Ryan Flanagan
GIST 698: Capstone Seminar
April 9, 2014

CYBERSECURITY’S ROLE IN IMPROVING HEALTH CARE IN THE UNITED STATES
Abstract

Health care spending per capita in the United States is more than twice that of peer industrialized nations, yet health outcomes are comparatively worse. The global population is becoming increasingly interconnected through globalization, and even more so through the rapid growth in the number of individuals connected to the Internet. Federal regulations protecting the privacy and security of patients’ personal data have been mitigating cybersecurity threats since 1996, but the global shift toward technologically enabled health care will require a significant response from the private sector to improve health care in the United States. This paper analyzes the federal government’s and the private sector’s roles in improving cybersecurity in health care.
Table of Contents

Introduction
Background
    Electronic Protected Health Information
    Key Stakeholders
    Current Health Technologies
        Electronic Health Records
        Telemedicine and Networked Medical Devices
        Biomedical Research
The Federal Government’s Role
    Limitations
        Cybersecurity Threats to National Security
    Proposed Solution
        CDC of Cybersecurity
The Private Sector’s Role
    Incentives
        Health Care Technology and Innovation
        Public Health
        Patient Trust
    Proposed Solutions
        Human Resources Approach
        Data Encryption and Other Technical Solutions
Conclusion
Introduction

    Health care costs continue to consume an ever increasing proportion of U.S. spending, significantly outpacing the growth of our economy for each of the last four decades, and recently reaching as high as 18 percent of gross domestic product…according to recent estimates, more than $700 billion of the $2.4 trillion in health care spending could otherwise be avoided through improvements to the health care system.[1]

As of 2014, the health care industry accounts for more data breaches than any other industry sector. In 2013, it accounted for more than 40% of reported breaches, affecting almost 9 million patient records.[2] Data breaches cost the health care industry an estimated $6 billion every year.[3] Beyond the economic costs, the reputational damage to both the health care organization and the victim of a data breach is almost irreparable. The United States federal government has established regulations to secure electronic protected health information (ePHI), but improving cybersecurity in health care will require a significant shift toward industry self-regulation. The private sector must take the leading role in improving cybersecurity in health care, or risk losing the advancement of health care technology and innovation, the strengthening of public health efforts, and, most critically, patient trust.

Chapter 1 provides the background of the current legislation regulating ePHI, expands on who the stakeholders are in handling this data, and describes some of the current health care technologies that are at risk. Chapter 2 explains some of the state’s limitations before presenting a few important solutions that would still minimize governmental interference. Chapter 3 proposes the private sector’s major incentives for taking a leading role in improving cybersecurity in health care, and then highlights a few solutions that together would expand the current approach to addressing cybersecurity in health care into a more multi-faceted one.

[1] West Health Institute, The Value of Medical Device Interoperability: Improving patient care with more than $30 billion in annual health care savings, March 2013. http://www.westhealth.org/institute/interoperability, 5.
[2] Identity Theft Resource Center, “2013 Data Breaches,” February 2014. http://www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html.
[3] Ponemon Institute, Fourth Annual Benchmark Study on Patient Privacy & Data Security, March 2014. http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient-privacy-and-data-security, 2.
Background

This chapter begins with the two pieces of legislation that primarily govern cybersecurity in health care, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Next, the major stakeholders and the current health technologies affected by cybersecurity risks in health care are identified.

Electronic Protected Health Information (ePHI)

President Barack Obama’s goal of an electronic health record (EHR) for every American by 2014 is a basic component of HITECH, which was enacted on February 17, 2009. This legislation was the most dramatic expansion of federal regulation of the security and privacy of individually identifiable health information since HIPAA.

    On January 25, 2013, the Department of Health and Human Services (HHS) issued the long-awaited Omnibus Final Rule consolidating and modifying regulations stemming from HIPAA, the Breach Notification Rule under HITECH, and the Genetic Information Nondiscrimination Act (GINA) and making other proposed changes to HIPAA final. In promulgating the Omnibus Final Rule, the agency was unable to quantify the benefits of the new Omnibus Final Rule, referencing the ‘impossibility of monetarizing the value of [an] individual’s privacy and dignity,’ the lofty goals of the federal regulatory system for health information security and privacy.[4]

Some of the major changes and improvements to the protection of health information included making business associates more directly liable for violations, increasing patients’ rights to obtain an electronic copy of their health information, and increasing the maximum annual penalty to $1.5 million for all violations of an identical provision. One of the largest data breach fines collected by HHS was against WellPoint Inc. after over 600,000 records with ePHI were breached between October 2009 and March 2010. The company was unaware of the data breaches caused by network security weaknesses until a WellPoint applicant filed a lawsuit in California “notifying the company that she could access personal health data of other customers.”[5] The Ponemon Institute estimates that a single data breach has an average economic impact of $404,200,[6] but “additional recovery actions, such as legal actions, recovery, new security control investments, extended credit protection services for victims and other related costs, actually push the cost much higher…$142,689,666 in the case of the WellPoint incident.”[7]

Key Stakeholders

Figure 1 illustrates the complexity of addressing the cybersecurity issue in health care by showing only some of the stakeholders, rules and regulations, and information assets involved. Other than the federal and state agencies, the key stakeholders addressed in this paper are patients, health care providers, payers, medical device manufacturers, and business associates. Prior to HITECH and the Omnibus Final Rule, business associates were broadly defined and included “all those entities having some affiliation with covered entities in the delivery of health care or the support of health services afforded by the covered entity that have some use or contact with PHI.”[8] The current definition is still somewhat inclusive, but the increase in direct liability for business associates has increased accountability both for business associates and for the health care providers they work for.

Figure 1: Complex Interactions in Cybersecurity. Source: Interoperability requirements from Robert J. Michalsky, Protecting and Defending Digital Health Information—What Is at Stake? (Chantilly, VA: NJVC, July 2013), 5.

[4] Arthur E. Peabody, Jr., “The Evolution of HIPAA: Protecting the Privacy of Individuals in Their Physician’s Office, in the Hospital, at the Lab, as a Subject of Research, and throughout the World,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. (Chicago: American Bar Association, 2013), 144.
[5] Rachel Landen and Joseph Conn, “WellPoint to pay $1.7 million HIPAA penalty,” Modern Healthcare, July 2013, online. http://www.modernhealthcare.com/article/20130711/NEWS/307119954.
[6] Ponemon Institute, Fourth Annual Benchmark Study, 8.
[7] Barbara Filkins, Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon, SANS-Norse, February 2014, http://norse-corp.com/HealthcareReport2014.html, 5.
[8] Arthur Peabody, Jr., “The Evolution of HIPAA,” 148.
Current Health Technologies

Electronic Health Records (EHRs)

The United States federal government has created a significant burden for the health care industry by pressuring the adoption of EHRs through the Medicare and Medicaid EHR Incentive Programs under the Affordable Care Act (ACA). The rapid adoption of EHRs, from about 12 to 44 percent between 2009 and 2012, has been labeled a success by the federal government. But these statistics do not show whether a health care provider is still in the process of adopting a system, or whether the adopted system can interact with the other medical applications the provider currently uses. One of the major barriers to adopting EHRs is cost, which has been suggested to contribute to an increase in physicians leaving their own practices to seek employment with hospitals, or even retiring. The most important risk in the adoption of EHRs, especially without careful planning, is the cybersecurity risk. “Respondents in 69 percent of organizations represented believe the ACA significantly increases (36 percent) or increases (33 percent) risk to patient privacy and security.”[9] The World Health Organization recognizes the need for “more detailed information about a patient” and “the need to share information across groups”, but emphasizes that any country must avoid compromising the patient’s trust in their health care provider.[10] As discussed in Chapter 4, interoperability requires the security of both EHRs and medical devices if it is to save the health care industry almost $30 billion in quantifiable wasteful spending, as well as “a number of additional benefits enabled by interoperability which are more difficult to quantify or require additional enabling factors to be realized.”

[9] Ponemon Institute, Fourth Annual Benchmark Study, 3.
[10] World Health Organization, Legal frameworks for eHealth: Based on the findings of the second global survey on eHealth (Geneva: World Health Organization, 2012), 67.
Telemedicine and Networked Medical Devices

The ageing population worldwide, and especially in the United States, has led to a significant increase in the use of telemedicine to reach a wider patient population and decrease health care costs. Telemedicine has also been the major technology in public health efforts at the global level. “Telehealth, defined as ‘the use of digital technologies to deliver medical care, health education, and public health services, by connecting multiple users in separate locations,’ is expected to grow sixfold by 2017.”[11] The reasons for this significant increase are 1) the governmental incentives under HITECH for health information technology, 2) the newer method of delivering primary care through patient-centered medical homes (PCMH), 3) the reduction of reimbursement payments by the Centers for Medicare and Medicaid Services (CMS) for patients readmitted within 30 days of discharge for a reason related to the previous admission, and 4) the predicted shortage of primary care physicians, nurses, and certified diabetes educators.[12] Diabetes is by no means the only disease contributing to the $2.4 trillion in US health care spending, but it is estimated to have cost a total of $245 billion in 2012, of which $176 billion was attributed to direct medical costs and the other $69 billion to reduced productivity.[13] (This estimate only includes diagnosed cases of diabetes.)

Networked medical devices currently fall through the cracks when trying to identify the federal agency responsible for regulating their security and privacy. The Food and Drug Administration (FDA) is responsible for medical device software failures, but it deems “cybersecurity to be a ‘shared responsibility’ between medical device manufacturers and health care providers.”[14] Although no cases have been reported of hacked networked medical devices causing injury, “researchers have been able to gain access wirelessly to pacemakers, defibrillators, and insulin pumps.”[15] The lack of federal regulation over these devices negates the recent increase in direct liability of business associates for data breaches, because “mere connectivity between a device and a health care provider does not render the device manufacturer a business associate.”[16] Due to the lack of federal regulation, patients are forced to accept the medical device company’s terms of use, since not using the device is often not a choice. The proposed solution to the privacy and security risks of networked medical devices is empowering the Federal Trade Commission if industry self-regulation fails.[17] However, this would only increase regulatory fragmentation and cause medical device manufacturers to prioritize either safety or security/privacy based on cost-benefit analysis.

[11] Teresa L. Pearson, “Telehealth: Aiding Navigation Through the Perfect Storm of Diabetes Care in the Era of Health Care Reform.” Diabetes Spectrum 26, no. 4 (2013): 221.
[12] Ibid., 221-22.
[13] William H. Herman, “The Economic Costs of Diabetes: Is It Time for a New Treatment Paradigm?,” Diabetes Care 36, no. 4 (2013): 775.
[14] David J. Dykeman, Afia K. Asamoah, Jessica A. von Reyn, and Yuaheng “Sally” Wang, “Medical Devices in the Digital Age,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. (Chicago: American Bar Association, 2013), 107-08.
[15] Ibid., 107.
[16] Joseph L. Hall and Deven McGraw, “For Telehealth To Succeed, Privacy and Security Risks Must Be Identified And Addressed,” Health Affairs 33, no. 2 (2014): 218.
[17] Ibid., 220.

Biomedical Research
The goal of individualized medicine has kept geneticists and other biomedical researchers occupied since Watson and Crick’s discovery of the structure of DNA. Biobanks are the storage facilities for human biological material and the related data for biomedical research purposes, and are located on every continent on Earth, including Antarctica. The biobank market is estimated to be growing at about 20-30% per year and to exceed 2.25 billion by 2015. Increased cybersecurity of electronic health records is unavoidable, since “the promise of individualized medicine will depend in large part upon the ability of physicians to evaluate a patient’s cellular and genomic traits alongside medical history, and interrogate the data appropriately.”[18] However, the issues of informed consent and patient confidentiality complicate combining biobank databases with electronic health records. The relevant cybersecurity risk is created by Internet access. “Though federal human subject protection law requires all identifying information be removed from data before sharing, true de-identification of medical records may be virtually impossible.”[19]

[18] Christopher Thomas Scott, Timothy Caulfield, Emily Borgelt, and Judy Illes, “Personal medicine—the new banking crisis.” Nature Biotechnology 30, no. 2 (2012): 141.
[19] Ibid., 145.

The Federal Government’s Role

The federal government has attempted to address cybersecurity in the past, but has been unsuccessful because of its narrow focus and incremental implementation.[20] Additionally, cybersecurity threats to other sectors require the federal government’s attention before any further regulation of the health care industry. There is one proposed solution for the federal government that would significantly assist in improving cybersecurity while at the same time allowing the organization to operate without too many constraints.

[20] Richard J. Harknett and James A. Stever, “The New Policy World of Cybersecurity,” Public Administration Review 71 (May/June 2011): 455. doi: 10.1111/j.1540-6210.2011.02366.x
Limitations

Cybersecurity Threats to National Security

Cybersecurity experts have identified major areas of concern that pose a threat to U.S. national security, including the Tier 1 ISPs (the ‘backbone’ of the Internet), an insecure power grid, and the Department of Defense’s network.[21] “In the first decade of the twenty-first century the number of people connected to the Internet worldwide increased from 350 million to more than 2 billion (it is now over 2.4 billion)…by 2025…if the current pace of technological innovation is maintained, most of the projected eight billion people on Earth will be online.”[22] There are hundreds of Internet service provider companies in the United States, but only a few major providers own the majority of the fiber-optic cable running across the country and into the undersea fiber-optic cables connecting the entire world. A lack of self-regulation in the telecommunications industry is partly due to the fear of customers suing for any disruption of service, even if it were to prevent further cybercrime. The federal government would also experience difficulties because of increased public distrust from the NSA’s activities exposed by Edward Snowden. Despite these concerns, the telecommunications industry must be made significantly more secure to minimize risks to both national security and the health care industry.

The second area of concern is securing the power grid through federal regulation, despite the resistance from power companies. “In December 2012, denial-of-service attacks (DDOS) made possible by the use of botnets, networks of computers controlled through malware, targeted a German utility. The 5 day attack shut the utility off from communications, including all email.”[23] Unfortunately, in the United States, “if the attacks destroy generators, as in the Aurora tests, replacing them can take up to six months, because each must be custom built.”[24] The difference between Germany and the United States has been explained by the European Union’s mandatory directives regarding cybersecurity, as compared to the United States’ primarily voluntary approach.[25]

The third area of concern is the Department of Defense’s network. An average US citizen would assume that the DoD’s network is comparatively more secure than their personal or work network, but “in November 2008, a Russian-origin piece of spyware began looking around cyberspace for dot-mil addresses, the unclassified NIPRNET. Once the spyware hacked its way into NIPRNET computers, it began looking for thumb drives and downloaded itself onto them.”[26] This common cybercrime technique has the negative consequence of connecting the unclassified intranet with the network containing secret-level classified information. The same technique contributes to data breaches in health care organizations and their business associates, but these three areas of concern should be top priorities and be thoroughly addressed before the federal government further increases cybersecurity regulation in the health care industry.

[21] Richard A. Clarke and Robert K. Knake, Cyberwar: The Next Threat to National Security and What to Do About It (New York: HarperCollins Publishers, 2010), 160-178.
[22] Eric Schmidt and Jared Cohen, The New Digital Age: Transforming Nations, Businesses, and Our Lives (New York: Vintage Books, 2014), 4.
[23] Janine S. Hiller and Roberta S. Russell, “The challenge and imperative of private sector cybersecurity: An international comparison.” Computer Law & Security Review 29, no. 3 (2013): 237.
[24] Clarke and Knake, Cyberwar, 170.
[25] Hiller and Russell, “The challenge and imperative of private sector cybersecurity,” 245.
[26] Clarke and Knake, Cyberwar, 171-72.
Proposed Solutions

The Centers for Disease Control (CDC) of Cybersecurity

Despite the federal government’s preoccupation with cybersecurity threats to national security, there is one solution that would considerably contribute to improving cybersecurity in health care in a more indirect way. Singer and Friedman suggest viewing the cybersecurity issue as parallel to public health and the CDC. They note that the most common analogy for cybersecurity is the Cold War, but argue that the CDC is a better analogy, not only because of the similarity between computer viruses and malware and biological viruses, but also because a public health approach would be a more effective way to address cybersecurity. “Organizations like the CDC play a key role in public health by serving as research organizations, trying to understand emerging threats, as well as trusted clearing houses, transparently sharing information to anyone and everyone who needs it.”[27]

The suggested model would create a ‘Cyber CDC’ that is linked to a relevant U.S. department, but with enough independence that it is kept separate from the current CYBERCOM and from private organizations that have their own motive to be profitable. Just like the CDC, with its multiple offices spread across the country to monitor and track outbreaks, the ‘Cyber CDC’ would be spread out both physically and virtually. The ‘Cyber CDC’ would also share responsibility for action, just as the CDC works with local, national, and international organizations. Singer and Friedman suggest that an international version, like the World Health Organization, is possible, but not at this time because of the significant level of cooperation that would be required. Viewing cybersecurity like public health would also allow policy makers to thoroughly analyze the situation, rather than following the current proposal from leaders to rush the development of offensive and counteroffensive strategy. The CDC assisted the Soviet deputy health minister during the Cold War to combat smallpox, so a ‘Cyber CDC’ could likewise help deescalate major international tensions. One of the major benefits of the CDC is the research performed on the causal factors of disease and on how it spreads. The equivalent research would allow health care organizations, and even companies providing cybersecurity services, to utilize the most cost-effective measures to prevent and resolve cybersecurity issues. The most important way that a ‘Cyber CDC’ would benefit society is through increased public dialogue and awareness. We are surrounded by the CDC’s advice on preventing the spread of the common cold, and we are alerted to any outbreak of a disease and to the precautions we should take. One of the added benefits of increased public awareness is increased accountability for health care providers and the health care industry.

    The same kind of ‘cyber hygiene’ and ‘cyber safe’ ethics might be bolstered through similar efforts to help prevent the spread of threats and malware. As Scott Charney, Vice President of Trustworthy Computing at Microsoft explains, ‘Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.’[28]

[27] P.W. Singer and Allan Friedman, Cybersecurity And Cyberwar: What Everyone Needs To Know (Oxford: Oxford University Press, 2014), 174.
[28] Ibid., 176.
The Private Sector’s Role

The federal government will be necessary in improving cybersecurity in health care, but the private sector has too much at stake to fail at self-regulating the health care industry. Individualized medicine, global health efforts to reduce the cost of health care technology, and a more empowered patient are a few of the incentives that the private sector has for making cybersecurity in health care a top priority. One of the best solutions for reducing health care spending in the U.S. will require this effort by the private sector. Although cost is a concern, and quite often an excuse, when it comes to improving cybersecurity, there are a few solutions that focus instead on simple rules and on increasing employees’ cybersecurity awareness.
Incentives
Health Care Technology and Innovation
The West Health Institute has estimated that medical device interoperability could save
about $36 billion in U.S. health care spending each year by reducing adverse events, avoiding
redundant testing, increasing clinician productivity, shortening patients’ length of stay, and
decreasing the need for customized interfaces between devices. More than 90% of hospitals
use at least six types of medical devices that are able to be integrated with EHRs, but only 1/3
actually link medical devices to EHRs. Additionally, the hospitals that are currently integrating
medical devices and EHRs are at integrating less than three medical devices on average.29
In
addition to the quantified benefits, other benefits not quantified could increase the estimated
savings as shown in Figure 2. The majority of the cost-savings will benefit the providers,
approximately $33.4 billion, the payers, $2.1 billion, and the rest of the $36 billion is almost
split between patients and device vendors. However, the non-quantified benefits may
significantly favor the patients, which is why a joint effort between providers and patients could
create the push necessary to increase medical device interoperability.
Figure 2 Areas of Waste
29
West Health Institute, The Value of Medical Device Interoperability, 10.
16
17. Source: Areas of Identified Waste and the Primary Stakeholders Benefitting from Medical
Device Interoperability from The Value of Medical Device Interoperability: Improving patient
care with more than $30 billion in annual health care savings (San Diego, CA: West Health
Institute, March 2013), 9.
The most significant benefit not quantified comes from the reduction of mortality
caused by adverse events. Another significant benefit that comes from commonly adopted
standards is the increase in innovation by allowing “small companies to quickly and efficiently
create and bring new technologies to market.”30
This would allow providers to have a wider
variety of, and more innovative, devices to choose from, likely leading to reduced costs and
30
Ibid., 29.
17
18. reducing the current substantial barriers a hospital faces when deciding the cost-effectiveness
of integrating medical devices and EHRs. Currently, Medtronic Inc., General Electric Company,
and St. Jude Medical Inc. control about 32% of the medical device market.31
Interoperability
may increase innovation, but it cannot be like the mobile health app movement and other
software development which focus on functionality and usually think about security after the
development cycle.
Public Health
Public health efforts may seem irrelevant to the private sector, but a large majority of
health care technology and innovation originate from public health efforts. “In 2008, 2.47
billion people lived on the equivalent of less than US$2 a day, and these people live in low-
income and middle-income countries with often little access to technology for health.”32
The
significant increasing use of electronic health and mobile health (eHealth and mHealth),
medical devices utilizing cell phones and the Internet, has mitigated the lack of access to health
technology in these countries About 90% of the world’s population has cell phone coverage,
and the Internet is used in developing countries than in developed countries. Medical device
manufacturers may have about 87% of their sales in high-income countries, but the increasing
use of eHealth and mHealth in developing countries may cause them to miss the opportunity
for an increased market share. This can be further damaging since donations of health care
technology from high-income countries are usually wasted in low-income and middle-income
countries, because they are designed for high-income countries with high health spending,
31
Dykeman et al., “Medical Devices in the Digital Age,” 85.
32
Peter Howitt et al., “Technologies for global health,” The Lancet 380 (August 2012): 508. DOI:
10.1016/S0140-6736(12)61127-1
18
19. stable energy supply, and a large quantity of trained health-care workers.33
One of the
suggestions is to develop more frugal technologies, a technology “specifically developed to
meet the needs of the world’s poorest people.”34
It is suggested that multinational corporations
who manufacture products in India and China will most likely develop frugal technologies. The
global pressure on high-income countries to adopt frugal technologies may worsen
consequences for medical device manufacturers, especially the 19 out of 30 top companies
headquartered in the United States, if the frugal technologies increase cybersecurity
vulnerabilities. The same concern has been expressed with the wireless network equipment
that is almost entirely produced in China.
Patient Trust
A loss of patient trust is possibly the most important incentive that the private sector
has for increasing cybersecurity in health care. At the global level, “the most significant impact
of the spread of communication technologies will be the way they help reallocate the
concentration of power away from states and institutions and transfer it to individuals”
because of greater agency.35
The U.S. health care industry can learn from the European Union (EU) and their
cybersecurity legislation for network and information security that “gaining and maintaining the
trust and buy-in of citizens that their data is secure and protected represents a potential risk to
the future development and take up of innovative technologies and higher value added online
33
Ibid., 509.
34
Ibid., 509.
35
Schmidt et al., The New Digital Age, 6.
19
20. services.”36
These risks are the same for health care organizations in the United States, but
despite federal regulation of ePHI, the data reflects that cybersecurity is not a high priority. In a
globally interconnected world, decreased patient trust in the United States will not go
unnoticed by businesses and governments around the world.
This is already true as seen in the WHO’s global surveys on eHealth. The WHO
emphasizes the importance of a legal framework to protect patient privacy in EHRs, and points
out that the United States does have a considerable amount of privacy legislation but that
‘informational privacy’, according to the U.S. Supreme Court, is not a federally-protected
constitutional right and is ultimately the citizens’ responsibility.37
It is true that “ensuring
security of information ‘at rest’ and ‘in motion’…helps preserve consumer confidence in and
goodwill toward the health care provider from a business or operational standpoint,”38
but, as
the WHO recognizes, the provider and patient relationship has reached the limits of a “simple
fiduciary trust relationship.”39
The increased use of telemedicine in patient care will require
substantially more patient trust than the traditional setting.
Proposed Solutions
The private sector must recognize and address cybersecurity in health care as a multi-faceted issue, just as public health has done. Cybersecurity must be viewed as having “both technical and nontechnical factors that work to prevent governments, corporations, and even individuals from securing their systems.”40 The following proposed solutions address some of the technical and nontechnical factors.

36. European Union Agency for Network and Information Security, “Data Breach Notifications,” http://www.enisa.europa.eu/activities/identity-and-trust/risks-and-data-breaches/dbn (accessed March 26, 2014).
37. World Health Organization, Legal frameworks for eHealth, 34.
38. Lee Kim, “Electronic Health Records: Selecting the EHR Solution and Negotiating the License Agreement,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. (Chicago: American Bar Association, 2013), 20.
39. World Health Organization, Legal frameworks for eHealth, 67.
Human Resource Approach
The human resource approach differs from the traditional structural approach by focusing “on the positive aspects of human nature” and identifying “technological and organizational vulnerabilities that create windows of opportunities to carry out malicious acts.”41 Proper barriers must be in place in order to prevent cybersecurity incidents, and because this is the responsibility of management, the user cannot be blamed for accidental incidents. Figure 3 shows the various organizational aspects that influence individual information security behavior. Technology can include a variety of technical solutions. Formal structures are the daily operating procedures and job responsibilities of an organization. “How management is performed is an important ingredient”42 of the interactions within an organization. The social relations include both the informal, collegial relations and the formal, professional relations. Awareness, values, and norms are important because they affect “how people interpret situations and choose their actions, thus influencing work practices and norms. The attributes are maintained by formal structures, interactions, and relations.”43 However, organizational aspects still require simple actions by users to prevent cybersecurity issues, such as proper password etiquette and being cautious when using the Internet or electronic communications.

Figure 3 The Influence of Organizational Aspects on Individual Information Security Behavior
Source: Eirik Albrechtsen and Jan Hovden, “Information Security Management—From Regulations to End Users,” in A Multidisciplinary Introduction to Information Security, ed. Stig F. Mjolsnes (Boca Raton: CRC Press, 2012), 302.

40. Simson L. Garfinkel, “The Cybersecurity Risk,” Communications of the ACM 55 (June 2012): 30. doi: 10.1145/2184319.2184330
41. Eirik Albrechtsen and Jan Hovden, “Information Security Management—From Regulations to End Users,” in A Multidisciplinary Introduction to Information Security, ed. Stig F. Mjolsnes (Boca Raton: CRC Press, 2012), 300-301.
42. Ibid., 302-303.
43. Ibid., 303.
Safety psychology argues that establishing cybersecurity measures directed at users is most effective if performed in a certain order. Measures should be adopted in the following order: working conditions, improving skills and knowledge, improving attitudes, improving behavior, and selection of personnel. Employee participation in the process of creating and modifying cybersecurity measures can have both positive and negative consequences. Some of the positive consequences include reducing the gap between cybersecurity experts and employees and creating a more democratic work environment. The negative consequences of employee participation could be a concern for health care organizations, since it may jeopardize the need-to-know principle, which is guided by HIPAA regulations. “However, a participative approach does not necessarily imply contact with sensitive information. Rather it is the process behind the participation that is important for creating improved support for decision making among the security managers as well as improving awareness among users.”44 Creating a cybersecurity culture within health care organizations would balance the technical-administrative systems with the social context of the organization.
Data Encryption and Other Technical Solutions
Technical solutions can mitigate the consequences of cybersecurity incidents within a health care organization, but they should be secondary to the administrative/HR approach.

Sharon Klein, head of the privacy, security and data protection practice at the law firm Pepper Hamilton, notes that, in the United States, there are 47 different sets of (inconsistent) data breach regulations and multiple regulatory frameworks. If there are overarching standards, they come from the National Institute of Standards and Technology, Klein says, noting the Office for Civil Rights and Department of Health and Human Services have "consistently" used NIST standards.45

The National Institute of Standards and Technology (NIST) encryption standards are used in multiple industries other than health care, including the financial industry. Health care organizations and the public were alarmed last year, though, when the National Security Agency was able to discover a backdoor to the same NIST encryption algorithm used to protect ePHI. The NSA denied accessing any ePHI, but the NIST was responsible and recalled the encryption algorithm earlier this year. It is also very encouraging to see that the Department of Defense has adopted NIST standards and “will now embrace a combination of more heavily risk-management-focused approaches…including standards for assessment and authorization, risk assessment, risk management, and dynamic continuous monitoring practices”46 in order to reduce costs by not having companies follow both the DoD and national standards. Health care organizations must understand that NIST security standards are best practices, so just as in patient care, adhering to the best practices is only a starting point.

44. Ibid., 307.
45. Brian Eastwood, “Will Healthcare Ever Take IT Security Seriously?” CIO, February 26, 2014, http://www.cio.com/article/748810/Will_Healthcare_Ever_Take_IT_Security_Seriously_
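The earlier quotation about securing information “at rest” and the discussion of NIST encryption standards in this section stay at the policy level. The following is an added example, written for this edition and not taken from the paper or any source it cites, of what NIST-standard protection of one ePHI record at rest looks like in practice: AES-256-GCM (NIST SP 800-38D) from Go’s standard library, with the record identifier bound to the ciphertext so a record cannot be silently re-filed under another patient, and a check that any tampering is rejected before plaintext is released. The record identifier, the MRN-EXAMPLE values and the JSON body are constructed placeholders. The weakened NIST algorithm the paper refers to was a random-bit generator rather than a cipher, which is why the example draws its key and nonce from the operating system’s random source (crypto/rand); where the key is stored, who may use it and how often it is rotated are key-management decisions that the snippet deliberately leaves to organizational policy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey draws a fresh 256-bit AES key from the operating system's
// cryptographically secure random source. Keys and nonces must never come
// from a deterministic or unvetted generator.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealRecord encrypts one ePHI record body at rest with AES-256-GCM
// (NIST SP 800-38D). The record identifier is supplied as additional
// authenticated data, so the same ciphertext presented under a different
// patient identifier fails authentication. Output layout: nonce || ciphertext || tag.
func sealRecord(key []byte, recordID string, body []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Random 96-bit nonce per record. With random nonces a key should be
	// retired long before ~2^32 records to keep collision risk negligible;
	// that rotation schedule belongs to key-management policy.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, body, []byte(recordID))
	return append(nonce, sealed...), nil
}

// openRecord reverses sealRecord. Any change to the nonce, ciphertext, tag
// or record identifier makes gcm.Open fail, and no plaintext is returned.
func openRecord(key []byte, recordID string, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored record is too short to be valid")
	}
	nonce, ciphertext := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(recordID))
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; identifier and body are placeholders.
	const recordID = "MRN-EXAMPLE-0001"
	body := []byte(`{"dx":"E11.9","a1c":7.2,"note":"constructed sample"}`)

	stored, err := sealRecord(key, recordID, body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes for %d bytes of ePHI\n", len(stored), len(body))

	if plain, err := openRecord(key, recordID, stored); err == nil {
		fmt.Printf("decrypted under correct identifier: %s\n", plain)
	}

	// One flipped ciphertext bit: authentication fails, nothing is released.
	tampered := append([]byte(nil), stored...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := openRecord(key, recordID, tampered); err != nil {
		fmt.Println("tampered record rejected:", err)
	}

	// Same bytes filed under another patient's identifier: also rejected.
	if _, err := openRecord(key, "MRN-EXAMPLE-0002", stored); err != nil {
		fmt.Println("mis-filed record rejected:", err)
	}
}
```

Run with go run; the output shows the round trip succeeding and both the tampered and the mis-filed record being refused. The design point for a provider is that confidentiality and integrity come from the same primitive here, and that the part a standard does not supply, custody and rotation of the key, is where most of the administrative effort described earlier in the paper has to go.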
Conclusion
HIPAA and HITECH have significantly increased cybersecurity in health care, but they have also created a burden for health care organizations to implement EHRs without the freedom to thoroughly analyze their needs before adopting a system. The United States federal government has been attempting to establish national cybersecurity legislation, but any such measures have been very narrow and slow in implementation. Additionally, the federal government has higher priorities with cybersecurity threats to national security. The Department of Defense’s adoption of NIST security standards is comparatively little progress, but it still deserves recognition for moving in the right direction. An ageing population across the globe is just the beginning of the transition of patient care from the traditional setting to telemedicine and networked medical devices. This change is already in progress in the United States, but the significant majority of the Baby Boomer generation has yet to retire. Telemedicine will also play a significant role in health care technology and innovation and in public health efforts on a global level. The current global interconnectedness will increase exponentially within the next few decades, which will increase the pressure on health care providers to continue improving patient privacy and at least maintaining patient trust. Communication technologies will also empower individuals even more, but may come with increased risks if individuals do not follow simple cybersecurity measures to prevent incidents. Improving cybersecurity in health care will be a significantly difficult joint effort between patients and health care organizations, but it is a task that cannot be avoided.

46. Leonard T. Marzigliano, “Defense Department Adopts NIST Security Standards,” InformationWeek, March 14, 2014, http://www.informationweek.com/government/cybersecurity/defense-department-adopts-nist-security-standards/d/d-id/1127706.
Bibliography
Albrechtsen, Eirik, and Jan Hovden. “Information Security Management—From Regulations to End Users.” In A Multidisciplinary Introduction to Information Security, edited by Stig F. Mjolsnes, 281-314. Boca Raton: CRC Press, 2012.
Clarke, Richard A., and Robert K. Knake. Cyberwar: The Next Threat to National Security and What to Do About It. New York: HarperCollins Publishers, 2010.
Dykeman, David J., Afia K. Asamoah, Jessica A. von Reyn, and Yuaheng “Sally” Wang. “Medical Devices in the Digital Age.” In Health care IT: the essential lawyer’s guide to health information technology and the law, edited by Arthur E. Peabody, Jr., 1st ed., 83-109. Chicago: American Bar Association, 2013.
Eastwood, Brian. “Will Healthcare Ever Take IT Security Seriously?” CIO, February 26, 2014. http://www.cio.com/article/748810/Will_Healthcare_Ever_Take_IT_Security_Seriously_
Filkins, Barbara. Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon. SANS-Norse, February 2014. http://norse-corp.com/HealthcareReport2014.html.
Garfinkel, Simson L. “The Cybersecurity Risk.” Communications of the ACM 55 (2012): 29-32. doi: 10.1145/2184319.2184330
Hall, Joseph L., and Deven McGraw. “For Telehealth To Succeed, Privacy and Security Risks Must Be Identified And Addressed.” Health Affairs 33, no. 2 (2014): 216-221.
Harknett, Richard J., and James A. Stever. “The New Policy World of Cybersecurity.” Public Administration Review 71 (2011): 455-460. doi: 10.1111/j.1540-6210.2011.02366.x
Herman, William H. “The Economic Costs of Diabetes: Is It Time for a New Treatment Paradigm?” Diabetes Care 36, no. 4 (2013): 775-776.
Hiller, Janine S., and Roberta S. Russell. “The challenge and imperative of private sector cybersecurity: An international comparison.” Computer Law & Security Review 29, no. 3 (2013): 236-245.
Howitt, Peter, Ara Darzi, Guang-Zhong Yang, Hutan Ashrafian, Rifat Atun, James Barlow, Alex Blakemore, Anthony MJ Bull, Josip Car, Lesong Conteh, Graham S Cooke, Nathan Ford, Simon AJ Gregson, Karen Kerr, Dominic King, Myutan Kulendran, Robert A Malkin, Azeem Majeed, Stephen Matlin, Robert Merrifield, Hugh A Penfold, Steven D Reid, Peter C Smith, Molly M Stevens, Michael R Templeton, Charles Vincent, and Elizabeth Wilson. “Technologies for Global Health.” The Lancet 380 (2012): 507-535. doi: 10.1016/S0140-6736(12)61127-1
Identity Theft Resource Center. “2013 Data Breaches.” February 2014. http://www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html.
Kim, Lee. “Electronic Health Records: Selecting the EHR Solution and Negotiating the License Agreement.” In Health care IT: the essential lawyer’s guide to health information technology and the law, edited by Arthur E. Peabody, Jr., 1st ed., 15-26. Chicago: American Bar Association, 2013.
Landen, Rachel, and Joseph Conn. “WellPoint to pay $1.7 million HIPAA penalty.” Modern Healthcare, July 2013, online.
Marzigliano, Leonard T. “Defense Department Adopts NIST Security Standards.” InformationWeek, March 14, 2014. http://www.informationweek.com/government/cybersecurity/defense-department-adopts-nist-security-standards/d/d-id/1127706.
Peabody Jr., Arthur E. “The Evolution of HIPAA: Protecting the Privacy of Individuals in Their Physician’s Office, in the Hospital, at the Lab, as a Subject of Research, and throughout the World.” In Health care IT: the essential lawyer’s guide to health information technology and the law, edited by Arthur E. Peabody, Jr., 1st ed., 141-175. Chicago: American Bar Association, 2013.
Pearson, Teresa L. “Telehealth: Aiding Navigation Through the Perfect Storm of Diabetes Care in the Era of Health Care Reform.” Diabetes Spectrum 26, no. 4 (2013): 221-225.
Ponemon Institute. Fourth Annual Benchmark Study on Patient Privacy & Data Security. March 2014. http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient-privacy-and-data-security
Schmidt, Eric, and Jared Cohen. The New Digital Age: Transforming Nations, Businesses, and Our Lives. New York: Vintage Books, 2014.
Scott, Christopher Thomas, Timothy Caulfield, Emily Borgelt, and Judy Illes. “Personal medicine—the new banking crisis.” Nature Biotechnology 30, no. 2 (2012): 141-147.
Singer, P.W., and Allan Friedman. Cybersecurity And Cyberwar: What Everyone Needs To Know. Oxford: Oxford University Press, 2014.
West Health Institute. The Value of Medical Device Interoperability: Improving patient care with more than $30 billion in annual health care savings. March 2013. http://www.westhealth.org/institute/interoperability
World Health Organization. Legal frameworks for eHealth: Based on the findings of the second global survey on eHealth. Geneva: World Health Organization, 2012.