Hacking health care: authentication security in the age of meaningful use.

Author: Gantt, Gordon, Jr.

  I. INTRODUCTION
  II. BACKGROUND
     A. The Role of HIPAA
     B. HITECH Amendments to HIPAA
     C. HIPAA: The Final Rule
  III. DISCUSSION
     A. The Nature of the Threat
     B. The Value of the Threatened Information
     C. HIPAA Security Requirements
     D. Federal Security Standards in the Financial Industry
  IV. PROPOSED MODIFICATIONS
  V. CONCLUSION

  I. INTRODUCTION

    In the summer of 2012, at a small surgical practice located outside of Chicago, an employee tried to log into the practice's secure server, but instead was greeted by an odd message. (1) The message stated that the data on the server, which included thousands of individual electronic health records and confidential emails, had been encrypted and could only be accessed by a password. (2) That password would be provided, the message explained, for a fee. (3)

    On June 25, 2012, the Surgeons of Lake County, located in Libertyville, Illinois, became one of the latest victims of a growing phenomenon: electronic health record extortion. (4) The ploy is simple. A hacker gains access to a large store of personal medical records on a "secure" server. (5) The hacker simply removes or encrypts the data, then holds it for ransom. (6) The thief does not break windows, kick in doors, or even have to leave the comfort of his own home. While sophisticated extortion scams are still rare, (7) they are sober reminders of the vulnerability of the highly valuable and personal information patients share with their health care providers.

    Over the last few years, adoption of electronic health records (EHRs) increased. (8) In part, this is a result of increased pressure by regulators to adopt EHR technology to improve the efficiency and quality of medical care. (9) In years to come, Medicare and Medicaid reimbursement will be determined in part by the provider's use or nonuse of EHR. (10) In the twenty-first century, it seems unlikely that government incentives would be necessary to spark interest in adopting new technology, but the health care industry lags behind other industries in terms of electronic records utilization. (11) This is in part because of the unique character of the information contained in medical records. Protected Health Information (PHI) carries a substantial privacy interest because EHRs hold vast amounts of personal information; not only is a patient's private medical history at risk, but names, addresses, birth dates, and social security numbers in electronic form are also vulnerable. (12) That private data is collected with thousands, sometimes millions, of other patient records onto a single server. (13) Many healthcare providers were reluctant to place electronic Protected Health Information (ePHI) in what they perceived to be the vulnerable, virtual realm. (14) Ironically, this delay in conversion might have made ePHI even more susceptible.

    As the health care industry plays catch-up, it runs the risk of advancing too quickly and falling prey to a highly sophisticated population of hackers. While providers may feel the sting of regulators for failing to keep up with rapidly advancing online security norms, it is the patients that are the real victims. The breach at the Surgeons of Lake County was relatively small. (15) Only a little over 7,000 patient records were compromised in that case. (16) But the numbers can run much higher. In March and April 2012, hackers breached the Utah Department of Health servers and gained access to roughly 800,000 individual electronic health records. (17)

    The rapid adoption of EHRs, to store and communicate highly personal data, raises serious concerns in terms of privacy, security, and civil and criminal liability. This note will examine the current statutory framework for addressing electronic breaches in the health care context, examine the vulnerabilities of EHRs, and look to the established world of online banking for possible legislative and practical solutions to the challenge of keeping private health information private. Finally, this note will propose key amendments to the Health Insurance Portability and Accountability Act (HIPAA) regulations to enhance authentication security.


    Medical records are the principal repository for a patient's health and health care history. (18) Traditionally, these records were paper documents that were passively used by providers for historical reference. (19) EHR technology provides capabilities and improved efficiencies that paper records could never achieve. (20) The ability to share patient information contained in EHRs promises to revolutionize the practice of medicine by turning what was once a historical reference into a tool that can proactively prevent harmful drug interactions and allergies, reduce the chances that a clinician's orders will be misread or illegible, and facilitate the coordination of care across multiple providers. (21)

    The many benefits of EHR technology are inherently counterbalanced by the increased threat to patient privacy. As one scholar put it, "[a]s society has progressed and grown to new digital heights ... it also has become more vulnerable to unwanted intrusions of privacy." (22) These intrusions negatively impact patient confidence in their providers' ability to secure their private data. (23) A survey by the National Partnership for Women and Families found that fifty-nine percent of patients who see a doctor that uses EHR technology feel that widespread adoption of EHR technology will lead to more personal information being lost or stolen. (24)

    The level of trust and comfort a patient has with his clinician has a direct relationship with the quality of care the patient receives. (25) A breach of trust between a patient and clinician can result in irreparable physical harm to the patient. (26) The amount of information a patient is willing to disclose to his or her clinician can impact the accuracy of diagnoses and the course of treatment recommended. (27) Thus, patient/clinician trust is not just beneficial to quality care, but essential.

    1. The Role of HIPAA

      Congress recognized the importance of patient information security to health care through the Health Insurance Portability and Accountability Act of 1996 (HIPAA). (28) Despite its nebulous label, HIPAA's most well-known provisions address the privacy and security of patient health information (PHI). (29) The HIPAA privacy rule has three major purposes:

      1. To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information;

      2. To improve the quality of health care in the United States by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care; and

      3. To improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals. (30)

      These purposes are achieved by establishing a demanding federal standard for the electronic maintenance and storage of PHI. (31) The Act applies only to "covered entities" which include health plans, health care clearinghouses, and health care providers that transmit PHI in electronic form. (32) The general rule set forth by HIPAA is that covered entities must obtain patient authorization before releasing PHI. However, this otherwise simple rule is complicated by numerous exceptions that permit, or even compel, disclosure, even in the absence of such authorization. (33) Notably, HIPAA does not provide patients with a private cause of action for unlawful disclosure of PHI, but is instead enforced through civil and criminal proceedings originated by the Department of Health and Human Services and the Department of Justice. (34)

      Given the narrow scope and limited remedies provided in HIPAA, it has been criticized for focusing too much on patient consent and ignoring the technological realities presented by a growing number of non-covered entities that maintain electronic PHI. (35) These criticisms may explain why Congress took additional action in 2009 through the Health Information Technology for Economic and Clinical Health Act (HITECH). (36)

    2. HITECH Amendments to HIPAA

      HITECH had two overarching purposes: (1) to incentivize the adoption of health information technology, including EHRs, and (2) to increase the privacy and security protections originally provided in HIPAA. (37) To this end, HITECH makes federal funds immediately available to providers to help pay for EHR technology and to conduct training and education to develop the "best practices" of EHR utilization. (38) On the security side, the Act obligates covered entities to disclose breaches of EHRs to the individuals affected. (39) A breach occurs when unsecured PHI is acquired, accessed, used, or disclosed by an unauthorized individual and the privacy or security of the PHI is, or may be, compromised. (40) HITECH also requires covered entities' business associates to comply with HIPAA security regulations. (41)

      HITECH still does not provide for a private cause of action to those affected by data breaches; however, it does permit a state attorney general to bring a civil action on behalf of state residents to enjoin a violation of HITECH and to obtain statutory damages on behalf of affected residents. (42) Generally, while HITECH provides some enhanced penalties (43) and expands liability under the act to business associates and employees of covered entities, the Act is still narrowly tailored and forces affected individuals to rely on action by federal and state regulators to seek remedies for breaches of EHRs. (44)

    3. HIPAA: The Final Rule

      On January 17, 2013, the Department of Health and Human Services released the long-awaited HIPAA final rule. (45) The new rule officially adopted many of the changes called for in HITECH and the Genetic...
