North Carolina 30-Day Data Breach Notification Law

The Effect On Healthcare Organizations

On January 22nd, North Carolina Attorney General Josh Stein and Rep. Jason Saine reintroduced data privacy legislation that would give organizations only 30 days to report a breach.

This proposed legislation limits the time to report a breach to the State of NC to half of the time outlined in HIPAA, which mandates breach notifications occur within 60 days of discovery.

The State’s goal is to give consumers more transparency into where their data lives. They say that lessened notification time will “allow people to freeze their credit across all major credit reporting agencies and take other measures to prevent identity theft before it occurs.”

The Strengthen NC Identity Theft Protection Act mandates:

“When a person’s personal information has been compromised by a security breach, the entity that was breached must notify the affected person and the Attorney General’s office as soon as possible and no later than 30 days. This quick notification will allow people to freeze their credit across all major credit reporting agencies and take other measures to prevent identity theft before it occurs.”

Thirty days is a very short amount of time… Is your medical facility ready for this?

Ransomware Infections Will Now Be Deemed Data Breaches By The State

The re-introduced legislation redefines a data breach to include ransomware attacks, where the personal information is accessed but not acquired. This is important for healthcare organizations in North Carolina, as hackers are targeting them with ransomware attacks because ePHI is a valuable commodity on the Dark Web.

Now more than ever, you must ensure your healthcare business is protected from data intrusions and ransomware infections. As fast as we tell everyone about the various types of ransomware, another one surfaces.

And now there’s a new, more dangerous form of ransomware circulating that can creep in without you knowing it…

It’s called Phobos Crypto-Locking Ransomware and it’s been attacking organizations since December 2018. It has the ability to crypto-lock files on a local drive, as well as mapped network drives, unmapped network shares and virtual machine drives.

Phobos is different… A lot of ransomware ends up on systems as a result of spam or phishing attacks where individuals are tricked into clicking on a malicious link. But Phobos sneaks in on its own when you don’t have the security you need for Remote Desktop Ports (RDPs). And they’re an even bigger problem when healthcare and other businesses don’t have properly partitioned networks with strong administration controls.

Lists of RDP ports are available on the Dark Web for cybercriminals to purchase. Once in, attackers steal sensitive data such as payment card numbers or ePHI. By the time you find out that they’re in, they’ve already encrypted your files.

If Phobos Ransomware Gets In Via Your RDPs And You Don’t Know It – You Could Be In Violation Of NC’s New Law

Some organizations don’t realize that attackers have been inside their networks for weeks or even months… So, what happens if you find out that your system was breached by ransomware for months, but you didn’t notify the authorities within the 30 days? You may have violated the new NC notification law.

Even if you’re following HIPAA Security Best Practices, your system can be infected without your knowledge if your RDPs aren’t secured appropriately. Or if even one employee accidentally opens a ransomware link in a phishing email and you don’t report it within 30 days, you’ve violated the North Carolina Data Breach Notification law.

It’s Essential That You Bolster Your Cybersecurity Posture

It’s vital that all of your network and computing assets be monitored and managed to keep them protected from ransomware and other intrusions. Data breaches are serious business these days with new laws like North Carolina’s Data Breach Notification Law. And companies that face one violation can count on the costs being far more than they ever imagined.

According to Verizon’s 2018 Data Breach Investigations Report (DBIR), the healthcare industry is experiencing tremendous increases in the number of data breaches. Almost daily, we hear of a new breach at some doctor’s office or hospital.

The job of network security is ongoing and takes a 24/7 commitment. It’s essential for your healthcare organization and all of your business associates to have strong IT security measures in place. These rules must be followed by everyone in order to keep patients’ confidential data secure in all formats.

You Must Find New Ways To Protect Your Patients’ Data

Our team understands what’s at stake when it comes to your network security. We stay abreast of what’s going on in the world of cybercrime and the Dark Web. And we’re always aware of any new cyber scams.

We also monitor hardware and software applications for vulnerabilities. And we specialize in helping healthcare companies comply with regulations like HIPAA, SOC, FINRA and others.

You don’t have time to worry about network security. We can do this for you. That’s our commitment to you–to give you excellent network security that works as expected so you never have to deal with unexpected surprises such as a Phobos ransomware attack.

For assistance protecting your patients’ data from Phobos ransomware or other malware infections, contact the IT specialists at HitsTech in Charlotte, NC. We’ll be happy to visit your facility and explain how we can secure your network.

In The Meantime–Stay Up To Date On Ransomware And IT News

Just like our techs do, you and your employees must stay up to date on the latest IT threats and how you can avoid them. Visit our Media Center where we publish new helpful information all the time.
