Hostname: page-component-848d4c4894-2pzkn Total loading time: 0 Render date: 2024-04-30T20:46:16.672Z Has data issue: false hasContentIssue false
  • English
  • Français

Maybe If We Turn It Off and Then Turn It Back On Again? Exploring Health Care Reform as a Means to Curb Cyber Attacks

Published online by Cambridge University Press:  01 January 2021

Deborah R. Farringer
Get access Rights & Permissions [Opens in a new window]

Abstract

The health care industry has moved at a rapid pace away from paper records to an electronic platform across almost all sectors — much of it at the encouragement and insistence of the federal government. Such rapid expansion has increased exponentially the risk to individuals in the privacy of their data and, increasingly, to their physical well-being when medical records are inaccessible through ransomware attacks. Recognizing the unique and critical nature of medical records, the United States Congress established the Health Care Industry Cybersecurity Task Force under the Cybersecurity Information Sharing Act of 2015 for the purpose of reviewing cybersecurity risks within the health care industry and identifying who will lead and coordinate efforts to address such risks among the various agencies. The Task Force has since issued a report setting forth six high-level imperatives that the health care industry needs to achieve in order to combat cybersecurity, and, notably, many of the vulnerabilities plaguing the industry identified in the Report as requiring correction are not necessarily related to specific flaws in the current cybersecurity framework, but rather susceptibilities presented by the infrastructure and associated regulatory regime that has evolved over the last few decades over the health care industry generally. That is, the current health care infrastructure by its nature exacerbates cybersecurity risk. Between a lack of information sharing of industry threats, risks, and mitigations, disparate leadership and governance goals for cybersecurity, the confluence and contradiction of existing federal and state laws, fragmentation in the fee-for-service delivery system, lack of care coordination, and disparate resources across and among sectors, the industry suffers from heightened cyber risk. Solutions that are reactive to problems within the current infrastructure will likely have little long term impact toward reducing cybersecurity vulnerabilities because they do not address the underlying system challenges. All of these confluences causes one to wonder whether if in fact the current health care delivery infrastructure is a contributing factor to the incidents of cybersecurity attacks and the exorbitant costs associated with resolving data breaches, should Congress look not just to curb breach incidents, but to address root cause systematic challenges in the health industry infrastructure that create increased exposure of cybersecurity threats? This article argues that cybersecurity risks will continue to be heightened and more costly to the health care industry as compared to other industries unless and until some general system redesign is achieved that allows for (1) greater sharing of resources among industry participants to ensure the same protections are implemented at all levels of the industry, which can be strengthened through greater interoperability of systems across the health care industry; and (2) increased focus and attention on the importance of cybersecurity issues as a priority among system reforms.

Type
Symposium Articles
Information
Journal of Law, Medicine & Ethics , Volume 47 , Issue S4: Current Topics in Health Law: Papers from the 2019 ASLME Health Law Professors Conference , Winter 2019 , pp. 91 - 102
Copyright
Copyright © American Society of Law, Medicine and Ethics 2019

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

Kristof, K., “Identity Theft Has Never Been More Rampant,” CBS News, February 6, 2018, available at <https://www.cbsnews.com/news/identity-theft-hits-record-high/> (last visited November 20, 2019).+(last+visited+November+20,+2019).>Google Scholar
Narendra, M., Study Reports a 500% Increase in Ransomware Attacks against Businesses, PrivSec Report, April 30, 2019, available at <https://gdpr.report/news/2019/04/30/study-reports-a-500-increase-in-ransomware-attacks-against-businesses/> (last visited November 20, 2019); see also Swann, J., “Ransomware Tops List of Health-Care Data Breach Threats,” Bloomberg Law, May 7, 2019, available at <https://news.bloomberglaw.com/health-law-and-business/ransomware-tops-list-of-health-care-data-breach-threats> (last visited November 20, 2019).+(last+visited+November+20,+2019);+see+also+Swann,+J.,+“Ransomware+Tops+List+of+Health-Care+Data+Breach+Threats,”+Bloomberg+Law,+May+7,+2019,+available+at++(last+visited+November+20,+2019).>Google Scholar
Sheridan, K., “Exposed Consumer Data Skyrocketed 126% in 2018,” Dark Reading, February 4, 2019, available at <https://www.darkreading.com/attacks-breaches/exposed-consumer-data-skyrocketed-126–in-2018/d/d-id/1333790> (last visited November 20, 2019).+(last+visited+November+20,+2019).>Google Scholar
