First, let's talk about health data. Health data is one of the most sensitive types of information a business can safeguard for its customers and employees. Health data can reveal a lot about a person, including their medical history, medical diagnoses, prescribed medications, and any treatments they may be undergoing. Health data became a protected category to prevent discrimination, stigmatization, and the loss of employment or insurance coverage. And personal health information (PHI) is commonly used to perpetrate identity theft, financial fraud, profiling, and other criminal activities.
To address these concerns, governments around the world have enacted legislation to protect personal health information (PHI). For example, in 1996, the US passed the Health Insurance Portability and Accountability Act (HIPAA). HIPAA established a national standard to ensure the privacy and security of individually identifiable health information, including electronic records (ePHI), to safeguard individual privacy and prevent the misuse of information for harmful purposes. HIPAA defines two categories of entities that hold personal health information: covered entities and business associates. A covered entity includes healthcare providers, health plans, and healthcare clearinghouses, while a business associate is a third-party person or organization that works with or for the covered entity. Under HIPAA, both entities are responsible for protecting PHI's privacy and security. The HIPAA Security Rule outlines specific security requirements to ensure PHI's confidentiality, integrity, and availability. These include administrative, physical, and technical safeguards and organizational requirements to prevent, detect, contain, and correct security violations, incidents, breaches, and other failures.
A covered entity is required to have written policies and procedures in place to comply with the Privacy Rule, have a designated security officer, and conduct regular security awareness training for all members of its workforce. On the other hand, a business associate must have a written agreement with the covered entity that outlines the specific requirements for safeguarding PHI.
Next up is biometric data. Biometric data is data obtained from a person's unique physical or behavioral characteristics and used to identify them, typically to grant access to a secure area, to unlock a device, or to verify their identity. Examples are fingerprints, retinal scans, facial recognition, and voice recognition.
Biometric data is considered personal data because it is unique to an individual. As a result, biometric data collection, storage, and use are subject to specific laws and regulations.
Biometric data is the new kid on the block, and the laws and regulations that govern it are only beginning to unfold. In the US, specific state laws include the Illinois Biometric Information Privacy Act (BIPA), Texas Biometric Privacy Act (TBPA), Washington State Biometric Privacy Act (SBPA), and the California Consumer Privacy Act (CCPA). These laws all require reasonable security measures to protect biometric data from unauthorized access, use, and disclosure, and they require the secure retention and destruction of the data.
Sensitive information is any information that, if disclosed, could harm or negatively affect an individual or organization. This information includes personal information (PI) such as financial, medical, biometric data, and other types of personally identifiable information (PII).
Sensitive information can also include confidential or proprietary information. Examples include trade secrets, intellectual property (IP), client lists, business plans, classified national security information, military secrets, and other government information.
Sensitive information is subject to specific laws and regulations that govern its collection, storage, and use, and it requires special protections and security measures to prevent unauthorized access, use, or disclosure. Examples are HIPAA for medical information, the General Data Protection Regulation (GDPR) for personal data in the European Union (EU), and various state-level data breach notification laws in the US that require companies to notify affected individuals or entities of a data breach involving sensitive information.
As you can see, cybersecurity and data privacy are not for the faint of heart. Companies must comply with legal and regulatory requirements to ensure their systems and data are reasonably protected. Data privacy and cybersecurity are closely aligned and sometimes overlapping fields concerned with protecting information from unauthorized access, use, and disclosure. There are several areas of overlap between data privacy and cybersecurity:
© 2023 CyTrex Cyber, Inc