve as examples of state laws that impose strict requirements on organizations and give consumers greater access to information about entities that collect and use their data. In response to some of the expansive rights that these laws afford certain citizens, companies in the U.S. such as Apple, Google, and others have openly stated that they would support a broad, nationalized privacy law that would preempt these particularized state solutions. These companies hope that a national standard would do away with individualized state regulations and would present one, comprehensive set of rules that organizations and private sector companies would have to follow.
While no such comprehensive privacy law has been passed in the US just yet, a number of cybersecurity-focused bills are floating around the Senate. For example, after Facebook encountered scrutiny for the Cambridge Analytica scandal, Sen. Amy Klobuchar (D-MN) introduced the Social Media Privacy and Consumer Rights Act of 2018. This legislation, which was co-sponsored by Sen. John Kennedy (R-LA), would allow users of social media to opt out of data collection, require companies to better explain their data practices, and mandate that such companies disclose the existence of a data breach within 72 hours of learning of the breach. In addition to the Social Media Privacy and Consumer Rights Act of 2018, Sen. Klobuchar also recently co-sponsored the Data Care Act of 2018. The Data Care Act purports to hold internet companies liable for consumer data loss and would impose a per-violation fine in the amount of $10,000 on companies that violate the bill’s terms.
Other US bills have been introduced in the privacy space, such as the Customer Online Notification for Stopping Edge-provider Network Transactions (“CONSENT”) Act, which imposes an opt-in system similar to the GDPR that would require companies to obtain consumers’ affirmative consent before using their sensitive information. This bill, which was introduced by Senator Ed. Markey (D-MA), also directs the Federal Trade Commission (“FTC”) to establish further privacy protections for individuals via regulations. Additionally, Senator Ron Wyden (D-OR) introduced the Consumer Data Protection Act, which directs the FTC to establish new data privacy regulations, increases the FTC’s civil penalty authority, requires certain covered entities to submit annual data protection reports to the FTC, and establishes a “do-not-track” list that would enable consumers to opt out of all data sharing, as a possible starting point for comprehensive privacy legislation in the US. Notably, the bill does not preempt state privacy laws, leaving room for strict regimes like California’s Consumer Privacy Act to remain in-tact.
It still remains to be seen whether the US will take Senator Wyden’s lead by establishing a consumer-focused national privacy regime or whether the US will take a different approach altogether. It appears that on the whole, legislators in the US are not in favor of imposing legally mandated back door access to consumer information for law enforcement officials. In fact, some efforts have been made to curb this possibility entirely with the Secure Data Act of 2018 and the Ensuring National Constitutional Rights for Your Personal Telecommunications (“ENCRYPT”) Act of 2018. These bills would prohibit agencies, states, and local governments from forcing technology companies to create back doors to access encrypted information. However, because these laws are still in draft form, the full contours of the US approach to privacy and cybersecurity are yet to be decided.
The US and other similarly situated countries that have not yet promulgated comprehensive national laws on data privacy and cybersecurity will benefit from solidifying their approach to these issues in 2019. We predict that the US will eventually settle on a framework that does not go quite as far as the GDPR in terms of consumers’ ability to opt-in to data collection and sharing, but it’s clear that some restrictions for entities and private organizations that collect and process consumer data are certainly on the horizon.
Ultimately, the US and any nation that has not yet come to a legislative consensus on data privacy and cybersecurity will need to engage in thoughtful discussions and deliberations with industry, innovators, and stakeholders in order to craft an approach that best suits that country’s needs and ideals. So far we’ve seen nations adopt approaches to data privacy and cybersecurity that fall somewhere on a spectrum of emphasis on government oversight and access at one end to emphasis on personal autonomy and individual rights on the other. Countries such as Australia and India have chosen a path that places increased import on government oversight, while national groups such as the EU have adopted an approach that deems privacy to be an individual right and refrains from mandating government back door access to individuals’ private communications. While much remains to be seen, it is clear that nations will benefit from taking a stance on privacy and cybersecurity issues in 2019. If they fail to do so, these nations run the risk that the data privacy and cybersecurity conversation will proceed full steam ahead without them, which could render their regulatory preferences moot and could diminish their ability to influence international privacy and cybersecurity policy.
Tuesday, January 1:
–No relevant hearings.
Wednesday, January 2:
–No relevant hearings.
Thursday, January 3:
–No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–Medical Device Security 101 Conference – Orlando, FL (1/21/19-1/22/19) <https://nhisac.org/events/nhisac-events/medical-device-security-101-conference/>
–FIRST Symposium 2019 – London, UK (3/18/19-3/20/19)
–HEALTH IT Summit (Midwest) – Cleveland, OH (3/19/19-3/20/19)
–National Association of Rural Health Clinics Spring Institute – San Antonio, TX (3/20/19-3/22/19)
–HSCC Joint Cybersecurity Working Group – San Diego, CA (4/3/19 – 4/4/19)
–H-ISAC CYBER RX – IOMT Executive Symposium – Munich, Germany (4/15/2019 – 4/16/2019)
–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)
–HEALTH IT Summit (Florida) – Wesley Chapel (5/21/19-5/22/19)
–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
—Facebook Data Scandals Stoke Criticism That a Privacy Watchdog Too Rarely Bites
—Meet the 9 U.S. Lawmakers Who Will Impact Tech Regulation in 2019
—European Commission sets out plan to drive investment in research and innovation in AI
—Cyber attack hits U.S. newspaper distribution
—The Failure of the United States’ Chinese-Hacking Indictment Strategy
—Open-source tool aims to curb BGP hijacking amid Chinese espionage concerns
—Hackers steal data on 1,000 North Korean defectors, jeopardizing their safety
—US Petroleum Employee Charged with Stealing Trade Secrets for Chinese Firm
—Pilot project demos credit cards with shifting CVV codes to stop fraud
Contact us: follow @HealthISAC, and email at email@example.com
 https://www.forbes.com/sites/forbestechcouncil/2018/08/20/how-will-californias-consumer-privacy-law-impact-the-data-privacy-landscape/#76f2e87ae922; https://iapp.org/news/a/analysis-vermonts-data-broker-regulation/