Zurkus, K., “Texas Hospital Discloses Third-Party Breach,” InfoSecurity, December 13, 2018, available at <https://www.infosecurity-magazine.com/news/texas-hospital-discloses-third/> (last visited November 20, 2019).+(last+visited+November+20,+2019).>Google Scholar
Conner Forrest, “Despite Risks, Only 38% of CEOs Are Highly Engaged in Cybersecurity,” TechRepublic, October 9, 2018, available at <https://www.techrepublic.com/article/despite-risks-only-38-of-ceos-are-highly-engaged-in-cybersecurity/> (last visited November 20, 2019).+(last+visited+November+20,+2019).>Google Scholar
See Health Information Technology for Economic and Clinical Health Act, 42 U.S.C.A. § 300jj-34 (2009).Google Scholar
Medical records contain sensitive personal information including name, birthdate, social security number, and medical condition. Akpan, N., “Has Health Care Hacking Become an Epidemic?” PBS Newshour, March 23, 2016, available at <http://www.pbs.org/newshour/updates/hashealth-care-hacking-become-an-epidemic/> (noting that health data has fewer protections, but more valuable data). See also Slabodkin, G., “Ransomware Emerging as Medical Device Cybersecurity Threat,” Health Data Management, February 20, 2017.+(noting+that+health+data+has+fewer+protections,+but+more+valuable+data).+See+also+Slabodkin,+G.,+“Ransomware+Emerging+as+Medical+Device+Cybersecurity+Threat,”+Health+Data+Management,+February+20,+2017.>Google Scholar
See Ponemon Institute, LLC, 2018 Cost of a Data Breach Study: Global Overview (July 2018): 14. Globally, the health care industry experiences less frequent data breaches than other sectors. Id. (noting that the health care industry is tied for 13th out of 17 in terms of the frequency of data breaches over the previous year). But see Green, M., “Hospitals Are Hit with 88% of All Ransomware Attacks,” Health IT & CIO Review, July 27, 2016, available at <http://www.beckershospitalreview.com/healthcare-information-technology/hospitals-are-hit-with-88-of-all-ransomware-attacks.html> (last visited November 20, 2019).+(last+visited+November+20,+2019).>Google Scholar
Ponemon Institute, LLC, supra note 8, at 13.Google Scholar
Id., at 18. (“Per capita cost is defined as the total cost of data breach divided by the size of the data breach (i.e., the number of lost or stolen records)).” Id.Google Scholar
Id. The “Financial” sector experienced annual costs of $206 per capita. The lowest per capita cost was the “Public” sector, at $75 per capita. Id.Google Scholar
Id., at 17 (defining “abnormal churn” as “the greater than expected loss of customers since the breach occurred”).Google Scholar
Health Care Industry Cybersecurity Task Force, Report on Improving Cybersecurity in the Health Care Industry, 11-12 (June 2017), available at <https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf> (last visited November 20, 2019) [hereinafter the “Report”].+(last+visited+November+20,+2019)+[hereinafter+the+“Report”].>Google Scholar
Cybersecurity Information Sharing Act was passed as part of the Consolidated Appropriations Act of 2016, Pub. L. No. 114-113, 129 Stat. 2242 (Dec. 18, 2015).Google Scholar
6 U.S.C. § 1533(b) (2015).Google Scholar
See generally Report, supra note 13. The Task Force has also issued a one-year update regarding its ongoing activities. See U.S. Dep't of Health & Hum. Servs., Public Health Emergency, Year One Activity Update, available at <https://www.phe.gov/Preparedness/planning/CyberTF/Pages/OneYearUpdate.aspx> (last visited November 20, 2019). (last visited November 20, 2019).' href=https://scholar.google.com/scholar?q=See+generally+Report,+supra+note+13.+The+Task+Force+has+also+issued+a+one-year+update+regarding+its+ongoing+activities.+See+U.S.+Dep't+of+Health+&+Hum.+Servs.,+Public+Health+Emergency,+Year+One+Activity+Update,+available+at++(last+visited+November+20,+2019).>Google Scholar
Id.; see also Raths, D., “Legislating Cybersecurity: Breaches Grab Lawmakers' Attention,” Government Technology, October 12, 2016, available at <https://www.govtech.com/security/Legislating-Cybersecurity-Breaches-Grab-Lawmakers-Attention.html> (last visited November 20, 2019). (last visited November 20, 2019).' href=https://scholar.google.com/scholar?q=Id.;+see+also+Raths,+D.,+“Legislating+Cybersecurity:+Breaches+Grab+Lawmakers'+Attention,”+Government+Technology,+October+12,+2016,+available+at++(last+visited+November+20,+2019).>Google Scholar
See generally Report, supra note 13.Google Scholar
Report, supra note 13, at 50-52.Google Scholar
Id., at 22-27.Google Scholar
Id., at 15-16.Google Scholar
Terry, N. P., “Pit Crews with Computers: Can Health Information Technology Fix Fragmented Care?” Houston Journal of Health Law & Policy 14 (2014): 129, 148 (examines our fragmented system's effects on IT in healthcare).Google Scholar
See Report, supra note 13, at 31 (suggesting in Action Item 2.3.8 that “Industry and government should consider issuing a grand challenge, soliciting from stakeholders novel incentive structures that could be leveraged to address cybersecurity challenges specific to securing legacy systems, SDL, strategic and architectural approaches, and holistic data flow and system requirements for EHRs…”).Google Scholar
