Author: Jamie Dolley

Cyber Warfare and the HIPAA Security Rule: Protecting Health Data in an Era of Geopolitical Conflict 

Modern warfare has extended into the digital domain, where cyberattacks against private companies and critical infrastructure are increasingly used as tools in geopolitical conflict. The healthcare sector, which heavily relies on digital systems for storing sensitive patient information, is a particularly vulnerable target. This vulnerability, which can be increased during times of international conflict, was recently illustrated during the cyberattack against Stryker—a major U.S. medical device manufacturer. This event raises broader questions of whether the existing Health Insurance Portability and Accountability Act (HIPAA) Security Rule is sufficient in protecting personal health information (PHI). In an era where cyberwarfare more commonly targets healthcare companies, it raises the question of who will bear the financial responsibility for heightened security measures to safeguard this data. 

The Stryker Cyberattack

Stryker, a U.S. medical device company with ties to Israel through its acquisition of OrthoSpace, manufactures products ranging from artificial joints to surgical instruments. This month, Stryker experienced a cyberattack attributed to a pro-Iranian hacking group amid escalating tension between the U.S. and Iran. The hacker group stated the attack was retaliation for recent military actions involving the U.S. and its allies. The cyberattack disrupted Stryker’s global operations—affecting systems used for order processing, manufacturing, and shipment of medical devices—while reports indicate the hackers wiped thousands of systems and claimed to have extracted large quantities of company data. 

Although Stryker stated that its medical devices and patient services were not directly compromised, the cyberattack caused widespread operational disruptions and highlights the vulnerability of healthcare companies during geopolitical conflicts. Cybersecurity experts have warned that such attacks may represent a broader escalation in cyberwarfare targeting critical infrastructure, which includes healthcare companies. As a result, private healthcare companies are becoming indirect participants in geopolitical conflicts due to their strategic importance in national infrastructure and the expansive amounts of sensitive information they maintain.

Implications for PHI and HIPAA

The cyberattack against Stryker is not an isolated incident. Healthcare organizations have long been targets of cyberattacks, reflecting persistent vulnerabilities within the sector. The U.S. Department of Health and Human Services (HHS) Breach Reporting Portal has documented thousands of breaches involving PHI, affecting millions of individuals. The healthcare industry is a prime target for cybercriminals because it maintains extensive databases containing highly sensitive information—such as Social Security Numbers, medical histories, insurance information, and billing records—which can be monetized through ransomware, identity theft, and insurance fraud. 

Cybersecurity issues are not new, healthcare entities have already faced threats even during times of relative geopolitical calm. However, as cyber-attacks become commonplace in geopolitical conflict, the frequency of attacks may rise, exacerbating existing vulnerabilities and intensifying risks to PHI and patient care

Under the HIPAA Security Rule, covered entities and business associates must implement administrative, physical, and technical safeguards to ensure confidentiality, integrity, and availability of electronic protected health information (ePHI). This rule requires security measures that are reasonable and appropriate to reduce risks and vulnerabilities to ePHI, effectively establishing a baseline security standard.

Cyberattacks that breach systems directly undermine these core objectives by exposing patient information for financial exploitation, intelligence gathering, or political purposes. In more severe incidents, such attacks can disrupt access to medical records and clinical systems, directly impacting patient safety and the delivery of care. 

The HIPAA Security Rule was developed in the early 2000s, before the emergence of modern cyber warfare used in geopolitical conflict. As cyber threats quickly evolve, health organizations may need to adopt increasingly advanced cybersecurity strategies more commonly used in national defense. However, implementing these advanced security protections often impose significant financial and operational burdens on healthcare entities. 

In light of these challenges, enhanced federal support, guidance, and coordination are necessary to assist healthcare organizations in strengthening their defenses. While the HIPAA Security Rule establishes baseline security requirements, it provides limited specificity regarding how organizations should respond to emerging and escalated threats such as those currently arising from geopolitical conflicts.

Recognizing these risks, federal agencies have begun providing some additional resources. For example, HHS has published materials such as the Security Risk Assessment Tool, the Security Rule Risk Analysis Requirement, and the Security Rule Guidance Material—to address the increased cybersecurity occurrences and provide material for entities to assess security vulnerabilities to ePHI. Similarly, the Federal Bureau of Investigation recently launched a Campaign Against Cybersecurity Part 1, this February, providing healthcare entities with recommendations for defending against cyber threats.

