Cybersecurity Vulnerability in Healthcare Organizations: Consequences and Collaborative Solutions

Monday, March 14, 2016
By Miles Indest, J.D./M.B.A candidate at Tulane University

A recent cyber-attack on a prominent hospital has drawn significant attention to cybersecurity vulnerability within the healthcare industry. Last month, Hollywood Presbyterian Medical Center was forced to pay hackers $17,000 in bitcoin in order to unlock its computer systems that were controlled by “ransomware.” Healthcare organizations with lax cybersecurity protocols have more to fear than disgruntled patients or private lawsuits; they may face prosecution from the U.S. Department of Health and Human Services (HHS) and the U.S. Department of Justice (DOJ).

Healthcare Regulators Punish Hospitals for Lax Cybersecurity Protocols.

Lax cybersecurity protocols are a growing target of federal regulation and enforcement. According to the HHS, the two most common compliance issues investigated are (1) impermissible uses and disclosures of protected health information, and (2) lack of safeguards of protected health information. As of December 30, 2015, HHS has resolved 119,964 HIPAA complaints, many of which either required that the healthcare entity take corrective action or pay a civil monetary penalty. The HHS has referred 566 cases to the DOJ for criminal investigation.

Cyber-Attacks Negatively Impact Both Healthcare Organizations and Patients.

Cyber-attacks on healthcare organizations affect not only their reputation and financial health, but also the health and safety of their patients. Medical identity theft has caused delayed or improper treatments, misdiagnoses, and incorrect drug prescriptions, according to the Ponemon Institute’s 2013 Survey on Medical Identity Theft.

Nevertheless, hackers that steal patient health record data may be the least of a vulnerable hospital’s concerns, because hackers that alter patient data could cause much more serious consequences. For example, the hacker could alter, or block access to, health record data regarding a patient’s blood type, allergies, or other relevant health risks. Such threats during emergency procedures or critical operations could unfortunately result in patient injury or death.

Effective Cybersecurity Requires Collaboration Within, and Among, Healthcare Organizations.

The digitalization of the healthcare industry has streamlined organizations, increased connectivity, and promoted patient-provider collaboration. Nevertheless, the same digitalization has increased the threats to protected health information. Healthcare organizations can proactively address these risks “by viewing cybersecurity not as a novel issue but rather by making it part of the hospital’s existing governance, risk management and business continuity framework,” stated the American Hospital Association (AHA).

Interestingly, the recently enacted Cybersecurity Information Sharing Act of 2015 encourages the healthcare industry to share and implement best practices and methodologies to address cyber-threats. It is uncertain whether this federal legislation will impact the healthcare industry’s pursuit of meaningful cybersecurity protocols. Ultimately, the healthcare industry as a whole must ensure that its cybersecurity strategy “remains flexible and resilient to address threats that are likely to be constantly evolving and multi-pronged,” stated the AHA. Healthcare organizations that fail to meet industry-wide standards of cybersecurity protocol can certainly expect increased scrutiny from their stakeholders and federal investigators.

Contact Experienced Health Law Attorneys.

The Health Law Firm routinely represents physicians, pharmacists, pharmacies, optometrists, nurses, health facilities, healthcare related businesses, and other health providers in investigations, regulatory matters, licensing issues, civil and administrative litigation, defense of HIPAA complaints and violations, inspections and audits involving the Drug Enforcement Administration (DEA), Federal Bureau of Investigation (FBI), Department of Health (DOH), matters involving the Centers for Medicare and Medicaid Services (CMS), the Food and Drug Administration (FDA), the Agency for Health Care Administration (AHCA), and other regulatory and law enforcement agencies. Its attorneys include those who are board certified by The Florida Bar in Health Law as well as licensed health professionals who are also attorneys.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at

About the Author: Miles Indest, J.D./M.B.A. candidate, will graduate in May 2016 from Tulane University Law School and the Freeman School of Business. He has served three years as a member of Tulane Law Review, and currently serves as the Writing Skills Chair of Tulane Moot Court.


“Cybersecurity.” American Hospital Association. (2016). Web.

Heather Caspi. “What the Controversial CISA Means For Healthcare.” HealthcareDIVE. (January 7, 2016). Web.

Thomas Rohback & Patricia Carreiro. “How 3 Agencies Prosecute Lax Cybersecurity.” Law 360. (March 2, 2016). Web.


"The Health Law Firm" is a registered fictitious business name of George F. Indest III, P.A. - The Health Law Firm, a Florida professional service corporation, since 1999. Copyright © 2016 The Health Law Firm. All rights reserved.