Bunnell, S. et al., HHS Releases Cybersecurity Task Force Report, O'Melveny, June 12, 2017, available at <https://www.omm.com/resources/alerts-and-publications/alerts/hhs-releases-cybersecurity-task-force-report/?sc_lang=ko-KR> (last visited November 20, 2019) (criticizing the Report for “largely avoiding recommending prescriptive regulation”). (last visited November 20, 2019) (criticizing the Report for “largely avoiding recommending prescriptive regulation”).' href=https://scholar.google.com/scholar?q=Bunnell,+S.+et+al.,+HHS+Releases+Cybersecurity+Task+Force+Report,+O'Melveny,+June+12,+2017,+available+at++(last+visited+November+20,+2019)+(criticizing+the+Report+for+“largely+avoiding+recommending+prescriptive+regulation”).>Google Scholar
As will be discussed in more detail infra, interoperability can be seen as both a positive in the fight against cybersecurity risk for its ability to assure sufficient resource allocation across industry players (e.g., large hospital systems to small physician offices) to ensure a consistent prioritization of cybersecurity as a necessary focus, and a negative because of the increased risks posed by having even larger amounts of consolidated data subject to exposure. This Article posits that the benefits of resource allocation will outweigh the risks of data consolidation so long as the technology utilized to achieve interoper-ability contains appropriate mitigation tools. Thus, interoper-ability as a potential solution to cybersecurity risk is suggested with the understanding that interoperability must contemplate data protection as one of its primary goals.Google Scholar
42 U.S.C. § 300gg; §§ 1320d et seq.; 29 U.S.C. §§ 1181-1183.Google Scholar
Initially promoted with the enactment of HIPAA, Congress later enacted the Health Information Technology for Economic and Clinical Health Act, 42 U.S.C. §§ 300jj to jj-51 et seq. to further spur use of EHRs. See Blumenthal, D. and Tavenner, M., “The “Meaningful Use” Regulation for Electronic Health Records,” New England Journal of Medicine 363 (2010): 501, 501; see also Charles, D., et al., Adoption of Electronic Health Record Systems among U.S. Federal Acute Care Hospitals: 2008-2014, Off. of the Nat'l Coord. for Health Info. Tech., 23 ONC Data Brief 1 (April 2015), available at <https://www.healthit.gov/sites/default/files/data-brief/2014HospitalAdoptionDataBrief.pdf> (last visited November 20, 2019).CrossRefGoogle Scholar
A report issued by the Office of the National Coordinator for Health Information Technology (ONC) tracked use of EHRs over time and noted that by 2008 only 9.4% of hospitals had adopted a basic EHR. See Charles, supra note 27, at 1.Google Scholar
Centers for Disease Control, National Health Records Survey: Table. Percentage of Office-Based Physicians Using Any Electronic Health Record (EHR)/Electronic Medical Record (EMR) System and Physicians That Have a Certified EHR/EMR System, by U.S. State (2017), available at <https://www.cdc.gov/nchs/data/nehrs/2017_NEHRS_Web_Table_EHR_State.pdf> (last visited November 20, 2019). The HITECH Act provided incentive payments (and later imposed penalties) for adoption of “certified” EHR technology (CEHRT). CEHRT is technology that “stores data in a structured format” in accordance with certain established standards for use in the Centers for Medicare and Medicaid Services' (CMS) Promoting Interoperability Programs. See Centers for Medicare and Medicaid Services, “Certified EHR Technology,” CMS.gov, available at <https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Certification.html> (last visited November 20, 2019). (last visited November 20, 2019).' href=https://scholar.google.com/scholar?q=Centers+for+Disease+Control,+National+Health+Records+Survey:+Table.+Percentage+of+Office-Based+Physicians+Using+Any+Electronic+Health+Record+(EHR)/Electronic+Medical+Record+(EMR)+System+and+Physicians+That+Have+a+Certified+EHR/EMR+System,+by+U.S.+State+(2017),+available+at++(last+visited+November+20,+2019).+The+HITECH+Act+provided+incentive+payments+(and+later+imposed+penalties)+for+adoption+of+“certified”+EHR+technology+(CEHRT).+CEHRT+is+technology+that+“stores+data+in+a+structured+format”+in+accordance+with+certain+established+standards+for+use+in+the+Centers+for+Medicare+and+Medicaid+Services'+(CMS)+Promoting+Interoperability+Programs.+See+Centers+for+Medicare+and+Medicaid+Services,+“Certified+EHR+Technology,”+CMS.gov,+available+at++(last+visited+November+20,+2019).>Google Scholar
Health IT Dashboard, “Non-Federal Acute Care Hospital Electronic Health Record Adoption,” Off. of the Nat'l Coord. for Health Info. Tech. (2017), available at <https://dashboard.healthit.gov/quickstats/pages/FIG-Hospital-EHR-Adoption.php> (last visited November 20, 2019) (citing source data as the ONC/American Hospital Association (AHA), AHA Annual Survey Information Technology Supplement). (last visited November 20, 2019) (citing source data as the ONC/American Hospital Association (AHA), AHA Annual Survey Information Technology Supplement).' href=https://scholar.google.com/scholar?q=Health+IT+Dashboard,+“Non-Federal+Acute+Care+Hospital+Electronic+Health+Record+Adoption,”+Off.+of+the+Nat'l+Coord.+for+Health+Info.+Tech.+(2017),+available+at++(last+visited+November+20,+2019)+(citing+source+data+as+the+ONC/American+Hospital+Association+(AHA),+AHA+Annual+Survey+Information+Technology+Supplement).>Google Scholar