Despite these efforts, the financial and operational costs associated with implementing robust cybersecurity protections appear to remain with healthcare entities. As cyberattacks become more prevalent with geopolitical conflict, policymakers may need to consider whether existing regulations adequately address large-scale cyber threats. Federal financial and technical assistance should be considered to ensure that healthcare organizations can effectively protect ePHI during periods of geopolitical instability.

The cyberattack against Stryker underscores the growing intersection between geopolitical conflict and healthcare cybersecurity, demonstrating that healthcare organizations are now potential targets in modern cyber warfare. This incident raises critical questions regarding if the current HIPAA Security Rule provides adequate protection for healthcare entities or if enhanced safeguards are necessary. As healthcare organizations face growing pressure to implement advanced cybersecurity measures to defend against international cyber threats, policymakers must also address the practical and financial burdens of compliance to ensure the protection of ePHI.

From Protests to Policy Change: Applying the AIDS Activist Playbook to Future Pandemics

Early in the U.S. AIDS epidemic, government inaction allowed the crisis to escalate, leaving affected communities without support. In response,  AIDS activists organized to force national attention on the epidemic and reshape public awareness, treatment development, and federal policy.

The history of AIDS activism demonstrates how marginalized communities can turn a stigmatized public health emergencies into a playbook for overcoming institutional resistance. This analysis highlights the history of AIDS activism, the AIDS activism playbook, and strategies that can continue to serve as effective health advocacy in future pandemics.

  1. History of AIDS Activism & Its Impact On Policy

The AIDS epidemic first gained national attention in 1981, when the CDC reported five cases of a rare pneumonia in young gay men. As cases and deaths rapidly increased, the federal government remained largely silent, influenced by the political conservatism and homophobia. This denial, paired with labels like “gay cancer,” deepened public stigma and delayed research funding and education campaigns.

Anger and grief sparked the rise of activism, through groups like ACT UP, demanding treatment access and government accountability. The 1988 FDA headquarters protest— pressured agencies to adopt accelerated drug approval processes. Activists shaped clinical research by pushing for patient inclusion, alternative trial designs, and the use of surrogate markers like CD4 counts. Activism assisted in redefining AIDS, pressuring executive orders, influenced policy change, and national public education campaigns. AIDS activism transformed the nation’s response to AIDS and established a lasting playbook for public health activism.

  1. The AIDS Activist Playbook

The AIDS activist playbook shows how affected communities can drive policy change through seven key strategies.

  1. Humanize Marginalized Community

AIDS activists countered stigma by humanizing those affected. Early messages urged people to reject “othering,” while visibility events like the 1983 Candlelight March and the AIDS Memorial Quilt transformed grief into collective power and reframed people with AIDS as loved ones—not outsiders.

  1. Self-Educated Experts

Activists became self-educated experts to advocate and educate their communities and challenged institutions. ACT UP’s committees trained non-scientists to understand medical literature, FDA procedures, and trial design. They became indispensable in policy discussions and helped accelerated access to lifesaving treatments, proving knowledge can be a powerful form of activism.

  1. Offer Solutions

Instead of demanding action, AIDS activists proposed research-based solutions. ACT UP developing the “parallel track” for drug approvals, proposing this to the FDA to adopt faster drug approval processes. Solution-driven advocacy demonstrated the power of mastering science to influence policy change within agencies.

  1. Community Education and Engagement

AIDS activists engaged and educated communities to reduce risk, dispel myths, increase awareness, and provide update treatment options. Activists guided communities on harm-reduction through safe-sex education and illicitly operated clean-needle exchanges—deliberately risked arrest so they could challenge New York’s laws in court and establish a legal precedent for their constitutionality.

  1. Use Inside/Outside Strategies

ACT UP paired disruptive “outside” protestors demanding the “inside” group speak with officials to present detailed policy proposals. This dual strategy pressured agencies to speed up drug approvals, revise trial protocols, and include patients in decision-making, illustrating how confrontation with negotiation can drive policy change.

  1. Nonviolent, Media-Savvy Protests

Activists used nonviolent, media-savvy protests to raise awareness and pressure policymakers. Theatrical demonstrations—like the St. Patrick’s Cathedral protest featuring a condom balloon, a “Jesus” news anchor, and activists lying on the floor to symbolize death from inaction—captured national attention and underscored the message that safe-sex saves lives. By coordinating with journalists, issuing press releases, and covering damages, activists avoided being dismissed as extremists.

