Vanderbilt Journal of Entertainment & Technology Law

First Page: 49

Abstract

The Change Healthcare cyberattack of 2024 paralyzed the health care system for months, creating an exceedingly far-reaching and devastating impact on providers, suppliers, and patients across the country. While the scope of the attack was unprecedented, the cyberattack itself was not new, unique, or isolated. Indeed, this attack came just months after the close of a year in which the United States’ Department of Health and Human Services’ Office for Civil Rights (OCR) recorded the highest number of reported breaches of protected health information and the highest number of breached records. With a medical record fetching nearly four times the cost of a Social Security number and nearly twenty times the cost of a credit card number on the dark web, hackers have turned an increased focus to health care companies that store, maintain, or process protected health information for their activities. As a result, ransomware attacks and other phishing scams now account for the highest cause of data breaches under the Health Insurance Portability and Accountability Act (HIPAA), with OCR realizing a 239 percent increase in hacking-related data breaches since 2018 and a 278 percent increase in ransomware attacks during that same time. The reasons for this exponential growth are multifaceted, but one important factor to consider is that although there are aggressive laws criminalizing cyberattacks and theft of electronic data, finding and prosecuting hackers for their activities has become exceedingly complex. Due to the challenges of catching the actual criminal actors, legislators, regulators, and individuals are shifting their focus to the entities experiencing the breach.
Certainly, health care companies are not always entirely blameless in these situations, as lack of employee training, challenges with patching known vulnerabilities, and not following industry best practices regarding system security, among other things, lead to system vulnerabilities making it potentially easier for hackers to get into systems. That said, one cannot forget that a sophisticated criminal enterprise with malicious, deliberate intent is the primary “bad actor” in these attacks. In considering statutory, regulatory, and litigation approaches to curb the exponential growth of cyberattacks, there does need to be a focus on the health care companies themselves to ensure they are following applicable security practices to reduce the ongoing criminal activity. These legal approaches should not, however, shift all focus and liability away from capturing and prosecuting the elusive criminal hackers. A shift that assigns all liability to health care companies in a way that adopts a negligence per se approach contrary to the usual principles of premises liability will detract from support that health care companies need to take appropriate action and will result in increased costs in the system, which ultimately impacts patients and the public. Thus, all new legislative, regulatory, and judicial approaches to addressing cyberattacks should strike the right balance between holding health care companies accountable for the great responsibility they have in protecting patient data while not losing sight that fighting the real cause of these attacks—the criminal hacker—will require cooperation and coordination of all parties. This Article provides an overview of the growing problem of ransomware attacks in the health care sector, examining the existing laws utilized most frequently to address these attacks.
In considering current regulatory, legislative, and judicial approaches being contemplated, this Article argues that although health care companies should not be seen as victims in the same way as the individuals whose data has been compromised, a statutory, regulatory, or judicial scheme that shifts blame and responsibility entirely to the health care companies will not adequately address the problem and will simply increase costs and expenses to health care consumers. Therefore, any legal approaches to addressing the problem must be balanced—recognizing some responsibility on the part of health care companies in shoring up systems and processes to make their data less vulnerable while simultaneously providing adequate guidance and support to assist entities in combatting cyber risk in coordination with state and federal agencies.