
February 12, 2024
Cybersecurity and Digital Health Information
As the technologies used in health care expand, so too do cybersecurity vulnerabilities. Increasingly, health care actors use electronic health records (EHRs), artificial intelligence (AI) technologies, and telehealth services to provide and facilitate care. While these technologies have their advantages, stakeholders have noted they also increase the number of potential cybersecurity weaknesses an entity may be exposed to through greater technological complexity and the number of actors with which an entity may interact.

Cyberattacks targeting sensitive health information maintained by health care providers and health plans have sharply increased over the past decade. Cybersecurity experts predict that cyberattacks involving health information will continue to affect a growing number of people in the future. This In Focus reviews the implications of cybersecurity on health information.

Health care providers, health plans, and health care clearinghouses that hold or transmit electronic protected health information (e-PHI) are subject to the Health Insurance Portability and Accountability Act (HIPAA; P.L. 104-191) Security Rule and Breach Notification Rule. These HIPAA rules are administered and enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). OCR works with other HHS agencies to provide guidance and compliance tools for HIPAA-covered entities.

Any breach of unsecured protected health information (PHI) must be reported to OCR pursuant to the Breach Notification Rule. A breach is the “acquisition, access, use, or disclosure of protected health information in a manner not permitted under the [HIPAA Rules] which compromises [its] security or privacy.” Protected health information is unsecured if it “is not rendered unusable, unreadable, or indecipherable to unauthorized persons” (such as through encryption). There are generally five types of digital breaches reported to OCR: a hacking or information technology (IT) incident of electronic equipment or a network server, unauthorized access or disclosure of records containing PHI, theft of electronic equipment/portable devices, loss of electronic media, and improper disposal of PHI. During 2021, OCR was notified of 609 breaches where each affected 500 or more people, the majority of which were hacking incidents. Over 37 million people were affected by these breaches. OCR was notified of 63,571 breaches affecting fewer than 500 people during the same period, with the most common cause being unauthorized access to, or disclosure of, PHI. Over 300,000 people were affected by these breaches.

HIPAA

HIPAA was enacted to “improve the efficiency and effectiveness of the health care system,” in part by ensuring that patients have access to their health information and establishing privacy and security measures for such data. Pursuant to HIPAA, several rules were promulgated, including the Privacy Rule, the Security Rule, and the Breach Notification Rule—the latter two are especially important for e-PHI. The HIPAA Rules apply to covered entities that possess PHI or e-PHI, such as health care providers, health plans, health care clearinghouses, and business associates.

HIPAA Security Rule. Issued in 2003, the HIPAA Security Rule “establishes national standards to protect individuals’ [e-PHI] that is created, received, used, or maintained by a covered entity.” The Security Rule enumerates 18 administrative, physical, and technical safeguards (or standards) for e-PHI to ensure its confidentiality, integrity, and security. These standards are designed to be flexible and scalable to entities of all sizes, as well as technology neutral, so that entities may adopt novel technologies as they emerge.

Covered entities and business associates have discretion in how they accomplish the 18 standards, depending upon the organization’s “size, complexity and capabilities,” its “technical infrastructure, hardware, and software security capabilities,” the “costs of security measures,” and the “probability and criticality of potential risks to [e-PHI].” Each security standard is accompanied by one or more implementation specifications. Specifications may be required, meaning an organization must implement them, or addressable, meaning an organization may implement equivalent alternative measures if reasonable and appropriate. For example, the security management process standard is accompanied by four required implementation specifications, one of which is a risk analysis. Every covered entity and business associate must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [e-PHI]” in its possession. This analysis is the foundation of all other safeguards in the Security Rule. OCR has published guidance and jointly released a HIPAA Security Risk Assessment (SRA) Tool with the Office of the National Coordinator for Health Information Technology (ONC) to help entities properly conduct this risk analysis. The National Institute of Standards and Technology (NIST) and OCR have also been collaborating on a revised special publication that would, in part, discuss how to conduct this risk analysis.

The HIPAA Security Rule has faced criticism. A primary current stakeholder concern is that it does not apply broadly enough in the context of emerging technologies. Some entities, such as personal health application developers, may receive e-PHI yet fall outside the rule’s scope. Stakeholders question whether such entities will use or disclose sensitive data for marketing and other purposes. Similar concerns have been raised regarding data used to train, validate, and test AI models. Other critiques include that the Security Rule insufficiently addresses cybersecurity threats such as ransomware.

