Florida Representative Mike Giallombardo is introducing a bill to protect healthcare organizations from liability due to cyberattacks.
What happened
The legislation, filed on November 15th, would protect counties, municipalities, commercial entities, and third-party agents from liability if they follow certain security requirements.
According to a recent news report, cybersecurity breaches have been plaguing Florida for months; last month, Florida’s First Judicial Court suffered a cybersecurity breach that allowed hackers to access personal data and more from the court’s system. Tampa General Hospital and HCA Healthcare experienced cyber attacks in the spring, resulting in leaked patient information.
Aside from the proposed legislation, the Florida Department of Management Services also seeks $57 million in the next state budget to improve cybersecurity measures.
Going deeper
For entities to be protected, the bill will require them to follow certain guidelines and security frameworks. Organizations must follow certain standards from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). Furthermore, organizations covered by HIPAA or other federal laws must remain compliant.
If an organization experiences a cyberattack and could be held liable, it must prove it followed the listed guidelines. If they do, they may be protected.
The bill states, “A sole proprietorship, corporation, association, or other commercial entity that acquires, maintains, stores, or uses personal information is not liable for a cybersecurity incident if the entity substantially complies with [the cybersecurity frameworks.”
Organizations that do not follow the guidelines are not automatically found liable if they experience a cyberattack. However, they must go through the normal legal process to determine liability.
The bill reads, “Failure of a county, municipality, or commercial entity to substantially implement a cybersecurity program that is in compliance with this section is not evidence of negligence and does not constitute negligence per se.”
Why it matters
As states continue facing cybersecurity attacks and breaches, many are trying to develop new strategies to prevent attacks and the costs associated with resolving them. New York recently proposed increased cybersecurity regulations, outlining preventative and responsive measures.
Paubox’s Quarter 3 report found a 24% increase in hacking and IT-related incidents, with emails being a consistent risk. These attacks aren’t just a liability issue; they can also lead to financial implications, delays in patient treatment, and even hospital shutdowns.
The big picture
While states continue to deal with reforming legislation to combat evolving cyberattacks, healthcare organizations must also do their best to strengthen security measures whenever possible.
With many breaches and incidents starting in email networks, Paubox highly recommends organizations be diligent in securing their email platforms and providing employees with security training.
Related: HIPAA Compliant Email: The Definitive Guide.
Abby Grifno
