Cybersecurity Challenges and Compliance Issues within the U.S. Healthcare Sector
DOI: https://doi.org/10.18533/ijbsr.v5i2.714
Keywords: Cybersecurity policy, healthcare sector, HIPAA, HITECH, regulatory compliance
Abstract
Security breaches at U.S. healthcare organizations are increasing, causing billions of dollars of damage to the healthcare system and a high personal cost to the individuals whose identifiable, private information is left unprotected. The Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH) are three prominent federal Acts that regulate and protect the confidentiality of personal information in the healthcare system against breaches. This case study examines three organizations in the healthcare sector, using document analysis to determine the problems that led to information breaches and the consequences of those breaches. It identifies the failures that accompany inadequate compliance with these Acts and offers recommendations for preventing future breaches. The organizations examined are the Veterans Administration, which lacked basic security controls; the Utah Department of Technology Services, which failed to control the personally identifiable information in its custody; and private healthcare organizations whose shortcomings in HIPAA compliance were revealed by data breach disclosures or random audits. In each case the breach resulted from a lack of proper protection for the systems and equipment holding sensitive data. The study's recommendations include the need for organizations to lead by example, tighter regulations and enforcement measures relating to civil fines, and audits to review organizational compliance with federal law.
References
Anderson, H. (2012, April 9). Utah health breach affects 780,000. Data Breach Today. Retrieved from http://www.databreachtoday.com/utah-health-breach-affects-780000-a-4667
Booz Allen Hamilton. (2013). Stemming the rising tide of health privacy breaches revisited. Booz Allen Hamilton Inc. Retrieved from http://www.boozallen.com/content/dam/boozallen/media/file/stemming-rising-tide-health-care-breaches-vp.pdf
Bowman, S. (2013, October 1). Impact of electronic health record systems on information integrity: Quality and safety implications. National Center for Biotechnology Information (NCBI). Retrieved from http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3797550/
Brady, J. W. (2011). Securing health care: Assessing factors that affect HIPAA security compliance in academic medical centers. Proceedings of the 44th Hawaii International Conference on System Sciences (pp. 1-10). Kauai: IEEE.
Civic Impulse. (2009). H.R. 1 — 111th Congress: American Recovery and Reinvestment Act of 2009. Retrieved from https://www.govtrack.us/congress/bills/111/hr1
Conn, J. (2013, August 13). Advocate data breach highlights lack of encryption, a widespread issue. Modern Healthcare. Retrieved from http://www.modernhealthcare.com/article/20130830/NEWS/308309953
DeZabala, T., Saif, I., & Westerman, G. (2011, July 1). Evolve or fail. Deloitte University Press. Retrieved from http://dupress.com/articles/evolve-or-fail-how-security-can-keep-pace-with-strategy/
Doherty, N., & Fulford, H. (2006). Aligning the information security policy with the strategic information systems plan. Computers & Security, 25, 55-63.
Filkins, B. (2014). SANS health care cyberthreat report: Widespread compromises detected, compliance nightmare on horizon. SANS Institute. Retrieved from http://www.sans.org/reading-room/whitepapers/analyst/health-care-cyberthreat-report-widespread-compromises-detected-compliance-nightmare-horizon-34735
Gikas, C. (2010). A general comparison of FISMA, HIPAA, ISO 27000 and PCI-DSS standards. Information Security Journal: A Global Perspective, 19(3), 132-141.
Goldfarb, Z., & Lee, C. (2006, June 30). Stolen VA laptop and hard drive recovered. Washington Post. Retrieved from http://www.washingtonpost.com/wp-dyn/content/article/2006/06/29/AR2006062900352.html
HITRUST Alliance. (2014, July). Cyber threat intelligence and incident coordination center: Protecting the healthcare industry from cyber-attacks. Health Information Trust Alliance (HITRUST). Retrieved from http://hitrustalliance.net/content/uploads/2014/07/HiTrustC3Datasheet.pdf
Johnson, M. E., & Goetz, E. (2007). Embedding information security into the organization. IEEE Security & Privacy, 16-24.
