Reporting data breaches can be a lot like walking on eggshells for organizations.
On one hand, you want to put your customers and people first and make sure they are fully aware of a cyber incident, especially if any of their personal information has been compromised.
On the other hand, publicly admitting to a data breach can create serious blowback for the organization and perhaps damage both reputation and earnings.
For the healthcare industry, this became more complicated amidst the pandemic. And apparently, many healthcare organizations are not reporting data breaches they are required to report.
This is based on recent actions of California Attorney General Rob Bonta.
California healthcare not reporting data breaches
State Attorney General Bonta recently issued guidance to healthcare services and providers, reminding them they must comply with state and federal health data privacy laws, which includes reporting data breaches.
He notes that his message comes following multiple unreported ransomware attacks against California healthcare facilities:
"Entities entrusted with private and deeply personal data, like hospitals and other healthcare providers, must secure information against evolving threats. California law mandates that data breaches impacting more than 500 of our residents be reported to the California Department of Justice. In addition, I implore all entities that house confidential health-related information to be vigilant and take steps now to protect patient data, before a potential cyberattack."
Bonta also urges healthcare organizations to take the following steps to protect patient data:
- "Keep all operating systems and software housing health data current with the latest security patches;
- Install and maintain virus protection software;
- Provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;
- Restrict users from downloading, installing, and running unapproved software;
- Maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident."
Other organizations hesitate to report cyber incidents
Earlier this year, BlackBerry was faced with the difficult decision of going public with a newly discovered vulnerability.
The vulnerability, known as BadAlloc, was found in the company's QNX operating system. That operating system is used in over 195 million vehicles worldwide and spans multiple industries, including aerospace and defense, automotive, commercial vehicles, heavy machinery, industrial controls, medical, rail, and robotics.
Knowing how costly it could be to publicly admit to the discovery of this vulnerability, BlackBerry attempted to privately mitigate the situation with its customers. But that didn't work out so well.
Eventually, U.S. CISA convinced the company to go public, though this was months after other organizations with the same BadAlloc vulnerability had done so.
Now, California hospitals and clinics are also on notice that they must report most cyberattacks or risk finding themselves out of compliance with state law.