See Yanamadala, S., et al., “Electronic Health Records and Quality of Care: An Observational Study Modeling Impact on Mortality, Readmissions, and Complications,” Medicine 95 (2016): 1, 1-2, available at <https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4902473/pdf/medi-95-e3332.pdf> (last visited November 20, 2019).CrossRefGoogle Scholar
See, e.g., Freudenheim, M., “The Ups and Downs of Electronic Medical Records,” New York Times, October 8, 2012; Arndt, B.G., et al., “Tethered to the EHR: Primary Care Physician Workload Assessment Using EHR Event Log Data and Time-Motion Observations,” Annals of Family Medicine 15 (2017): 419, available at <http://www.annfammed.org/content/15/5/419.full.pdf+html> (last visited November 20, 2019).Google Scholar
See Solove, D.J., “HIPAA Turns 10: Analyzing the Past, Present and Future Impact,” Journal of American Health Information Management Association 84 (April 2013): 22, available at <https://library.ahima.org/doc?oid=106325#.XWgDbuNKiUl> (last visited November 20, 2019).Google Scholar
See Zetter, K., “Hacker Lexicon: A Guide to Ransomware, the Scary Hack That's on the Rise,” Wired, September 17, 2015, available at <https://www.wired.com/2015/09/hacker-lexicon-guide-ransomware-scaryhack-thats-rise/>; see also Farringer, D.R., “Send Us the Bitcoin or Patients Will Die: Addressing the Risks of Ransomware Attacks on Hospitals,” Seattle University Law Review 40 (2017): 937, 954 (noting that the invention of online currency Bitcoin has made ransomware attacks significantly easier for criminals and more difficult to prevent due to the anonymity of the payment).Google Scholar
See Report, supra note 13, at 9.Google Scholar
Tran, J. L., “Navigating the Cybersecurity Act of 2015,” Chapman Law Review 19 (2016): 483, 483.Google Scholar
S. 754-Cybersecurity Information Sharing Act of 2015, Senate Republican Pol'y Committee (Aug. 3, 2015), available at <http://www.rpc.senate.gove/legislative-notices/s-754_cyber-security-inforamtion-sharing-act-of-2015>..' href=https://scholar.google.com/scholar?q=S.+754-Cybersecurity+Information+Sharing+Act+of+2015,+Senate+Republican+Pol'y+Committee+(Aug.+3,+2015),+available+at+.>Google Scholar
Cybersecurity Information Sharing Act (CISA) was passed as part of the Consolidated Appropriations Act of 2016, Pub. L. No. 114-113, 129 Stat. 2242 (2015); see also Tran, supra note 36, at 485 (noting the purpose of the act to “provide liability protections for information sharing between corporate entities, between corporate entities and the government, and between different government agencies”).Google Scholar
6 U.S.C. § 1533(b). Congress directed the Task Force to (a) analyze approaches of other industries to cybersecurity threats; (b) analyze the challenges and barriers that private entities face in connection with cyber risks; (c) consider challenges related to devices and software that connection to EHRs; (d) provider HHS with educational materials on cybersecurity risks for industry dissemination; (e) establish plan for sharing of information regarding cybersecurity threats; and (f) report to Congress on findings and recommendations. Id.Google Scholar
The six imperatives are: “1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity. 2. Increase the security and resilience of medical devices and health IT. 3. Develop the health care work-force capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities. 4. Increase health care industry readiness through improved cybersecurity awareness and education. 5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure. 6. Improve information sharing of industry threats, weaknesses, and mitigations.” Id., at 21.Google Scholar
Id., at 1 (“The health care industry in the United States is a mosaic, including very large health systems, single physician practices, public and private payors, research institutions, medical device developers and software companies, and a diverse and widespread patient population.”).Google Scholar
Id., at 16.Google Scholar
Id.Google Scholar
Id.Google Scholar
Id.Google Scholar
Id., at 17.Google Scholar
Id.Google Scholar
See Miliard, M., “State and Regional HIEs: ‘Don't Count Us Out Just Yet!’” Healthcare IT News, January 28, 2019, available at <https://www.healthcareitnews.com/news/state-and-regional-hies-dont-count-us-out-just-yet> (last visited November 20, 2019). (last visited November 20, 2019).' href=https://scholar.google.com/scholar?q=See+Miliard,+M.,+“State+and+Regional+HIEs:+‘Don't+Count+Us+Out+Just+Yet!’”+Healthcare+IT+News,+January+28,+2019,+available+at++(last+visited+November+20,+2019).>Google Scholar
See Report, supra note 13, at 18.Google Scholar
Id.Google Scholar
Id.Google Scholar
Id., at 23.Google Scholar
Id., at 21.Google Scholar
Id.Google Scholar
Id.Google Scholar
See Office of the Nat'l Coord. For Health Info. Tech, Trusted Exchange Framework and Common Agreement (Draft 2), HealthIT.gov, July 7, 2019, available at <https://www.heal-thit.gov/sites/default/files/page/2019-04/FINALTEFCAQTF41719508version.pdf> [hereinafter the “Trusted Exchange Framework”]. [hereinafter the “Trusted Exchange Framework”].' href=https://scholar.google.com/scholar?q=See+Office+of+the+Nat'l+Coord.+For+Health+Info.+Tech,+Trusted+Exchange+Framework+and+Common+Agreement+(Draft+2),+HealthIT.gov,+July+7,+2019,+available+at++[hereinafter+the+“Trusted+Exchange+Framework”].>Google Scholar
