
On October 31, 2024, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a $500,000 settlement with Plastic Surgery Associates of South Dakota (PSASD) over several potential HIPAA Security Rule violations uncovered in an extensive cybersecurity investigation. The settlement is OCR’s sixth ransomware enforcement action. Details of the settlement are provided below.

Ransomware Cybersecurity Investigation: Access Easily Obtained
In July 2017, PSASD filed a required breach report with OCR. In the report, PSASD stated that five months earlier it had discovered that nine workstations and two servers were infected with ransomware. The attackers had gained access to the PSASD network using credentials obtained through a brute force attack against its remote desktop protocol (RDP) service. RDP is the Microsoft protocol that lets a user operate a computer over the network from another location; in healthcare it is commonly used so that clinicians and staff can reach office systems remotely. A brute force attack is an automated trial-and-error method: the attacker submits large numbers of username and password guesses to the RDP logon until one is accepted. An RDP service that can be reached from the internet and is protected only by a password, with no account lockout or multi-factor authentication, is the usual target for this kind of attack.
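The attack pattern described above leaves a recognizable trail in the Windows Security log: a burst of failed RDP logons (Event ID 4625, logon type 10) from one source against many account names, followed by a successful logon (Event ID 4624) from the same source. The following is an added example, not code from PSASD, OCR, or Compliancy Group, showing the detection logic OCR's "information system activity review" finding points to. The events are constructed and simplified renderings of the Windows log fields, the IP addresses and account names are made up, and the threshold and time window are illustrative assumptions. It also shows why a threshold alone is not enough: a fourth source guessing one password every two minutes stays under a five-minute window and is only caught when the window is widened.

```python
"""RDP brute-force detection over Windows Security logon events.

Added example for this article, not code from PSASD, OCR, or Compliancy Group.
Input is a constructed, simplified rendering of Windows Security log fields:
EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 =
RemoteInteractive (RDP). Thresholds, addresses and account names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 15, 2, 0, 0)  # constructed, arbitrary start time


def _event(offset_s, event_id, logon_type, user, src_ip):
    return {"time": BASE + timedelta(seconds=offset_s), "event_id": event_id,
            "logon_type": logon_type, "user": user, "src_ip": src_ip}


def build_sample_events():
    """Constructed events from four sources: a fast guesser that succeeds, a
    legitimate user with two typos, network (non-RDP) failures, and a
    low-and-slow guesser that stays under a 5-minute threshold."""
    events = []
    guessed = ["administrator", "admin", "rdpadmin", "backup", "scanner",
               "reception", "administrator", "admin", "rdpadmin", "office",
               "drsmith", "rdpadmin"]
    for i, user in enumerate(guessed):                    # 12 failures in 88 s
        events.append(_event(8 * i, 4625, 10, user, "203.0.113.45"))
    events.append(_event(106, 4624, 10, "rdpadmin", "203.0.113.45"))  # then success
    events.append(_event(300, 4625, 10, "jdoe", "198.51.100.7"))      # two typos
    events.append(_event(315, 4625, 10, "jdoe", "198.51.100.7"))
    events.append(_event(330, 4624, 10, "jdoe", "198.51.100.7"))
    for i in range(15):                                   # SMB/network logons, not RDP
        events.append(_event(600 + 2 * i, 4625, 3, "svc_backup", "10.0.0.23"))
    for i in range(5):                                    # one guess every 2 minutes
        events.append(_event(1200 + 120 * i, 4625, 10, "administrator", "192.0.2.10"))
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_brute_force(events, threshold=10, window_seconds=300):
    """Return {src_ip: alert} for sources with at least `threshold` RDP logon
    failures inside any sliding window of `window_seconds`. Each alert records
    the distinct accounts tried and any RDP success from the same source after
    the burst, i.e. the "credentials obtained by brute force" outcome.
    `events` must be sorted by time."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src_ip -> failure times still inside the window
    tried = defaultdict(set)      # src_ip -> account names attempted
    alerts = {}
    for ev in events:
        if ev["logon_type"] != 10:        # only RemoteInteractive (RDP) logons
            continue
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            q = recent[ip]
            q.append(ev["time"])
            tried[ip].add(ev["user"])
            while q and ev["time"] - q[0] > window:   # expire failures older than window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"first_failure": q[0],
                                               "failures_in_window": 0,
                                               "success_after_burst": None})
                alert["failures_in_window"] = max(alert["failures_in_window"], len(q))
                alert["last_failure"] = ev["time"]
                alert["usernames"] = sorted(tried[ip])
        elif (ev["event_id"] == 4624 and ip in alerts
              and alerts[ip]["success_after_burst"] is None):
            alerts[ip]["success_after_burst"] = (ev["user"], ev["time"])
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_brute_force(build_sample_events()).items():
        print(f"{ip}: {a['failures_in_window']} RDP failures from "
              f"{a['first_failure']:%H:%M:%S} to {a['last_failure']:%H:%M:%S}, "
              f"accounts tried: {', '.join(a['usernames'])}")
        if a["success_after_burst"]:
            user, when = a["success_after_burst"]
            print(f"  then successful RDP logon as {user!r} at {when:%H:%M:%S}: "
                  f"treat the account and host as compromised")
```

Run as-is to see the fast guesser flagged and the successful logon that followed it. The slow guesser at 192.0.2.10 is not reported with the defaults; calling `detect_rdp_brute_force(events, threshold=5, window_seconds=1800)` catches it, which is the trade-off a practitioner tunes. Detection of this kind is a complement to, not a substitute for, account lockout, multi-factor authentication, and keeping RDP off the internet.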

Ransomware Cybersecurity Investigation: Keys to the Entire Picture
Once PSASD discovered the breach, it found that it could not restore the affected servers from backup. To recover the PHI of approximately 10,000 individuals, PSASD negotiated with the attackers, making two ransom payments in bitcoin totaling slightly over $27,000 in exchange for the decryption keys.

Ransomware Cybersecurity Investigation: Widespread Noncompliance
OCR’s cybersecurity investigation of the breach report revealed significant HIPAA Security Rule noncompliance on the part of PSASD, including:
1. Failure to implement policies and procedures to prevent, detect, contain, and correct security violations (that is, failure to have an effective security management process). 

2. Failure to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).

3. Failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level (that is, failure to implement risk management).

4. Failure to establish and implement policies and procedures for regularly reviewing activity on information systems that contain ePHI (that is, failure to implement information system activity review procedures).

5. Failure to implement policies and procedures to address security incidents (that is, failure to develop security incident procedures).

Ransomware Cybersecurity Investigation: Capping it Off
OCR, upon completion of its cybersecurity investigation, entered into a resolution agreement and corrective action plan with PSASD. The agreement requires PSASD to pay $500,000 to OCR, and to submit to a two-year corrective action plan (CAP). The CAP requires PSASD to take measures to resolve potential Security Rule violations and to protect the security of ePHI.

The measures PSASD is required to take under the CAP include these administrative safeguard measures:

1. Performing a risk analysis.

2. Implementing a written risk management plan to address and mitigate security risks and vulnerabilities found in the risk analysis.

3. Adopting policies and procedures to address security incidents, including a process for identifying and responding to suspected or known security incidents; mitigating, to the extent practicable, harmful effects of security incidents that are known to PSASD; and documenting security incidents and their outcomes.

4. Implementing policies and procedures to establish methods to create and maintain retrievable exact copies of ePHI (that is, implementing a data backup plan).


Technical safeguard measures that PSASD must take under the CAP include:

1. Implementing policies and procedures to verify that a person or entity seeking access to ePHI is the one claimed (that is, implementing authentication measures).

2. Implementing access controls, which are policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.

The CAP also requires that PSASD implement a basic Privacy Rule measure: PSASD must revise its policies and procedures related to PHI use and disclosure to ensure the workforce (1) understands when PHI may be used and disclosed; (2) is able to identify situations that constitute impermissible PHI use and disclosure; and (3) knows how and when to report situations that might constitute impermissible uses and/or disclosures of PHI.

The CAP also requires that PSASD implement a HIPAA Breach Notification Rule measure. PSASD must revise its breach notification policies and procedures to ensure its workforce members understand that, following a breach of unsecured PHI, affected individuals must be notified without unreasonable delay and in no case later than 60 calendar days after discovery of the breach; that notification must also be made to the HHS Secretary; and that, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets must be notified as well.

Finally, under the CAP, PSASD must provide training to its workforce on HIPAA policies and procedures.


How Can Compliancy Group Help Organizations Manage Their Compliance?
Compliancy Group’s healthcare compliance tracking software solution, The Guard, contains written program controls – specific compliance actions a HIPAA-covered entity can take to establish an effective compliance program. The Guard also contains Quickstart guides that identify key compliance initiatives and how to meet these; templated policies; an incident management tool; a vendor management tool; an asset management tool; and training courses, all of which can be used by organizations to develop and maintain an effective compliance program.