healthcare providers may not be inclined to devote resources to retrofit hardware, software, and IT policies and procedures with robust cybersecurity protections. It is also understandable that healthcare leaders are focused primarily on operations in order to deliver high quality care, as opposed to technical security risks that most people find difficult to even comprehend. But the “it will never happen to me” mentality places the entire healthcare industry, and the public that relies on the industry to instill trust, at risk for the reasons outlined in this Article.

Accordingly, it is necessary to incentivize the adoption of sophisticated cybersecurity controls and processes by changing the regulatory framework governing the security of e-PHI to reflect the practical cybersecurity risks on the ground. The healthcare industry is not a stranger to government regulation and the need to strictly comply with various laws in order to minimize risk. Cybersecurity mandates under HIPAA would be no different – rather than allow covered entities to choose how to comply with the law and justify their decision based on a risk assessment, the industry and those who regulate it are in need of clear, black-and-white standards that must be met to achieve compliance.