Abstract image of a woman sitting on books and studying on a laptop

GIST 698 Research Paper

Download as DOC, PDF
R
Ryan Flanagan

This document provides a summary of a paper analyzing the roles of the federal government and private sector in improving cybersecurity in healthcare. It discusses how healthcare spending in the US is high but outcomes are worse compared to peer nations. Current federal regulations aim to protect privacy and security of patient data, but increasing technology and connectivity requires more efforts. The paper analyzes stakeholders, technologies like electronic health records, and cybersecurity threats. It argues that while the federal government faces limitations, the private sector must take a leading role to avoid risks to innovation, public health, and patient trust from lack of cybersecurity in healthcare.

1 of 27
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Ryan Flanagan GIST 698: Capstone Seminar April 9, 2014 CYBERSECURITY’S ROLE IN IMPROVING HEALTH CARE IN THE UNITED STATES Abstract Health care spending per capita in the United States is more than twice the amount of other peer industrialized nations, but health outcomes are still comparatively worse. The global population is becoming increasingly interconnected through globalization, and even more so through the significant increase in individuals connected to the Internet. Federal regulations protecting the privacy and security of patients’ personal data have been mitigating cybersecurity threats since 1996, but the global shift toward technologically-enabled health care will require a significant response from the private sector to improve health care in the United States. This paper analyzes the federal government and private sector’s roles in improving cybersecurity in health care. Table of Contents Introduction 1 Background 3 Electronic Protected Health Information 3 Key Stakeholders 4 Current Health Technologies 6 Electronic Health Records 6 Telemedicine and Networked Medical Devices 7 Biomedical Research 9 The Federal Government’s Role 10 Limitations 10 Cybersecurity Threats to National Security 10 Proposed Solution 12 CDC of Cybersecurity 12 The Private Sector’s Role 15 Incentives 15 Health Care Technology and Innovation 15 Public Health 17 Patient Trust 18 Proposed Solutions 20 Human Resources Approach 20 Data Encryption and Other Technical Solutions 22 Conclusion 24
Introduction Health care costs continue to consume an ever increasing proportion of U.S. spending, significantly outpacing the growth of our economy for each of the last four decades, and recently reaching as high as 18 percent of gross domestic product…according to recent estimates, more than $700 billion of the $2.4 trillion in health care spending could otherwise be avoided through improvements to the health care system.1 As of 2014, the health care industry now accounts for more data breaches than any other industry sector. In 2013, more than 40% of total breaches affecting almost 9 million patient records were reported.2 Data breaches cost the healthcare industry an estimated $6 billion every year.3 In contrast to economic costs, the reputation for both the health care organization and the victim of a data breach, are almost irreparable. The United States federal government has established regulations to secure electronic patient health information (ePHI), but improving cybersecurity in health care will require a significant shift in industry self-regulation. The private sector must take the leading role in improving cybersecurity in health care or risk losing the advancement of health care technology and innovation, the strengthening of public health efforts, and most critically, patient trust. Chapter 1 provides the background of the current legislation regulating ePHI, expands on who the stakeholders are in handling this data, and describes some of the current health 1 West Health Institute, The Value of Medical Device Interoperability: Improving patient care with more than $30 billion in annual health care savings, March 2013. http://www.westhealth.org/institute/interoperability, 5. 2 Identity Theft Resource Center, “2013 Data Breaches,” February 2014. http://www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html. 3 Ponemon Institute, Fourth Annual Benchmark Study on Patient Privacy & Data Security, March 2014. http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient-privacy-and- data-security, 2. 2
care technologies that are at risk. Chapter 2 explains some of the state’s limitations before presenting a few important solutions that would still minimize governmental interference. Chapter 3 proposes the private sector’s major incentives for taking a leading role in improving cybersecurity in health care, and then highlights a few solutions that together would expand the current approach to addressing cybersecurity in health care to create a more multi-faceted approach. 3
Background This chapter begins with the two pieces of legislation that primarily govern cybersecurity in health care, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Next, the major stakeholders and current health technologies affected by the cybersecurity risks in health care are identified. Electronic Protected Health Information (ePHI) President Barack Obama’s goal of forming an electronic health record (EHR) for every American by 2014 is a basic component of the HITECH that was enacted on February 17, 2009. This legislation dramatically expanded federal regulation for the security and privacy of individually identifiable health care information since HIPAA. On January 25, 2013, the Department of Health and Human Services (HHS) issued the long-awaited Omnibus Final Rule consolidating and modifying regulations stemming from HIPAA, the Breach Notification Rule under HITECH, and the Genetic Information Nondiscrimination Act (GINA) and making other proposed changes to HIPAA final. In promulgating the Omnibus Final Rule, the agency was unable to quantify the benefits of the new Omnibus Final Rule, referencing the ‘impossibility of monetarizing the value of [an] individual’s privacy and dignity,’ the lofty goals of the federal regulatory system for health information security and privacy4 Some of the major changes and improvements to the protection of health information included making business associates more directly liable for violations, increasing patient rights 4 Arthur E. Peabody, Jr., “The Evolution of HIPAA: Protecting the Privacy of Individuals in Their Physician’s Office, in the Hospital, at the Lab, as a Subject of Research, and throughout the World,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. (Chicago: American Bar Association, 2013), 144. 4
to obtain an electronic copy of their health information, and increasing the maximum annual penalty to $1.5 million for all violations of an identical provision. One of the largest data breach fines collected by HHS was against WellPoint Inc. after over 600,000 records with ePHI were breached between October 2009 and March 2010. The company was unaware of the data breaches caused by network security weaknesses until a WellPoint applicant filed a lawsuit in California “notifying the company that she could access personal health data of other customers.”5 The Ponemon Institute estimates a single data breach to have an average economic impact of $404,2006 , but “additional recovery actions, such as legal actions, recovery, new security control investments, extended credit protection services for victims and other related costs, actually push the cost much higher…$142,689,666 in the case of the WellPoint incident.”7 Key Stakeholders Figure 1 illustrates the complexity of addressing the cybersecurity issue in health care, by providing only some of the stakeholders, rules/regulations, and information assets involved. Other than the federal/state agencies, the key stakeholders addressed in this paper are the patients, health care providers, payers, medical device manufacturers, and business associates. Prior to HITECH and the Omnibus Final Rule, business associates were broadly defined and included “all those entities having some affiliation with covered entities in the delivery of health 5 Rachel Landen and Joseph Conn, “WellPoint to pay $1.7 million HIPAA penalty,” Modern Healthcare, July 2013, online. http://www.modernhealthcare.com/article/20130711/NEWS/307119954. 6 Ponemon Institute, Fourth Annual Benchmark Study, 8. 7 Barbara Filkins, Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon, SANS-Norse, February 2014, http://norse- corp.com/HealthcareReport2014.html, 5. 5
care or the support of health services afforded by the covered entity that have some use or contact with PHI.”8 The current definition is still somewhat inclusive, but increasing direct liability for business associates increased accountability for business associates and the health care providers they work for. Figure 1 Complex Interactions in Cybersecurity Source: Interoperability requirements from Robert J. Michalsky, Protecting and Defending Digital Health Information—What Is at Stake? (Chantilly, VA: NJVC, July 2013), 5. 8 Arthur Peabody, Jr., “The Evolution of HIPAA,” 148. 6
Current Health Technologies Electronic Health Records (EHRs) The United States federal government has created a significant burden for the health care industry by pressuring the adoption of EHRs through Medicare and Medicaid EHR Incentive Programs under the Affordable Care Act (ACA). The adoption of EHRs at a fast rate, from about 12 to 44 percent between 2009 and 2012, has been labeled a success by the federal government. But these statistics do not accurately represent if a health care provider is in the process of adopting a system or if the adopted system allows them to interact with other medical applications they currently use. One of the major barriers to adopting EHRs is cost, which has been suggested to contribute to an increase in physicians leaving their own practices and seeking employment with hospitals or even retiring. The most important risk for the adoption of EHRs, especially without careful planning, is the cybersecurity risk. “Respondents in 69 percent of organizations represented believe the ACA significantly increases (36 percent) or increases (33 percent) risk to patient privacy and security.”9 The World Health Organization recognizes the need for “more detailed information about a patient” and “the need to share information across groups”, but they emphasize that any country must avoid compromising the patient’s trust of their health care provider.10 In Chapter 4, interoperability requires the security of both EHRs and medical devices to save the health care industry almost $30 billion in quantifiable wasteful spending as well as “a number of additional benefits enabled by 9 Ponemon Institute, Fourth Annual Benchmark Study, 3. 10 World Health Organization, Legal frameworks for eHealth: Based on the findings of the second global survey on eHealth (Geneva: World Health Organization, 2012), 67. 7
interoperability which are more difficult to quantify or require additional enabling factors to be realized. Telemedicine and Networked Medical Devices The ageing population worldwide, and especially in the United States, has led to a significant increase in the use of telemedicine to reach a wider patient population and decrease health care costs. Telemedicine has also been the major technology in public health efforts on a global level. “Telehealth, defined as ‘the use of digital technologies to deliver medical care, health education, and public health services, by connecting multiple users in separate locations,’ is expected to grow sixfold by 2017.”11 The reasons for this significant increase are because of 1) the governmental incentives under HITECH for health information technology, 2) the newer method of delivering primary care through patient-centered medical homes (PCMH), 3) the reduction of reimbursement payments by the Centers for Medicare and Medicaid Services (CMS) for patients readmitted within 30 days of discharge related to the previous admission, and 4) the predicted shortage primary care physicians, nurses, and certified diabetes educators.12 Diabetes is by no means the only disease contributing to the $2.4 trillion in US health care spending, but is estimated to have cost a total of $245 billion in 2012. $176 billion was attributed to direct medical costs, while the other $69 billion is due to reduced productivity.13 11 Teresa L. Pearson, “Teleheath: Aiding Navigation Through the Perfect Storm of Diabetes Care in the Era of Health Care Reform.” Diabetes Spectrum 26, no. 4(2013): 221. 12 Ibid., 221-22. 13 William H. Herman, “The Economic Costs of Diabetes: Is It Time for a New Treatment Paradigm?,” Diabetes Care 36, no. 4(2013): 775. 8
These types of medical devices currently face the difficulty of falling in the cracks when trying to identify the federal agency responsible for regulating security and privacy. The Food and Drug Administration (FDA) is responsible for medical device software failures, but they deem “cybersecurity to be a ‘shared responsibility’ between medical device manufacturers and health care providers.”14 Although no cases have been reported of hacked networked medical devices causing injury, “researchers have been able to gain access wirelessly to pacemakers, defibrillators, and insulin pumps.”15 The lack of federal regulation over these devices negates the recent increased direct liability of business associates for data breaches, because “mere connectivity between a device and a health care provider does not render the device manufacturer a business associate.”16 Due to the lack of federal regulation, patients are forced to accept the medical device company’s terms of use since not using the device is often not a choice. The proposed solution to the networked medical devices privacy and security risks is empowering the Federal Trade Commission if industry self-regulation fails.17 However, this will only increase regulation fragmentation and cause medical device manufacturers to prioritize safety or security/privacy using cost-benefit analysis. Biomedical Research Note: This estimate only includes the diagnosed cases of diabetes. 14 David J. Dykeman, Afia K. Asamoah, Jessica A. von Reyn, and Yuaheng “Sally” Wang, “Medical Devices in the Digital Age,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. (Chicago: American Bar Association, 2013), 107-08. 15 Ibid., 107. 16 Joseph L. Hall and Deven McGraw, “For Telehealth To Succeed, Privacy and Security Risks Must Be Identified And Addressed,” Health Affairs 33, no. 2(2014): 218. 17 Ibid., 220. 9
