hasten health information platforms; as a result, large swaths of highly
personal data are now stored and transmitted by healthcare entities. This
has likely added needed efficiency to the healthcare system from an
operational and delivery standpoint, but it also presents new opportunities
for external cyber-attacks on e-PHI within health IT infrastructure.
The healthcare industry is at a critical juncture given its recent arrival in
the digital records era and the vulnerability of e-PHI. Serious security
concerns must be addressed to instill confidence in consumers, who are
increasingly aware of a company's network security reputation, that
healthcare providers and other health records custodians are capable of
protecting e-PHI from external breaches to the fullest extent possible. The
methods of cyber criminals are constantly evolving, and it is impossible to
eliminate the risk of an external data breach entirely, but the healthcare
industry's cybersecurity strategies and controls are well behind where they
should be as the industry becomes increasingly digitized.
As an example of the challenge laws and regulations face in keeping pace
with a rapidly evolving online age, this article focuses on the statutory
framework governing e-PHI, the current HIPAA compliance environment as
it relates to cybersecurity, and what the federal government's heightened
concerns surrounding cybersecurity mean for the heavily regulated
healthcare industry. This article also proposes key reforms to prevent, or at
a minimum deter, external cyber-attacks; namely, amendments to the HIPAA
Security Rule that would change certain safeguards targeted at cybersecurity
from "addressable" to "required." Such amendments are necessary given the
current risks facing every healthcare entity and would also provide needed
clarity to the industry regarding HIPAA compliance.
II. BACKGROUND – HIPAA AND HITECH
A vital aspect of any patient-clinician relationship is trust that information
conveyed to the physician, and subsequently stored or transmitted by the
clinician or an affiliated corporate entity, will be kept private and secure.11
Indeed, without trust the patient's health is at stake because the completeness
and accuracy of information disclosed to a clinician can impact diagnoses
and the subsequent course of treatment.12 In recognition of this essential
element of a functioning healthcare system, Congress incorporated patient
information security and privacy protections into HIPAA when it was passed
in 1996.13 The privacy and security dimension of HIPAA serves three
11. Gordon Gnatt, Jr., Hacking Health Care: Authentication Security in the Age of
Meaningful Use, 27 J.L. & HEALTH 232, 235 (2014).
12. Varick D. Love, Privacy Ethics in Healthcare, 13 J. HEALTH CARE COMPLIANCE 17,
13. Eric S. Pasternack, HIPAA in the Age of Electronic Health Records, 41 RUTGERS L.J.