21st Century Cures Act, Pub. L. No. 114-255, 130 Stat. 1033 (2016).Google Scholar
The law has myriad goals, other than that purpose specifically listed above. See Loumbas, E. Zacharakis, Esq., “21st Century Cures Act: A Myriad of Health Law Remedies,” Health Lawyer 29, no. 5 (June 2017): 31 (noting that the Cures Act was for the purpose of “funding biomedical research and speed the approval of new drugs and medical devices” along with improvements to behavior health coverage and child and family support services).Google Scholar
See Trusted Exchange Framework, supra note 56, at 4.Google Scholar
Sullivan, T., “Why EHR Data Interoperability is Such a Mess in 3 Charts,” Healthcare IT News, May 16, 2018, available at <https://www.healthcareitnews.com/news/why-ehr-data-interoperability-such-mess-3-charts> (last visited November 20, 2019).+(last+visited+November+20,+2019).>Google Scholar
Trusted Exchange Framework, supra note 56, at 4. Information blocking is effectively when individuals, clinicians, or payers might block access to certain electronic health information even when there are not restrictions, such as HIPAA or HITECH, that would prevent such information from being shared. Id.Google Scholar
Id.Google Scholar
Id. The Trusted Exchange Framework is to establish a common set of principles for data exchange and the Common Agreement is to set forth terms by which health HINs will voluntarily be governed. Id., at 9.Google Scholar
Id., at 17. While suggested, no common framework has been required or is mandatory, but merely voluntary.Google Scholar
See Gering, S.R., “Electronic Health Records: How to Avoid Digital Disaster,” Michigan State University Journal of Medicine & Law 16 (2012): 297, 310 (noting the consequences of the theft of a single laptop for two large federal agencies).Google Scholar
Id. (recognizing the value of allowing those entities with available resources to dedicate such resources to proper security measures and share those resources across sectors).Google Scholar
Id. This can be evidenced by its reference to release of drafts of the Trusted Exchange Framework and Common Agreement as an achievement in the one year update. See U.S. Dep't of Health and Hum. Servs., Health Care Industry Cybersecurity Task Force Year One Activity Update, available at <https://www.phe.gov/Preparedness/planning/CyberTF/Pages/One-YearUpdate.aspx> (last visited November 20, 2019) [hereinafter, “One Year Update”]. Since publication of the update, ONC has released a second draft both documents. See “Trusted Exchange Framework and Common Agreement,” HealthIT.gov, Office of the Nat'l Coordinator for Health Info. Tech., available at <https://www.healthit.gov/topic/interoperability/trusted-exchange-framework-and-common-agreement> (last visited November 20, 2019). (last visited November 20, 2019) [hereinafter, “One Year Update”]. Since publication of the update, ONC has released a second draft both documents. See “Trusted Exchange Framework and Common Agreement,” HealthIT.gov, Office of the Nat'l Coordinator for Health Info. Tech., available at (last visited November 20, 2019).' href=https://scholar.google.com/scholar?q=Id.+This+can+be+evidenced+by+its+reference+to+release+of+drafts+of+the+Trusted+Exchange+Framework+and+Common+Agreement+as+an+achievement+in+the+one+year+update.+See+U.S.+Dep't+of+Health+and+Hum.+Servs.,+Health+Care+Industry+Cybersecurity+Task+Force+Year+One+Activity+Update,+available+at++(last+visited+November+20,+2019)+[hereinafter,+“One+Year+Update”].+Since+publication+of+the+update,+ONC+has+released+a+second+draft+both+documents.+See+“Trusted+Exchange+Framework+and+Common+Agreement,”+HealthIT.gov,+Office+of+the+Nat'l+Coordinator+for+Health+Info.+Tech.,+available+at++(last+visited+November+20,+2019).>Google Scholar
Id. The Task Force reported approximately two to three updates for each imperative.Google Scholar
The Task Force also noted the release of the Medical Device Safety Action Plan and a plan of action related specifically to the development of a “bill of materials” for each piece of medical technology in order to react to malware attacks in a more targeted way. See One Year Update, supra note 67. See also Snell, E., “Healthcare Cybersecurity Threats Require HHS Bill of Materials,” Health IT Security, available at <https://healthit-security.com/news/healthcare-cybersecurity-threats-require-hhs-bill-of-materials> (last visited November 20, 2019) (noting the importance of understanding which medical devices leverage certain protocols to appropriately quarantine devices following a ransomware attack).+(last+visited+November+20,+2019)+(noting+the+importance+of+understanding+which+medical+devices+leverage+certain+protocols+to+appropriately+quarantine+devices+following+a+ransomware+attack).>Google Scholar
Id.Google Scholar
See Freudenheim, supra note 32.Google Scholar
See Report, supra note 13, at 22.Google Scholar
Id. at 14.Google Scholar
See, e.g., id., at 22, 37.Google Scholar
