70 Journal of Regulatory Compliance Vol. I
the courts of the state in which the court sits.”151 Accordingly, if suspicions
are confirmed that foreign nationals carried out the Anthem attack, from a
deterrent standpoint the CFAA and its harsh penalties were entirely
irrelevant, and they will continue to be irrelevant into the future. Of course, the
problems associated with prosecuting cyber criminals under the CFAA
apply equally to other potential legal deterrents, such as tort actions or
prosecutions under alternative criminal statutes.152
Aside from the problems prosecuting foreign bad actors, prosecuting
domestic defendants also presents difficulties. Even assuming the perpetrator
can be identified, “the complexity of Internet routing creates jurisdictional
conflicts among the localities [and] states. . .that wish to exercise jurisdiction
over transient information packets.”153 Absent an obvious path for
prosecutors to follow through to a conviction, such as the public admission of
fault that occurred in the McGraw case, there is no indication that, going
forward, the government has the tools necessary to reliably prosecute and
convict sophisticated cyber criminals.154
Given the lack of viable alternatives, the most effective means to protect
healthcare entities from cyber-attacks must come from within the industry.
The industry has proven its inability to self-regulate its cybersecurity
practices in order to stay up to speed with current threats. Fortunately, an
applicable legal regime—HIPAA—already exists and, while there are
currently gaps in the legal framework tailored to cybersecurity, tightening
certain mandates will put the healthcare industry on a sound path.
d. Cybersecurity Gaps in the HIPAA Legal Framework
As discussed in Section II of this Article, the HIPAA framework to secure
and protect e-PHI centers on administrative, physical, and technical
implementation specifications. These specifications include some “required”
standards and some “addressable” standards. The “required” implementation
specifications—as set forth in the HIPAA Security Rule—must be
implemented or the covered entity has not complied with the law. While the
“addressable” designation does not mean an implementation specification is
optional, it does permit the covered entity to conduct a risk assessment and
determine whether the addressable implementation is “reasonable and
appropriate” based on the entity’s unique circumstances. If the measure is
151. Point Landing, Inc. v. Omni Cap. Int’l, Ltd., 795 F.2d 415, 419 (5th Cir. 1986); see
Fed. R. Civ. P. 4(e).
152. See generally Wellington, supra note 138.
153. Michael Lee et al., Electronic Commerce, Hackers, and the Search for Legitimacy:
A Regulatory Proposal, 14 BERKELEY TECH. L.J. 839, 873 (1999).
154. See generally Duncan B. Hollis, An E-SOS for Cyberspace, 52 HARV. INT’L L.J. 373,
397–404 (2011) (discussing reasons why it is difficult to identify actors behind cyber-attacks).