Organisations have realised the necessity to maximise the security of their data through data loss prevention (DLP) software, which monitors and controls endpoint activities, filters data streams on corporate networks, and monitors data in the cloud to protect data at rest, in motion, and in use. The development of the chief information security officer (CISO) role has driven the wider adoption of DLP.
Listed below are the key corporate governance trends impacting the cybersecurity in medical theme, as identified by GlobalData.
California’s own General Data Protection Regulation (GDPR)
The May 2018 introduction of Europe’s GDPR has proved to be a worldwide catalyst for data protection regulation, with several countries following suit. From 1 January 2020, Californian consumers, vendors, and foreign companies selling into the state have to respect the new California Consumer Privacy Act (CCPA). The act will be monitored closely by tech companies operating in Silicon Valley.
Regulation in Europe
The European Union’s (EU) Directive on Security of Network and Information Systems (NIS) was adopted by the European Parliament on 6 July 2016. Member states had 21 months to transpose the directive into their national laws, and an additional six months to identify operators of essential services to whom the law applies. The EU NIS Directive harmonises EU cybersecurity regulations. It stipulates that breaches must be notified to a competent authority within 72 hours.
The goal was that within two years, Europe could have had the strictest cybersecurity compliance laws in the world. Companies could be fined up to 2% of revenues, or up to €20m ($26m), for breaches of this directive, which could lead to a significant rise in EU cybersecurity expenditure. The directive provides regulations meant to apply to the healthcare sector as well.
In order to align with GDPR regulations, health systems have had to make operational and technological advancements. Under GDPR, non-compliant organisations could suffer fines of 4% of their annual turnover or €20m ($26m), whichever is higher. Healthcare facilities have not been exempted from these fines: the first GDPR fine issued was a €400,000 fine against a Portuguese hospital, for three violations of the GDPR.
Regulation in China
China’s new national security law aims to foster a secure and controllable internet infrastructure. Initially, it was thought that the law would force many foreign technology companies to hand over their source code and submit to intrusive product testing. Some US companies indicated they would pull out of China altogether to avoid this. Since then, the Chinese government has somewhat loosened its proposals.
China has also implemented specific rules surrounding collection and security of healthcare-related data. These regulations focus on collection, localisation, storage, and transfer of personal health information. In some cases, even the collection of personal data is subject to strict authorisation.
US federal plan will drive more government cyber spending
A bipartisan commission charged with recommending a re-organisation of the US federal government’s cybersecurity operations wants to see the appointment of a national cyber director. The recommendation for the new position comes from the Cyberspace Solarium Commission, which has argued that the appointment is needed to ensure federal agencies are adequately protecting themselves against cyberattacks.
However, the White House is expected to veto the idea, having eliminated a cybersecurity coordinator position in 2018. Among its other recommendations, the Commission wants to reform the US government’s structure and organisation for cyberspace. It also recommends Congress create a cyber state of distress that is accompanied by a cyber response and recovery fund.
Cyber bills pass through US Congress
The US government has stepped up its legislative activity and enacted several laws to try and reduce its vulnerability to cyberattacks. Cybersecurity-related bills for Washington departments and agencies to prevent cyber breaches include: the Cybersecurity Vulnerability Remediation Act, which would allow the Department of Homeland Security’s Cybersecurity Agency to issue protocols to mitigate vulnerabilities; the Federal Risk Authorisation and Management Programme, which enables the US federal government to access cloud computing services using a risk-based approach; and the 2019 IoT Cybersecurity Improvement Act, which gives the National Institute of Standards and Technology the authority to manage IoT cybersecurity risks for devices acquired by the federal government.
Many established enterprises and data-driven start-ups have recently appointed their first CISO. A CISO protects a company’s assets (both physical and digital) from cyberattacks. JP Morgan did not have a CISO when it was breached in 2014. Sony’s CISO had only been in the job three months when its media arm was hacked.
Many hospitals have also appointed CISOs to oversee cyber risk management within health systems. Larger hospitals are more likely to have appointed a CISO, as they have more data to protect and are more able to justify the expense.
Executive board awareness
Business executives still think of the most important business risks as technology risk, human capital risk, interest rate risk, political risk, competition risk, and regulatory risk. In the next few years, cybersecurity risk should rise to number one or two, while cybersecurity expenditure could increase across several industries.
This is an edited extract from the Cybersecurity in Medical Devices – Thematic Research report produced by GlobalData Thematic Research.