Squires, D. and Blumenthal, D., “Do Small Physician Practices Have a Future?” The Commonwealth Fund, May 26, 2016, available at <https://www.commonwealthfund.org/blog/2016/do-small-physician-practices-have-future> (last visited November 20, 2019) (“But an important study…revealed that patients of physicians practicing in solo and small practices have lower rates of preventable readmissions than those in larger practices. Furthermore, many patients and physicians deeply value the personal relationships that smaller settings can cultivate.”)+(last+visited+November+20,+2019)+(“But+an+important+study…revealed+that+patients+of+physicians+practicing+in+solo+and+small+practices+have+lower+rates+of+preventable+readmissions+than+those+in+larger+practices.+Furthermore,+many+patients+and+physicians+deeply+value+the+personal+relationships+that+smaller+settings+can+cultivate.”)>Google Scholar
See Report, supra note 13, at 35.Google Scholar
Id., at 35-36.Google Scholar
See id., at 11, 14.Google Scholar
For example, the Task Force noted that laws like the Physician Self-Referral Law and the Anti-kickback Statute inhibit sharing of resources and information among providers. Id. at 27. Competition is another factor that hinders collaboration, but coordination and sharing of resources across sectors could ease some of these business realities.Google Scholar
See, Hush, T., “ACO Success: Reaching the Tipping Point,” Becker's Hospital Review, May 10, 2018, available at <https://www.beckershospitalreview.com/accountable-care-organizations/aco-success-reaching-the-tipping-point.html> (last visited November 20, 2019) (noting metrics and care coordination are cultural shifts that have hindered widespread adoption). (last visited November 20, 2019) (noting metrics and care coordination are cultural shifts that have hindered widespread adoption).' href=https://scholar.google.com/scholar?q=See,+Hush,+T.,+“ACO+Success:+Reaching+the+Tipping+Point,”+Becker's+Hospital+Review,+May+10,+2018,+available+at++(last+visited+November+20,+2019)+(noting+metrics+and+care+coordination+are+cultural+shifts+that+have+hindered+widespread+adoption).>Google Scholar
42 U.S.C. § 18001 et seq. (2010).Google Scholar
42 U.S.C. § 1395nn (2018).Google Scholar
42 U.S.C. § 1320a-7b(b) (2018).Google Scholar
31 U.S.C. § 3729 et seq. (2018).Google Scholar
See Report, supra note 13, at 27.Google Scholar
Id.Google Scholar
84 Fed. Reg. 55766 (Oct. 17, 2019).Google Scholar
Id.Google Scholar
84 Fed. Reg. at 55824-55825.Google Scholar
See Report, supra note 13, at 27; see also 42 C.F.R. § 411.355-357; 42 C.F.R. § 1001.952. Rather than utilize safe harbors or exceptions, many hospitals have chosen to purchase physician practices and/or employ physicians directly to avoid compliance concerns regarding compliance requirements. Greaney, T.L. and Ross, D., “Navigating Through the Fog of Vertical Merger Law: A Guide to Counseling Hospital-Physician Consolidation under the Clayton Act,” Washington Law Review 91 (2016): 199, 200.Google Scholar
See NCSL Briefs for State Legislators, Combating Health Care Fraud and Abuse, Health Cost Containment and Efficiencies (September 2010): 3, Table 2, available at <http://www.ncsl.org/portals/1/documents/health/Fraud-2010.pdf> (last visited November 20, 2019). CMS is aware of this issue and has included in its current proposed rules to the Stark Law information blocking as one of the restrictions that would be placed on those who donate EHR software or hardware or, potentially under the proposed regulations, cybersecurity software. See 84 Fed. Reg. at 55824.CrossRef+(last+visited+November+20,+2019).+CMS+is+aware+of+this+issue+and+has+included+in+its+current+proposed+rules+to+the+Stark+Law+information+blocking+as+one+of+the+restrictions+that+would+be+placed+on+those+who+donate+EHR+software+or+hardware+or,+potentially+under+the+proposed+regulations,+cybersecurity+software.+See+84+Fed.+Reg.+at+55824.>Google Scholar
Report, supra note 13, at 27.Google Scholar
Id.Google Scholar
42 U.S.C. § 1899 (as added by Section 3022 of the ACA) (establishing the Medicare Shared Savings Program).Google Scholar
See 42 C.F.R. § 425 et seq. Established in 2012 under the ACA, the Medicare Shared Savings Program has been amended in various ways since enactment. See 83 Fed. Reg. 67816, 67819 (Dec. 31, 2018). There are currently about 1,000 ACOs in operation, with varying success rates. See Bleser, W.K., et al., “Following Medicare's ACO Program Overhaul, Most ACOs Stay — But Physician-Led ACOs Leave at a Higher Rate,” Health affairs, March 15, 2019; Castellucci, M., “Fewer ACOs Joining Medicare Shared Savings Program,” Modern Healthcare (July 17, 2019), available at <https://www.modernhealthcare.com/accountable-care/fewer-acos-joining-medicare-shared-savings-program?utm_source=modern-healthcare-am-thursday&utm_medium=email&utm_campaign=20190718&utm_content=article2-headline> (last visited November 20, 2019). (last visited November 20, 2019).' href=https://scholar.google.com/scholar?q=See+42+C.F.R.+§+425+et+seq.+Established+in+2012+under+the+ACA,+the+Medicare+Shared+Savings+Program+has+been+amended+in+various+ways+since+enactment.+See+83+Fed.+Reg.+67816,+67819+(Dec.+31,+2018).+There+are+currently+about+1,000+ACOs+in+operation,+with+varying+success+rates.+See+Bleser,+W.K.,+et+al.,+“Following+Medicare's+ACO+Program+Overhaul,+Most+ACOs+Stay+—+But+Physician-Led+ACOs+Leave+at+a+Higher+Rate,”+Health+affairs,+March+15,+2019;+Castellucci,+M.,+“Fewer+ACOs+Joining+Medicare+Shared+Savings+Program,”+Modern+Healthcare+(July+17,+2019),+available+at++(last+visited+November+20,+2019).>Google Scholar
