#### *4.1.1 Industry-specific regulations*

In the United States, medical critical infrastructure entities have sector-specific regulatory requirements as well as other requirements, such as Payment Card Industry (PCI) compliance, to consider in risk management [27]. If an organization fails a PCI compliance or recompliance audit, it is at risk of losing the ability to accept credit cards, among other payment sources governed by PCI regulations. In the past, an organization that lost PCI compliance would consider itself a cash-only facility. Today, with the emergence of cryptocurrencies and alternative payment methods not covered by PCI, losing the use of credit cards might not be as drastic as it has been historically. Other regulations include compliance with those from the International Standards Organization (ISO). Globally, there are many industry-specific regulations that are not necessarily enforceable laws.

#### *4.1.2 Industry-specific Laws*

Medical covered entities under HIPAA/HITECH are subject to audits by the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR manages many civil rights matters across the United States in addition to HIPAA. Under HITECH, organizational breaches of electronic patient health information affecting more than 500 individuals must be reported to the OCR. Such breaches are subject to both federal fines and corrective actions. The OCR can also audit covered entities at any point in time. HIPAA is a very well-organized law. It has specific mandates for electronic health data, which should be consistently mapped during a risk assessment to appropriately manage organizational risk. HHS lists many guidance documents on its website, including mappings between NIST cybersecurity frameworks and HIPAA requirements. These are extremely useful resources for practitioners.

### **4.2 Training requirements**

Security education, training, and awareness (SETA) requirements may arise at the vendor level or from federal, state, or city regulations. In many instances they are not only legally mandated, but also serve as ethical mitigations. For example, employing staff who have not been properly trained on data security and then holding them responsible for data security mistakes is unethical. In fact, in such a case, labor laws may also be violated. Also, in New York State, the loss of employee Social Security Numbers (SSN) through any sort of data breach is a crime subject to legal penalties [28].

#### *4.2.1 Regulation trainings*

Different regulations require different levels of SETA. In the credit card industry, organizations that accept highly regulated alternatives to cash must protect the data by complying with the Payment Card Industry (PCI) regulation. The PCI Data Security Standard (DSS) requires that software developers working on services that handle credit cards be properly trained to code such systems. In addition, federal laws such as HIPAA also have specific training requirements. Lastly, little work on cybersecurity training is being done at the state or city level; however, proper awareness training could be suddenly mandated at these local levels. If an organization or its accepted vendors are missing any of these training requirements, the organization may be financially liable.
