September 19, 2016

Digital Health Information and the Threat of Cyberattack


The number of cyberattacks targeting sensitive health
information maintained by health care providers and health
plans has increased significantly in the past two years. This
trend is raising concerns about the vulnerability of
electronic health data. Cybersecurity experts predict that the
number of cyberattacks involving health information will
continue to grow because the data are so valuable.

Health information often contains a rich set of personal
identifiers. These can be used to create false identities for
various illegal purposes, including submitting fraudulent
insurance claims. Stolen health data fetches higher prices
than stolen credit card numbers, which can be quickly
deactivated.

Health care cybersecurity involves more than just
safeguarding patient data from medical identity theft. Many
hackers are now using ransomware to attack hospitals and
other health care facilities in an effort to extort money by
disrupting their daily operations. Ransomware is a type of
malicious software that prevents the victim from accessing
their data, usually by encrypting the data with a key known
only to the attacker, until a ransom is paid. By denying a
health care facility access to its own data, ransomware
attacks may put patients' lives at risk.

Health care facilities also are concerned about the
cybersecurity of medical devices used to monitor and
support patients. Increasingly, such devices are connected
to the Internet and other networks.

Health care providers and health plans that handle health
information in electronic form (as opposed to paper-based
records) are subject to the Health Insurance Portability and
Accountability Act (HIPAA) security standards.
Information security experts question whether the HIPAA
security standards are sufficiently protective of electronic
health data. They argue that the standards fail to address
modern cybersecurity challenges.

The HIPAA standards are administered and enforced by the
Office for Civil Rights (OCR) within the Department of
Health and Human Services (HHS). OCR is working with
other HHS agencies to provide guidance and compliance
tools for HIPAA-covered entities.

Any breach of unsecured health information affecting 500
or more individuals must be reported to OCR. A breach is
the acquisition, access, use, or disclosure of protected
health information in a manner not permitted under the
[HIPAA privacy standards] which compromises [its]
security or privacy. Information is unsecured if it is not
rendered unusable, unreadable, or indecipherable to
unauthorized persons, for example, by using encryption.


Figure 1 shows the cumulative number of breaches
reported and number of individuals affected, by type of
breach, since reporting began in October 2009.

Figure 1. Breaches of HIPAA-Protected Health Data

[Chart: cumulative number of breaches reported and number of individuals affected, by type of breach, October 2009 onward]

Source: CRS analysis of HHS/OCR data through August 24, 2016.


To date, almost half of all reported breaches have been the
result of theft, either theft of equipment and devices (e.g.,
servers, laptops, flash drives) that store electronic health
information, or theft of paper records. Breaches due to theft
account for 738 (45%) of the total of 1,627 reported
breaches. However, these incidents have affected only
about 24 million (14%) of the more than 167 million
individuals who have been affected by all types of reported
breaches.

By comparison, breaches due to a hacking/IT incident (i.e.,
a cyberattack, in which electronic health information is
impermissibly accessed through technical intrusion using
malicious software to attack or penetrate a system)
represent a relatively small percentage of reported breaches.
But some of these cyberattacks have affected millions of
individuals, far more than other types of breaches.
Altogether, the 217 hacking/IT incidents (13%) have
affected almost 126 million individuals, or about 75% of
the total number of affected individuals.

Breaches also occur as a result of loss of equipment or
paper records, unauthorized access to (and disclosure of)
health information that does not involve technical intrusion,
as well as by other means (e.g., improper disposal).

The cumulative data on hacking/IT incidents mask an
important trend. A majority of these incidents were reported
in the past two years. During the same period, the number
of reports of some of the other types of breaches (e.g., theft,
loss, improper disposal) has been declining.
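The two comparisons above (share of reports versus share of individuals affected, and the cumulative total versus the recent trend) are the kind of tally a reader can reproduce from the OCR breach portal export. The script below is an added example, not part of the CRS report or of any HHS tool: it parses a few constructed rows laid out like that export (the column names are assumed to match the portal's CSV; the entities, dates and counts are made up) and computes, per breach type, the count share, the affected-individuals share, the per-year counts and the fraction of a type's reports filed since a given year.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the layout of the HHS/OCR breach portal export.
# Column names are assumed to match that export; every row is invented for
# this example and is not real portal data.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,NY,Healthcare Provider,1200,11/02/2010,Theft,Laptop
Example Plan B,CA,Health Plan,3400000,02/04/2015,Hacking/IT Incident,Network Server
Example Clinic C,TX,Healthcare Provider,800,05/11/2013,Loss,Paper/Films
Example Provider D,FL,Healthcare Provider,2500,07/20/2012,Theft,Desktop Computer
Example Plan E,IL,Health Plan,78000000,03/13/2015,Hacking/IT Incident,Network Server
Example Clinic F,WA,Healthcare Provider,650,09/01/2016,Improper Disposal,Paper/Films
Example Provider G,OH,Healthcare Provider,15000,06/17/2016,Hacking/IT Incident,Network Server
Example Provider H,GA,Healthcare Provider,900,01/05/2011,Unauthorized Access/Disclosure,Email
"""


def load_breaches(text):
    """Parse portal-style CSV text into records with type, affected count and year."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "type": r["Type of Breach"].strip(),
            "affected": int(r["Individuals Affected"]),
            "year": datetime.strptime(r["Breach Submission Date"], "%m/%d/%Y").year,
        })
    return rows


def summarize_by_type(rows):
    """Per breach type: report count, share of reports, individuals affected, share of affected."""
    if not rows:
        raise ValueError("no breach records")
    total_count = len(rows)
    total_affected = sum(r["affected"] for r in rows)
    tally = defaultdict(lambda: [0, 0])  # type -> [count, affected]
    for r in rows:
        tally[r["type"]][0] += 1
        tally[r["type"]][1] += r["affected"]
    return {
        t: {
            "count": c,
            "count_share": c / total_count,
            "affected": a,
            "affected_share": a / total_affected,
        }
        for t, (c, a) in tally.items()
    }


def yearly_counts(rows, breach_type):
    """Number of reports of one breach type per submission year, in year order."""
    counts = defaultdict(int)
    for r in rows:
        if r["type"] == breach_type:
            counts[r["year"]] += 1
    return dict(sorted(counts.items()))


def recent_share(rows, breach_type, since_year):
    """Fraction of a type's reports submitted in or after since_year (the trend the cumulative total hides)."""
    of_type = [r for r in rows if r["type"] == breach_type]
    if not of_type:
        raise ValueError(f"no records of type {breach_type!r}")
    recent = sum(1 for r in of_type if r["year"] >= since_year)
    return recent / len(of_type)


if __name__ == "__main__":
    records = load_breaches(SAMPLE_CSV)
    for t, s in sorted(summarize_by_type(records).items()):
        print(f"{t:32} reports {s['count']:3} ({s['count_share']:5.1%})  "
              f"affected {s['affected']:>11,} ({s['affected_share']:6.2%})")
    print("Hacking/IT Incident by year:", yearly_counts(records, "Hacking/IT Incident"))
    print("Hacking/IT Incident share since 2015:",
          recent_share(records, "Hacking/IT Incident", 2015))
```

Run it against the real portal CSV by replacing SAMPLE_CSV with the file contents; the "Individuals Affected" column is blank for some real rows, so a production version should skip or flag those rather than calling int() on them.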

