Please use this identifier to cite or link to this item: http://arks.princeton.edu/ark:/88435/dsp01pv63g333k
Title: Hardly Private and Heavily Attacked: An Analysis of the Health Insurance Portability and Accountability Act’s Regulations and Cybersecurity Measures for Digitally Vulnerable Healthcare Data
Authors: Critchlow, Tiffany
Advisors: Holom-Trundy, Brittany
Department: Princeton School of Public and International Affairs
Class Year: 2021
Abstract: The United States healthcare system is experiencing an unprecedented number of cyberattacks. When a healthcare system is breached, it can cause detrimental effects on patient care and safety. Cybersecurity defenses within healthcare have been largely absent; healthcare was slow to adapt to the digital revolution of the late 1990s and 2000s and accordingly fell behind on implementing cyber-defense mechanisms. As policymakers aimed to keep patient data private in modern technological times, the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. Moving into later years and greater technological advancement, HIPAA was amended to include the Privacy Rule, Security Rule, HITECH Act, and Breach Notification Act, which further established HIPAA as the first and only comprehensive privacy-focused piece of legislation for healthcare. Now, considering modern challenges to healthcare, healthcare providers, cybersecurity experts, healthcare organizations, and others question the framework of HIPAA and its ability to protect patient data from cyberattacks. What may be the gaps in the framework of HIPAA that would produce vulnerabilities to cyberattacks in protected health information, and how can policymakers address those gaps? Through the assessment of the Health Insurance Portability and Accountability Act (HIPAA), the history and political implications of digitized forms of record keeping, evaluation of cybersecurity issues and best practices, and a qualitative multiple-case study, this thesis concluded that the HIPAA Security Rule is missing key cybersecurity best practices that would mandate concrete forms of security for organizations to meet HIPAA compliance standards. As the United States looks towards the future of patient care, policymakers must reassess how patient data is secured so that patients are not put at risk.
URI: http://arks.princeton.edu/ark:/88435/dsp01pv63g333k
Type of Material: Princeton University Senior Theses
Language: en
Appears in Collections: Princeton School of Public and International Affairs, 1929-2023

Files in This Item:
File: CRITCHLOW-TIFFANY-THESIS.pdf
Size: 1.93 MB
Format: Adobe PDF

Items in Dataspace are protected by copyright, with all rights reserved, unless otherwise indicated.