As the landscape shifts rapidly in the wake of the COVID-19 pandemic, information security teams must shore up security for a largely remote workforce while absorbing an increase in attacks, on top of their day-to-day responsibilities of managing risk and meeting compliance obligations.
2020 was slated to be a benchmark year for cybersecurity compliance in many industries: the Department of Defense released the first version of the Cybersecurity Maturity Model Certification for defense contractors, new regulations emerged from the New York Department of Financial Services, and the much-anticipated California Consumer Privacy Act was set to go into effect. Now, with security teams pulled in many directions, they are faced with hardening security as well as meeting these standards - or are they?
Cybersecurity Regulations Impacted by COVID-19
In this difficult time, we started examining which compliance requirements are being adjusted in 2020 to allow organizations to get a handle on the impacts of the novel coronavirus. We’ve created a page dedicated to tracking compliance requirements and impacts of COVID-19. Below are some of our findings - subscribe here to get updates on the regulatory impacts of COVID-19 for infosec teams.
The HIPAA Security Rule is not new to the healthcare industry. However, in the COVID-19 crisis it is the health systems and hospitals that are under the most strain. As a result, the United States Department of Health and Human Services has announced that it is relaxing enforcement of the HIPAA rules for the foreseeable future.
The relaxed enforcement focuses specifically on telehealth, and on providers using video conferencing tools that may be less secure to communicate with potentially infected patients.
Separately, HHS issued a limited waiver of sanctions and penalties for specific Privacy Rule provisions. That waiver only applies:
- In the emergency area identified in the public health emergency declaration,
- To hospitals that have instituted a disaster protocol,
- For up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.
Following the European Union's General Data Protection Regulation (GDPR), and in line with the privacy laws of Massachusetts, Vermont, Ohio and many other states, California's controversial new privacy law gives businesses an opportunity to level up on privacy best practices. For the CISOs and IT leaders who help manage their organization's security risk and privacy activities, there is work to be done.
On June 28, 2018, the California Governor signed the California Consumer Privacy Act into law. The CCPA took effect on January 1, 2020, with enforcement by the California Attorney General scheduled to begin July 1, 2020.
As of March 26, the California Consumer Privacy Act is still on track for enforcement starting in July. A group of over 60 businesses has submitted a letter to the California Attorney General asking for an extension given the extraordinary circumstances. The Attorney General responded that, at this time, the regulation will proceed on schedule for the July enforcement date.
The Department of Defense's Cybersecurity Maturity Model Certification represents the next step toward securing the United States defense industrial base and is slated to begin appearing in RFIs in the second half of 2020.
The CMMC was developed in partnership with academia (Johns Hopkins University Applied Physics Laboratory and Carnegie Mellon University's Software Engineering Institute) and with industry input gathered through a listening tour. It draws on a library of existing standards and frameworks, including NIST SP 800-171 and the NIST Cybersecurity Framework.
Working Through This Together
As we move through this together as a community, we will stay on top of these and any new updates to new and existing compliance requirements that emerge as a result of COVID-19. In this difficult time, we must unite to protect our organizations and make sure we know where to focus our efforts. We will keep our Cybersecurity Compliance Standards Impacted by COVID-19 Resources page up to date - see the full list of regulations impacted by COVID-19 here.