The goal of individualized medicine has kept geneticists and other biomedical researchers occupied since Watson and Crick’s discovery of the structure of DNA. Biobanks are the storage facilities for human biological material and the related data for biomedical research purposes, and are located on every continent on Earth, including Antarctica. The estimated growth rate of the biobank market is about 20-30% per year to exceed 2.25 billion by 2015. Increased cybersecurity of electronic health records is unavoidable since “the promise of individualized medicine will depend in large part upon the ability of physicians to evaluate a patient’s cellular and genomic traits alongside medical history, and interrogate the data appropriately.”18 However, the issues of informed consent and patient confidentiality complicate combining biobank databases with electronic health records. The relevant cybersecurity risk is caused by Internet access. “Though federal human subject protection law requires all identifying information be removed from data before sharing, true de-identification of medical records may be virtually impossible.”19 The Federal Government’s Role The federal government has attempted to address cybersecurity in the past, but has been unsuccessful because of their narrow focus and incremental implementation.20 18 Christopher Thomas Scott, Timothy Caulfield, Emily Borgelt, and Judy Illes, “Personal medicine—the new banking crisis.” Nature Biotechnology 30, no. 2(2012): 141. 19 Ibid., 145. 20 Richard J. Harknett and James A. Stever, “The New Policy World of Cybersecurity,” Public Administrative Review 71 (May/June 2011): 455. doi: 10.1111/j.1540-6210.2011.02366.x 10
Additionally, cybersecurity threats to other sectors require the federal government’s attention before any further regulation in the health care industry. There is one proposed solution for the federal government that would significantly assist in improving cybersecurity while at the same time allowing the organization to operate with too many constraints. Limitations Cybersecurity Threats to National Security Cybersecurity experts have identified major areas of concern that pose a threat U.S. national security including the Tier 1 ISPs (the ‘backbone’ of the Internet), an insecure power grid, and the Department of Defense’s network.21 “In the first decade of the twenty-first century the number of people connected to the Internet worldwide increased from 350 million to more than 2 billion (it is now over 2.4 billion)…by 2025…if the current pace of technological innovation is maintained, most of the projected eight billion people on Earth will be online.”22 There are hundreds of Internet service provider companies in the United States but only a few major providers own the majority of the fiber-optic cable running across the country and into the undersea fiber-optic cables connecting the entire world. A lack of self-regulation in the telecommunications industry is partly due to the fear of customers suing for any disruption of service, even if it were to prevent further cybercrime. The federal government would also experience difficulties because of increased public distrust from the NSA’s activities exposed by Edward Snowden. Despite concerns, the telecommunications industry must be significantly 21 Richard A. Clarke and Robert K. Knake, Cyberwar: The Next Threat to National Security and What to Do About It (New York: HarperCollins Publishers, 2010), 160-178. 22 Eric Schmidt and Jared Cohen, The New Digital Age: Transforming Nations, Businesses, and Our Lives (New York: Vintage Books, 2014), 4. 11
secure to minimize risks to both national security and the health care industry. The second area of concern is to secure the power grid through federal regulation, despite the resistance from power companies. “In December 2012, denial-of-service attacks (DDOS) made possible by the use of botnets, networks of computers controlled through malware, targeted a German utility. The 5 day attack shut the utility off from communications, including all email.”23 Unfortunately, in the United States, “if the attacks destroy generators, as in the Aurora tests, replacing them can take up to six months, because each must be custom built.”24 The European Union’s mandatory directives regarding cybersecurity compared to the United States’ primarily voluntary approach to cybersecurity have explained this difference between Germany and the United States.25 The third area of concern is the Department of Defense’s network. An average US citizen would assume that the DoD’s network would be comparatively more secure than their personal or work network, but “in November 2008, a Russian-origin piece of spyware began looking around cyberspace for dot-mil addresses, the unclassified NIPRNET. Once the spyware hacked its way into NIPRNET computers, it began looking for thumb drives and downloaded itself onto them.”26 This common cybercrime technique has the negative consequence of connecting the unclassified intranet with the network containing secret-level classified information. The same technique contributes to data breaches in health care organizations and 23 Janine S. Hiller and Roberta S. Russell, “The challenge and imperative of private sector cybersecurity: An international comparison.” Computer Law & Security Review 29, no. 3(2013): 237. 24 Clarke and Knake, Cyberwar: The Next Threat to National Security and What to Do About It, 170. 25 Hiller and Russell, “The challenge and imperative of private sector cybersecurity,” 245. 26 Clarke and Knake, Cyberwar: The Next Threat to National Security and What to Do About It, 171-72. 12
their business associates, but these three areas of concern should be top priorities and be thoroughly before the federal government further increases cybersecurity regulation in the health care industry. Proposed Solutions The Center for Disease Control (CDC) of Cybersecurity Despite the federal government’s preoccupation with cybersecurity threats to national security, there is one solution that would considerably contribute to improving cybersecurity in health care in a more indirect way. Singer and Friedman suggest looking at the cybersecurity issue as parallel to public and health and the CDC. They note that the most common analogy for cybersecurity is the Cold War, but argue that the CDC is a better analogy not only because of the similarity between malware and computer viruses with biological viruses, but also how the public health approach would be a more effective way to address cybersecurity. “Organizations like the CDC play a key role in public health by serving as research organizations, trying to understand emerging threats, as well as trusted clearing houses, transparently sharing information to anyone and everyone who needs it.”27 The suggested model would create a ‘Cyber CDC’ that is linked to a relevant U.S. department, but with enough independence that it is kept separate from the current CYBERCOM and private organizations that have their own motives to be profitable. Just like the CDC and its multiple offices spread across the country to monitor and track outbreaks, the ‘Cyber CDC’ would be spread out both physically and virtually. The ‘Cyber CDC’ would also share 27 P.W. Singer and Allan Friedman, Cybersecurity And Cyberwar: What Everyone Needs To Know, (Oxford: Oxford University Press, 2014), 174. 13
responsibility for action just like the CDC works with local, national, and international organizations. Singer and Friedman suggest an international version like the World Health Organization is possible, but not at this time because of the significant level of cooperation that would be required. Viewing cybersecurity like public health would also allow policy makers to thoroughly analyze the situation, rather than the current proposal from leaders to rush the development of offensive and counteroffensive strategy. The CDC assisted the Soviet deputy health minister during the Cold War to combat smallpox, so a ‘Cyber CDC’ could help deescalate major international tensions. One of the major benefits of the CDC is the research performed to focus on the causal factors and how disease spreads. This would allow health care organizations and even companies providing cybersecurity services to utilize the most cost-effective measures to prevent and resolve cybersecurity issues. The most important way that a ‘Cyber CDC’ would benefit society is the increase in public dialogue and awareness. We are surrounded by the CDC’s advice on preventing the spread of the common cold or are alerted with any outbreak of a disease and what precautions we should take. One of the added benefits of increased public awareness is increased accountability for health care providers and the health care industry. The same kind of ‘cyber hygiene’ and ‘cyber safe’ ethics might be bolstered through similar efforts to help prevent the spread of threats and malware. As Scott Charney, Vice President of Trustworthy Computing at Microsoft explains, ‘Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.’28 28 Ibid., 176. 14
The Private Sector’s Role The federal government will be necessary in improving cybersecurity in health care, but the private sector has too much at stake to fail at self-regulating the health care industry. Individualized medicine, global health efforts to reduce the cost of health care technology, and a more empowered patient are some of the few incentives that the private sector has for 15
making cybersecurity in health care a top priority. One of the best solutions for reducing health care spending in the U.S. will require this effort by the private sector. Although cost is a concern, and quite often an excuse, for improving cybersecurity, there are a few solutions that are more focused on simple rules and increasing employees’ cybersecurity awareness. Incentives Health Care Technology and Innovation The West Health Institute has estimated that medical device interoperability could save about $36 billion in U.S. health care spending each year by reducing adverse events, avoiding redundant testing, increasing clinician productivity, shortening patients’ length of stay, and decreasing the need for customized interfaces between devices. More than 90% of hospitals use at least six types of medical devices that are able to be integrated with EHRs, but only 1/3 actually link medical devices to EHRs. Additionally, the hospitals that are currently integrating medical devices and EHRs are at integrating less than three medical devices on average.29 In addition to the quantified benefits, other benefits not quantified could increase the estimated savings as shown in Figure 2. The majority of the cost-savings will benefit the providers, approximately $33.4 billion, the payers, $2.1 billion, and the rest of the $36 billion is almost split between patients and device vendors. However, the non-quantified benefits may significantly favor the patients, which is why a joint effort between providers and patients could create the push necessary to increase medical device interoperability. Figure 2 Areas of Waste 29 West Health Institute, The Value of Medical Device Interoperability, 10. 16
Source: Areas of Identified Waste and the Primary Stakeholders Benefitting from Medical Device Interoperability from The Value of Medical Device Interoperability: Improving patient care with more than $30 billion in annual health care savings (San Diego, CA: West Health Institute, March 2013), 9. The most significant benefit not quantified comes from the reduction of mortality caused by adverse events. Another significant benefit that comes from commonly adopted standards is the increase in innovation by allowing “small companies to quickly and efficiently create and bring new technologies to market.”30 This would allow providers to have a wider variety of, and more innovative, devices to choose from, likely leading to reduced costs and 30 Ibid., 29. 17
reducing the current substantial barriers a hospital faces when deciding the cost-effectiveness of integrating medical devices and EHRs. Currently, Medtronic Inc., General Electric Company, and St. Jude Medical Inc. control about 32% of the medical device market.31 Interoperability may increase innovation, but it cannot be like the mobile health app movement and other software development which focus on functionality and usually think about security after the development cycle. Public Health Public health efforts may seem irrelevant to the private sector, but a large majority of health care technology and innovation originate from public health efforts. “In 2008, 2.47 billion people lived on the equivalent of less than US$2 a day, and these people live in low- income and middle-income countries with often little access to technology for health.”32 The significant increasing use of electronic health and mobile health (eHealth and mHealth), medical devices utilizing cell phones and the Internet, has mitigated the lack of access to health technology in these countries About 90% of the world’s population has cell phone coverage, and the Internet is used in developing countries than in developed countries. Medical device manufacturers may have about 87% of their sales in high-income countries, but the increasing use of eHealth and mHealth in developing countries may cause them to miss the opportunity for an increased market share. This can be further damaging since donations of health care technology from high-income countries are usually wasted in low-income and middle-income countries, because they are designed for high-income countries with high health spending, 31 Dykeman et al., “Medical Devices in the Digital Age,” 85. 32 Peter Howitt et al., “Technologies for global health,” The Lancet 380 (August 2012): 508. DOI: 10.1016/S0140-6736(12)61127-1 18
stable energy supply, and a large quantity of trained health-care workers.33 One of the suggestions is to develop more frugal technologies, a technology “specifically developed to meet the needs of the world’s poorest people.”34 It is suggested that multinational corporations who manufacture products in India and China will most likely develop frugal technologies. The global pressure on high-income countries to adopt frugal technologies may worsen consequences for medical device manufacturers, especially the 19 out of 30 top companies headquartered in the United States, if the frugal technologies increase cybersecurity vulnerabilities. The same concern has been expressed with the wireless network equipment that is almost entirely produced in China. Patient Trust A loss of patient trust is possibly the most important incentive that the private sector has for increasing cybersecurity in health care. At the global level, “the most significant impact of the spread of communication technologies will be the way they help reallocate the concentration of power away from states and institutions and transfer it to individuals” because of greater agency.35 The U.S. health care industry can learn from the European Union (EU) and their cybersecurity legislation for network and information security that “gaining and maintaining the trust and buy-in of citizens that their data is secure and protected represents a potential risk to the future development and take up of innovative technologies and higher value added online 33 Ibid., 509. 34 Ibid., 509. 35 Schmidt et al., The New Digital Age, 6. 19
