Recent regulations in the health sector – Data Driven Investor


The current health emergency is forcing us to suddenly change our perspective and increase our defences to protect individuals.

Precisely for this reason, the European Commission has issued a series of guidelines, aimed at regulating the production of essential medical equipment, with an appropriate vademecum for manufacturing companies.

On the other side of the Ocean, the HIPAA law on protected health information tries to set “rules” to prevent the dispersal, diffusion and manipulation of such information, as well as theft and cyber attacks on health systems.

EC Emergency Guidelines COVID-19

Three key areas are identified during this emergency period: 3D printing, personal protective equipment (PPE, known in Italy as DPI) and detergents. Last month’s Recommendation 2020/403 also serves to relax compliance requirements and vigilance checks on emergency medical systems. Therefore, in line with the World Health Organization, it is recommended that production should ensure a sufficient level of protection according to the safety requirements of the European Union, even where manufacturers have not completed the CE certification process.

It is therefore recommended to:

– place PPE (DPI) on the market;
– introduce 3D printing systems, called Additive Manufacturing (AM), whereby manufacturers must ensure the conformity of 3D printers with the essential health and safety requirements of the Machinery Directive (2006/42/EC) by drawing up a technical file and affixing the CE marking before placing them on the EU internal market;
– comply with the essential requirements for the production of hydroalcoholic hand-cleaning detergents, as the European Centre for Disease Prevention and Control recommends ‘wash your hands with soap and water for at least 20 seconds or use alcohol-based solutions, gels or wipes in all contexts’. Such products may fall within the scope of either the Cosmetics Regulation or the Biocidal Products Regulation (normally only one regulation applies to a given product). It follows that:
– when the main purpose is to clean or cleanse the skin, the products generally fall under the Cosmetics Regulation;
– if the main purpose is not declared and the products contain an active substance and are marketed with claims of biocidal activity or specific cross-contamination reduction effects, the Biocidal Products Regulation generally applies.

It is no coincidence that many local manufacturers have redirected their production lines to make adequate pandemic protection more widely available and to support the market in a state of emergency.

HIPAA vulnerability scans

The Health Insurance Portability and Accountability Act (HIPAA) is a law of 1966, enacted under the former President of the United States, Bill Clinton, which aims to establish standards for the privacy and security of the flow of protected health information (PHI) with regard to health care, payments and operations, which so-called “covered entities” must follow. Although such entities may disclose PHI to specific parties without the express written consent of the patient, in order to facilitate treatment, payment or healthcare operations, generally any other disclosure requires the individual’s written consent, combined with appropriate data minimisation.

PHI, or protected health information, means personal data such as name, date of birth, treatment history and financial information.

Every organization working in the healthcare sector and using digital technologies to follow the patient must first ensure that this service is HIPAA-compliant, making “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity or the business associate”. In fact, vulnerability scans are used to point out any weaknesses that could compromise the security and defence of electronic health information; the scans are designed to anticipate such weaknesses so that adequate defences can be put in place. That is, with these scans we identify holes, missing or faulty implementations and incorrect system configurations. If a vendor has released a security patch, correctly installing that patch closes the weakness before it can be exploited.

Through the above scans two categories of defects can be detected:

– Defects in the software. These defects can be found in operating systems (such as Microsoft 7) or in software programs (Microsoft Office, Google Chrome or Internet Explorer).

– Defects in hardware. Vulnerability scans can reveal vulnerabilities on hardware devices (network firewalls, printers or routers).

As we have noticed, in this phase of the health emergency one of the primary targets of cyber-criminals has been precisely the health sector, an essential service filled with significant sensitive data about each of us. An attack on the confidentiality of PHI is defined by HIPAA as a security incident, which the Regulations identify as:

– an attempted or successful unauthorized access whose purpose is the use, disclosure, modification or destruction of data in an information system; or

– attempted or successful unauthorised access, use, disclosure, modification or interference with the operation of an information system.

In essence, a HIPAA security incident is an attempt (which may or may not be successful) to do something unauthorized. The “something” that is not authorized is unauthorized access, use, disclosure, modification, destruction or interference.

HIPAA itself lists the types of phenomena that fall under the “security incident” category, which are:
– Theft of passwords used to access electronic protected health information (ePHI).
– Viruses, malware or hacking attacks that interfere with the operation of information systems with ePHI.
– Failure to close the account of a former employee, which is then used by an unauthorized user to access information systems with ePHI.
– Providing media with ePHI, such as a PC or laptop hard drive, to another user who is not authorized to access ePHI, before removing the ePHI stored on the media.

Rightly, both regulatory and IT resources are aimed at protecting and safeguarding a sector, the health sector, whose importance, always fundamental, has become fully evident in these times of pandemic.

All Rights Reserved
Raffaella Aghemo, Lawyer





