Employee Error Enables Ransomware Attack on Health System

A major health system recently identified how ransomware attackers significantly disrupted approximately 140 hospitals across the United States. The health system was hit with a cyberattack on May 8, 2024, that caused major delays in lab and test results, and made electronic health records (EHR) unavailable for weeks.

On June 12, the health system posted an update on its website stating that it had identified how the attacker gained access to its systems: an individual working in one of its facilities accidentally downloaded a malicious file that they believed was legitimate. The health system said it believes this was an honest mistake.

They also said that they have no evidence that data was taken from their EHR and other clinical systems, where their full patient records are securely stored.

The attackers were able to take files from seven of the approximately 25,000 servers across its network. The health system said that they are still investigating, but they believe that some of those files may contain Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals, although the specific data may differ from individual to individual.

The update also said that the health system does not yet know precisely which patients' data was potentially affected. However, it is offering complimentary credit monitoring and identity theft protection services to any patients or associates who request them, regardless of whether their data was actually involved in this incident.

Compliance Perspective

Issue

Phishing is a form of social engineering in which a cyber threat actor poses as a trustworthy colleague, acquaintance, or organization to lure a victim into providing sensitive information or network access. The lure can arrive as an email, a text message, or even a phone call. If successful, this technique can give threat actors initial access to a network and affect both the targeted organization and related third parties. The result can be a data breach, data or service loss, identity fraud, malware infection, or ransomware.

The healthcare sector is one of the largest victims of ransomware because of the sensitivity of the confidential data it holds and the critical nature of online patient records. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and their business associates to conduct a risk assessment of their healthcare organization, and it requires implementation of security measures that help prevent the introduction of malware, including ransomware. It is imperative that all nursing facilities become proactive in preventing ransomware attacks in order to avoid data breaches, which are reportable under HIPAA requirements.

Discussion Points

    • Review policies and procedures related to HIPAA, the Privacy Rule, and data integrity. Ensure that they address how to avoid falling prey to security breach efforts by unauthorized individuals, and how to guard against and detect malicious software. Update as new information becomes available.
    • Train appropriate staff on HIPAA and the Privacy Rule, including how to avoid phishing schemes, malware exposures, and unauthorized release of protected health information (PHI), and how to detect malicious software and report such detections. Provide additional training at least annually and whenever new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee's education file.
    • Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed. Also audit to make sure computers and other devices are regularly scanned and updated.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*