In-Depth: Who's in charge of overseeing hospital cybersecurity systems?

Posted at 5:32 PM, May 13, 2021
and last updated 2021-05-13 20:58:01-04

SAN DIEGO (KGTV) - Friday will mark two weeks since Scripps Health was first targeted in a debilitating cyberattack, and questions remain about patient privacy and who's responsible for preventing these types of attacks on hospitals.

Marc Haskelson is the CEO of Compliancy Group, which helps healthcare companies prove that they made a good-faith effort to satisfy the federal patient privacy law, commonly known as HIPAA.

“What has changed so rapidly is the risks for cybersecurity. Unfortunately, HIPAA law is really not up to speed with them,” he said.

HIPAA is administered under the Department of Health and Human Services' enforcement arm, known as the Office of Civil Rights, which can audit hospitals.


Haskelson said that HIPAA only gives guidelines, so it's up to each hospital to self-manage or bring in third-party cybersecurity experts. He added that having adequate technology is only part of the challenge. The human element is just as important.

“What we find is that 80% of the remediation really comes down to good policies and procedures and training of your staff so that your staff is not to make these mistakes and 20% is the technology that's being deployed,” Haskelson explained.

Scripps Health has said that some patient care locations such as emergency rooms remain open. The hospital reports that a team is working nonstop to get the system back online. It still hasn’t said whether patient records were stolen or who may be responsible for the attack.