Boo! On Halloween, HHS’ Office for Civil Rights (OCR) announced a settlement with a Massachusetts business associate (BA) for $100,000. This is the first settlement OCR has reached over a ransomware attack.
The Attack and the Settlement
After the BA filed a breach report with OCR in 2019 reporting a ransomware attack that compromised the protected health information (PHI) of 206,695 patients, OCR launched an investigation into the BA’s HIPAA compliance.
OCR’s investigation determined that Doctors’ Management Services, the business associate in question, potentially:
- Failed to conduct a security risk assessment to identify risks and vulnerabilities to electronic protected health information across the organization
- Had insufficient monitoring of its health information systems’ activity
- Lacked policies and procedures to protect the confidentiality, integrity, and availability of electronic protected health information
“Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”
In addition to agreeing to pay a $100,000 fine, Doctors’ Management Services will undergo three years of OCR monitoring and implement a corrective action plan.
As part of the corrective action plan, Doctors’ Management Services must:
- Review and update its Risk Analysis to identify the potential risks and vulnerabilities to the data Doctors’ Management Services holds, in order to protect the confidentiality, integrity, and availability of electronic protected health information
- Update its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis
- Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules
- Provide workforce training on HIPAA policies and procedures
OCR Recommended Cybersecurity Best Practices
Ransomware and hacking are very real threats faced by the healthcare industry, and the threat continues to grow. OCR has seen a 239% increase in large breaches reported involving hacking, with a 278% increase in ransomware incidents.
In 2023, hacking incidents accounted for 77% of the large breaches reported. So far, the breaches reported this year have affected 88 million patients, representing a 60% increase from last year.
To mitigate the risk of cyberattacks, OCR recommends that healthcare organizations:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations
- Integrate risk analysis and risk management into business processes; conduct them regularly and whenever new technologies or business operations are planned
- Ensure audit controls are in place to record and examine information system activity
- Implement regular review of information system activity
- Utilize multi-factor authentication to ensure only authorized users are accessing ePHI
- Encrypt ePHI to guard against unauthorized access
- Incorporate lessons learned from incidents into the overall security management process
- Provide training specific to the organization and job responsibilities on a regular basis; reinforce workforce members’ critical role in protecting privacy and security