A recent decision by the 3rd Circuit U.S. Court of Appeals could mean that cybersecurity regulations are to be enforced by the FTC.
The Department of Health and Human Services’ Office for Civil Rights (OCR) is the main enforcer of HIPAA regulations on patient privacy. However, a recent decision by the 3rd Circuit U.S. Court of Appeals confirms the Federal Trade Commission’s authority to take enforcement action over inadequate cybersecurity practices, and that authority could be used against healthcare organizations that fail to protect the privacy of Americans.
The FTC has previously shown little interest in healthcare industry data breaches, since that is an area already policed by OCR. With its authority over cybersecurity practices now confirmed, however, the agency may no longer stay on the sidelines and could start taking action against healthcare organizations that fail to implement the controls needed to keep confidential data private.
The FTC has become more involved in investigating data breaches caused by hackers in recent months, following major security incidents that exposed the data of millions of Americans. The FTC filed a lawsuit against Wyndham Worldwide Corp (WWC), alleging that the hotel chain engaged in “unfair” cybersecurity practices and that its privacy policy was “deceptive.” The FTC also alleged that WWC failed to implement robust security controls after suffering a major data breach in 2008.
The hotel chain went on to suffer two further hacking incidents, and across the three breaches the records of over 600,000 customers were obtained by criminals. The stolen data were used to rack up $10.6 million in fraudulent charges.
The FTC maintains that the guidance it had issued on cybersecurity explained in detail the controls needed to prevent such breaches, but that WWC did not heed that advice. The guidance covered the use of firewalls to protect computer networks, encryption to safeguard sensitive data, and the need to develop a breach response plan to be followed should thieves gain access to protected data.
Furthermore, had that advice been taken after the first breach, the two later breaches would probably have been avoided.
The 3rd Circuit Court has now ruled that the FTC may proceed with its legal action against WWC, and that decision is likely to pave the way for further enforcement actions over cybersecurity failures. Those actions could, in theory at least, be extended to healthcare providers that fail to protect healthcare data.
At this stage it is not clear whether the FTC will enforce cybersecurity standards in healthcare, but healthcare providers should be cautious. Organizations that blatantly disregard HIPAA Rules and ignore FTC guidance on data security could well find a second agency looking to take action against them.