services.”36 These risks are the same for health care organizations in the United States, but despite federal regulation of ePHI, the data reflects that cybersecurity is not a high priority. In a globally interconnected world, decreased patient trust in the United States will not go unnoticed by businesses and governments around the world. This is already true as seen in the WHO’s global surveys on eHealth. The WHO emphasizes the importance of a legal framework to protect patient privacy in EHRs, and points out that the United States does have a considerable amount of privacy legislation but that ‘informational privacy’, according to the U.S. Supreme Court, is not a federally-protected constitutional right and is ultimately the citizens’ responsibility.37 It is true that “ensuring security of information ‘at rest’ and ‘in motion’…helps preserve consumer confidence in and goodwill toward the health care provider from a business or operational standpoint,”38 but, as the WHO recognizes, the provider and patient relationship has reached the limits of a “simple fiduciary trust relationship.”39 The increased use of telemedicine in patient care will require substantially more patient trust than the traditional setting. Proposed Solutions The private sector must recognize and address cybersecurity in health care as a multi- faceted issue just like public health has done. Cybersecurity must be viewed as having “both 36 European Union Agency for Network and Information Security, “Data Breach Notifications,” accessed March 26, 2014, http://www.enisa.europa.eu/activities/identity-and-trust/risks-and- data-breaches/dbn (accessed March 26, 2014). 37 World Health Organization, Legal frameworks for eHealth, 34. 38 Lee Kim, “Electronic Health Records: Selecting the EHR Solution and Negotiating the License Agreement,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. (Chicago: American Bar Association, 2013), 20. 39 World Health Organization, Legal frameworks for eHealth, 67. 20
technical and nontechnical factors that work to prevent governments, corporations, and even individuals from securing their systems.”40 The following proposed solutions address some of the technical and nontechnical factors. Human Resource Approach The human resource approach differs from the traditional structural approach, by focusing “on the positive aspects of human nature” and identifying “technological and organizational vulnerabilities that create windows of opportunities to carry out malicious acts.”41 Proper barriers must be in place in order to cybersecurity incidents, and because this is the responsibility of management, the user cannot be blamed for accidental incidents. Figure 3 shows the various organizational aspects that influence individual information security behavior. Technology can include a variety of technical solutions. Formal structures are the daily operating procedures and job responsibilities of an organization. “How management is performed is an important ingredient”42 of the interactions within an organization. The social relations include both the informal, collegial relations, and the formal, professional relations. Awareness, values, and norms are important because they affect “how people interpret situations and choose their actions, thus influencing work practices and norms. The attributes are maintained by formal structures, interactions, and relations.”43 However, organizational aspects still require simple actions by users to prevent cybersecurity issues such as proper 40 Simson L. Garfinkel, “The Cybersecurity Risk,” Communications of the ACM 55 (June 2012): 30. doi: 10.1145/2184319.2184330 41 Eirik Albrechtsen and Jan Hovden, “Information Security Management—From Regulations to End Users,” in A Multidiscipinary Introduction to Information Security, Stig F. Mjolsnes (Boca Raton: CRC Press, 2012), 300-301. 42 Ibid., 302-303. 43 Ibid., 303. 21
password etiquette and being cautious when using the Internet or electronic communications. Figure 3 The Influence of Organizational Aspects on Individual Information Security Behavior Source: Eirik Albrechtsen and Jan Hovden, “Information Security Management—From Regulations to End Users,” in A Multidiscipinary Introduction to Information Security, Stig F. Mjolsnes (Boca Raton: CRC Press, 2012), 302. Safety psychology argues that establishing cybersecurity measures directed at users are most effective if performed in a certain order. Measures should adopted in the following order: working conditions, improving skills and knowledge, improving attitudes, improving behavior, and selection of personnel. Employee participation in the process of creating and modifying cybersecurity measures can have both positive and negative consequences. Some of the positive consequences include reducing the gap between cybersecurity experts and employees and creating a more democratic work environment. The negative consequences of employee participation could be a concern for health care organizations since it may jeopardize the need- to-know principle, which is guided by HIPAA regulations. “However, a participative approach 22
does not necessarily imply contact with sensitive information. Rather it is the process behind the participation that is important for creating improved support for decision making among the security managers as well as improving awareness among users.”44 Creating a cybersecurity culture within health care organizations would balance the technical-administrative systems to the social context of the organization. Data Encryption and Other Technical Solutions Technical solutions can mitigate the consequences of cybersecurity incidents within a health care organization, but this should be secondary to the administrative/HR approach. Sharon Klein, head of the privacy, security and data protection practice at the law firm Pepper Hamilton, notes that, in the United States, there are 47 different sets of (inconsistent) data breach regulations and multiple regulatory frameworks. If there are overarching standards, they come from the National Institute of Standards and Technology, Klein says, noting the Office for Civil Rights and Department of Health and Human Services have "consistently" used NIST standards.45 The National Institute of Standards and Technology (NIST) encryption standards are used in multiple other industries other than health care including the financial industry. Health care organizations and the public were alarmed though last year when the National Security Agency was able to discover a backdoor to the same NIST encryption algorithm used to protect ePHI. The NSA denied accessing any ePHI, but the NIST was responsible and recalled the encryption algorithm earlier this year. It is also very encouraging to see the Department of Defense has 44 Ibid., 307. 45 Brian Eastwood, “Will Healthcare Ever Take IT Security Seriously?” CIO, February 26, 2014, http://www.cio.com/article/748810/Will_Healthcare_Ever_Take_IT_Security_Seriously_ 23
adopted NIST standards and “will now embrace a combination of more heavily risk- management-focused approaches…including standards for assessment and authorization, risk assessment, risk management, and dynamic continuous monitoring practices”46 in order to reduce costs by not having companies follow both the DoD and national standards. Health care organizations must understand that NIST security standards are best practices, so just like in patient care, adhering to the best practices is only a starting point. Conclusion HIPAA and HITECH have significantly increased cybersecurity in health care, but they have also created a burden for health care organizations to implement EHRs without the freedom to thoroughly analyze their needs before adopting a system. The United States federal government has been attempting to establish national cybersecurity legislation, but any such measures have been very narrow and slow in implementation. Additionally, the federal government has higher priorities with cybersecurity threats to national security. The Department of Defense’s adoption of NIST security standards is comparatively little progress, but still deserves recognition for moving in the right direction. An ageing population across the 46 Leonard T. Marzigliano, “Defense Department Adopts NIST Security Standards,” InformationWeek, March 14, 2014, http://www.informationweek.com/government/cybersecurity/defense-department-adopts- nist-security-standards/d/d-id/1127706. 24
globe is just the beginning of the transitioning of patient care from the traditional setting to telemedicine and networked medical devices. This change is already in progress in the United States, but the significant majority of the Baby Boomer generation has yet to retire. Telemedicine will also play a significant role in health care technology and innovation and in public health efforts on a global level. The current global interconnectedness will increase exponentially within the next few decades, which will increase the pressure on health care providers to continue improving patient privacy and at least maintaining patient trust. Communication technologies will also empower individuals even more, but may come with increased risks if individuals do not follow simple cybersecurity measures to prevent any incidents. Improving cybersecurity in health care will be a significantly difficult joint effort between the patient and health care organizations, but it is a task that cannot be avoided. Bibliography Albrechtsen, Eirik and Jan Hovden, “Information Security Management—From Regulations to End Users,” in A Multidiscipinary Introduction to Information Security, Stig F. Mjolsnes, 281-314. Boca Raton: CRC Press, 2012. Clarke, Richard A. and Robert K. Knake, Cyberwar: The Next Threat to National Security and What to Do About It. New York: HarperCollins Publishers, 2010. Dykeman, David J., Afia K. Asamoah, Jessica A. von Reyn, and Yuaheng “Sally” Wang, “Medical Devices in the Digital Age,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. 83-109. Chicago: American Bar Association, 2013. Eastwood, Brian. “Will Healthcare Ever Take IT Security Seriously?” CIO. February 26, 2014. http://www.cio.com/article/748810/Will_Healthcare_Ever_Take_IT_Security_Seriously_ 25
Filkins, Barbara. Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon, SANS-Norse, February 2014, http://norse- corp.com/HealthcareReport2014.html. Garfinkel, Simson L., “The Cybersecurity Risk,” Communications of the ACM 55 (2012): 29-32. doi: 10.1145/2184319.2184330 Hall, Joseph L. and Deven McGraw, “For Telehealth To Succeed, Privacy and Security Risks Must Be Identified And Addressed,” Health Affairs 33, no. 2(2014): 2186-221. Harknett, Richard J. and James A. Stever, “The New Policy World of Cybersecurity,” Public Administrative Review 71 (2011): 455-460. doi: 10.1111/j.1540-6210.2011.02366.x Herman, William H. “The Economic Costs of Diabetes: Is It Time for a New Treatment Paradigm?,” Diabetes Care 36, no. 4(2013): 775-776. Hiller, Janine S. and Roberta S. Russell, “The challenge and imperative of private sector cybersecurity: An international comparison.” Computer Law & Security Review 29, no. 3 (2013): 236-245. Howitt, Peter, Ara Darzi, Guang-Zhong Yang, Hutan Ashrafian, Rifat Atun, James Barlow, Alex Blakemore, Anthony MJ Bull, Josip Car, Lesong Conteh, Graham S Cooke, Nathan Ford, Simon AJ Gregson, Karen Kerr, Dominic King, Myutan Kulendran, Robert A Malkin, Azeem Majeed, Stephen Matlin, Robert Merrifield, Hugh A Penfold, Steven D Reid, Peter C Smith, Molly M Stevens, Michael R Templeton, Charles Vincent, and Elizabeth Wilson, “Technologies for Global Health.” The Lancet 380 (2012): 507-535. DOI: 10.1016/S0140-6736(12)61127-1 Identity Theft Resource Center, “2013 Data Breaches,” February 2014. http://www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html. Kim, Lee. “Electronic Health Records: Selecting the EHR Solution and Negotiating the License Agreement,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. 15-26. Chicago: American Bar Association, 2013. Landen, Rachel and Joseph Conn, “WellPoint to pay $1.7 million HIPAA penalty,” Modern Healthcare, July 2013, online. Marzigliano, Leonard T. “Defense Department Adopts NIST Security Standard.” InformationWeek. March 14, 2014. http://www.informationweek.com/government/cybersecurity/defense-department- adopts-nist-security-standards/d/d-id/1127706. 26
Peabody Jr., Arthur E. “The Evolution of HIPAA: Protecting the Privacy of Individuals in Their Physician’s Office, in the Hospital, at the Lab, as a Subject of Research, and throughout the World,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. 141-175. Chicago: American Bar Association, 2013. Pearson, Teresa L. “Teleheath: Aiding Navigation Through the Perfect Storm of Diabetes Care in the Era of Health Care Reform.” Diabetes Spectrum 26, no. 4 (2013): 221-225. Ponemon Institute, Fourth Annual Benchmark Study on Patient Privacy & Data Security, March 2014. http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient- privacy-and-data-security Schmidt, Eric and Jared Cohen, The New Digital Age: Transforming Nations, Businesses, and Our Lives. New York: Vintage Books, 2014. Scott, Christopher Thomas, Timothy Caulfield, Emily Borgelt, and Judy Illes, “Personal medicine —the new banking crisis.” Nature Biotechnology 30, no. 2(2012): 141-147. Singer, P.W. and Allan Friedman, Cybersecurity And Cyberwar: What Everyone Needs To Know. Oxford: Oxford University Press, 2014. West Health Institute, The Value of Medical Device Interoperability: Improving patient care with more than $30 billion in annual health care savings, March 2013. http://www.westhealth.org/institute/interoperability World Health Organization, Legal frameworks for eHealth: Based on the findings of the second global survey on eHealth. Geneva: World Health Organization, 2012. 27

