How The New FTC Safeguards Rule Will Radically Change

January 17th, 2023
How The New FTC Safeguards Rule Will Radically Change

How Even Small Organizations Operate

A little over a year ago, the FTC made several amendments to the existing Safeguards Rule requiring even very small organizations to ensure the protection of client/patient data. These changes, set to go into effect back in December of 2022, are now going to be enforced starting June 9, 2023 – and it’s very likely that your office, regardless of how small or how your tech is being handled, WILL be required to implement certain new security protocols.

The Safeguards Rule was originally created for financial institutions. However, the new amendments broaden the definition of financial institutions to include real estate appraisers, car dealerships, payday lenders, and any business that regularly deals with finances moving to and from consumers. These organizations are required to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.

Here are the provisions you must implement:

  • Designate a qualified individual to oversee their information security program. That means someone at these companies need to be trained in information security, receive continuing security education, and be in charge of ensuring the organization is correctly executing the written information security plan. If no one on your team meets this requirement, you should think about hiring someone urgently.
  • Develop a written risk assessment. A risk assessment is done in two parts: one, a technical scan, and two, a questionnaire designed to reveal common security loopholes. This is typically outsourced to an IT firm like ours and needs to be reviewed annually (by law), but best practices should be quarterly, if not monthly, in situations where an office is handling a lot of sensitive information and the tolerance for risk by the owner is low. If you need this risk assessment, contact us.
  • Limit and monitor who can access sensitive client/patient information. For example, don’t give your entire team access to your credit card processing system. Only allow one employee (perhaps your biller or office manager), as well as one backup person (possibly you, the owner), to be able to log in and access this information.
  • Encrypt all sensitive information. Again, this is typically done by an outsourced IT company like ours, unless your organization is large enough to have a robust cyber security team that can handle it. “Sensitive information” is not just medical records and credit cards, but patients’ e-mail addresses, phone numbers, Social Security information, driver’s license information, and birthdays. ALL of this can be used by hackers to exploit your patients using the data you host.
  • Train security personnel. Employee awareness training is another key component to not only this law, but also to get and keep insurance coverage on cyber liability, crime, and other insurance policies.
  • Develop an incident response plan. Specifically, if (or when) you get compromised, you need to have a plan in place for how you will respond. This is also another service we offer to our clients but should be reviewed by your insurance agent, leadership team, board, and other key players in the organization.
  • Periodically assess the security practices of service providers. This law also requires you to ensure any partners or vendors you are doing business with – specifically ones where sensitive information is shared – to be secure and compliant. This may include requiring that vendors state in their contracts that they are adhering to the Safeguards Rule and to certain security frameworks, like CIS, or NIST.
  • Implement multifactor authentication or another method with equivalent protection for any individual accessing patient information. Also known as “2FA,” this process ensures anyone logging in to your accounts must authenticate that request via another device, such as a cell phone or e-mail.

If you want to discuss this new rule with us and how to get started with a Risk Assessment, click here to schedule a phone consultation to discuss your concerns, questions, and specific situation. If you prefer, you can call us at 631-224-9450.