far in 2016, organizations like CareFusion have responded more
productively, actively owning and driving remediation of research-identified
vulnerabilities. 57 Despite improved organizational awareness of medical
device vulnerabilities, organizations have resisted proactive vulnerability
disclosure and risk management. 58
Taken together, the presence of a variety of new digital health technologies
against a backdrop of lucrative health data sales on the black market appears
to have created an ideal scenario for data exposure and increasingly exploited
vulnerabilities. 59 In lieu of market-driven improvements in cybersecurity for
the digital health marketplace, regulatory schemes could effectively drive
cybersecurity improvements. 60 HIPAA and the Food, Drug, and Cosmetic
Act (FDCA), with associated regulatory activity from the OCR and the
FDA, could provide appropriate oversight for digital health cybersecurity.
PART II: CYBERSECURITY REGULATORY ACTIVITY
A. Health Insurance Portability and Accountability Act
The U.S. Department of Health & Human Services’ (HHS) OCR actively
drives privacy and cybersecurity requirements in the digital health market for
entities subject to HIPAA. 61 HIPAA, updated in 2003, and the Health
Information Technology for Economic and Clinical Health (HITECH) Act,
passed in 2009, establish a compliance framework for a limited subset of
digital health providers: Covered Entities (CE) and corresponding Business
Associates (BA). 62
57. See Mezher, supra note 56 (explaining that researchers found 1418 vulnerabilities in
one tool, the Pyxis SupplyStation, of which half are considered “high severity” according
to the commonly accepted Common Vulnerability Scoring System (“CVSS”) ranking); see NVD
Common Vulnerability Scoring System Support v2, NAT’L INST. STANDARDS & TECH. (Aug.
25, 2016), https://nvd.nist.gov/cvss.cfm (explaining that CVSS is a standard measuring system
used to determine vulnerability impact scores and is used by public and private enterprises).
58. Mezher, supra note 56.
59. See supra notes 44–58 and accompanying text (discussing the financial incentives for
hackers to capitalize on the security vulnerabilities in the digital health marketplace).
60. See, e.g., Health Privacy: HIPAA Basics, PRIVACY RIGHTS CLEARINGHOUSE (Feb.
1, 2015), https://www.privacyrights.org/content/health-privacy-hipaa-basics#coveredentities
[hereinafter HIPAA Basics].
61. Health Insurance Portability and Accountability Act of 1996 (HIPAA), P.L. No. 104-
191, 110 Stat. 1938 (1996); HIPAA Basics, supra note 60.
62. Health Insurance Portability and Accountability Act (HIPAA) of 1996, 45 C.F.R. §
160 et seq. (1996); Health Information Technology for Economic and Clinical Health (HITECH)
Act of 2009, 42 U.S.C. § 17921 (2016); 42 U.S.C. §§ 17934–40 (2010); HIPAA Basics, supra
note 60; Vadim Schick, After HITECH: HIPAA Revisions Mandate Stronger Privacy and
Security Safeguards, 37 J. C. & U.L. 403, 408–18 (2011). HITECH’s contributions included
expansion of BA HIPAA compliance responsibilities (including execution of Business