  1. Inserting Activists Into Decision-Making

Guided by the Denver Principles, activists insisted on full inclusion in research, treatment, and prevention decisions. ACT UP developed the National AIDS Treatment Research Agenda to influence every level of clinical trial design and national research priorities, proving that community expertise and inclusive decision-making are essential to effective public health responses. Their involvement helped shaped approvals of drugs like AZT, DDI, and later combination therapies.

  1. Applying the Activism Playbook to Future Pandemics

The strategies of AIDS activism provided a playbook for responding to future pandemics, particularly during political division and stigmatization that leads to government inaction. Even adopting select elements can help ensure marginalized communities shape meaningful policy change. Although not every tactic transfers directly, the core principles have already strengthened other movements, such as breast cancer awareness. Contemporary politicized health movements—including reproductive rights and gender affirming care—facing escalating restrictions at the federal and state level, make them well positioned to draw on lessons from the AIDS activism playbook. By humanizing the individual stories making it a family issue, expanding community education around medical care access, and using the inside/ outside activism strategies to assist with public pressure, these movements can better resist politicization and drive meaningful reform to healthcare access.

Ultimately, the central lesson is clear: when affected communities become empowered partners in the response, activism can catalyze scientific progress and lasting policy reform.

Bird Flu: How Federal Cuts Have Left the Nation Vulnerable

Avian influenza (H5N1), or bird flu, is a highly contagious virus that primarily affects birds but has recently mutated more quickly and spread more aggressively enhancing its ability to infect a wider range of species. Bird flu has adapted to impact mammals, including cattle, felines, raccoons, and sea lions, signaling its potential to cause a broader health crisis. 

One of the most concerning developments is bird flu’s impact on cattle. Infections have been reported in over 950 herds across 16 states, with reinfections in Idaho cattle farms demonstrating the virus’s ability to persist and evolve. These newer mutations raise concerns about bird flu’s ability to spread from cattle to humans.

Scientists worry that further mutations of bird flu could enable increased transmission from human to human. A recent study found that a single mutation significantly increased the virus’s ability to infect human cells. While human infections remain relatively rare, 70 cases of H5N1 have been reported, with one fatality. Most cases present mild symptoms like eye redness, low fever, cough, and muscle aches. However, severe cases—including symptoms of high fever, respiratory distress, altered consciousness, and seizures—have been documented. Symptoms typically appear between 2 to 7 days after exposure. The exact duration of contagiousness remains unclear, though individuals are believed to be most contagious during the early stages, with severe cases potentially contagious for several weeks.

The impact of the bird flu is already being felt in the U.S., particularly in the egg industry, where outbreaks have led to major production losses and price spikes. However, the country’s ability to respond has been weakened by cuts made during the Trump administration, which undermined pandemic preparedness. Key public health programs were scaled back, and the Centers for Disease Control and Prevention (CDC) recently lost one-tenth of its workforce, including staff in the Epidemic Intelligence Service, which monitors disease outbreaks. The National Institute of Health (NIH) also suffered cuts, losing 1,500 employees. Additionally, a Trump-era policy restricting public communications from health agencies delayed the release of crucial information regarding the bird flu outbreak by several weeks.

These federal cuts have left the U.S. vulnerable, with fewer experts monitoring potential outbreaks and limited stockpiles of antiviral medications and vaccines. While a federal stockpile of bird flu vaccines exists, experts warn that they may be outdated and insufficient for large-scale immunization. 

Beyond public health concerns, the bird flu outbreak has significant economic and policy implications. The bipartisan Healthy Poultry Assistance and Indemnification Act (HPAI Act), introduced by Senators Chris Coons and Roger Wicker, aims to provide fair compensation to poultry farmers. The HPAI Act seeks to expand compensation to all affected farms with confirmed infections to include all affected farms in control areas, ensuring equitable relief and strengthening the poultry supply chain.

Regulatory agencies are responding to emerging threats as well. The FDA, under the Food Safety Modernization Act, now requires pet food manufacturers to reassess safety plans for products containing raw poultry or dairy due to bird flu contamination risks. 

Continued collaboration between the USDA, FDA, and CDC remains essential to mitigate risks to both human and animal health. Despite these efforts, administrative failures continue to hinder preparedness. The USDA recently admitted to mistakenly firing key employees involved in the avian flu response, exacerbating concerns about the federal government’s ability to manage the outbreak effectively.

The warning signs of another potential pandemic are evident. The U.S. cannot afford to repeat past mistakes—delays in data, inadequate testing, and slow government response, all echoes of the COVID-19 crisis, are already emerging. Without swift action to restore pandemic preparedness, enhance disease surveillance, and improve public communication, the nation is vulnerable to another health crisis.