More Related Content

DOCX
Sarah Kim HIPAA for Small Providers
Sarah Kim
 
PDF
Obamacare sectoral-winners-and-losers
Aranca
 
PPT
Responding To The Opportunity
guest7042c6
 
DOCX
Patient Privacy Protections
kwittman
 
PDF
HIPAA and HITECH : What you need to know
Shred-it
 
PDF
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Hybrid Cloud
 
PDF
Protecting Patient Information - Feds Find Security Lapses in State and Local...
Patton Boggs LLP
 
PDF
Healthcare Attorneys Feel the Healthcare Industry Is More Vulnerable to Cyber...
mosmedicalreview
 
Sarah Kim HIPAA for Small Providers
Sarah Kim
 
Obamacare sectoral-winners-and-losers
Aranca
 
Responding To The Opportunity
guest7042c6
 
Patient Privacy Protections
kwittman
 
HIPAA and HITECH : What you need to know
Shred-it
 
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Hybrid Cloud
 
Protecting Patient Information - Feds Find Security Lapses in State and Local...
Patton Boggs LLP
 
Healthcare Attorneys Feel the Healthcare Industry Is More Vulnerable to Cyber...
mosmedicalreview
 

What's hot (20)

PDF
September Newsletter
mikewojcik
 
PDF
Hitech for HIPAA
dkarpinsky
 
PDF
Health e-world (healthy world)
Bukmarker
 
PDF
lauren_rosen_compliance_article
Lauren Rosen
 
PDF
HITECH Act
GuardEra Access Solutions, Inc.
 
PPTX
Governance healthcare financial lever
ACCESS Health Digital
 
PDF
The American Health Care System - Long Paper
Divya Kothari
 
PDF
The New Era of Individual Responsibility in Health Care Fraud and Abuse
Samuel M. Shapiro
 
PDF
Fourth Annual Benchmark Study on Patient Privacy & Data Security
- Mark - Fullbright
 
PDF
Fourth Annual Benchmark Study on Patient Privacy & Data Security
- Mark - Fullbright
 
PDF
October Newsletter
mikewojcik
 
PPTX
Affordable Healthcare For Americans
hmdevaughn
 
PDF
AIS Article
Shaun Greene
 
PDF
Digital Health Data
Shahidul Islam Khan Nayeem
 
PPT
Compliance in medical practices
Jose Ivan Delgado, Ph.D.
 
PDF
Matthew Nachreiner Health Economics Research Paper
Matthew Nachreiner
 
PDF
4 Digital Health Trends Affecting Your Revenue Cycle
Meduit
 
PPT
EMR 101
Jack Shaffer
 
PDF
The Affordable Care Act and Its Impact on Workers’ Compensation
Cognizant
 
PDF
Tobi_NwHIN Privacy and Security final Paper
Olatunji Oloruntobiloba
 
September Newsletter
mikewojcik
 
Hitech for HIPAA
dkarpinsky
 
Health e-world (healthy world)
Bukmarker
 
lauren_rosen_compliance_article
Lauren Rosen
 
HITECH Act
GuardEra Access Solutions, Inc.
 
Governance healthcare financial lever
ACCESS Health Digital
 
The American Health Care System - Long Paper
Divya Kothari
 
The New Era of Individual Responsibility in Health Care Fraud and Abuse
Samuel M. Shapiro
 
Fourth Annual Benchmark Study on Patient Privacy & Data Security
- Mark - Fullbright
 
Fourth Annual Benchmark Study on Patient Privacy & Data Security
- Mark - Fullbright
 
October Newsletter
mikewojcik
 
Affordable Healthcare For Americans
hmdevaughn
 
AIS Article
Shaun Greene
 
Digital Health Data
Shahidul Islam Khan Nayeem
 
Compliance in medical practices
Jose Ivan Delgado, Ph.D.
 