See Report, supra note 13, at 10-11. (noting challenges posed by connecting devices that were not originally established to connect).Google Scholar
See, e.g., Dep't of Health and Hum. Servs., HHS Extends Comment Period for Proposed Rules to Improve the Interoperability of Electronic Health Information, Press Release, April 19, 2019 (extending the deadline for comment to June 3, 2019). Unlike insurance reforms and payment reforms contained within the ACA, laws promoting EHR interoperability appear to have been less political and easier to move forward in Congress. See Pittman, D., “Bipartisan Worry on Federal Health IT,” Politico, July 24, 2014; see also Senator Angus King, King, Kaine, Isakson Introduce Bipartisam Bill to Modernize Public Health Data Systems, Press Release, June 12, 2019.Google Scholar
See Office of the Nat'l Coordinator for Health Info. Tech., Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap, Final Version 1.0, at vi-vii, available at <https://www.healthit.gov/sites/default/files/hieinteroperability/nationwide-interoperability-roadmap-final-version-1.0.pdf> (last visited November 20, 2019) (providing a timeline of all interoperability efforts). (last visited November 20, 2019) (providing a timeline of all interoperability efforts).' href=https://scholar.google.com/scholar?q=See+Office+of+the+Nat'l+Coordinator+for+Health+Info.+Tech.,+Connecting+Health+and+Care+for+the+Nation:+A+Shared+Nationwide+Interoperability+Roadmap,+Final+Version+1.0,+at+vi-vii,+available+at++(last+visited+November+20,+2019)+(providing+a+timeline+of+all+interoperability+efforts).>Google Scholar
See Tschider, C.A., “Enhancing Cybersecurity for the Digital Health Marketplace,” Annals of Health Law 26 (2017): 1, 4-5. The FDA describes “digital health” to include “mobile health, health information technology, wearable devices, telehealth, telemedicine, and personalized medicine.” Id. While the NIST Framework does provide some guidance, it is voluntary and there is not widespread adoption across the industry of NIST standards.Google Scholar
See Report, supra note 13, at 17. See also Shackelford, S.J., et al., “Securing the Internet of Healthcare,” Minnesota Journal of Law, Science & Technology 19 (2017): 405, 409-410.Google Scholar
See Report, supra note 13, at 22.Google Scholar
U.S. Dep't of Health and Human Servs., Food and Drug Admin., Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff, at 6 (December 28, 2016) [hereinafter, “FDA Postmarket Guidance”].Google Scholar
See Report, supra note 13, at 10.Google Scholar
See Id., at 11.Google Scholar
See supra notes 96-98.Google Scholar
Food and Drug Administration, “About FDA,” available at <https://www.fda.gov/about-fda/what-we-do> (last visited July 26, 2019); see Tschider, supra note 99, at 16-17.+(last+visited+July+26,+2019);+see+Tschider,+supra+note+99,+at+16-17.>Google Scholar
See Wellington, K. Booth, “Cyberattacks on Medical Devices and Hospital Networks: Legal Gaps and Regulatory Solutions,” Santa Clara High Technology Law Journal 30 (2014): 139, 158.Google Scholar
71 Fed. Reg. 8389, 8391 (Feb. 16, 2006).Google Scholar
Id. The HITECH amends HIPAA and thus penalties are imposed by the Office for Civil Rights.Google Scholar
See 42 U.S.C. § 1395nn (2018); 42 U.S.C. § 1395nn (2018); 15 U.S.C. § 1 (2018) (The Sherman Act); 15 U.S.C. § 18 (2018) (The Clayton Act).Google Scholar
See Dep't of Health and Hum. Servs., Office for Civil Rights, HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, available at <https://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf> (last visited November 20, 2019); FDA Postmarket Guidance, supra note 102, at 6. (last visited November 20, 2019); FDA Postmarket Guidance, supra note 102, at 6.' href=https://scholar.google.com/scholar?q=See+Dep't+of+Health+and+Hum.+Servs.,+Office+for+Civil+Rights,+HIPAA+Security+Rule+Crosswalk+to+NIST+Cybersecurity+Framework,+available+at++(last+visited+November+20,+2019);+FDA+Postmarket+Guidance,+supra+note+102,+at+6.>Google Scholar
See Report, supra note 13, at 21.Google Scholar
Id.Google Scholar
This article is not suggesting that the authors of the Report intend for the Report to be a manual for industry participants to stop cyberattacks. On the contrary, the Task Force acknowledges in the Report that some of the suggested changes must be legislative and/or administrative in nature. This article is suggesting, however, that having identified the necessary issues — some of which are systemic to the health care industry more generally — other steps must be adopted that do not feature cybersecurity as the driving force.Google Scholar
While most details about Medicare for All have been very high level, there has been little mention of cybersecurity or interoperability as one of the goals. See, e.g., H.R. 676, “The United States Nat'l Health Care Act,” or “Expanded & Improved Medicare For All” (2019).Google Scholar
