September 19, 2016
Digital Health Information and the Threat of Cyberattack
The number of cyberattacks targeting sensitive health
information maintained by health care providers and health
plans has increased significantly in the past two years. This
trend is raising concerns about the vulnerability of
electronic health data. Cybersecurity experts predict that the
number of cyberattacks involving health information will
continue to grow because the data are so valuable.
Figure 1 shows the cumulative number of breaches
reported and number of individuals affected, by type of
breach, since reporting began in October 2009.
Figure 1. Breaches of HIPAA-Protected Health Data
Health information often contains a rich set of personal
identifiers. These can be used to create false identities for
various illegal purposes, including submitting fraudulent
insurance claims. Stolen health data fetches higher prices
than stolen credit card numbers, which can be quickly
deactivated.
Health care cybersecurity involves more than just
safeguarding patient data from medical identity theft. Many
hackers are now using ransomware to attack hospitals and
other health care facilities in an effort to extort money by
disrupting their daily operations. Ransomware is a type of
malicious software that prevents the victim from accessing
their data—usually by encrypting the data using a key
known only to the hacker—until a ransom is paid. By
denying a health care facility access to its own data,
ransomware attacks may put patients’ lives at risk.
Health care facilities also are concerned about the
cybersecurity of medical devices used to monitor and
support patients. Increasingly, such devices are connected
to the Internet and other networks.
Health care providers and health plans that handle health
information in electronic form (as opposed to paper-based
records) are subject to the Health Insurance Portability and
Accountability Act (HIPAA) security standards.
Information security experts question whether the HIPAA
security standards are sufficiently protective of electronic
health data. They argue that the standards fail to address
modern cybersecurity challenges.
The HIPAA standards are administered and enforced by the
Office for Civil Rights (OCR) within the Department of
Health and Human Services (HHS). OCR is working with
other HHS agencies to provide guidance and compliance
tools for HIPAA-covered entities.
Millions Affected by Health Care Cyberattacks
Any breach of unsecured health information affecting 500
or more individuals must be reported to OCR. A breach is
the “acquisition, access, use, or disclosure of protected
health information in a manner not permitted under the
[HIPAA privacy standards] which compromises [its]
security or privacy.” Information is unsecured if “it is not
rendered unusable, unreadable, or indecipherable to
unauthorized persons,” for example, by using encryption.
Source: CRS analysis of HHS/OCR data through August 24, 2016.
To date, almost half of all reported breaches have been the
result of theft—either theft of equipment and devices (e.g.,
servers, laptops, flash drives) that store electronic health
information, or theft of paper records. Breaches due to theft
account for 738 (45%) of the total of 1,627 reported
breaches. However, these incidents have affected only
about 24 million (14%) of the more than 167 million
individuals who have been affected by all types of reported
breaches.
By comparison, breaches due to a hacking/IT incident (i.e.,
cyberattack)—in which electronic health information is
impermissibly accessed through technical intrusion using
malicious software to attack or penetrate a system—
represent a relatively small percentage of reported breaches.
But some of these cyberattacks have affected millions of
individuals, far more than other types of breaches.
Altogether, the 217 hacking/IT incidents (13%) have
affected almost 126 million individuals, or about 75% of
the total number of affected individuals.
Breaches also occur as a result of loss of equipment or
paper records, unauthorized access to (and disclosure of)
health information that does not involve technical intrusion,
as well as by other means (e.g., improper disposal).
The cumulative data on hacking/IT incidents mask an
important trend. A majority of these incidents were reported
in the past two years. During the same period, the number
of reports of some of the other types of breaches (e.g., theft,
loss, improper disposal) has been declining.
https://crsreports.congress.gov
Digital Health Information and the Threat of Cyberattack
HIPAA Security Standards Under Scrutiny
The stated purpose of the HIPAA security standards is to
ensure the confidentiality, integrity, and availability of
electronic health information; prevent its unauthorized use
and disclosure; and protect it from reasonably anticipated
security threats, including cyberattacks. The standards were
issued in 2003 and have not been modified since.
Health care entities have considerable discretion in how
they implement the 18 separate standards, which cover such
areas as security management, security incident procedures,
access controls, and data transmission security.
Each security standard is accompanied by one or more
implementation specifications. Some of these are required.
