With the proliferation of electronic health records, medical providers are facing new challenges in the form of phishing and ransomware attacks and other cyber threats. Indeed, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has been active recently in settling multiple matters involving cybersecurity breaches and attacks.
Q: What Is Phishing and Are Medical Providers at Risk?
A: Phishing occurs when a third party impersonates a legitimate organization via email or other electronic means in order to entice the recipient to click a link in the message or otherwise allow the third party to gain access to or steal sensitive information.
Phishing is the most common type of cyberattack likely to result in a data breach and cause major financial implications for health care organizations. For example, on December 7, 2023, OCR announced a settlement related to a cybersecurity breach that affected almost 35,000 patients in Louisiana. The subject of the investigation was the Lafourche Medical Group (Lafourche), which provides emergency and occupational services, and laboratory testing. Lafourche was the victim of a phishing attack involving electronic protected health information (PHI).
Lafourche reported the breach to HHS on May 28, 2021, advising that a third party had gained access to an email account that contained PHI. OCR investigated and found that Lafourche had failed to conduct a risk analysis to identify potential threats or vulnerabilities in its systems that could allow access to PHI. Risk analysis is required under the Health Insurance Portability and Accountability Act (HIPAA). The government also determined that Lafourche had failed to implement any policies or procedures for reviewing its electronic system activity to safeguard against cyberattacks. As part of the settlement, Lafourche agreed to pay $480,000 and implement a corrective action plan to establish security measures, develop written policies and procedures to comply with HIPAA, and provide training to staff on HIPAA requirements.
Q: What Is Ransomware and Are There Any Recent HIPAA/OCR Settlements?
A: HHS defines ransomware as a “type of malware (malicious software) distinct from other malware,” which “attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.”
Ransomware attacks can be costly for medical providers, as well as result in a breach of HIPAA when disclosure of PHI is implicated. In October, OCR settled a matter with Doctors’ Management Services (DMS), a Massachusetts-based medical management company. On December 24, 2018, DMS identified unauthorized access to its network that occurred over one year prior, on April 1, 2017. DMS waited nearly four months after discovery to report the breach to HHS, in April 2019.
In its investigation, the government found that DMS had failed to analyze and ascertain the potential risks and vulnerabilities to PHI maintained within the organization. OCR also found that DMS had failed to monitor its system activity to guard against a cyberattack, and that the provider had neglected to implement policies and procedures to ensure compliance with the HIPAA Security Rule. Pursuant to its settlement with OCR, DMS agreed to pay $100,000 and to implement a corrective action plan, implement a risk management plan, develop policies and procedures to comply with the Privacy and Security Rules, and provide training to its employees on HIPAA rules and compliance.
Q: Has HHS Developed Any Steps to Assist Providers with Compliance?
A: Yes, on December 6, 2023, HHS released a concept paper, which outlines its cybersecurity strategy for the health care industry. The paper amplifies the National Cybersecurity Strategy outlined by President Biden and focuses on strengthening resilience for medical providers and patients threatened by cyberattacks.
The December 2023 concept paper outlines four primary actions: (1) publishing health care and public health sector cybersecurity performance goals to help institutions implement high-impact cybersecurity practices; (2) providing resources to financially incentivize and implement cybersecurity practices; (3) implementing an agency-wide strategy to support greater enforcement of cybersecurity standards and accountability; and (4) expanding the “one-stop shop” within HHS for health care sector cybersecurity by developing the Administration for Strategic Preparedness and Response’s coordination role in that capacity.
Q: How Can I Work Toward Compliance With HIPAA Rules While Ensuring My Networks Are Secure?
A: Start by reviewing current policies and consulting with your IT security provider and attorney to ensure ongoing compliance with HIPAA Privacy and Security Rules. Protect your organization by assessing which assets are vulnerable, implementing appropriate security measures, establishing a regular review process, developing written policies for preventing a breach of PHI, and designing and implementing appropriate training for all staff.
Q: What Should I Do if I Discover a Cybersecurity Attack or Breach?
A: If a breach is discovered, you should consult with your IT services and security provider to secure the network and identify and address any vulnerabilities. You should consult with your attorney as soon as possible to discuss whether unsecured PHI was compromised and, if so, whether a breach report requirement is triggered under HIPAA.
Reprinted with permission from the February/March 2024 issue of The Bulletin from the Monroe County Medical Society and available as a PDF file here.
Ericka B. Elliott is an attorney in Underberg & Kessler LLP’s Health Care and Litigation Practice Groups. She can be reached at eelliott@underbergkessler.com or 585.258.2830.