USA Law and Practice Contributed by: Beth George, Timothy Howard, Brock Dahl and Megan Kayo, Freshfields
October 2024, the NYDFS issued guidance on how companies can address the emerging security threats from AI. It includes recommendations such as updating employee training to expand awareness of AI-powered social engineering and designing access controls to better withstand deepfakes and other AI-enhanced attacks.

6.3 Cybersecurity in the Healthcare Sector

HIPAA is the primary law that regulates data privacy and security for healthcare entities. HIPAA’s Security Rule includes prescriptive requirements for covered entities to implement specific safeguards to ensure the confidentiality, integrity and availability of ePHI, including through risk assessments, encryption, “minimum necessary” access controls, a contingency plan to restore any loss of data, and business associate contracts. In December 2024, the HHS published a Notice of Proposed Rulemaking and announced proposed changes to the Security Rule that would heighten the requirements for covered entities – for example, newly requiring annual penetration testing, as well as a written technology asset inventory mapping the data flows of ePHI within the covered entity’s systems. Shortly after his election, President Trump issued an executive order directing federal agencies to not propose or issue any rule until a department or agency head appointed by President Trump approved such rule. Accordingly, the future of these proposed amendments remains unclear.

Additionally, the HIPAA Breach Notification Rule requires covered entities to provide notification of certain breaches of protected health information to affected individuals, the HHS, and the media. Through the Health Breach Notification Rule, the FTC separately requires vendors of personal health records and their third-party service providers to report certain breaches to affected individuals and the FTC.