Abstract

The health care industry has moved at a rapid pace away from paper records to an electronic platform across almost all sectors — much of it at the encouragement and insistence of the federal government. Such rapid expansion has increased exponentially the risk to individuals in the privacy of their data and, increasingly, to their physical well-being when medical records are inaccessible through ransomware attacks. Recognizing the unique and critical nature of medical records, the United States Congress established the Health Care Industry Cybersecurity Task Force under the Cybersecurity Information Sharing Act of 2015 for the purpose of reviewing cybersecurity risks within the health care industry and identifying who will lead and coordinate efforts to address such risks among the various agencies. The Task Force has since issued a report setting forth six high-level imperatives that the health care industry needs to achieve in order to combat cybersecurity, and, notably, many of the vulnerabilities plaguing the industry identified in the Report as requiring correction are not necessarily related to specific flaws in the current cybersecurity framework, but rather susceptibilities presented by the infrastructure and associated regulatory regime that has evolved over the last few decades over the health care industry generally. That is, the current health care infrastructure by its nature exacerbates cybersecurity risk. Between a lack of information sharing of industry threats, risks, and mitigations, disparate leadership and governance goals for cybersecurity, the confluence and contradiction of existing federal and state laws, fragmentation in the fee-for-service delivery system, lack of care coordination, and disparate resources across and among sectors, the industry suffers from heightened cyber risk. Solutions that are reactive to problems within the current infrastructure will likely have little long term impact toward reducing cybersecurity vulnerabilities because they do not address the underlying system challenges. All of these confluences causes one to wonder whether if in fact the current health care delivery infrastructure is a contributing factor to the incidents of cybersecurity attacks and the exorbitant costs associated with resolving data breaches, should Congress look not just to curb breach incidents, but to address root cause systematic challenges in the health industry infrastructure that create increased exposure of cybersecurity threats? This article argues that cybersecurity risks will continue to be heightened and more costly to the health care industry as compared to other industries unless and until some general system redesign is achieved that allows for greater sharing of resources among industry participants to ensure the same protections are implemented at all levels of the industry, which can be strengthened through greater interoperability of systems across the health care industry; and increased focus and attention on the importance of cybersecurity issues as a priority among system reforms.