Why U.S. health care cybersecurity laws are better at protecting a corpse’s privacy than patients’ lives

Two days into a cyberattack on his hospital system, Nate Couture reached the end of his cyber incident plan.

“We make these incident response plans and we feel great about them,” Couture, the University of Vermont Health Network chief information security officer, told other heath care cyber professionals at a recent conference. “At the end of them, they have a box that usually says something like, ‘And then IT recovers the systems.’”

But it would be 24 more days from where the plan ended until the Vermont health system was able to bring its electronic medical record system back online. It would be 110 days until they finished restoring software applications. And more than 200 days later, they’d still be dealing with the backlog of paper records.

STAT+ Exclusive Story

Already have an account? Log in

This article is exclusive to STAT+ subscribers

Unlock this article — and get additional analysis of the technologies disrupting health care — by subscribing to STAT+.

Already have an account? Log in

Already have an account? Log in

Individual plans

Group plans

Monthly

$39

Totals $468 per year

$39/month Get Started

Totals $468 per year

Starter

$30

for 3 months, then $39/month

$30 for 3 months Get Started

Then $39/month

Annual

$399

Save 15%

$399/year Get Started

Save 15%

11+ Users

Custom

Savings start at 25%!

Request A Quote Request A Quote

Savings start at 25%!

2-10 Users

$300

Annually per user

$300/year Get Started

$300 Annually per user

View All Plans

Get unlimited access to award-winning journalism and exclusive events.

Subscribe

Log In