Judy, H. L., David, S. L., Hayes, B. S., Ritter, J. B., & Rotenberg, M. (2009). Privacy in cyberspace: U.S. and European perspectives. In S. Bosworth, M. E. Kabay, & E. Whyne (Eds.), Computer security handbook (5th ed.). New York, NY: John Wiley & Sons.
Keizer, G. (2006). FBI recovers stolen Veterans Affairs laptop. InformationWeek. Retrieved from http://www.informationweek.com/fbi-recovers-stolen-veterans-affairs-laptop/d/d-id/1044759
Kwon, J., & Johnson, M. E. (2013). Security practices and regulatory compliance in the healthcare industry. Journal of the American Medical Informatics Association, 20(1), 44-47.
McCann, E. (2014, October 6). Missed Ebola diagnosis leads to debate. Healthcare IT News. Retrieved from http://www.healthcareitnews.com/news/epic-pushes-back-against-ebola-ehr-blame-shifting
McDavid, S. (2014, March). A primer on cybersecurity litigation for the not-so-tech-savvy attorney. American Bar Association, 3(8), 17-19. Retrieved from http://www.americanbar.org/publications/gpsolo_ereport/2014/march_2014/primer_cybersecurity_litigation_for_not-so-tech-savvy_attorney.html
McGrory-Dixon, A. (2013). HHS toughens HIPAA violation penalties. BenefitsPro. Retrieved from http://www.benefitspro.com/2013/04/09/hhs-toughens-hipaa-violation-penalties
Trend Micro. (2013). VA records breach shows difficulty of balancing cyber security, physical security. Retrieved from http://blog.trendmicro.com/va-records-breach-shows-difficulty-balancing-cyber-security-physical-security/
Moore, J. (2014, July 24). Health care providers look to improve security incident response. iHealthBeat. Retrieved from http://www.ihealthbeat.org/insight/2014/health-care-providers-look-to-improve-security-incident-response
Paganini, P. (2014, September 16). Risks and cyber threats to the healthcare industry. Infosec Institute. Retrieved from http://resources.infosecinstitute.com/risks-cyber-threats-healthcare-industry/
Peters, S. (2014, August 20). Heartbleed not only reason for health systems breach. InformationWeek Dark Reading. Retrieved from http://www.darkreading.com/heartbleed-not-only-reason-for-health-systems-breach/d/d-id/1298157
Ragan, S. (2014, August 14). Community Health Systems blames China for recent data breach. CSO. Retrieved from http://www.csoonline.com/article/2466084/data-protection/community-health-systems-blames-china-for-recent-data-breach.html
Schultz, D. (2012). As patients' records go digital, theft and hacking problems grow. Kaiser Health News. Retrieved from http://www.kaiserhealthnews.org/Stories/2012/June/04/electronic-health-records-theft-hacking.aspx
Stewart, K. (2013, April 29). Report: Utah's health data breach was a costly mistake. The Salt Lake Tribune. Retrieved from http://www.sltrib.com/sltrib/news/56210404-78/security-breach-health-data.html.csp
Study: Utah health breach could approach $406M. (2013, May 1). Insurance Journal. Retrieved from http://www.insurancejournal.com/news/west/2013/05/01/290357.htm
The Ponemon Institute. (2014). Fourth annual benchmark study on patient privacy & data security. Retrieved from http://www.ponemon.org/library/fourth-annual-benchmark-study-on-patient-privacy-data-security
U.S. Department of Veterans Affairs. (2014). History - Department of Veterans Affairs. Retrieved from http://www.va.gov/about_va/vahistory.asp
U.S. Government Accountability Office. (2014). Information security: VA needs to address identified vulnerabilities. Retrieved from http://www.gao.gov/assets/670/666900.pdf
Verizon. (2014). 2014 data breach investigations report. Verizon. Retrieved from http://www.verizonenterprise.com/DBIR/2014/
Vijayan, J. (2012, May 16). Utah CTO takes fall for data breach. Computerworld. Retrieved from http://www.computerworld.com/article/2504542/security0/utah-cto-takes-fall-for-data-breach.html
Webb, G. (2013, August 9). What's changed since hackers breached a state Medicaid server? Utah Business. Retrieved from http://utahbusiness.com/articles/view/the_state_of_security
License
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).