October 8, 2021

Beyond Security Patches—Fundamental Incentive Problems in Health Care Cybersecurity

Author Affiliations
  • 1Division of General Internal Medicine, Perelman School of Medicine, University of Pennsylvania, Philadelphia
  • 2Department of Medical Ethics and Health Policy, Perelman School of Medicine, University of Pennsylvania, Philadelphia
  • 3Chief Information Security Office, University of Michigan: Michigan Medicine, Ann Arbor
  • 4Harvard Law School, Harvard University, Cambridge, Massachusetts
JAMA Health Forum. 2021;2(10):e212969. doi:10.1001/jamahealthforum.2021.2969

With ransomware attacks now targeting critical US infrastructure, hospitals and health systems are under serious threat. In May 2021, at least 1 US health system and multiple hospitals overseas were victims of ransomware attacks.[1] These attacks, which lock up health records and render patient health information inaccessible, force health systems to suspend operations and risk the release of protected health information (PHI) if they do not pay the ransoms. In addition to blocking access to health records, cyberattackers can also disable critical medical devices such as infusion pumps, ventilators, and scanners.

The human and financial costs of cyber breaches and ransomware attacks are substantial. There are already documented ransomware-related delays in chemotherapy treatments, emergency department care, and surgical procedures.[2] As attacks intensify[3]—ransomware attacks increased by more than 80% in 2020[4]—delays in diagnosis, medical treatment, and procedures will cause increasingly more illness and deaths. Health systems will also take a financial hit from lost revenues caused by their inability to deliver care, which totaled $20.8 billion in 2020 alone.[4] This amount does not account for other costs, such as replacing damaged computer systems and spiraling premiums for cyber-liability insurance used to pay ransoms and other breach costs. The challenge of protecting patients and preserving the integrity of care in the face of cyberthreats is grave and will likely only grow in the future.

In the wake of recent critical infrastructure attacks, the White House has begun to characterize these attacks as a national security threat. This shift from viewing ransomware attacks as isolated incidents caused by inadequate security efforts of individual organizations to a systemic issue is welcome. As policy makers evaluate novel, broader approaches to cybersecurity, we highlight several structural problems that hinder health system responses to cyber threats.

To begin, it is important to recognize that the problems that underlie cybersecurity risks in health care are not simply technical problems. Although cybersecurity in any sector has always been a game of catch-up following the advances of attackers’ tools, the development of successful security in health care is hampered by anachronistic regulation in this domain.

The dominant regulatory influence in health care cybersecurity is the 1996 Health Insurance Portability and Accountability Act (HIPAA). It has been updated on several occasions, most notably by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. On its face, HIPAA/HITECH and its privacy and security rules appear reasonable. They require “covered entities”—organizations delivering health care, such as health systems, hospitals, and physician practices—as well as their business associates to take measures to protect against the unauthorized disclosure of PHI (eg, names, medical histories, diagnoses). Violators can be fined $50 000 per patient violation. In addition, violators are required to notify affected patients and the US Department of Health & Human Services (HHS) and, under certain conditions, the media.

But these rules were enacted at a time when accidental data breaches occurred through poorly configured systems, casual human error, and laptop thefts. In those cases, improved compliance with security safeguards could have prevented breaches. Today, the threats posed by professional hackers and state-sponsored actors are more formidable, and existing safeguards may not be sufficient.

A central tension is HIPAA’s dual focus on privacy and security, which can create a misalignment of incentives. First, there is no mechanism within HIPAA that mandates the comprehensive reporting of ransomware attacks or cybersecurity incidents affecting health care organizations. This is because organizations are required to report incidents only if there is evidence of a breach involving PHI. Guidance from HHS states that, in the case of ransomware, there is a presumption that such a breach has occurred, but covered entities (and their business associates) need not provide notification if they can demonstrate a low probability that PHI has been compromised.[5,6] In practice, this has meant that ransomware incidents are reported only when there is clear evidence that PHI has been exfiltrated. But this typical protocol results in a scanty picture of ransomware threats and impedes regulators adequately learning from ransomware episodes. Furthermore, the safety risks posed by ransomware extend well beyond data extraction; they include life-threatening delays in care and device malfunction as well as infiltration and corruption of patient data. HIPAA’s focus on health privacy and PHI may too tightly circumscribe the regulation required to address health care security concerns.