Matthew Nachreiner Health Economics Research Paper
Matthew Nachreiner
 
4 Digital Health Trends Affecting Your Revenue Cycle
Meduit
 
EMR 101
Jack Shaffer
 
The Affordable Care Act and Its Impact on Workers’ Compensation
Cognizant
 
Tobi_NwHIN Privacy and Security final Paper
Olatunji Oloruntobiloba
 
Ad

Viewers also liked (18)

PPTX
Keluarga Berencana
hapidlohsani
 
DOCX
Resume_Rishiraj Goswami
Rishiraj Goswami
 
PPTX
Keluarga Berencana
hapidlohsani
 
PDF
symintec profile
Nancy Symintec
 
PDF
Materi PAI
hapidlohsani
 
DOCX
Rpp bab-2 (iman kepada allah)
hapidlohsani
 
PPTX
Project Final
Rishiraj Goswami
 
DOCX
Rpp bab-13 (khulafa'urrasyidin)
hapidlohsani
 
PDF
A dialogue manager in a converged world
Jaydip Chowdhury
 
DOCX
Rpp bab-8 (ketaatan malaikat)
hapidlohsani
 
DOCX
Rpp bab-7 (ikhlas, sabar, pema'af)
hapidlohsani
 
PPT
Ppt tekpend
hapidlohsani
 
DOCX
Rpp bab-12 (hijrah ke madinah)
hapidlohsani
 
DOCX
Rpp bab-1 (cinta ilmu pengetahuan)
hapidlohsani
 
DOCX
Rpp bab-6 (selamat datang nabi kekasihku)
hapidlohsani
 
PPTX
Semua bersih hidup jadi nyaman
hapidlohsani
 
DOCX
Rpp bab-3 (kejujuran)
hapidlohsani
 
DOCX
Rpp bab-11 (shalat jamak dan qashar)
hapidlohsani
 
Keluarga Berencana
hapidlohsani
 
Resume_Rishiraj Goswami
Rishiraj Goswami
 
Keluarga Berencana
hapidlohsani
 
symintec profile
Nancy Symintec
 
Materi PAI
hapidlohsani
 
Rpp bab-2 (iman kepada allah)
hapidlohsani
 
Project Final
Rishiraj Goswami
 
Rpp bab-13 (khulafa'urrasyidin)
hapidlohsani
 
A dialogue manager in a converged world
Jaydip Chowdhury
 
Rpp bab-8 (ketaatan malaikat)
hapidlohsani
 
Rpp bab-7 (ikhlas, sabar, pema'af)
hapidlohsani
 
Ppt tekpend
hapidlohsani
 
Rpp bab-12 (hijrah ke madinah)
hapidlohsani
 
Rpp bab-1 (cinta ilmu pengetahuan)
hapidlohsani
 
Rpp bab-6 (selamat datang nabi kekasihku)
hapidlohsani
 
Semua bersih hidup jadi nyaman
hapidlohsani
 
Rpp bab-3 (kejujuran)
hapidlohsani
 
Rpp bab-11 (shalat jamak dan qashar)
hapidlohsani
 
Ad

Similar to GIST 698 Research Paper (20)

PDF
Protecting Patient Health Information in the HITECH Era
Rapid7
 
DOCX
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
honey690131
 
DOCX
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
karlhennesey
 
PDF
MANAGING THE INFORMATION SECURITY ISSUES OF ELECTRONIC MEDICAL RECORDS
ijsptm
 
PDF
Managing the Information Security Issues of Electronic Medical Records
ClaraZara1
 
PDF
Course Point account for the nursing.pdf
sdfghj21
 
PDF
Why merging medical records, hospital reports, and clinical trial data is a v...
Arete-Zoe, LLC
 
DOCX
ONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docx
mccormicknadine86
 
DOCX
ONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docx
vannagoforth
 
DOCX
Industry and Firm Analysis
Ashley Leonzio
 
PPT
Long Term Care - Improving Patient care and decreasing costs through EHRs
shawtho2
 
DOCX
Apa format450 words1 biblical integration34 minutes ago
aman341480
 
PDF
What are the major challenges for managing health care information t.pdf
fsenterprises
 
PDF
Medicare Spending Report
Denise Enriquez
 
PDF
Redspin PHI Breach Report 2012
Redspin, Inc.
 
PDF
DHS Analysis of healthcsare sector cyber interdependecies
David Sweigert
 
PDF
Nicolas Terry, "Big Data, Regulatory Disruption, and Arbitrage in Health Care"
The Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics
 
PDF
Suraj_Jaladanki_Research_Paper_Cost_Effective_Health_Care
Suraj Jaladanki
 
PDF
HIM-I 6-1 Stanzer Ed
nstanzer
 
DOCX
Evolution of Health Care Paper and TimelineThere are specifi.docx
SANSKAR20
 
Protecting Patient Health Information in the HITECH Era
Rapid7
 
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
honey690131
 
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
karlhennesey
 
MANAGING THE INFORMATION SECURITY ISSUES OF ELECTRONIC MEDICAL RECORDS
ijsptm
 
Managing the Information Security Issues of Electronic Medical Records
ClaraZara1
 
Course Point account for the nursing.pdf
sdfghj21
 
Why merging medical records, hospital reports, and clinical trial data is a v...
Arete-Zoe, LLC
 
ONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docx
mccormicknadine86
 
ONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docx
vannagoforth
 
Industry and Firm Analysis
Ashley Leonzio
 
Long Term Care - Improving Patient care and decreasing costs through EHRs
shawtho2
 
Apa format450 words1 biblical integration34 minutes ago
aman341480
 
What are the major challenges for managing health care information t.pdf
fsenterprises
 
Medicare Spending Report
Denise Enriquez
 
Redspin PHI Breach Report 2012
Redspin, Inc.
 
DHS Analysis of healthcsare sector cyber interdependecies
David Sweigert
 
Nicolas Terry, "Big Data, Regulatory Disruption, and Arbitrage in Health Care"
The Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics
 
