Cybersecurity continues to pose a serious problem for organizations throughout the healthcare industry. A recent HIPAA ransomware incident at Centrelake Medical Group, a network of eight medical imaging and oncology centers in California, only underscores this risk.
The organization is now notifying patients after discovering a computer virus, which may have exposed their protected health information (PHI). PHI is any demographic information that can be used to identify a patient, including names, dates of birth, Social Security numbers, health records, and more.
The computer virus was discovered in February of 2019 when employees could no longer access files on the system. Although the organization did not specify exactly what malware was involved, it appears to have been a form of ransomware.
Ransomware is a kind of malware attack that takes data ‘hostage.’ It infects a computer system and prevents users from accessing their files, either by locking the system’s screen or by encrypting the users’ files, typically until a ransom is paid.
A computer forensics company conducted an investigation to determine the scope of the HIPAA ransomware attack and whether any protected health information was accessed. The investigation concluded that an unauthorized individual gained access to the organization’s servers on January 9, 2019. The attacker then retained undetected access to the servers until deploying the virus on February 19, 2019.
Ransomware is more often than not deployed only after attackers have already breached an organization’s security defenses. However, in this case the forensics company did not uncover any evidence to suggest that any PHI was accessed or exposed. Under HIPAA regulation, any breach of unencrypted ePHI must be reported.
While OCR has not modified any of the HIPAA rules to formally address ransomware protections, guidance from the Department of Health and Human Services (HHS) does “reinforce activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats.” Here are some ways healthcare entities can mitigate the risk of a HIPAA ransomware attack:
- Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a remediation plan to mitigate those identified risks
- Implementing procedures to safeguard against ransomware and malware
- Training authorized users to detect malicious software and to report such detections
- Limiting access to ePHI to only those persons or software programs requiring access
- Maintaining an overall contingency plan that includes disaster recovery, emergency operation, frequent data backups, and test restorations
- Understanding ransomware, how it works, and how to spot the signs of an infection
- Implementing security incident response procedures and mitigating the consequences of ransomware
Security controls are an important element in limiting exposure to data breaches and ransomware, but they shouldn’t be the only line of defense your organization relies on. To effectively protect yourself against ransomware, a comprehensive organization-wide compliance plan is necessary.
And Compliancy Group Can Help!
Compliancy Group provides healthcare professionals with the tools they need to effectively address their HIPAA compliance with our web-based HIPAA compliance tracking app, The Guard™. The Guard simplifies HIPAA compliance and allows users to address every element of the regulation.
We have a unique methodology that has made us the industry leaders in simplified compliance. Users are paired with an expert Compliance Coach™ who guides them through each and every step of their compliance program. We answer your questions and give you a compliance program that is truly tailored to the needs of your individual business.
And in the event of a data breach or HIPAA audit, our Audit Response Program™ guides our users through the entire documentation and reporting process. At Compliancy Group, we go above and beyond to help demonstrate your good faith effort toward HIPAA compliance.