United Kingdom's public health care system, the National Health Service (NHS), experienced the breach referenced herein.Google Scholar
Field, M., WannaCry Cyber Attack Cost the NHS £92m as 19,000 appointments cancelled, The Telegraph (Oct. 11, 2018).Google Scholar
See id.; see also Page, C., “NHS Admits Windows XP Is Still Running on More Than 2,000 Systems,” The Inquirer, July 17, 2019.Google Scholar
See Newdick, C., “Resource Allocation in the National Health Service,” American Journal of Law & Medicine 23 (1997): 291, 291-295. See also Maguire, D., “Interoperability and the NHS: Are They Incompatible?” The King's Fund, August 8, 2016, available at <https://www.kingsfund.org.uk/blog/2016/08/interoperability-and-nhs> (last visited November 20, 2019).Google Scholar
Furrow, B.R. et al., Health Law: Cases, Materials and Problems, 8th ed. (West Academic Publishing, 2008): at 931-32, 964-65.Google Scholar
See Kane, K., “How Much Does Quality Cost? Analyzing the Patient Protection and Affordable Care Act's Value-Based Purchasing Provision and How It Could Affect the Delivery of Care by Hospitals,” Duquesne Business Law Journal 14 (2011): 69, 74.Google Scholar
Admittedly, having a comprehensive cybersecurity program will not prevent attacks, but may reduce expense in responding to the attack and shutting an attack down more quickly.Google Scholar
See supra notes 76-80.Google Scholar
42 U.S.C. § 1395jjj.Google Scholar
See Bires, S. et al., “Clinically Integrated Networks: Guidelines and Common Barriers for Establishment,” Medical Economics, March 27, 2019, available at <https://www.medicaleconomics.com/business/clinically-integrated-networks-guidelines-and-common-barriers-establishment> (last visited November 20, 2019).+(last+visited+November+20,+2019).>Google Scholar
This should include not just small providers, but also safety net institutions that provide services to indigent populations. Current access issues for indigent populations further reiterates the ultimate argument of this article that system reform is a necessary first step to truly addressing cybersecurity, as providers are unlikely to include these safety net providers in proposed care delivery models due to the challenges of payor mix in making such models financially viable. See Meidell, M., “ACOs Face the Demographics Dilemma of Managed Care,” Annals of Health Law Advance Directive 25 (2015): 14, 20-21.Google Scholar
U.S. Dep't of Health and Hum. Servs., “Defining the PCMH,” Agency for Healthcare Research and Quality, available at <https://pcmh.ahrq.gov/page/defining-pcmh> (last visited November 20, 2019). (last visited November 20, 2019).' href=https://scholar.google.com/scholar?q=U.S.+Dep't+of+Health+and+Hum.+Servs.,+“Defining+the+PCMH,”+Agency+for+Healthcare+Research+and+Quality,+available+at++(last+visited+November+20,+2019).>Google Scholar
See Bates, D.W., “Physicians and Ambulatory Electronic Health Records,” Health Affairs 24 (Sept. 1, 2005): 105, available at <https://www.healthaffairs.org/doi/full/10.1377/hlthaff.24.5.1180> (last visited November 20, 2019).CrossRefGoogle Scholar
This is not to say that ACOs are the means by which cybersecurity can be addressed most effectively. Rather, it is to point out that reform efforts exist that could help ease some of the risk because the function of the ACO infrastructure will allow for sharing and collaboration of data without running afoul of existing regulatory and statutory limitations.Google Scholar
42 C.F.R. § 425 et seq. While interoperability is not a requirement for ACOs or CINs, studies indicate that ACOs that have a single EHR throughout the ACO prove more effective in meeting quality metrics and thus maximizing the amount of possible shared savings. See Cohen, J. Kim, “Separate EHRs Pose Care Coordination Challenge for ACOs, OIG Finds,” Modern Healthcare (May 22, 2019), available at <https://www.modernhealthcare.com/operations/separate-ehrs-pose-care-coordination-challenge-acos-oig-finds?utm_source=modern-healthcare-am-wednesday&utm_medium=email&utm_campaign=20190522&utm_content=article2-headline> (last visited November 20, 2019).+(last+visited+November+20,+2019).>Google Scholar
Ponemon Institute, LLC, supra note 8, at 7.Google Scholar
See Ctrs. for Medicare and Medicaid Servs., “Accountable Care Organizations (ACOs): General Information,” available at <https://innovation.cms.gov/initiatives/aco/> (last visited November 20, 2019).+(last+visited+November+20,+2019).>Google Scholar
Nussbaum, G.M., et al., “Securing Connected Devices in Health Care: Taking Proactive Action,” Journal of Health & Life Sciences Law 12 (2019): 84, 87-93.Google Scholar
See supra note 92.Google Scholar
See Livingston, S., Successful Medicare ACOs Engage Physicians, Patients, Federal Report Finds, Modern Healthcare (July 24, 2019), available at <https://www.modernhealthcare.com/accountable-care/successful-medicare-acos-engage-physicians-patients-federal-report-finds?utm_source=modern-healthcare-am-wednesday&utm_medium=email&utm_campaign=20190724&utm_content=article1-headline> (last visited November 20, 2019).+(last+visited+November+20,+2019).>Google Scholar