HHS OCR Settles Ransomware Cyberattack Investigation with Medical Management Company

On October 31, 2023, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement under the Health Insurance Portability and Accountability Act (HIPAA) with a Massachusetts medical management company that provides a variety of services, including medical billing and payor credentialing. The $100,000 settlement resolves a large breach report regarding a ransomware attack that affected the electronic protected health information (ePHI) of 206,695 individuals. This marks the first settlement OCR has reached involving a ransomware attack.

On April 22, 2019, the medical management company filed a breach report with HHS stating that approximately 206,695 individuals were affected when its network server was infected with GandCrab ransomware. The initial unauthorized access to the network occurred on April 1, 2017; however, the company did not detect the intrusion until December 24, 2018, after ransomware was used to encrypt its files. In April 2019, OCR began its investigation, which revealed indications of possible deficiencies in the company’s practices: the company lacked a risk analysis aimed at identifying potential risks and vulnerabilities to ePHI throughout the organization. Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyberattack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of ePHI.

Under the terms of the settlement agreement, OCR will monitor the company for three years to ensure compliance with HIPAA. In addition, the company has agreed to pay $100,000 to OCR and to implement a corrective action plan, which identifies the steps it will take to resolve potential violations of the HIPAA Privacy and Security Rules and protect the security of ePHI, including:

    • Review and update its Risk Analysis to identify the potential risks and vulnerabilities to the company’s data and to protect the confidentiality, integrity, and availability of ePHI.
    • Update its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis.
    • Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.
    • Provide workforce training on HIPAA policies and procedures.

OCR recommends healthcare providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following best practices to mitigate or prevent cyber-threats:

    • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
    • Integrate risk analysis and risk management into business processes; conduct them regularly and whenever new technologies or business operations are planned.
    • Ensure audit controls are in place to record and examine information system activity.
    • Implement regular review of information system activity.
    • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
    • Encrypt ePHI to guard against unauthorized access to ePHI.
    • Incorporate lessons learned from incidents into the overall security management process.
    • Provide training specific to the organization and to job responsibilities, and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

Compliance Perspective

Issue

Ransomware is a type of malware (malicious software) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the attacker who deployed the malware, until a ransom is paid. Ransomware and hacking are the primary cyber-threats in healthcare. In the past four years, there has been a 239 percent increase in large breaches reported to OCR involving hacking and a 278 percent increase in ransomware. This trend continues in 2023, where hacking accounts for 77 percent of the large breaches reported to OCR. Additionally, the large breaches reported this year have affected over 88 million individuals, a 60 percent increase from last year. The HIPAA Privacy, Security, and Breach Notification Rules set forth the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.

Discussion Points

    • Review policies and procedures related to HIPAA, ePHI, and the Security Rule. Ensure that they address how to secure ePHI and how to avoid falling prey to security breach efforts by unauthorized individuals. Update these documents as new information becomes available.
    • Train staff involved with the use and maintenance of the organization’s computer information systems regarding the HIPAA Security Rule, including the requirements for conducting risk assessments. Train all staff on HIPAA, PHI, and the Privacy Rule upon hire and annually. Document that these trainings occurred and file the signed training document in the employees’ education files.
    • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and the Security Rule are being followed by all staff, and that each person demonstrates understanding and competency. Also periodically audit to ensure ongoing risk analysis is being conducted.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*