The U.S. Department of Health and Human Services (HHS) Office for Civil Rights has agreed to a $250,000 settlement with Cascade Eye and Skin Centers after investigating a ransomware attack that exposed electronic protected health information (PHI).
The ransomware settlement is the fourth the OCR has agreed to, after a reported 264% increase in ransomware breaches since 2018.
What happened
The OCR began its investigation after a ransomware attack left Cascade Eye and Skin Centers with about 291,000 files containing PHI exposed. The investigation revealed several HIPAA Security Rule violations, including the healthcare provider’s failure to conduct a comprehensive risk analysis and adequately monitor their electronic health record (EHR) system.
The case was eventually settled once Cascade agreed to pay a fee of $250,000 and implement improved risk management procedures and security protocols.
Going deeper
Over the next two years, the OCR will manage Cascade’s corrective plans including:
- Conducting thorough risk analysis regarding the vulnerabilities and risks, or both, to the confidentiality, integrity, and availability of its electronic PHI (ePHI).
- Implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in their risk analysis.
- Developing a written process to regularly review records of information system activity, for example, audit logs, access reports, and security incident tracking reports.
- Implementing policies and procedures to respond to an emergency or other occurrence that damages systems that contain ePHI.
- Implementing written procedures to assign a unique name and/or number to identify and track user identity in its systems that contain ePHI.
- Regularly reviewing and revising written policies and procedures to comply with the HIPAA Privacy and Security Rules.
What was said
OCR Director Melanie Fontes Rainer stated, “Cybercriminals continue to target the healthcare sector with ransomware attacks. Health care entities that do not thoroughly assess the risks to electronic protected health information and regularly review the activity within their electronic health record system leave themselves vulnerable to attack, and expose their patients to unnecessary risks of harm."
In the know
The HIPAA Security Rule sets national standards for safeguarding PHI. It requires covered entities to implement administrative, physical, and technical safeguards. Administrative safeguards involve risk analysis and the development of security management policies; while physical safeguards require that access to facilities and equipment where ePHI is stored be protected.
Technical safeguards mandate that user authentication must be appropriately secure, and data must be encrypted, for example, using a HIPAA compliant solution, like Paubox, which automatically encrypts outgoing communications.
Read also:
Why it matters
Due to the increasing rate of cyber threats in healthcare, there is a greater need for adherence to these security safeguards. Ransomware, which is a kind of cyberattack that encrypts a victim's data and then requests money for a decryption key, has become one of the main risks to patient privacy today.
Apart from significant financial fines, entities found violating the HIPAA Security Rule also face reputational damage since breaches will undermine patient confidence in their ability to safeguard PHI.
The bottom line
Covered entities must regularly conduct risk assessments, monitor their systems, and implement access controls to avoid data breaches. Moreover, continued vigilance will help protect patients’ PHI and maintain HIPAA compliance.
FAQs
Why is ransomware a threat to healthcare organizations?
Health organizations process large quantities of protected health information (PHI), making it an appealing target for this type of attack. Aside from disrupting healthcare operations, a ransomware incident could lead to financial fines under the HIPAA Security Rule and reputational damage for the organization.
How can healthcare organizations protect themselves against ransomware?
Healthcare organizations must regularly conduct assessments of risks, have strong access controls, and actively monitor their systems to prevent unauthorized access. Furthermore, using a HIPAA compliant platform, like Paubox, helps mitigate the risk of these cyberattacks.
What is the OCR’s role in investigating a ransomware attack?
OCR investigates breaches to determine whether the covered entity adhered to HIPAA’s Privacy, Security, and Breach Notification Rules at the time of the breach. The investigation involves reviews of risk analyses, security policies and procedures, and breach response protocols. Entities found non-compliant could be fined and required to develop corrective action plans.
Go deeper: Who is responsible for enforcing HIPAA?
