Cybersecurity and Digital Health Information (CRS Report for Congress)
Release Date: Revised Dec. 4, 2024
Report Number: IF12591
Report Type: In Focus
Authors: Nora Wells; Amanda K. Sarata
Source Agency: Congressional Research Service
Older Revisions: Feb. 12, 2024 (3 pages)
Summary:
As the technologies used in health care expand, so too do cybersecurity vulnerabilities. Increasingly, health care actors use electronic health records (EHRs), artificial intelligence (AI) technologies, and telehealth services to provide and facilitate care. While these technologies have their advantages, stakeholders have noted that they also increase the number of potential cybersecurity vulnerabilities to which an entity may be exposed, both through greater technological complexity and through the larger number of actors with which an entity may interact.

Cyberattacks targeting sensitive health information maintained by health care providers and health plans have sharply increased over the past decade. Health care data and information are valuable and are therefore an attractive target for cyberattacks. Cybersecurity experts predict that cyberattacks involving health information will continue to affect a growing number of people in the future.

Health care providers, health plans, and health care clearinghouses that hold or transmit electronic protected health information (e-PHI) are subject to the Health Insurance Portability and Accountability Act (HIPAA; P.L. 104-191) Security Rule and Breach Notification Rule. These HIPAA rules are administered and enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). OCR works with other HHS agencies to provide guidance and compliance tools for HIPAA-covered entities.

Any breach of unsecured protected health information (PHI) must be reported to OCR pursuant to the Breach Notification Rule. A breach is the “acquisition, access, use, or disclosure of protected health information in a manner not permitted under the [HIPAA Rules] which compromises [its] security or privacy.” Protected health information is unsecured if it “is not rendered unusable, unreadable, or indecipherable to unauthorized persons” (for example, through encryption).

There are generally five types of digital breaches reported to OCR: a hacking or information technology (IT) incident involving electronic equipment or a network server; unauthorized access to or disclosure of records containing PHI; theft of electronic equipment or portable devices; loss of electronic media; and improper disposal of PHI. During 2022, OCR was notified of 626 breaches that each affected 500 or more people, the majority of which were hacking incidents. Over 41 million people were affected by these breaches. OCR was notified of 63,966 breaches affecting fewer than 500 people during the same period, with the most common cause being unauthorized access to, or disclosure of, PHI. These smaller breaches affected 257,105 people.