While Congress is unlikely to pass major new national cybersecurity legislation in an election year, federal regulators and state attorneys general will be busy addressing evolving health data privacy and security issues in 2020, predicts attorney Marcus Christian of the law firm Mayer Brown.
“On a national level, one might say that the politics are against legislation passing for healthcare [data security and privacy] or cybersecurity for a number of reasons,” he says in an interview with Information Security Media Group. “But on the state level, there are other factors that increase the likelihood of activity.”
For example, state attorneys general know that privacy and security issues resonate with their constituents, he says. “The constituents want to see their AGs being aggressive in these states, and if the AGs get that message, they are going to be aggressive.”
He predicts more states will pass laws that require notification of state attorneys general when there is a cybersecurity incident in all sectors, and perhaps in healthcare.
Christian predicts that in the year ahead, the Department of Health and Human Services, in its HIPAA compliance examinations, will scrutinize whether “organizations have administrative, physical and technical controls.”
He also expects the Federal Trade Commission and Food and Drug Administration to conduct reviews that focus on “devices that collect personal data and the claims that their manufacturers make about cybersecurity – that is going to be a very focused area.”
In the interview, Christian also discusses:
- The most worrisome security threats, vulnerabilities and risks in healthcare;
- “Growing pains” involving the privacy and security of health data;
- The impact of the California Consumer Privacy Act;
- Other federal and state regulatory and legislative issues involving health data privacy and security to watch in 2020.
Christian is a Washington-based partner in law firm Mayer Brown’s cybersecurity and data privacy practice and white collar defense and compliance group. Previously, he was the executive assistant U.S. attorney in the Southern District of Florida. In that work, he oversaw a number of identity theft task forces, maintained critical incident response readiness and supervised investigations and prosecutions of crimes related to data breaches.