TLP White: In this privacy-focused edition of Hacking Healthcare we first highlight the release of the NIST Privacy Framework. We then explore the current state of the California Consumer Privacy Act (CCPA). Next, we brief you on industry’s push for federal privacy legislation. Lastly, we provide some insight into how Australia is approaching its own data privacy laws.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).

Welcome back to Hacking Healthcare.


1. NIST Privacy Framework Release.

Last week saw the release of the preliminary draft of the NIST Privacy Framework. The voluntary framework, which is billed as “A Tool for Improving Privacy through Enterprise Risk Management,” is modeled after the structure of the NIST Cybersecurity Framework. NIST hopes that the shared structure will help organizations see the Privacy Framework as a complement to that document.[1] The Privacy Framework has made steady progress since development began in October of 2018, and NIST is currently seeking comments on this preliminary draft. The NIST Privacy Framework can be found either through the NIST website or through the first link in the endnotes of this paper.


2. The California Consumer Privacy Act.

Certain businesses and industry representatives advocated for important amendments to the California Consumer Privacy Act (CCPA) to make the law more workable for businesses and more privacy-protective for consumers before California’s legislators headed home on Friday, September 13th. Ultimately, five amendments were passed before the legislature adjourned and will now go to California Governor Gavin Newsom to sign or veto by October 13th. The California legislature advanced AB 25, AB 874, AB 1146, AB 1355, and AB 1564 to amend the CCPA. Barring some exceptional circumstances, the CCPA will become operative on January 1, 2020 as amended and will become enforceable either on July 1, 2020 or 6 months after the California Attorney General’s publication of final rules interpreting the law, whichever comes first.

The amendments make a number of changes to the law, including a temporary employee data exemption, a clarification of the private right of action, a revision of the definition of “publicly available information”, and a dozen or so others. The amendment that failed to pass, AB 846, would have restricted the use of personal information businesses collect through loyalty programs. Overall, the amendments the legislature advanced are not industry-centric and anti-consumerist; they will primarily help to clarify and improve some parts of the CCPA for both consumers and industry.


3. Industry Looks to Congress for Federal Privacy Legislation.

On September 10th, the Business Roundtable drafted a letter to Congress imploring it to create a comprehensive federal consumer data privacy law to counter the ever-growing patchwork of state laws.[2] The letter was signed by the CEOs of 51 major companies. Among the 51 signatories were Amazon, AT&T, Dell, IBM, State Farm, Visa, and Qualcomm.

The letter briefly outlined how the lack of a comprehensive federal privacy bill will lead to confusion among consumers and hurt the competitiveness of businesses operating within the United States. Additionally, the letter emphasized that a clearly defined federal regulation was necessary to ensure stability and innovation. In closing, the Business Roundtable referenced their Framework for Consumer Privacy Legislation as a “detailed roadmap” for Congress to follow.[3]

The Business Roundtable’s efforts reflect a larger trend in industry of concern over competing and potentially conflicting state standards when it comes to data privacy. Industry generally hopes that preemptive federal legislation is coming and has a vested interest in procuring such legislation so it does not have to potentially comply with up to 50 state privacy laws in the event of unauthorized data exposure. In addition, consumers have an interest in a single federal privacy standard so they can benefit from businesses’ compliance with clear rules that are not dependent on geography or overly complex privacy policies. But the longer a federal policy takes, the longer industry will have to contend with the growing patchwork of state laws. With the 2020 election year rapidly approaching, there will be limited bandwidth for Congress to engage in a thoughtful and prolonged debate over data privacy, but this is likely an issue it will have to take under consideration sooner rather than later.


4. Australia Backtracks on Consent.

The United States is not the only country currently attempting to navigate issues surrounding data privacy. A new development out of Australia represents a blow to privacy advocates who have demanded that consent be a requirement of any new national privacy legislation. A recently published Discussion Paper, which focuses on the government’s efforts to modernize its laws on public sector data, outlines the Australian government’s new position. The paper backtracks on the government’s previously expressed views concerning consent from only a year ago. The government’s revision is being framed as taking what it calls a “nuanced” position on the matter.[4]

The Australian government cited its concern that requiring consent for the collection of public sector data would skew data collected for policy research and public programs, ultimately creating biased data sets that would lead to ineffectual policies and public programs. It has instead opted for “placing the responsibility on Data Custodians and Accredited Users to safely and respectfully share personal information where reasonably required for a legitimate objective.”[5] It is unclear whether the revision on consent will become final, as there is at least one more round of public engagement before any bill is introduced into Parliament.[6]




Tuesday, September 17th:

-No relevant hearings


Wednesday, September 18th:

-No relevant hearings


Thursday, September 19th:

-No relevant hearings



International Hearings/Meetings


EU – None this week



Conferences, Webinars, and Summits

–H-ISAC Medical Device Security Workshop – Plymouth, MN (9/17/2019)

–Health and Real Estate Webinar: Shared Cyber and Physical Challenges – Webinar (9/19/2019)

–HEALTH IT Summit (California) – Los Angeles, CA (9/19/2019-9/20/2019)

–Healthcare Cybersecurity Forum – Los Angeles, CA (9/20/2019)

–2019 Alabama Healthcare Fraud Summit – Birmingham, AL (9/20/2019)

–Peer Sharing ICS Security Workshop (New Jersey) – Bridgewater, NJ (9/24/2019-9/26/2019)

–Summit on Security and Third-Party Risk – Leesburg, VA (9/30/2019-10/2/2019)

–Healthcare Cybersecurity: The Current Diagnosis & How to Cure Pain Points – Webinar (10/1/2019)

–HEALTH IT Summit (Northeast) – Boston, MA (10/3/2019-10/4/2019)

–Northeast Healthcare Cybersecurity Forum – Boston, MA (10/4/2019)

–H-ISAC Grand Rounds Webinar Series #1: Cost Effective Threat Intel – Webinar (10/9/2019)

–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)

–Health IT Summit (Midwest) – Minneapolis, MN (10/17/2019-10/18/2019)

–Healthcare Cybersecurity Forum (Midwest) – Minneapolis, MN (10/18/2019)

–CHIME Healthcare CIO Boot Camp – Phoenix, AZ (11/6/2019-11/9/2019)

–Health IT Summit (Southwest) – Houston, TX (11/14/2019-11/15/2019)

–Southwest Healthcare Cybersecurity Forum – Dallas, TX (11/15/2019)

–Health IT Summit (Northwest) – Seattle, WA (11/19/2019-11/20/2019)

–Pacific Northwest Healthcare Cybersecurity Forum – Seattle, WA (11/20/2019)

–2019 H-ISAC Fall Summit – San Diego, CA (12/2/2019-12/6/2019)




Sundries –


–New NetCAT Attack Can Leak Sensitive Data From Intel CPUs

–6 biggest healthcare security threats for 2020

–Apple continues health push with three new medical studies

–Consumer Technology Association publishes new health data privacy guidelines


Contact us: follow @HealthISAC, and email at