Suraj_Jaladanki_Research_Paper_Cost_Effective_Health_Care
Suraj Jaladanki
 
HIM-I 6-1 Stanzer Ed
nstanzer
 
Evolution of Health Care Paper and TimelineThere are specifi.docx
SANSKAR20
 

GIST 698 Research Paper

  • 1. Ryan Flanagan GIST 698: Capstone Seminar April 9, 2014 CYBERSECURITY’S ROLE IN IMPROVING HEALTH CARE IN THE UNITED STATES Abstract Health care spending per capita in the United States is more than twice the amount of other peer industrialized nations, but health outcomes are still comparatively worse. The global population is becoming increasingly interconnected through globalization, and even more so through the significant increase in individuals connected to the Internet. Federal regulations protecting the privacy and security of patients’ personal data have been mitigating cybersecurity threats since 1996, but the global shift toward technologically-enabled health care will require a significant response from the private sector to improve health care in the United States. This paper analyzes the federal government and private sector’s roles in improving cybersecurity in health care. Table of Contents Introduction 1 Background 3 Electronic Protected Health Information 3 Key Stakeholders 4 Current Health Technologies 6 Electronic Health Records 6 Telemedicine and Networked Medical Devices 7 Biomedical Research 9 The Federal Government’s Role 10 Limitations 10 Cybersecurity Threats to National Security 10 Proposed Solution 12 CDC of Cybersecurity 12 The Private Sector’s Role 15 Incentives 15 Health Care Technology and Innovation 15 Public Health 17 Patient Trust 18 Proposed Solutions 20 Human Resources Approach 20 Data Encryption and Other Technical Solutions 22 Conclusion 24
  • 2. Introduction Health care costs continue to consume an ever increasing proportion of U.S. spending, significantly outpacing the growth of our economy for each of the last four decades, and recently reaching as high as 18 percent of gross domestic product…according to recent estimates, more than $700 billion of the $2.4 trillion in health care spending could otherwise be avoided through improvements to the health care system.1 As of 2014, the health care industry now accounts for more data breaches than any other industry sector. In 2013, more than 40% of total breaches affecting almost 9 million patient records were reported.2 Data breaches cost the healthcare industry an estimated $6 billion every year.3 In contrast to economic costs, the reputation for both the health care organization and the victim of a data breach, are almost irreparable. The United States federal government has established regulations to secure electronic patient health information (ePHI), but improving cybersecurity in health care will require a significant shift in industry self-regulation. The private sector must take the leading role in improving cybersecurity in health care or risk losing the advancement of health care technology and innovation, the strengthening of public health efforts, and most critically, patient trust. Chapter 1 provides the background of the current legislation regulating ePHI, expands on who the stakeholders are in handling this data, and describes some of the current health 1 West Health Institute, The Value of Medical Device Interoperability: Improving patient care with more than $30 billion in annual health care savings, March 2013. http://www.westhealth.org/institute/interoperability, 5. 2 Identity Theft Resource Center, “2013 Data Breaches,” February 2014. http://www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html. 3 Ponemon Institute, Fourth Annual Benchmark Study on Patient Privacy & Data Security, March 2014. http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient-privacy-and- data-security, 2. 2
  • 3. care technologies that are at risk. Chapter 2 explains some of the state’s limitations before presenting a few important solutions that would still minimize governmental interference. Chapter 3 proposes the private sector’s major incentives for taking a leading role in improving cybersecurity in health care, and then highlights a few solutions that together would expand the current approach to addressing cybersecurity in health care to create a more multi-faceted approach. 3
  • 4. Background This chapter begins with the two pieces of legislation that primarily govern cybersecurity in health care, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Next, the major stakeholders and current health technologies affected by the cybersecurity risks in health care are identified. Electronic Protected Health Information (ePHI) President Barack Obama’s goal of forming an electronic health record (EHR) for every American by 2014 is a basic component of the HITECH that was enacted on February 17, 2009. This legislation dramatically expanded federal regulation for the security and privacy of individually identifiable health care information since HIPAA. On January 25, 2013, the Department of Health and Human Services (HHS) issued the long-awaited Omnibus Final Rule consolidating and modifying regulations stemming from HIPAA, the Breach Notification Rule under HITECH, and the Genetic Information Nondiscrimination Act (GINA) and making other proposed changes to HIPAA final. In promulgating the Omnibus Final Rule, the agency was unable to quantify the benefits of the new Omnibus Final Rule, referencing the ‘impossibility of monetarizing the value of [an] individual’s privacy and dignity,’ the lofty goals of the federal regulatory system for health information security and privacy4 Some of the major changes and improvements to the protection of health information included making business associates more directly liable for violations, increasing patient rights 4 Arthur E. Peabody, Jr., “The Evolution of HIPAA: Protecting the Privacy of Individuals in Their Physician’s Office, in the Hospital, at the Lab, as a Subject of Research, and throughout the World,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. (Chicago: American Bar Association, 2013), 144. 4
  • 5. to obtain an electronic copy of their health information, and increasing the maximum annual penalty to $1.5 million for all violations of an identical provision. One of the largest data breach fines collected by HHS was against WellPoint Inc. after over 600,000 records with ePHI were breached between October 2009 and March 2010. The company was unaware of the data breaches caused by network security weaknesses until a WellPoint applicant filed a lawsuit in California “notifying the company that she could access personal health data of other customers.”5 The Ponemon Institute estimates a single data breach to have an average economic impact of $404,2006 , but “additional recovery actions, such as legal actions, recovery, new security control investments, extended credit protection services for victims and other related costs, actually push the cost much higher…$142,689,666 in the case of the WellPoint incident.”7 Key Stakeholders Figure 1 illustrates the complexity of addressing the cybersecurity issue in health care, by providing only some of the stakeholders, rules/regulations, and information assets involved. Other than the federal/state agencies, the key stakeholders addressed in this paper are the patients, health care providers, payers, medical device manufacturers, and business associates. Prior to HITECH and the Omnibus Final Rule, business associates were broadly defined and included “all those entities having some affiliation with covered entities in the delivery of health 5 Rachel Landen and Joseph Conn, “WellPoint to pay $1.7 million HIPAA penalty,” Modern Healthcare, July 2013, online. http://www.modernhealthcare.com/article/20130711/NEWS/307119954. 6 Ponemon Institute, Fourth Annual Benchmark Study, 8. 7 Barbara Filkins, Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon, SANS-Norse, February 2014, http://norse- corp.com/HealthcareReport2014.html, 5. 5
  • 6. care or the support of health services afforded by the covered entity that have some use or contact with PHI.”8 The current definition is still somewhat inclusive, but increasing direct liability for business associates increased accountability for business associates and the health care providers they work for. Figure 1 Complex Interactions in Cybersecurity Source: Interoperability requirements from Robert J. Michalsky, Protecting and Defending Digital Health Information—What Is at Stake? (Chantilly, VA: NJVC, July 2013), 5. 8 Arthur Peabody, Jr., “The Evolution of HIPAA,” 148. 6
  • 7. Current Health Technologies Electronic Health Records (EHRs) The United States federal government has created a significant burden for the health care industry by pressuring the adoption of EHRs through Medicare and Medicaid EHR Incentive Programs under the Affordable Care Act (ACA). The adoption of EHRs at a fast rate, from about 12 to 44 percent between 2009 and 2012, has been labeled a success by the federal government. But these statistics do not accurately represent if a health care provider is in the process of adopting a system or if the adopted system allows them to interact with other medical applications they currently use. One of the major barriers to adopting EHRs is cost, which has been suggested to contribute to an increase in physicians leaving their own practices and seeking employment with hospitals or even retiring. The most important risk for the adoption of EHRs, especially without careful planning, is the cybersecurity risk. “Respondents in 69 percent of organizations represented believe the ACA significantly increases (36 percent) or increases (33 percent) risk to patient privacy and security.”9 The World Health Organization recognizes the need for “more detailed information about a patient” and “the need to share information across groups”, but they emphasize that any country must avoid compromising the patient’s trust of their health care provider.10 In Chapter 4, interoperability requires the security of both EHRs and medical devices to save the health care industry almost $30 billion in quantifiable wasteful spending as well as “a number of additional benefits enabled by 9 Ponemon Institute, Fourth Annual Benchmark Study, 3. 10 World Health Organization, Legal frameworks for eHealth: Based on the findings of the second global survey on eHealth (Geneva: World Health Organization, 2012), 67. 7
  • 8. interoperability which are more difficult to quantify or require additional enabling factors to be realized. Telemedicine and Networked Medical Devices The ageing population worldwide, and especially in the United States, has led to a significant increase in the use of telemedicine to reach a wider patient population and decrease health care costs. Telemedicine has also been the major technology in public health efforts on a global level. “Telehealth, defined as ‘the use of digital technologies to deliver medical care, health education, and public health services, by connecting multiple users in separate locations,’ is expected to grow sixfold by 2017.”11 The reasons for this significant increase are because of 1) the governmental incentives under HITECH for health information technology, 2) the newer method of delivering primary care through patient-centered medical homes (PCMH), 3) the reduction of reimbursement payments by the Centers for Medicare and Medicaid Services (CMS) for patients readmitted within 30 days of discharge related to the previous admission, and 4) the predicted shortage primary care physicians, nurses, and certified diabetes educators.12 Diabetes is by no means the only disease contributing to the $2.4 trillion in US health care spending, but is estimated to have cost a total of $245 billion in 2012. $176 billion was attributed to direct medical costs, while the other $69 billion is due to reduced productivity.13 11 Teresa L. Pearson, “Teleheath: Aiding Navigation Through the Perfect Storm of Diabetes Care in the Era of Health Care Reform.” Diabetes Spectrum 26, no. 4(2013): 221. 12 Ibid., 221-22. 13 William H. Herman, “The Economic Costs of Diabetes: Is It Time for a New Treatment Paradigm?,” Diabetes Care 36, no. 4(2013): 775. 8
  • 9. These types of medical devices currently face the difficulty of falling in the cracks when trying to identify the federal agency responsible for regulating security and privacy. The Food and Drug Administration (FDA) is responsible for medical device software failures, but they deem “cybersecurity to be a ‘shared responsibility’ between medical device manufacturers and health care providers.”14 Although no cases have been reported of hacked networked medical devices causing injury, “researchers have been able to gain access wirelessly to pacemakers, defibrillators, and insulin pumps.”15 The lack of federal regulation over these devices negates the recent increased direct liability of business associates for data breaches, because “mere connectivity between a device and a health care provider does not render the device manufacturer a business associate.”16 Due to the lack of federal regulation, patients are forced to accept the medical device company’s terms of use since not using the device is often not a choice. The proposed solution to the networked medical devices privacy and security risks is empowering the Federal Trade Commission if industry self-regulation fails.17 However, this will only increase regulation fragmentation and cause medical device manufacturers to prioritize safety or security/privacy using cost-benefit analysis. Biomedical Research Note: This estimate only includes the diagnosed cases of diabetes. 14 David J. Dykeman, Afia K. Asamoah, Jessica A. von Reyn, and Yuaheng “Sally” Wang, “Medical Devices in the Digital Age,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. (Chicago: American Bar Association, 2013), 107-08. 15 Ibid., 107. 16 Joseph L. Hall and Deven McGraw, “For Telehealth To Succeed, Privacy and Security Risks Must Be Identified And Addressed,” Health Affairs 33, no. 2(2014): 218. 17 Ibid., 220. 9
