While technological advances have improved the quality of patient care and reduced the cost of providing it, they have also greatly increased the threat of cyber-attacks. The Department of Health and Human Services (“HHS”) found that “health care has the highest cost for data breaches.” Thus, pursuant to the congressional mandate contained in the Cyber-security Act of 2015, HHS, together with partner groups and cyber-security experts, has released guidance on best practices for addressing the cyber-security threats facing the healthcare industry.
The official position taken is that the practices described are meant for “informational purposes only” and are not “required by nor guarantees compliance with federal, state, or local laws.” While this may be the intention of HHS, under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and their implementing regulations, part of the basis for determining the amount of a civil penalty assessed against an entity after a breach is whether the entity exercised “reasonable diligence” or whether the cause of the breach “was due to reasonable cause and not to willful neglect.” Thus, compliance with the practices in the HHS Guidance will likely be highly relevant when determining whether an entity’s practices were reasonable for purposes of assessing a penalty against it for a breach of protected health information (“PHI”).
In recent years there have been numerous stories of health care entities facing cyber-attacks. In one attack in 2016, a private hospital suffered a ransomware attack, freezing all the computers at the hospital.
Patient records, schedules, and documents could not be accessed; many practitioners had to revert to pen-and-paper documentation while the system was down, and many patients had to be transferred. The hospital was only able to regain access when it paid the ransom demanded, though there is never a guarantee that acquiescing to a malicious actor’s demands will result in regaining control of a system.
In another attack, on an orthopedic practice, more than 500 patient profiles were stolen and put up for sale on the dark web. The data included names, addresses, Social Security numbers, and other valuable information that can assist in identity theft.
Another ransomware attack froze a rural hospital’s electronic health record system (“EHR”). While the hospital did not pay the demanded ransom, it did have to replace its entire EHR system. It was recently disclosed that an unauthorized party had access to a system at a Missouri rehabilitation center for approximately three months, potentially exposing the data of more than 4,000 patients. The breach was not identified until more than a month after it occurred.
HHS identified the five biggest threats facing the healthcare industry: (1) e-mail phishing attacks; (2) ransomware attacks; (3) loss or theft of equipment or data; (4) insider data loss, whether accidental or intentional; and (5) attacks against connected medical devices that may affect patient safety. HHS defined “threat” as “internal or external activities or events that have the potential to negatively impact the quality, efficiency, and profitability of” an entity. Threats often exploit vulnerabilities in an entity’s systems or policies, which “are weaknesses that, if exposed to a threat, may result in harm and, ultimately, some form of loss.”
An e-mail phishing attack is an attempt to trick an entity by sending an email that appears to come from a legitimate source but often carries a link or attachment which, when clicked, may attempt to obtain information from the recipient or infect the system with malicious software (“malware”). When an email is received, the recipient should determine whether it came from a legitimate sender, even if the email appears to come from within the entity. The recipient should check for indicators that something is wrong with the email, such as spelling or grammatical errors. By hovering over the email address (but not clicking), the recipient may be able to determine where the email was actually sent from.
Ransomware is a specific type of malware which denies a user access to data, often through encryption in which only the malicious actor has the key until a ransom is paid. Ransomware may also be used to remove data or install some other form of malware and is often contained in a phishing email.
Loss or theft of equipment or data often occurs when data is kept on mobile devices, such as laptops, smartphones, tablets, or USB/thumb drives. Loss or theft of such a device can happen easily, but it can result in a breach of an entity’s system and a breach of patients’ PHI. This recently occurred in Michigan, when a laptop belonging to a Blue Cross Blue Shield of Michigan employee was stolen and as many as 15,000 customers may have had their data breached.
Insider data loss is a threat that can arise from an honest mistake, a gap in an entity’s procedures, or negligence. It can also occur when an actor inside the entity seeks to steal information for malicious reasons, such as identity theft.
Medical devices, such as a heart monitor, may be connected to a computer network for monitoring purposes. However, a malicious actor that gains access to an entity’s network may also be able to cause harm through access to medical devices, such as by turning them off or causing them to reboot.
The extraordinary and often rapidly changing nature of the technological landscape has allowed for improved patient care, often at reduced cost to an entity. However, that constantly changing landscape has also exposed the health care industry to greater risk from cyber threats and attacks. Having appropriate practices in place to address those threats will allow health care entities to better protect patients and their information, help an entity prevent a breach of data, and reduce the penalty assessed against that entity should a breach occur.
Notes

1. Dep’t of Health & Human Servs., Health Industry Cyber-security Practices: Managing Threats and Protecting Patients (Dec. 28, 2018) [hereafter “HHS Guidance”].
2. Id. at 2.
3. 45 C.F.R. § 160.404(b)(2)(i).
4. § 160.404(b)(2)(ii).
5. Supra note 1, at 7.
6. Id.
7. Id.
8. Id. at 8.
9. Id.
10. Id.
11. Id.
12. Jessica Davis, Hackers Breach Data of 4,300 Missouri Patients for 3 Months, Health IT Security, Jan. 3, 2019, available at https://healthitsecurity.com/news/hackers-breach-data-of-4300-missouri-patients-for-3-months (last visited Jan. 3, 2019).
13. Supra note 1, at 14.
14. Id. at 13.
15. Id.
16. Id. at 16.
17. Id. at 18.
18. Id. at 20.
19. Jessica Davis, Blue Cross Blue Shield of Michigan Breach Impacts 15,000 Customers, Health IT Security, Dec. 31, 2018, available at https://healthitsecurity.com/news/blue-cross-blue-shield-of-michigan-breach-impacts-15000-customers (last visited Jan. 3, 2019).
20. Id. at 22.
21. Id. at 24.
22. Dep’t of Health & Human Servs., Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations, at 7 (Dec. 28, 2018) [hereafter “Volume 1”]; Dep’t of Health & Human Servs., Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations, at 7 (Dec. 28, 2018) [hereafter “Volume 2”].
23. Supra note 22, Volume 1, at 11.
24. Id. at 7-9.
25. Id. at 10.
26. See LabMD, Inc., No. 9357 (July 28, 2016) (finding a corporation liable for a data breach that occurred as a result of an employee downloading the file-sharing program LimeWire on her computer).
27. Supra note 22, Volume 1, at 12.
28. See supra note 19.
29. Id. at 17-18.
30. Id. at 17.
31. Id. at 21.
32. Id. at 22.
33. Id. at 24; supra note 22, Volume 2, at 87-99.
34. Supra note 22, Volume 2, at 89.
35. Supra note 22, Volume 1, at 25.