Second, under HIPAA, health care covered entities are held responsible for security breaches, but they are largely dependent on software vendors, who face fewer incentives to update their software with the latest protections. Although some vendors are considered business associates and thus regulated under HIPAA, many are not because their machines do not directly handle identifiable patient information. Infusion pumps and electrocardiogram monitors are hooked up directly to the patient and contain no PHI. Electronic health record systems that do contain PHI are often not directly affected by ransomware attacks; rather, it is the less secure workstations and file servers that are targeted, and access to them is blocked, preventing staff from accessing the electronic health record system. In principle, hospitals could include, in their service contracts, provisions to hold vendors accountable. But renegotiating long-term service agreements is costly, and vendors have been reluctant to assume responsibility or provide indemnification against security failures. Smaller facilities have particularly little leverage. Consequently, many health systems, hospitals, and physician practices are still operating with old, legacy systems with known vulnerabilities.[7]

Third, under the current regime, the penalties that a covered entity faces for a data breach resulting from a ransomware attack are not tied to whether the ransom is paid or rejected. The result is that where the benefits of paying the ransom outweigh its costs, covered entities will pay the ransom, typically through insurance. Paying a ransom may be beneficial in the case of a particular hospital and its goals of protecting patients, but over the long term, paying ransoms in effect “feeds the beast” and incentivizes more attacks. A better penalty regime would incentivize the refusal to pay ransoms by lowering penalties for systems that can, through backups and other systems, quickly restore system functioning and mitigate patient harm without acceding to ransoms.

As part of the much-needed redoubling of cybersecurity efforts, policy makers should consider revising the existing security rule or developing separate security regulations that account for risks extending beyond privacy. This could include more comprehensive notification of cybersecurity incidents at health care facilities, especially those involving ransomware, which do not always pose a privacy risk. The definition of business associate could also be expanded to include a broader range of device and software vendors, not only those that handle PHI. Monetary penalties could be better directed at punishing and deterring preventable breaches and structured to thwart the vicious cycle of ransomware payments.

More broadly, policy makers should develop and implement a national-level plan that takes a panoptic view of health care cybersecurity. This plan would simplify the existing inefficient patchwork of federal and state regulations; distinguish security risks from privacy risks; and develop coordinated but distinct strategies to protect patient health information, health care delivery, and patient safety, and ensure public health preparedness. Although the US health care system cannot foresee and prevent all cyberattacks directed at it, it can and should do more to ensure the safe and secure functioning of its systems.

Article Information

Published: October 8, 2021. doi:10.1001/jamahealthforum.2021.2969

Open Access: This is an open access article distributed under the terms of the CC-BY License. © 2021 Kanter GP et al. JAMA Health Forum.

Corresponding Author: Genevieve P. Kanter, PhD, Perelman School of Medicine, Division of General Internal Medicine, University of Pennsylvania, 423 Guardian Dr, Blockley Hall, 12th Floor, Philadelphia, PA 19104 (gpkanter@pennmedicine.upenn.edu).

Conflict of Interest Disclosures: Mr Cohen reported serving as a bioethics consultant for Otsuka America Pharmaceutical on its Abilify MyCite product, being a member of the Illumina ethics advisory board, and serving as an ethics consultant for DawnLight. No other disclosures were reported.

Additional Contributions: We thank Eric A. Packel, JD, partner in the Digital Assets and Data Management group at the law firm BakerHostetler, for his input and suggestions. He received no financial compensation.

References

1. Perlroth N, Satariano A. Irish hospitals are latest to be hit by ransomware attacks: hospitals in Ireland, New Zealand and Scripps Health in San Diego are reeling from digital extortion attacks. New York Times. May 20, 2021. Updated June 2, 2021. Accessed July 31, 2021. https://www.nytimes.com/2021/05/20/technology/ransomware-attack-ireland-hospitals.html
2. Poulsen K, Evans M. The ruthless hackers behind ransomware attacks on US hospitals: ‘they do not care.’ Wall Street Journal. June 10, 2021. Accessed July 31, 2021. https://www.wsj.com/articles/the-ruthless-cyber-gang-behind-the-hospital-ransomware-crisis-11623340215
3. McCoy TH Jr, Perlis RH. Temporal trends and characteristics of reportable health data breaches, 2010-2017. JAMA. 2018;320(12):1282-1284. doi:10.1001/jama.2018.9222
4. Bischoff P. Ransomware attacks on US healthcare organizations cost $20.8bn in 2020. Accessed July 31, 2021. https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/
5. US Department of Health & Human Services. HIPAA Breach Notification Rule. 45 CFR §§ 164.400-414 (2009).
6. US Department of Health & Human Services. Fact sheet: ransomware and HIPAA. Accessed July 31, 2021. https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
7. Health Care Industry Cybersecurity Task Force. Report on improving cybersecurity in the health care industry. June 2017. Accessed September 7, 2021. https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf