Your Doctor’s Office Is Vulnerable to Hackers, but Congress Could Change That

Creating exceptions to two anti-fraud laws could improve security for smaller health-care facilities ill-equipped to fend off cyber threats.
June 12, 2017

Small health-care facilities like doctors' offices are uniquely vulnerable to cyberattacks due to the sensitive information on their networks, and because many lack the resources to defend themselves. Congress could help change that by adjusting two laws designed to prevent improper business arrangements between doctors and hospitals.

That’s according to a new report by the Health Care Industry Cybersecurity Task Force, a group of 21 private sector and government cybersecurity experts and administrators convened by Congress as part of the landmark Cybersecurity Act of 2015.

Among other things, the report recommends that Congress explore changes to the so-called Physician Referral Law and the Anti-Kickback Statute, which prevent doctors from receiving any kind of payment from a hospital or clinic in exchange for patient referrals or other business, like lab work, that is reimbursed by federal health-care programs including Medicare and Medicaid. According to the task force, many hospitals would like to help smaller business partners purchase cybersecurity tools so that they do not become a liability, but are afraid that would violate these laws.

Hackers commonly target health-care facilities, thanks to the valuable information on their networks as well as their historically lax security practices. Facilities all over the world are vulnerable to attacks like the WannaCry ransomware attack that occurred last month. Last year, a ransomware attack disabled the medical-records system of a Los Angeles hospital and forced it to transfer patients elsewhere (see “With Hospital Ransomware Infections, the Patients Are at Risk”).

One reason for the problem, according to the task force, is that many smaller facilities simply can’t afford to retain in-house cybersecurity expertise and maintain the necessary technological infrastructure. The group “strongly” recommends that Congress amend the Physician Self-Referral Law and the Anti-Kickback Statute to account for this by allowing more cybersecurity technology sharing between hospitals and their smaller partners.

If Congress doesn’t act, the Department of Health and Human Services could pursue new regulations that would make exceptions to these laws. In fact, a model already exists for this. Regulatory exceptions and safe harbor provisions make it legal for hospitals and clinics to donate electronic health records technology to doctors’ offices and other business partners.

These exceptions exist because when hospitals began adopting electronic records in the mid-2000s, many physicians who sent patients to those hospitals could not afford to purchase interoperable technology for their offices. Just like today with cybersecurity, hospitals wanted to be able to buy this technology for them, says Bernadette Broccolo, a health-care attorney at the law firm McDermott Will & Emery.

Clearing the way for hospitals to buy cybersecurity technology for doctors’ offices without the threat of legal trouble would help reduce the overall risk, but it is only one piece of a complicated puzzle that policymakers must solve in order to truly fix health care’s cybersecurity woes. While many of the rules governing cybersecurity in health care are “well-meaning and individually effective,” write the report’s authors, “Taken together they can impose a substantial legal and technical burden on health-care organizations.”