  • 10. The goal of individualized medicine has kept geneticists and other biomedical researchers occupied since Watson and Crick’s discovery of the structure of DNA. Biobanks are the storage facilities for human biological material and the related data for biomedical research purposes, and are located on every continent on Earth, including Antarctica. The estimated growth rate of the biobank market is about 20-30% per year to exceed 2.25 billion by 2015. Increased cybersecurity of electronic health records is unavoidable since “the promise of individualized medicine will depend in large part upon the ability of physicians to evaluate a patient’s cellular and genomic traits alongside medical history, and interrogate the data appropriately.”18 However, the issues of informed consent and patient confidentiality complicate combining biobank databases with electronic health records. The relevant cybersecurity risk is caused by Internet access. “Though federal human subject protection law requires all identifying information be removed from data before sharing, true de-identification of medical records may be virtually impossible.”19 The Federal Government’s Role The federal government has attempted to address cybersecurity in the past, but has been unsuccessful because of their narrow focus and incremental implementation.20 18 Christopher Thomas Scott, Timothy Caulfield, Emily Borgelt, and Judy Illes, “Personal medicine—the new banking crisis.” Nature Biotechnology 30, no. 2(2012): 141. 19 Ibid., 145. 20 Richard J. Harknett and James A. Stever, “The New Policy World of Cybersecurity,” Public Administrative Review 71 (May/June 2011): 455. doi: 10.1111/j.1540-6210.2011.02366.x 10
  • 11. Additionally, cybersecurity threats to other sectors require the federal government’s attention before any further regulation in the health care industry. There is one proposed solution for the federal government that would significantly assist in improving cybersecurity while at the same time allowing the organization to operate with too many constraints. Limitations Cybersecurity Threats to National Security Cybersecurity experts have identified major areas of concern that pose a threat U.S. national security including the Tier 1 ISPs (the ‘backbone’ of the Internet), an insecure power grid, and the Department of Defense’s network.21 “In the first decade of the twenty-first century the number of people connected to the Internet worldwide increased from 350 million to more than 2 billion (it is now over 2.4 billion)…by 2025…if the current pace of technological innovation is maintained, most of the projected eight billion people on Earth will be online.”22 There are hundreds of Internet service provider companies in the United States but only a few major providers own the majority of the fiber-optic cable running across the country and into the undersea fiber-optic cables connecting the entire world. A lack of self-regulation in the telecommunications industry is partly due to the fear of customers suing for any disruption of service, even if it were to prevent further cybercrime. The federal government would also experience difficulties because of increased public distrust from the NSA’s activities exposed by Edward Snowden. Despite concerns, the telecommunications industry must be significantly 21 Richard A. Clarke and Robert K. Knake, Cyberwar: The Next Threat to National Security and What to Do About It (New York: HarperCollins Publishers, 2010), 160-178. 22 Eric Schmidt and Jared Cohen, The New Digital Age: Transforming Nations, Businesses, and Our Lives (New York: Vintage Books, 2014), 4. 11
  • 12. secure to minimize risks to both national security and the health care industry. The second area of concern is to secure the power grid through federal regulation, despite the resistance from power companies. “In December 2012, denial-of-service attacks (DDOS) made possible by the use of botnets, networks of computers controlled through malware, targeted a German utility. The 5 day attack shut the utility off from communications, including all email.”23 Unfortunately, in the United States, “if the attacks destroy generators, as in the Aurora tests, replacing them can take up to six months, because each must be custom built.”24 The European Union’s mandatory directives regarding cybersecurity compared to the United States’ primarily voluntary approach to cybersecurity have explained this difference between Germany and the United States.25 The third area of concern is the Department of Defense’s network. An average US citizen would assume that the DoD’s network would be comparatively more secure than their personal or work network, but “in November 2008, a Russian-origin piece of spyware began looking around cyberspace for dot-mil addresses, the unclassified NIPRNET. Once the spyware hacked its way into NIPRNET computers, it began looking for thumb drives and downloaded itself onto them.”26 This common cybercrime technique has the negative consequence of connecting the unclassified intranet with the network containing secret-level classified information. The same technique contributes to data breaches in health care organizations and 23 Janine S. Hiller and Roberta S. Russell, “The challenge and imperative of private sector cybersecurity: An international comparison.” Computer Law & Security Review 29, no. 3(2013): 237. 24 Clarke and Knake, Cyberwar: The Next Threat to National Security and What to Do About It, 170. 25 Hiller and Russell, “The challenge and imperative of private sector cybersecurity,” 245. 26 Clarke and Knake, Cyberwar: The Next Threat to National Security and What to Do About It, 171-72. 12
  • 13. their business associates, but these three areas of concern should be top priorities and be thoroughly before the federal government further increases cybersecurity regulation in the health care industry. Proposed Solutions The Center for Disease Control (CDC) of Cybersecurity Despite the federal government’s preoccupation with cybersecurity threats to national security, there is one solution that would considerably contribute to improving cybersecurity in health care in a more indirect way. Singer and Friedman suggest looking at the cybersecurity issue as parallel to public and health and the CDC. They note that the most common analogy for cybersecurity is the Cold War, but argue that the CDC is a better analogy not only because of the similarity between malware and computer viruses with biological viruses, but also how the public health approach would be a more effective way to address cybersecurity. “Organizations like the CDC play a key role in public health by serving as research organizations, trying to understand emerging threats, as well as trusted clearing houses, transparently sharing information to anyone and everyone who needs it.”27 The suggested model would create a ‘Cyber CDC’ that is linked to a relevant U.S. department, but with enough independence that it is kept separate from the current CYBERCOM and private organizations that have their own motives to be profitable. Just like the CDC and its multiple offices spread across the country to monitor and track outbreaks, the ‘Cyber CDC’ would be spread out both physically and virtually. The ‘Cyber CDC’ would also share 27 P.W. Singer and Allan Friedman, Cybersecurity And Cyberwar: What Everyone Needs To Know, (Oxford: Oxford University Press, 2014), 174. 13
  • 14. responsibility for action just like the CDC works with local, national, and international organizations. Singer and Friedman suggest an international version like the World Health Organization is possible, but not at this time because of the significant level of cooperation that would be required. Viewing cybersecurity like public health would also allow policy makers to thoroughly analyze the situation, rather than the current proposal from leaders to rush the development of offensive and counteroffensive strategy. The CDC assisted the Soviet deputy health minister during the Cold War to combat smallpox, so a ‘Cyber CDC’ could help deescalate major international tensions. One of the major benefits of the CDC is the research performed to focus on the causal factors and how disease spreads. This would allow health care organizations and even companies providing cybersecurity services to utilize the most cost-effective measures to prevent and resolve cybersecurity issues. The most important way that a ‘Cyber CDC’ would benefit society is the increase in public dialogue and awareness. We are surrounded by the CDC’s advice on preventing the spread of the common cold or are alerted with any outbreak of a disease and what precautions we should take. One of the added benefits of increased public awareness is increased accountability for health care providers and the health care industry. The same kind of ‘cyber hygiene’ and ‘cyber safe’ ethics might be bolstered through similar efforts to help prevent the spread of threats and malware. As Scott Charney, Vice President of Trustworthy Computing at Microsoft explains, ‘Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.’28 28 Ibid., 176. 14
  • 15. The Private Sector’s Role The federal government will be necessary in improving cybersecurity in health care, but the private sector has too much at stake to fail at self-regulating the health care industry. Individualized medicine, global health efforts to reduce the cost of health care technology, and a more empowered patient are some of the few incentives that the private sector has for 15
  • 16. making cybersecurity in health care a top priority. One of the best solutions for reducing health care spending in the U.S. will require this effort by the private sector. Although cost is a concern, and quite often an excuse, for improving cybersecurity, there are a few solutions that are more focused on simple rules and increasing employees’ cybersecurity awareness. Incentives Health Care Technology and Innovation The West Health Institute has estimated that medical device interoperability could save about $36 billion in U.S. health care spending each year by reducing adverse events, avoiding redundant testing, increasing clinician productivity, shortening patients’ length of stay, and decreasing the need for customized interfaces between devices. More than 90% of hospitals use at least six types of medical devices that are able to be integrated with EHRs, but only 1/3 actually link medical devices to EHRs. Additionally, the hospitals that are currently integrating medical devices and EHRs are at integrating less than three medical devices on average.29 In addition to the quantified benefits, other benefits not quantified could increase the estimated savings as shown in Figure 2. The majority of the cost-savings will benefit the providers, approximately $33.4 billion, the payers, $2.1 billion, and the rest of the $36 billion is almost split between patients and device vendors. However, the non-quantified benefits may significantly favor the patients, which is why a joint effort between providers and patients could create the push necessary to increase medical device interoperability. Figure 2 Areas of Waste 29 West Health Institute, The Value of Medical Device Interoperability, 10. 16
  • 17. Source: Areas of Identified Waste and the Primary Stakeholders Benefitting from Medical Device Interoperability from The Value of Medical Device Interoperability: Improving patient care with more than $30 billion in annual health care savings (San Diego, CA: West Health Institute, March 2013), 9. The most significant benefit not quantified comes from the reduction of mortality caused by adverse events. Another significant benefit that comes from commonly adopted standards is the increase in innovation by allowing “small companies to quickly and efficiently create and bring new technologies to market.”30 This would allow providers to have a wider variety of, and more innovative, devices to choose from, likely leading to reduced costs and 30 Ibid., 29. 17
  • 18. reducing the current substantial barriers a hospital faces when deciding the cost-effectiveness of integrating medical devices and EHRs. Currently, Medtronic Inc., General Electric Company, and St. Jude Medical Inc. control about 32% of the medical device market.31 Interoperability may increase innovation, but it cannot be like the mobile health app movement and other software development which focus on functionality and usually think about security after the development cycle. Public Health Public health efforts may seem irrelevant to the private sector, but a large majority of health care technology and innovation originate from public health efforts. “In 2008, 2.47 billion people lived on the equivalent of less than US$2 a day, and these people live in low- income and middle-income countries with often little access to technology for health.”32 The significant increasing use of electronic health and mobile health (eHealth and mHealth), medical devices utilizing cell phones and the Internet, has mitigated the lack of access to health technology in these countries About 90% of the world’s population has cell phone coverage, and the Internet is used in developing countries than in developed countries. Medical device manufacturers may have about 87% of their sales in high-income countries, but the increasing use of eHealth and mHealth in developing countries may cause them to miss the opportunity for an increased market share. This can be further damaging since donations of health care technology from high-income countries are usually wasted in low-income and middle-income countries, because they are designed for high-income countries with high health spending, 31 Dykeman et al., “Medical Devices in the Digital Age,” 85. 32 Peter Howitt et al., “Technologies for global health,” The Lancet 380 (August 2012): 508. DOI: 10.1016/S0140-6736(12)61127-1 18
  • 19. stable energy supply, and a large quantity of trained health-care workers.33 One of the suggestions is to develop more frugal technologies, a technology “specifically developed to meet the needs of the world’s poorest people.”34 It is suggested that multinational corporations who manufacture products in India and China will most likely develop frugal technologies. The global pressure on high-income countries to adopt frugal technologies may worsen consequences for medical device manufacturers, especially the 19 out of 30 top companies headquartered in the United States, if the frugal technologies increase cybersecurity vulnerabilities. The same concern has been expressed with the wireless network equipment that is almost entirely produced in China. Patient Trust A loss of patient trust is possibly the most important incentive that the private sector has for increasing cybersecurity in health care. At the global level, “the most significant impact of the spread of communication technologies will be the way they help reallocate the concentration of power away from states and institutions and transfer it to individuals” because of greater agency.35 The U.S. health care industry can learn from the European Union (EU) and their cybersecurity legislation for network and information security that “gaining and maintaining the trust and buy-in of citizens that their data is secure and protected represents a potential risk to the future development and take up of innovative technologies and higher value added online 33 Ibid., 509. 34 Ibid., 509. 35 Schmidt et al., The New Digital Age, 6. 19
