Delaware’s Comprehensive Data Privacy Law and HSCC’s Coordinated Healthcare Incident Response Plan Template

Comprehensive Data Privacy Law Passed by the Delaware Legislature

The Delaware legislature has passed a comprehensive new data privacy law. Governor John Carney is expected to sign the Personal Data Privacy Act, which would make Delaware the 12th U.S. state to enact a comprehensive data privacy law.

Unlike most other state privacy laws, the Delaware Personal Data Privacy Act does not contain an entity-level exemption for HIPAA-covered entities and their business associates. It does, however, contain a data-level exemption: protected health information (PHI) is excluded from the Act's scope. HIPAA-regulated entities must therefore ensure they comply with the new law for any personal data they hold that falls outside PHI, such as marketing, website, or employee data. Many of the requirements should not prove difficult for organizations that already comply with the HIPAA Privacy and Security Rules.

The Personal Data Privacy Act gives state residents new rights over their personal data: the right to know what data is being collected about them, to access that data, to correct inaccuracies, and to request deletion of their personal data. Consumers may not be discriminated against for exercising those rights. The Act uses broad definitions of personal and sensitive data. Personal data is any information that is linked or reasonably linkable to an identified or identifiable individual; it does not include de-identified data or publicly available information.

Sensitive data includes information that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis (including pregnancy), gender, status as transgender or nonbinary, and immigration or citizenship status. It also includes genetic and biometric data, precise geolocation data, and the personal data of a known child. Sensitive data may not be processed without the consumer's consent. Consumers must be told in a privacy notice how their personal data will be collected and used, what data will be shared with third parties, and the categories of third parties that will receive it. Consumers must also be given the opportunity to opt out of the sale of their personal data and of its use for targeted advertising. Data collection must be limited to what is reasonably necessary for the purpose for which the data is processed, and controllers must implement reasonable security practices to protect the confidentiality, integrity, and accessibility of personal data.

The Act uses the same definition of a child as the Children's Online Privacy Protection Act (COPPA) and has parental-consent requirements similar to COPPA's for consumers who are children. Controllers are also prohibited from serving targeted advertising to, or selling the personal data of, a consumer between 13 and 18 years of age without consent where the controller knows the consumer is in that age range.

The Act applies to businesses operating in Delaware that control or process the personal data of at least 35,000 consumers, or of more than 10,000 consumers when more than 20% of gross revenue comes from the sale of personal data. These thresholds are substantially lower than those in some other states that have passed data privacy legislation.

The law will take effect on January 1, 2025, provided the governor signs the bill before January 1, 2024. It will be enforced exclusively by the Delaware Department of Justice, which must conduct public outreach at least six months before the effective date to raise awareness of the new requirements among consumers and businesses.

Coordinated Healthcare Incident Response Plan Template Published by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) has released a Coordinated Healthcare Incident Response Plan (CHIRP) template that healthcare organizations can use to develop a harmonized cybersecurity incident response plan.

Given the frequency of cyberattacks on the healthcare sector and the harm they can cause, it is essential for healthcare organizations to develop, implement, maintain, and test an incident response plan. When a cyberattack occurs, the plan can be activated immediately to limit the damage and support a prompt recovery.

Many resources cover the technical response to a cybersecurity incident, and while they provide guidance on the technical phases of the response, such as identification, containment, eradication, and recovery, they do not address the impact of a cyberattack on patient care and safety. Healthcare organizations have emergency plans to ensure business continuity and continuity of patient care during IT outages and natural disasters; however, those plans may not be fully effective when the cause is a cyberattack, which can take systems offline for weeks and across many facilities at once.

The new HSCC resource is intended to address the gaps that many healthcare organizations have in their incident response plans. The CHIRP is a starting point for developing an effective incident response plan that each organization then tailors to its own needs. Healthcare delivery organizations typically already have many of the components needed to respond to a cybersecurity incident, but guidance has been lacking on how to bring those separate components together. The template is designed to be the mechanism that connects them so they operate as a single Coordinated Healthcare Incident Response Plan.

The template is a guidance document with sample content to help incident response plan owners understand the purpose of each section as they draft their own plan. It can be modified as needed to suit each organization and is intended to be used alongside the Health Industry Cybersecurity Operational Continuity – Cyber Incident (HIC-OCCI) guide.

The template guides plan managers through incident detection, response, IT system restoration, operations and emergency management, communications, and legal and risk management, and it is designed to be readily adapted to organizations of all types and sizes. The guidance helps healthcare organizations tie together their existing business continuity, emergency management, and disaster recovery plans and downtime procedures to ensure an effective, coordinated response to any cybersecurity incident.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology and cybersecurity. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.