Missouri-Based Healthcare System Hit by Cyberattack

On May 8, 2024, a large health system based in Missouri was subjected to a cybersecurity incident which caused their main electronic health records system to be taken offline. Services which were interrupted included some phone systems, and various systems utilized to order certain tests, procedures, and medications. In addition, their “MyChart” system, which enables patients to view their medical records and communicate with their providers, was also taken offline.

The company said there was ongoing disruption to clinical operations, and some non-emergent elective procedures, tests, and appointments were temporarily paused. Several of the company’s hospitals were put on diversion for emergency medical services in order to ensure emergency cases were triaged immediately.

The company’s press release advises patients to bring notes on their symptoms and a list of current medications and prescription numbers or prescription bottles to their appointments so their care team can call in medication needs to pharmacies.

A company spokesperson said that the investigation and restoration work will take time to complete. The company is working around the clock with internal and external advisors to investigate, contain, and restore their systems following a thorough validation and screening process.

On May 9, the US Department of Health and Human Services (HHS) issued a statement saying that they were aware of the cyber incident and were in communication with the health system’s leadership.

The statement also said that this incident serves as an important reminder of the urgency of strengthening cybersecurity resiliency in healthcare, and that they encourage all providers, technology vendors, payers, and members of the healthcare ecosystem to double down on cybersecurity. Please visit the HPH Cyber Performance Goals website for more details on steps to stay protected.

Compliance Perspective

Issue

Cyber incidents affecting hospitals and health systems have led to extended care disruptions, patient diversions to other facilities, and delayed medical procedures, all putting patient safety at risk. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule specifically focuses on safeguarding the confidentiality, integrity, and availability of electronic protected health information (ePHI). All HIPAA-regulated entities must comply with the requirements of the Security Rule. The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures.

Discussion Points

    • Review policies and procedures related to HIPAA, ePHI, and the Security Rule. Ensure that they address how to secure ePHI and how to avoid falling prey to breach attempts by unauthorized individuals. Update these documents as new information becomes available.
    • Train all staff on HIPAA, ePHI, and the Security Rule, including how to avoid phishing schemes, malware exposure, and unauthorized release of ePHI. Provide additional training at least annually and whenever new threats or security information become known. Document that these trainings occurred and file the signed training record in each employee’s education file.
    • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, ePHI, and the Security Rule are being followed by all staff, and that each person demonstrates understanding and competency.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
