September 19, 2016
Digital Health Information and the Threat of Cyberattack
The number of cyberattacks targeting sensitive health information maintained by health care providers and health plans has increased significantly in the past two years. This trend is raising concerns about the vulnerability of electronic health data. Cybersecurity experts predict that the number of cyberattacks involving health information will continue to grow because the data are so valuable. Health information often contains a rich set of personal identifiers. These can be used to create false identities for various illegal purposes, including submitting fraudulent insurance claims. Stolen health data fetches higher prices than stolen credit card numbers, which can be quickly deactivated.

Health care cybersecurity involves more than just safeguarding patient data from medical identity theft. Many hackers are now using ransomware to attack hospitals and other health care facilities in an effort to extort money by disrupting their daily operations. Ransomware is a type of malicious software that prevents the victim from accessing their data—usually by encrypting the data using a key known only to the hacker—until a ransom is paid. By denying a health care facility access to its own data, ransomware attacks may put patients’ lives at risk.

Health care facilities also are concerned about the cybersecurity of medical devices used to monitor and support patients. Increasingly, such devices are connected to the Internet and other networks.

Health care providers and health plans that handle health information in electronic form (as opposed to paper-based records) are subject to the Health Insurance Portability and Accountability Act (HIPAA) security standards.

Information security experts question whether the HIPAA security standards are sufficiently protective of electronic health data. They argue that the standards fail to address modern cybersecurity challenges.

The HIPAA standards are administered and enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). OCR is working with other HHS agencies to provide guidance and compliance tools for HIPAA-covered entities.

Millions Affected by Health Care Cyberattacks

Any breach of unsecured health information affecting 500 or more individuals must be reported to OCR. A breach is the “acquisition, access, use, or disclosure of protected health information in a manner not permitted under the [HIPAA privacy standards] which compromises [its] security or privacy.” Information is unsecured if “it is not rendered unusable, unreadable, or indecipherable to unauthorized persons,” for example, by using encryption.

Figure 1 shows the cumulative number of breaches reported and number of individuals affected, by type of breach, since reporting began in October 2009.

Figure 1. Breaches of HIPAA-Protected Health Data
Source: CRS analysis of HHS/OCR data through August 24, 2016.

To date, almost half of all reported breaches have been the result of theft—either theft of equipment and devices (e.g., servers, laptops, flash drives) that store electronic health information, or theft of paper records. Breaches due to theft account for 738 (45%) of the total of 1,627 reported breaches. However, these incidents have affected only about 24 million (14%) of the more than 167 million individuals who have been affected by all types of reported breaches.

By comparison, breaches due to a hacking/IT incident (i.e., cyberattack)—in which electronic health information is impermissibly accessed through technical intrusion using malicious software to attack or penetrate a system—represent a relatively small percentage of reported breaches. But some of these cyberattacks have affected millions of individuals, far more than other types of breaches. Altogether, the 217 hacking/IT incidents (13%) have affected almost 126 million individuals, or about 75% of the total number of affected individuals.

Breaches also occur as a result of loss of equipment or paper records, unauthorized access to (and disclosure of) health information that does not involve technical intrusion, as well as by other means (e.g., improper disposal).

The cumulative data on hacking/IT incidents mask an important trend. A majority of these incidents were reported in the past two years. During the same period, the number of reports of some of the other types of breaches (e.g., theft, loss, improper disposal) has been declining.
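The distinction this section draws between a stolen laptop full of ciphertext and a stolen laptop full of readable records is the whole of the “unsecured” test: can the person who now holds the medium read the data without a key that is kept elsewhere? The following is an added example, not part of the CRS report and not HHS/OCR guidance, that makes that test concrete with a constructed patient record sealed using AES-256-GCM from the Go standard library. The record contents, the key handling, and the use of a record ID as associated data are assumptions for illustration. The caveat a practitioner should take from it is in ThiefCanRead: encryption only renders the data indecipherable if the key is not sitting on the same device.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SampleRecord is a constructed patient record used only for this example.
// It is not real data and does not come from the CRS report.
const SampleRecord = `{"mrn":"000123","name":"J. Doe","dx":"E11.9"}`

// NewKey returns a fresh 256-bit AES key. The safe harbor depends on this
// key living somewhere other than the medium that can be lost or stolen
// (a key-management service, an HSM, a TPM-sealed blob), so keep it there.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM. A random 12-byte nonce is
// prepended to the output, and GCM appends a 16-byte tag that binds the
// ciphertext to recordID (passed as associated data), so a stored blob can
// neither be altered silently nor swapped onto another patient's record.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. It returns an error, and no plaintext, when the key
// is wrong, when any byte of the blob has changed, or when the blob is
// presented under a different recordID.
func Open(key []byte, recordID string, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

// ThiefCanRead answers the "unsecured" question for a lost or stolen
// device: given only what is physically on it, can the finder recover the
// record? keyOnDevice is nil when the key was kept elsewhere.
func ThiefCanRead(recordID string, sealed, keyOnDevice []byte) bool {
	if keyOnDevice == nil {
		return false // ciphertext alone is indecipherable
	}
	_, err := Open(keyOnDevice, recordID, sealed)
	return err == nil // key stored beside the data: this is unsecured PHI
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, "rec-1", []byte(SampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("key kept off the device, thief can read: %v\n", ThiefCanRead("rec-1", sealed, nil))
	fmt.Printf("key file left on the device, thief can read: %v\n", ThiefCanRead("rec-1", sealed, key))

	// Integrity, which the HIPAA standards also name: one flipped bit in the
	// stored blob makes Open reject it instead of returning corrupted data.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, "rec-1", tampered)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

Run it with `go run` and the first line reports false, the second true: the same ciphertext, and the only variable is where the key was. That is why full-disk encryption with the passphrase on a sticky note, or a database key in a config file on the same server, does not turn a theft into a non-reportable event.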
https://crsreports.congress.gov
HIPAA Security Standards Under Scrutiny

The stated purpose of the HIPAA security standards is to ensure the confidentiality, integrity, and availability of electronic health information; prevent its unauthorized use and disclosure; and protect it from reasonably anticipated security threats, including cyberattacks. The standards were issued in 2003 and have not been modified since.

Health care entities have considerable discretion in how they implement the 18 separate standards, which cover such areas as security management, security incident procedures, access controls, and data transmission security.

Each security standard is accompanied by one or more implementation specifications. Some of these are required. To meet the security management standard, for example, each covered entity must conduct an accurate and thorough security risk analysis to identify potential threats and vulnerabilities. This is the first and most important step that needs to be taken, as it forms the foundation upon which all subsequent HIPAA security activities are based.

Other implementation specifications are addressable, allowing the entity to implement equivalent alternative measures if reasonable and appropriate.

The standards are designed to be flexible and scalable, as they must apply to entities ranging from the largest health care organization to the smallest provider practice. When implementing the standards, each entity must take into account its size and complexity, its technical infrastructure and capabilities, the security risks and vulnerabilities that it faces, and implementation costs. Moreover, the standards are technology neutral, allowing entities to take advantage of the continual emergence of new technologies.

The HIPAA security standards face growing criticism. Health care providers complain that the standards are not sufficiently prescriptive. Each standard describes what to do but not how to do it. For example, each entity must implement a security training and awareness program for its workforce. But there are no specific instructions about the content and frequency of such programs. In light of recent cyberattacks, some information security experts question whether health care payers and providers should be given so much latitude in implementing the HIPAA standards versus having to meet a more prescribed set of requirements.

Other experts argue that the standards do not capture the realities of today’s digital technology and fail to address modern cybersecurity challenges. While recognizing that HIPAA’s one-size-fits-all approach provides a basic road map for organizations with little or no information security experience, they maintain that the standards have not kept pace with cyber technology. For example, the standards say nothing about malware and ransomware, intrusion detection, or specific cyber incident responses.

New Focus on Medical Device Cybersecurity

Medical devices are often connected to networks to facilitate patient care. Networked devices, like other networked computer systems, incorporate software that can make them vulnerable to cyberattack.

Large hospitals, which may have thousands of networked devices running on multiple software platforms, are especially concerned about device cybersecurity. A dozen hospitals recently volunteered to participate in a test in which cybersecurity experts attempted and were able to hack into and control patient monitors and ventilators. The hackers also triggered false alarms, which under normal circumstances might have prompted doctors and nurses to administer unnecessary or adverse treatments.

Hospital officials complain that medical device manufacturers are not taking sufficient steps to address cybersecurity and, instead, are shifting that responsibility to those who purchase and use their products. Many health care providers would like to see the Food and Drug Administration (FDA) make cybersecurity a requirement for premarket approval of new medical devices.

In 2014, FDA issued nonbinding guidance on medical device cybersecurity. As part of the required process of software validation and risk analysis, the agency recommended that manufacturers also address cybersecurity and incorporate appropriate controls during the design and development of new (and upgraded) devices.

Earlier this year, FDA sought public comment on draft guidance for managing the cybersecurity of marketed medical devices. It recommended that device manufacturers monitor, identify, and respond to cybersecurity vulnerabilities and cyberattacks throughout a product’s life cycle. FDA emphasized that cybersecurity is the collective responsibility of all stakeholders and encouraged cybersecurity information sharing and collaboration.

Congress Acts on Health Care Cybersecurity

The Cybersecurity Act of 2015, enacted last December (P.L. 114-113, Division N), included three sets of provisions aimed specifically at the health care sector. First, it instructed the HHS Secretary, by December 2016, to report to Congress on the preparedness of the department and the health care industry to respond to cyberattacks.

Second, the law established a Health Care Industry Cybersecurity Task Force and instructed it to (1) analyze how other industries are addressing cybersecurity threats; (2) examine the challenges that the health care industry faces in resisting cyberattacks, including securing networked medical devices; and (3) provide the Secretary with information for public dissemination on improving cybersecurity preparedness and response. The task force is expected to report its findings and recommendations to Congress by April 2017.

Finally, the law required the Secretary to oversee the development of a common set of voluntary, consensus-based, industry-led guidelines and best practices for reducing the cybersecurity risks faced by health care organizations.

C. Stephen Redhead, Specialist in Health Policy

IF10473
Disclaimer

This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF10473 · VERSION 2 · NEW