By: Alaap Shah and Marshall Jackson

Data is going digital, devices are going mobile, and technology is revolutionizing how care is delivered.  It seems to be business as usual, as your health care organization continues to digitize its operations.  You have even taken measures to help guard against the “typical” risks such as lost laptops, thumb drives and other electronic devices.  However, unbeknownst to you, hackers sit in front of their computers looking for ways into your network so that they may surreptitiously peruse through confidential financial records and sensitive patient information.

Unfortunately, this scenario is commonplace, and brings with it hefty costs.  To the extent electronic protected health information (“e-PHI”) is compromised in a cyber security breach, health care entities can expect to spend on average $233 per record to clean up the problem.  As health care operations digitize, organizations should be cognizant of the cyber security risks impacting the data that flows through their systems.  Further, health care entities need to understand how to assess and manage these risks to meet Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act (“HITECH”) requirements.

The facts of “cyber” life…

Although health care organizations have not always been a primary target for cyber-attacks, hackers are recognizing the value of the data held by health care companies.  Research indicates that electronic data in the health care sector is among the most vulnerable.  Additionally, health care entities account for the highest percentage of incidents, more than one-third of all data breaches in the country.  In one report, 94% of health care entities reported experiencing security breaches impacting their data.  Moreover, patients have experienced over a 19% increase in medical identity theft due to cyber security breaches over the last year.

Even given what we know, much about cyber security breaches remains uncertain.  There are two main reasons for this uncertainty:

  1. Most cyber security breaches go undetected; and
  2. Many cyber security breaches go unreported.

Across all industries, one report asserted that approximately 69% of cyber security breaches go undetected.  Of those breaches that are detected, 94% go unreported for months or longer before finally being discovered.  Yet, there is one certainty in this climate: there are only two types of organizations, those that have already been hacked and those that will be at some point . . . .

Why cyber security is important now more than ever…

Recently, there has been increased scrutiny given the increased risk of data breaches.  The Department of Health and Human Services, Office for Civil Rights (“OCR”) has responded to data breaches by aggressively enforcing HIPAA, which reinforces that compliance with HIPAA requirements is a top priority.  Chiefly, the HIPAA breach notification rule was amended to lower the reporting threshold from a “risk of harm” standard to a “probability of compromise” standard.  As a result, the health care industry will see increased breach reporting, which will likely result in increased enforcement for noncompliance.  This is bad news for health care companies because penalties for noncompliance with HIPAA have also been ramped up under the HIPAA Final Rule promulgated under HITECH.

With an increased focus on data breaches under HIPAA and HITECH, health care organizations don’t want to be the last to know how their e-PHI is being compromised.  Not understanding the organization’s cyber security threats can:

  • Be bad for patients because it can lead to identity theft;
  • Be bad for the organization because regulators may use that as evidence of noncompliant security practices; and
  • Lead to noncompliance with reporting obligations under HIPAA and HITECH.

In addition to increased enforcement on the part of OCR, the FBI has joined the effort to investigate cyber security breaches.  For example, in October 2013, the FBI opened an investigation of a cyber security breach affecting a network of hospitals and clinics, in which someone gained unauthorized access to the medical records of up to 1,800 patients.

The FBI also recognized that collaborative efforts are needed to solve the cyber security problem.  These include investigating insider threats, detecting external threats, and informing the health care industry of cyber security threats.  However, even with these collaborative efforts, health care organizations must be cognizant that assistance from the FBI could lead to increased scrutiny about the organization’s security practices.  As such, proactive cyber security risk management is the best approach to ensure compliance with HIPAA and HITECH.

What can you do…

The stakes are getting higher regarding cyber security and HIPAA compliance.  However, there are several steps health care organizations can take to protect against cyber security data breaches.  Further, taking these steps can protect health care companies in the context of increasing investigatory activity on the part of OCR and other agencies, such as the FBI.

First, organizations should conduct periodic risk analyses to determine cyber security related risks.  The risk analysis can help organizations to:

  • Identify key systems and locations;
  • Determine where e-PHI is located;
  • Identify vulnerabilities and threats;
  • Evaluate security safeguards; and
  • Evaluate risk to e-PHI.

Second, health care organizations should evaluate whether the draft cyber security framework established by the National Institute of Standards and Technology (“NIST”) can improve the organization’s risk management process. The NIST cyber security framework contains five core elements, which help an organization:

  1. Identify critical infrastructure,
  2. Protect the organization’s critical infrastructure using appropriate safeguards,
  3. Detect cyber security events,
  4. Respond to cyber security events using pre-defined and prioritized activities, and
  5. Recover from cyber security events to restore critical infrastructure.

The framework’s core elements then further subdivide into categories and subcategories and provide cross-references to a number of different standards from industry and government that address each subcategory within those functions.  Health care organizations can review these references and select the standard that best addresses the organization’s particular needs.  Note that the cyber security framework is currently open for discussion, which means the components may change when the framework is finalized.

Ultimately, as the health care industry continues to digitize, organizations must be cognizant of the cyber security risks affecting their networks, systems and data.  Further, as the number of cyber security related breaches increases, health care companies must prepare to identify and report such breaches as required by HIPAA and HITECH.  Yet, to avoid the pain and cost of recovering from a breach and also paying hefty fines for noncompliance with HIPAA, health care companies should proactively leverage HIPAA risk analyses (potentially incorporating the NIST cyber security framework) to identify, prioritize, mitigate and monitor risk affecting e-PHI.

Follow Alaap Shah on Twitter: @HealthITLawyers
