With cyberattacks increasingly targeting health care providers, an arduous bureaucratic process meant to address legal risk is keeping hospitals offline longer, potentially risking lives.
One more point: a well structured law would likely lower the administrative burden on affected parties as well.
Service providers are asking because they genuinely need to know, and because medical information is pretty much the only area where there are comprehensive regulations on data protection. They could absolutely be held responsible for the negligence of allowing a known infected system to infect them. A known compromised system is known to be compromised until you’ve fully evaluated the attack vector, the scope of access, and taken steps to prevent that attack from happening again.
But because there isn’t a legally standardized mechanism to report security issues, vendors are rolling their own. Many of them would be perfectly satisfied accepting an official, standard, form, especially is there was some language that made it clear that acceptance of the form for reports was enough of a “best practice” to limit their liability if the system infected them after the fact.
One more point: a well structured law would likely lower the administrative burden on affected parties as well.
Service providers are asking because they genuinely need to know, and because medical information is pretty much the only area where there are comprehensive regulations on data protection. They could absolutely be held responsible for the negligence of allowing a known infected system to infect them. A known compromised system is known to be compromised until you’ve fully evaluated the attack vector, the scope of access, and taken steps to prevent that attack from happening again.
But because there isn’t a legally standardized mechanism to report security issues, vendors are rolling their own. Many of them would be perfectly satisfied accepting an official, standard, form, especially is there was some language that made it clear that acceptance of the form for reports was enough of a “best practice” to limit their liability if the system infected them after the fact.