We know by now that protected health information (PHI) and other personal information is vulnerable to hackers. Last week, the Washington Times reported that the Department of Health and Human Services (HHS), the agency responsible for HIPAA enforcement, had suffered security breaches at the hands of hackers in at least five separate divisions over the past three years. The article focused on a House Committee on Energy and Commerce report that described the breaches as having been relatively unsophisticated and the responsible security officials as having been unable to provide clear information regarding the security incidents.
We know it’s not a question of “if” sensitive information maintained electronically will be compromised by a hacking or other type of cyber security incident, but “when” — regardless of who maintains it — and how destructive an incident it will be. Even HHS and its operating divisions, which include both the Office of Civil Rights (OCR), charged with protecting PHI privacy and security, and the Food and Drug Administration (FDA), the country’s principal consumer protection and health agency, are vulnerable.
Just one day before its coverage of the House Committee report on the cyber security vulnerabilities that exist within the very government agencies charged with protecting us, the Washington Times reported on an even more alarming cyber security risk: the vulnerability of common medical devices, such as x-ray machines and infusion pumps, to hacks that could compromise not just the privacy and security of our health information, but our actual physical health.
This report brought to mind a recent report on the ability of hackers to remotely access the control systems of automobiles. While the thought of losing control of my car while driving is terrifying, the realization that medical devices are vulnerable to hackers while being used to diagnose or treat patients is particularly creepy. The two situations may present equally dangerous scenarios, but hacking into a medical device is like hacking into one’s physical being.
So while it’s one thing to have PHI or other sensitive information compromised by a hacking incident, it’s much more alarming to think that one’s health status, itself, could be compromised by a hacker.