  • 20. services.”36 These risks are the same for health care organizations in the United States, but despite federal regulation of ePHI, the data reflects that cybersecurity is not a high priority. In a globally interconnected world, decreased patient trust in the United States will not go unnoticed by businesses and governments around the world. This is already true as seen in the WHO’s global surveys on eHealth. The WHO emphasizes the importance of a legal framework to protect patient privacy in EHRs, and points out that the United States does have a considerable amount of privacy legislation but that ‘informational privacy’, according to the U.S. Supreme Court, is not a federally-protected constitutional right and is ultimately the citizens’ responsibility.37 It is true that “ensuring security of information ‘at rest’ and ‘in motion’…helps preserve consumer confidence in and goodwill toward the health care provider from a business or operational standpoint,”38 but, as the WHO recognizes, the provider and patient relationship has reached the limits of a “simple fiduciary trust relationship.”39 The increased use of telemedicine in patient care will require substantially more patient trust than the traditional setting. Proposed Solutions The private sector must recognize and address cybersecurity in health care as a multi- faceted issue just like public health has done. Cybersecurity must be viewed as having “both 36 European Union Agency for Network and Information Security, “Data Breach Notifications,” accessed March 26, 2014, http://www.enisa.europa.eu/activities/identity-and-trust/risks-and- data-breaches/dbn (accessed March 26, 2014). 37 World Health Organization, Legal frameworks for eHealth, 34. 38 Lee Kim, “Electronic Health Records: Selecting the EHR Solution and Negotiating the License Agreement,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. (Chicago: American Bar Association, 2013), 20. 39 World Health Organization, Legal frameworks for eHealth, 67. 20
  • 21. technical and nontechnical factors that work to prevent governments, corporations, and even individuals from securing their systems.”40 The following proposed solutions address some of the technical and nontechnical factors. Human Resource Approach The human resource approach differs from the traditional structural approach, by focusing “on the positive aspects of human nature” and identifying “technological and organizational vulnerabilities that create windows of opportunities to carry out malicious acts.”41 Proper barriers must be in place in order to cybersecurity incidents, and because this is the responsibility of management, the user cannot be blamed for accidental incidents. Figure 3 shows the various organizational aspects that influence individual information security behavior. Technology can include a variety of technical solutions. Formal structures are the daily operating procedures and job responsibilities of an organization. “How management is performed is an important ingredient”42 of the interactions within an organization. The social relations include both the informal, collegial relations, and the formal, professional relations. Awareness, values, and norms are important because they affect “how people interpret situations and choose their actions, thus influencing work practices and norms. The attributes are maintained by formal structures, interactions, and relations.”43 However, organizational aspects still require simple actions by users to prevent cybersecurity issues such as proper 40 Simson L. Garfinkel, “The Cybersecurity Risk,” Communications of the ACM 55 (June 2012): 30. doi: 10.1145/2184319.2184330 41 Eirik Albrechtsen and Jan Hovden, “Information Security Management—From Regulations to End Users,” in A Multidiscipinary Introduction to Information Security, Stig F. Mjolsnes (Boca Raton: CRC Press, 2012), 300-301. 42 Ibid., 302-303. 43 Ibid., 303. 21
  • 22. password etiquette and being cautious when using the Internet or electronic communications. Figure 3 The Influence of Organizational Aspects on Individual Information Security Behavior Source: Eirik Albrechtsen and Jan Hovden, “Information Security Management—From Regulations to End Users,” in A Multidiscipinary Introduction to Information Security, Stig F. Mjolsnes (Boca Raton: CRC Press, 2012), 302. Safety psychology argues that establishing cybersecurity measures directed at users are most effective if performed in a certain order. Measures should adopted in the following order: working conditions, improving skills and knowledge, improving attitudes, improving behavior, and selection of personnel. Employee participation in the process of creating and modifying cybersecurity measures can have both positive and negative consequences. Some of the positive consequences include reducing the gap between cybersecurity experts and employees and creating a more democratic work environment. The negative consequences of employee participation could be a concern for health care organizations since it may jeopardize the need- to-know principle, which is guided by HIPAA regulations. “However, a participative approach 22
  • 23. does not necessarily imply contact with sensitive information. Rather it is the process behind the participation that is important for creating improved support for decision making among the security managers as well as improving awareness among users.”44 Creating a cybersecurity culture within health care organizations would balance the technical-administrative systems to the social context of the organization. Data Encryption and Other Technical Solutions Technical solutions can mitigate the consequences of cybersecurity incidents within a health care organization, but this should be secondary to the administrative/HR approach. Sharon Klein, head of the privacy, security and data protection practice at the law firm Pepper Hamilton, notes that, in the United States, there are 47 different sets of (inconsistent) data breach regulations and multiple regulatory frameworks. If there are overarching standards, they come from the National Institute of Standards and Technology, Klein says, noting the Office for Civil Rights and Department of Health and Human Services have "consistently" used NIST standards.45 The National Institute of Standards and Technology (NIST) encryption standards are used in multiple other industries other than health care including the financial industry. Health care organizations and the public were alarmed though last year when the National Security Agency was able to discover a backdoor to the same NIST encryption algorithm used to protect ePHI. The NSA denied accessing any ePHI, but the NIST was responsible and recalled the encryption algorithm earlier this year. It is also very encouraging to see the Department of Defense has 44 Ibid., 307. 45 Brian Eastwood, “Will Healthcare Ever Take IT Security Seriously?” CIO, February 26, 2014, http://www.cio.com/article/748810/Will_Healthcare_Ever_Take_IT_Security_Seriously_ 23
  • 24. adopted NIST standards and “will now embrace a combination of more heavily risk- management-focused approaches…including standards for assessment and authorization, risk assessment, risk management, and dynamic continuous monitoring practices”46 in order to reduce costs by not having companies follow both the DoD and national standards. Health care organizations must understand that NIST security standards are best practices, so just like in patient care, adhering to the best practices is only a starting point. Conclusion HIPAA and HITECH have significantly increased cybersecurity in health care, but they have also created a burden for health care organizations to implement EHRs without the freedom to thoroughly analyze their needs before adopting a system. The United States federal government has been attempting to establish national cybersecurity legislation, but any such measures have been very narrow and slow in implementation. Additionally, the federal government has higher priorities with cybersecurity threats to national security. The Department of Defense’s adoption of NIST security standards is comparatively little progress, but still deserves recognition for moving in the right direction. An ageing population across the 46 Leonard T. Marzigliano, “Defense Department Adopts NIST Security Standards,” InformationWeek, March 14, 2014, http://www.informationweek.com/government/cybersecurity/defense-department-adopts- nist-security-standards/d/d-id/1127706. 24
  • 25. globe is just the beginning of the transitioning of patient care from the traditional setting to telemedicine and networked medical devices. This change is already in progress in the United States, but the significant majority of the Baby Boomer generation has yet to retire. Telemedicine will also play a significant role in health care technology and innovation and in public health efforts on a global level. The current global interconnectedness will increase exponentially within the next few decades, which will increase the pressure on health care providers to continue improving patient privacy and at least maintaining patient trust. Communication technologies will also empower individuals even more, but may come with increased risks if individuals do not follow simple cybersecurity measures to prevent any incidents. Improving cybersecurity in health care will be a significantly difficult joint effort between the patient and health care organizations, but it is a task that cannot be avoided. Bibliography Albrechtsen, Eirik and Jan Hovden, “Information Security Management—From Regulations to End Users,” in A Multidiscipinary Introduction to Information Security, Stig F. Mjolsnes, 281-314. Boca Raton: CRC Press, 2012. Clarke, Richard A. and Robert K. Knake, Cyberwar: The Next Threat to National Security and What to Do About It. New York: HarperCollins Publishers, 2010. Dykeman, David J., Afia K. Asamoah, Jessica A. von Reyn, and Yuaheng “Sally” Wang, “Medical Devices in the Digital Age,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. 83-109. Chicago: American Bar Association, 2013. Eastwood, Brian. “Will Healthcare Ever Take IT Security Seriously?” CIO. February 26, 2014. http://www.cio.com/article/748810/Will_Healthcare_Ever_Take_IT_Security_Seriously_ 25
  • 26. Filkins, Barbara. Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon, SANS-Norse, February 2014, http://norse- corp.com/HealthcareReport2014.html. Garfinkel, Simson L., “The Cybersecurity Risk,” Communications of the ACM 55 (2012): 29-32. doi: 10.1145/2184319.2184330 Hall, Joseph L. and Deven McGraw, “For Telehealth To Succeed, Privacy and Security Risks Must Be Identified And Addressed,” Health Affairs 33, no. 2(2014): 2186-221. Harknett, Richard J. and James A. Stever, “The New Policy World of Cybersecurity,” Public Administrative Review 71 (2011): 455-460. doi: 10.1111/j.1540-6210.2011.02366.x Herman, William H. “The Economic Costs of Diabetes: Is It Time for a New Treatment Paradigm?,” Diabetes Care 36, no. 4(2013): 775-776. Hiller, Janine S. and Roberta S. Russell, “The challenge and imperative of private sector cybersecurity: An international comparison.” Computer Law & Security Review 29, no. 3 (2013): 236-245. Howitt, Peter, Ara Darzi, Guang-Zhong Yang, Hutan Ashrafian, Rifat Atun, James Barlow, Alex Blakemore, Anthony MJ Bull, Josip Car, Lesong Conteh, Graham S Cooke, Nathan Ford, Simon AJ Gregson, Karen Kerr, Dominic King, Myutan Kulendran, Robert A Malkin, Azeem Majeed, Stephen Matlin, Robert Merrifield, Hugh A Penfold, Steven D Reid, Peter C Smith, Molly M Stevens, Michael R Templeton, Charles Vincent, and Elizabeth Wilson, “Technologies for Global Health.” The Lancet 380 (2012): 507-535. DOI: 10.1016/S0140-6736(12)61127-1 Identity Theft Resource Center, “2013 Data Breaches,” February 2014. http://www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html. Kim, Lee. “Electronic Health Records: Selecting the EHR Solution and Negotiating the License Agreement,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. 15-26. Chicago: American Bar Association, 2013. Landen, Rachel and Joseph Conn, “WellPoint to pay $1.7 million HIPAA penalty,” Modern Healthcare, July 2013, online. Marzigliano, Leonard T. “Defense Department Adopts NIST Security Standard.” InformationWeek. March 14, 2014. http://www.informationweek.com/government/cybersecurity/defense-department- adopts-nist-security-standards/d/d-id/1127706. 26
  • 27. Peabody Jr., Arthur E. “The Evolution of HIPAA: Protecting the Privacy of Individuals in Their Physician’s Office, in the Hospital, at the Lab, as a Subject of Research, and throughout the World,” in Health care IT: the essential lawyer’s guide to health information technology and the law, ed. Arthur E. Peabody, Jr., 1st ed. 141-175. Chicago: American Bar Association, 2013. Pearson, Teresa L. “Teleheath: Aiding Navigation Through the Perfect Storm of Diabetes Care in the Era of Health Care Reform.” Diabetes Spectrum 26, no. 4 (2013): 221-225. Ponemon Institute, Fourth Annual Benchmark Study on Patient Privacy & Data Security, March 2014. http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient- privacy-and-data-security Schmidt, Eric and Jared Cohen, The New Digital Age: Transforming Nations, Businesses, and Our Lives. New York: Vintage Books, 2014. Scott, Christopher Thomas, Timothy Caulfield, Emily Borgelt, and Judy Illes, “Personal medicine —the new banking crisis.” Nature Biotechnology 30, no. 2(2012): 141-147. Singer, P.W. and Allan Friedman, Cybersecurity And Cyberwar: What Everyone Needs To Know. Oxford: Oxford University Press, 2014. West Health Institute, The Value of Medical Device Interoperability: Improving patient care with more than $30 billion in annual health care savings, March 2013. http://www.westhealth.org/institute/interoperability World Health Organization, Legal frameworks for eHealth: Based on the findings of the second global survey on eHealth. Geneva: World Health Organization, 2012. 27