To meet the security management standard, for example,
each covered entity must conduct an accurate and thorough
security risk analysis to identify potential threats and
vulnerabilities. This is the first and most important step that
needs to be taken, as it forms the foundation upon which all
subsequent HIPAA security activities are based.
Other implementation specifications are addressable,
allowing the entity to implement equivalent alternative
measures if reasonable and appropriate.
The standards are designed to be flexible and scalable, as
they must apply to entities ranging from the largest health
care organization to the smallest provider practice. When
implementing the standards, each entity must take into
account its size and complexity, its technical infrastructure
and capabilities, the security risks and vulnerabilities that it
faces, and implementation costs. Moreover, the standards
are technology neutral, allowing entities to take advantage
of the continual emergence of new technologies.
The HIPAA security standards face growing criticism.
Health care providers complain that the standards are not
sufficiently prescriptive. Each standard describes what to do
but not how to do it. For example, each entity must
implement a security training and awareness program for its
workforce. But there are no specific instructions about the
content and frequency of such programs. In light of recent
cyberattacks, some information security experts question
whether heath care payers and providers should be given so
much latitude in implementing the HIPAA standards versus
having to meet a more prescribed set of requirements.
Other experts argue that the standards do not capture the
realities of today’s digital technology and fail to address
modern cybersecurity challenges. While recognizing that
HIPAA’s one-size-fits-all approach provides a basic road
map for organizations with little or no information security
experience, they maintain that the standards have not kept
pace with cyber technology. For example, the standards say
nothing about malware and ransomware, intrusion
detection, or specific cyber incident responses.
New Focus on Medical Device Cybersecurity
Medical devices are often connected to networks to
facilitate patient care. Networked devices, like other
networked computer systems, incorporate software that can
make them vulnerable to cyberattack.
Large hospitals, which may have thousands of networked
devices running on multiple software platforms, are
especially concerned about device cybersecurity. A dozen
hospitals recently volunteered to participate in a test in
which cybersecurity experts attempted and were able to
hack into and control patient monitors and ventilators. The
hackers also triggered false alarms, which under normal
circumstances might have prompted doctors and nurses to
administer unnecessary or adverse treatments.
Hospital officials complain that medical device
manufacturers are not taking sufficient steps to address
cybersecurity and, instead, are shifting that responsibility to
those who purchase and use their products. Many health
care providers would like to see the Food and Drug
Administration (FDA) make cybersecurity a requirement
for premarket approval of new medical devices.
In 2014, FDA issued nonbinding guidance on medical
device cybersecurity. As part of the required process of
software validation and risk analysis, the agency
recommended that manufacturers also address
cybersecurity and incorporate appropriate controls during
the design and development of new (and upgraded) devices.
Earlier this year, FDA sought public comment on draft
guidance for managing the cybersecurity of marketed
medical devices. It recommended that device manufacturers
monitor, identify, and respond to cybersecurity
vulnerabilities and cyberattacks throughout a product’s life
cycle. FDA emphasized that cybersecurity is the collective
responsibility of all stakeholders and encouraged
cybersecurity information sharing and collaboration.
Congress Acts on Health Care Cybersecurity
The Cybersecurity Act of 2015, enacted last December
(P.L. 114-113, Division N), included three sets of
provisions aimed specifically at the health care sector. First,
it instructed the HHS Secretary, by December 2016, to
report to Congress on the preparedness of the department
and the health care industry to respond to cyberattacks.
Second, the law established a Health Care Industry
Cybersecurity Task Force and instructed it to (1) analyze
how other industries are addressing cybersecurity threats;
(2) examine the challenges that the health care industry
faces in resisting cyberattacks, including securing
networked medical devices; and (3) provide the Secretary
with information for public dissemination on improving
cybersecurity preparedness and response. The task force is
expected to report its findings and recommendations to
Congress by April 2017.
Finally, the law required the Secretary to oversee the
development of a common set of voluntary, consensusbased, industry-led guidelines and best practices for
reducing the cybersecurity risks faced by health care
organizations.
C. Stephen Redhead, Specialist in Health Policy
https://crsreports.congress.gov
IF10473
Digital Health Information and the Threat of Cyberattack
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF10473 · VERSION 2 · NEW