HIPAA Breach Notification Rule. Introduced in 2009, the HIPAA Breach Notification Rule requires covered entities and their business associates to notify select parties following an unsecured PHI breach. A breach is generally assumed when there has been an impermissible use or disclosure of PHI, unless an exception is met or the entity performs a risk assessment that demonstrates a low probability that PHI has been compromised. Generally, if a breach affects 500 people or more, a covered entity must timely notify individuals affected and the HHS Secretary, who must publish a list of such breaches on the HHS website. Additionally, if more than 500 individuals in a particular state or jurisdiction are affected by a breach, prominent media outlets serving those regions must be notified by the covered entity. In turn, if fewer than 500 people are affected, generally a covered entity must timely notify individuals affected and the Secretary.

Similar breach notification provisions under the Federal Trade Commission (FTC) Health Breach Notification Rule (HBNR) apply to vendors of personal health records (PHRs) and related entities not already subject to HIPAA. The FTC has stated that the HBNR encompasses health applications and other connected device companies.

Medical Device Cybersecurity

Device software functions regulated by the U.S. Food and Drug Administration (FDA), which have proliferated in recent years, include software as a medical device (SaMD) and software that is a component of a device. Many such devices are “cyber” devices; that is, they may connect to the internet and networks to facilitate patient care, increasing the devices’ susceptibility to cyberattack. Large hospitals may have thousands of networked devices running on multiple software platforms. Responsibility for the cybersecurity of medical devices has been an ongoing concern for stakeholders, with medical device manufacturers and device users often unclear about the locus of responsibility for ensuring device cybersecurity.

Traditionally, FDA addressed device cybersecurity through its existing authorities (i.e., Quality System [QS] Regulation, 21 C.F.R. Part 820) and guidance on both premarket and postmarket device cybersecurity. In 2023, Congress established requirements for premarket submissions for cyber devices, including for 510(k) notifications, de novo requests, and premarket approval applications (PMAs), among others (Consolidated Appropriations Act, 2023; P.L. 117-328). Device sponsors are required to “design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure” and to include in their premarket submissions “a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities” and a software bill of materials, among other things (Federal Food, Drug, and Cosmetic Act §524B).

Considerations for Congress

Myriad government actions targeting, in whole or in part, the cybersecurity of digital health information have been proposed, undertaken, issued, and enacted. Select examples include the Cybersecurity Act of 2015 (P.L. 114-113, Division N) and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA; P.L. 117-103, Division Y). Section 405, entitled Improving Cybersecurity in the Health Care Industry, of the Cybersecurity Act of 2015 in particular tasked HHS with multiple actions to assess and strengthen cybersecurity in the health care industry. Within Subsection (d) of Section 405 specifically, HHS was also granted the authority to create common, voluntary guidelines and best practices, methodologies, procedures, and processes to combat cybersecurity risks in the health care and public health (HPH) sector.

Further considerations for Congress exist regarding the cybersecurity of digital health information. Select considerations include issues related to the scale of cyberattacks and their outcomes, limited and patchwork privacy and security governance, and a lack of cybersecurity resources available to different parties.

Regarding the scale of cyberattacks in the United States against the HPH sector, both domestic and foreign parties have been implicated. Some cyberattacks against this sector have also been attributed to nation-states. According to stakeholders, the outcomes of these cyberattacks (often due to ransomware) include hospital closures, regional health care delivery disruptions, and potentially even patient deaths. Consequently, some stakeholders have suggested that such cyberattacks should be considered and treated as regional disasters.

No comprehensive digital data protection law exists in the United States. While OCR may enforce HIPAA and FTC may enforce the HBNR, stakeholders have noted confusion regarding their applications, especially as technologies evolve. In addition, states may have varying data privacy and security laws. Furthermore, although many data protection guidances are available, they are voluntary.

Additionally, there is inequity in access to cybersecurity resources among health care actors. Rural and smaller health care facilities in particular may not have the funds to maintain a cybersecurity workforce or regularly update their technologies and cybersecurity measures. In general, the cybersecurity workforce is already limited, making it particularly difficult for rural and smaller providers to attract and retain qualified staff.

Nora Wells, Analyst in Health Policy
Amanda K. Sarata, Specialist in Health Policy

IF12591
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF12591 · VERSION 2 · NEW