With Cybersecurity Awareness Month looming, data security should be top of mind for any organization that handles sensitive information. This is further highlighted by the announcement of the most recent Office for Civil Rights (OCR) settlement involving a ransomware incident.
After receiving a complaint that Cascade Eye and Skin Centers allegedly suffered a ransomware incident, OCR launched an investigation into the healthcare provider. During the investigation, it was found that the attack compromised the electronic protected health information (ePHI) of 291,000 patients. OCR also uncovered multiple potential HIPAA Security Rule violations.
According to a statement released by OCR, Cascade allegedly failed to:
- Conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems
- Have sufficient monitoring of its health information systems’ activity to protect against a cyberattack
“Cybercriminals continue to target the health care sector with ransomware attacks. Health care entities that do not thoroughly assess the risks to electronic protected health information and regularly review the activity within their electronic health record system leave themselves vulnerable to attack, and expose their patients to unnecessary risks of harm,” said OCR Director Melanie Fontes Rainer.
“Ensuring the confidentiality of electronic protected health information is critical to protect health information privacy and integral to our national security in the health care sector. OCR urges all health care entities to take the essential precautions and stay vigilant to safeguard their systems from cyberattacks.”
The OCR Settlement
On September 26, 2024, OCR announced that it had settled with Cascade Eye and Skin Centers to resolve potential Security Rule violations. By agreeing to the settlement, Cascade paid $250,000 to OCR, will implement a corrective action plan (CAP), and is subject to two years of monitoring by OCR.
The CAP requires Cascade to:
- Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI
- Implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in its risk analysis
- Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
- Develop policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI
- Develop written procedures to assign a unique name and/or number for identifying and tracking user identity in its systems that contain ePHI
- Review and revise written policies and procedures to comply with the HIPAA Privacy and Security Rules
How Compliancy Group Can Help
Healthcare organizations that use Compliancy Group’s healthcare compliance tracking software, the Guard, are better equipped to prevent, manage, and recover from security incidents.
Our software enables organizations to:
- Conduct an accurate and thorough risk analysis to identify risks and vulnerabilities to ePHI
- Mitigate risk through a risk management plan
- Develop policies and procedures through templates that include limiting access to, tracking access of, and reporting access to ePHI
We also provide employee cybersecurity training, reducing the risk of the human error that often leads to ransomware incidents, and we give employees the means to report incidents anonymously should they occur. Healthcare organizations that use our software can provide complete documentation of their “good faith effort” to meet the HIPAA Rules in the case of an OCR audit. Had Cascade used our software to manage its compliance program before suffering a ransomware incident, it likely could have prevented the incident from occurring and would not be facing a $250,000 civil monetary penalty.