58 Journal of Regulatory Compliance Vol. I
penalties for violating the Security Rule, but unfortunately the threat is very
real and substantial. As set forth below, substandard cybersecurity practices
are systemic in the healthcare industry, which is exacerbated by the value of
e-PHI to cyber criminals. The industry is sorely in need of new and stringent
legal incentives to improve the situation, which can be accomplished by
amending the HIPAA rules to re-categorize fundamental cybersecurity
controls and processes from “addressable” standards to mandatory compliance
a. The Nature of the Cyber Threat in the Healthcare Industry
In order to understand how to incentivize best practices in the health
information cybersecurity realm through regulation, it is important to first
understand the nature and scope of the threat relative to the current
cybersecurity practices in the industry. Perhaps the most thorough
assessment of the cyber threats facing the healthcare industry comes from a
February 2014 report[84] released by the SANS Institute[85] (the “SANS report”).
The SANS report was authored by Senior SANS Analyst and Healthcare
Specialist Barbara Filkins and is based on an examination of a cyberthreat
intelligence data sample collected between September 2012 and October
2013.[86] The intelligence data analyzed was derived from information
collected on high-risk internet traffic worldwide—specifically, from
“darknets” (i.e., “places on the internet where bad actors gather”)[87]—and
included 49,917 unique malicious events from 723 sources (IP addresses),
which compromised 375 healthcare-related organizations in the United
States.[88] From this sheer volume, the SANS report extrapolated that millions
of healthcare organizations were compromised.[89] Roughly one-third of the
compromised organizations were small providers, and the remainder were
“clearinghouses, health plans, pharmaceutical companies and other types of
medical organizations” (including large “renowned research centers and

COMPROMISES DETECTED, COMPLIANCE NIGHTMARE ON THE HORIZON (2014). This SANS report was sponsored by Norse Corp., a cybersecurity threat intelligence vendor. See id.
85. The SANS Institute is a private research and education cooperative that provides the largest global network of cybersecurity training, certification and research information. See
86. Id. at 2. The data was collected by Norse Corp., through its intelligence infrastructure—“a global network of sensor and honeypots that process and analyze over 100 terabytes of [internet] traffic daily….” Id. at 3.
87. Id. at 24.
88. Id. at 3.
89. Id. at 4.