Cybersecurity Challenges and Compliance Issues within the U.S. Healthcare Sector


  • Derek Mohammed Saint Leo University
  • Ronda Mariani Saint Leo University
  • Shereeza Mohammed Grand Canyon University



Cybersecurity policy, healthcare sector, HIPAA, HITECH, regulatory compliance.


Increasingly there are security breaches in U.S. Healthcare organizations that result in billions of dollars of damage to the healthcare system and a high personal cost to individuals whose identifiable and private information is unprotected. The Privacy Act of 1974, Health Insurance Portability and Accountability Act (HIPAA), and Health Information Technology for Economic and Clinical Health Act (HITECH) are three prominent Acts by the federal government that regulate and protect the confidentiality of personal information in the Healthcare system against breaches. This is a case study examining three organizations in the Healthcare Sector using document analysis to ascertain the problems that resulted in information breaches and the consequences of such breaches. It indicates the failures that occur with the inadequate compliance to the above federal Acts and provides recommendations to control future breaches from occurring. The organizations examined are:  The Veterans Administration which lacked basic security controls, the Utah Department of Technology Service that failed to control their personally identifiable information, and private healthcare organizations which revealed shortcomings in HIPAA compliance after data breach disclosures or random audits. Each case results from a lack of proper protection on systems and equipment containing sensitive data. The study recommendations include the need for organizations to lead by example as well as the establishment of tighter regulations and enforcement measures relating to civil fines, and audits to review organizational compliance with federal laws.

Author Biographies

Derek Mohammed, Saint Leo University

Associate ProfessorDepartment of Computer Science and Information Systems

Ronda Mariani, Saint Leo University

Assistant ProfessorDepartment of Management

Shereeza Mohammed, Grand Canyon University

Adjunct ProfessorDepartment of Education 


Anderson, H. (2012, April 9). Utah health breach affects 780,000. Data Breach Today. Retrieved from

Booz Allen Hamilton. (2013). Stemming the rising tide of health privacy breaches revisited. Booz Allen Hamilton Inc. Retrieved from boozallen/media/file/stemming-rising-tide-health-care-breaches-vp.pdf

Bowman, S. (2013, October 1). Impact of electronic health record systems on information integrity: Quality and safety implications. National Center for Biotechnology Information (NCBI). Retrieved from

Brady, J. W. (2011). Securing health care: Assessing factors that affect HIPAA security compliance in academic medical centers. Proceedings of the 44th Hawaii International Conference on System Sciences (pp. 1-10). Kauai: IEEE.

Civic Impulse. (2009). H.R. 1 — 111th Congress: American Recovery and Reinvestment Act of 2009. Retrieved from

Conn, J. (2013, August 13). Advocate data breach highlights lack of encryption, a widespread issue. Modern Healthcare. Retrieved from 20130830/NEWS/308309953

DeZabala, T., Saif, I., & Westerman, G. (2011, July 1). Evolve or fail. Deliotte University Press. Retrieved from

Doherty, N., & Fulford, H. (2006). Aligning the information security policy with the strategic information systems plan. Computers & Security, 25, 55-63.

Filkins, B. (2014). SANS health care cyberthreat report: widespread compromises detected, compliance nightmare on horizon. Retrieved from

Gikas, C. (2010). A general comparison of FISMA, HIPPA, ISO 27000 and PCI-DSS standards. Information Security Journal: A Global Perspective, 19(3), 132-141.

Goldfarb, Z. & Lee, C. (2006, June 30). Stolen VA laptop and hard drive recovered. Washington Post. Retrieved from 06/29/AR2006062900352.html

HITRUST Alliance. (2014, July). Cyber threat intelligence and incident coordination center: Protecting the healthcare industry form cyber-attacks. Health Information Trust Alliance (HITRUST). Retrieved from HiTrustC3Datasheet.pdf

Johnson, M. E., & Goetz, E. (2007). Embedding information security into the organization. IEEE Security & Privacy, 16-24

Judy, H.L., David, S.L., Hayes, B.S., Ritter, J.B., & Rotenberg, M. (2009). Privacy in cyberspace: U.S. and European perspectives. In S. Bosworth, M. E. Kabay, & E. Whyne (Eds.), Computer security handbook (5th ed). New York, NY: John Wiley & Sons.

Keizer, G. (2006). FBI Recovers Stolen Veterans Affairs Laptop. Retrieved from

Kwon, J. & Johnson, M. E. (2013). Security practices and regulatory compliance in the healthcare industry. Journal of the American Medical Informatics Association, 20(1), 44-47.

McCann, E. (2014, October 6). Missed Ebola diagnosis leads to debate. Healthcare IT News. Retrieved from

McDavid, S. (2014, March). A primer on cybersecurity litigation for the not-so-tech-savvy attorney. American Bar Association, 3(8), 17-19. Retrieved from

McGrory-Dixon, A. (2013). HHS toughens HIPAA violation penalties. BenefitsPro. Retrieved from

Micro, T. (2013). VA records breach shows difficulty of balancing cyber security, physical security. Retrieved from

Moore, J. (2014, July 24). Health care providers look to improve security incident response. iHealthBeat. Retrieved from

Paganini, P. (2014, September 16). Risks and cyber threats to the healthcare industry. Infosec Institute. Retrieved from

Peters, S. (2014, August 20). Heartbleed not only reason for health systems breach. Information Week Dark Reading. Retrieved from

Ragan, S. (2014, August 14). Community health systems blames China for recent data breach. CSO. Retrived form

Schultz, D. (2012). As patients’ records go digital, theft and hacking problems grow. Kaiser Health News. Retrieved from June/04/electronic-health-records-theft-hacking.aspx

Stewart, K. (2013, April 29). Report: Utah’s health data breach was a costly mistake. The Salt Lake Tribune. Retrieved from

Study: Utah health breach could approach $406M. (2013, May 1). Insurance Journal. Retrieved from

The Ponemon Institute (2014). Fourth annual benchmark study on patient privacy & data security. Retrieved from privacy-data-security

U.S. Department of Veterans Affairs. (2014). History - Department of Veterans Affairs. Retrieved from

U.S. Government Accountability Office. (2014). Information Security VA Needs to Address Identified Vulnerabilities. Retrieved from

Verizon. (2014). 2014 Data breach investigations report. Verizon. Retrieved from

Vijayan, J. (2012, May 16). Utah CTO takes fall for data breach. Computerworld. Retrieved from

Webb, G. (2013, August 9). What’s changed since hackers breached a state Medicaid server? Utah Business. Retrieved from the_state_of_security