On June 2, 2017, the Department of Health and Human Services (HHS) declared health care cybersecurity at critical risk. According to HHS, the health care industry is now the number one target for cyber-attacks. It is predicted that one in 13 patients in America will be affected by a health systems breach in the next five years. Constant, high profile cases of identity theft and ransomware illustrate the vulnerabilities of our nation’s health care data. In 2016, over 27 million patient records were affected by data breaches, costing an estimated $6.2 billion a year for the industry. Understanding the role of cybersecurity is central to managing risks to health and public health sectors.
Cybersecurity entails monitoring networks, computer systems, and data to prevent attacks or unauthorized access. The role of cybersecurity in public health is to ensure patient information is secure. Effective cybersecurity in health care organizations is essential to protecting individual privacy and the public’s health. Even a single weak link in software or systems could disrupt a hospital’s ability to provide services, lead to unauthorized disclosures of protected health information (PHI), and erode public and patient confidence in healthcare providers.
A May 2017 survey shows that 68 percent of patients considered leaving their health care provider if their hospital was attacked by ransomware. Public health reporting requirements and access to health information to preserve community health could be seriously hindered by patient avoidance of health services or withholding medical information to their health care provider, leading to the spread of communicable conditions like HIV or delays in treatments for chronic conditions.
Unauthorized access to health information impedes public health efforts in other ways. Incomplete or inaccurate data collected for a patient’s well-being or treatments can affect the quality, privacy and safety of patient care and impair public health surveillance. In December 2016, the New Hampshire Department of Health and Human Services was hacked, resulting in social security numbers and medical service records being shared via social media. In May 2016, The County of Los Angeles Department of Public Health also experienced a breach disclosing medical record numbers and medical information, including diagnoses and treatment information.
In addition to federal and state cybersecurity regulation, the HHS Security Rule, issued pursuant to the Health Insurance Portability and Accountability Act (HIPAA), requires health providers to implement minimal safeguards to ensure confidentiality of PHI. However, the Rule insufficiently addresses cybersecurity preparedness because it does not outline specific technical safeguards. Health care entities are required to use their own discretion on how to achieve HIPAA compliance, but many lack training or resources on how to adequately address cybersecurity demands.
The Security Rule does not adequately address threats posed by employee mistakes or negligence, which cause almost half of all data breaches in hospitals. Health care entities need expert partners in cybersecurity to better prepare and train all employees on best practices about data security. In 2016, 60 percent of organizations said it is not mandatory to train employees about security risks; one-third of hospitals did not punish employees for negligent behaviors when data breaches occurred.
Many hospitals are still operating outdated systems and software. This is perilous. Older systems increase the likelihood that hackers can evade systems’ security programs, especially if they are not regularly updated via several different security programs. Cybersecurity experts recommend avoiding transmission of PHI across public networks without encryption and equipping all devices with strong authentication and access controls.
Advance planning, prevention and active preparedness for unexpected security breaches are essential. Information must be backed up offsite regularly so it can be accurately restored in the event of an emergency. Cybersecurity preparedness entails adequate planning and implementation of a response process, which includes up-to-date security measures and trained personnel.
This post was prepared by Rebecca Queensland, Legal Researcher and J.D. Candidate (2018), Center for Public Health Law and Policy, Sandra Day O’Connor College of Law, and James G. Hodge, Jr., J.D., LL.M., Director, Network for Public Health Law—Western Region Office, and reviewed by Sarah Noe, Senior Student Aid, and J.D. Candidate (2020), University of Pennsylvania School of Law.
The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document do not constitute legal advice or legal representation. For legal advice, readers should consult licensed lawyers in their state.
Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not necessarily represent the views of, and should not be attributed to, RWJF.