The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first-ever HIPAA settlement to resolve an investigation of a ransomware attack. Doctors’ Management Services agreed to settle the HIPAA compliance investigation, pay a $100,000 financial penalty, and adopt a corrective action plan (CAP) that includes several requirements for improving security and ensuring future compliance with the HIPAA Rules.
OCR opened an investigation of the Massachusetts-based medical management company in response to an April 22, 2019, report of a breach of the protected health information of 206,695 individuals. Doctors’ Management Services fell victim to a GandCrab ransomware attack that was detected on December 24, 2018; however, the forensic investigation revealed there had first been unauthorized access to its network 20 months previously, on April 1, 2017. The breach of its systems was only detected when the ransomware gang started encrypting files on its network.
OCR’s investigators found evidence of a failure to conduct a comprehensive, organization-wide risk analysis to identify risks and vulnerabilities to electronic protected health information. The length of time taken to identify an intrusion indicated a failure to effectively monitor logs of system activity, and there was a lack of policies and procedures for implementing the requirements of the HIPAA Security Rule. These failures were deemed to be of sufficient severity to warrant a financial penalty for non-compliance. Doctors’ Management Services opted not to contest the findings and chose to settle the investigation with no admission of wrongdoing.
The CAP includes several requirements for improving security, including a comprehensive risk analysis, managing identified risks and reducing them to a low and acceptable level, reviewing and revising policies and procedures to comply with all provisions of the HIPAA Privacy and Security Rules, and providing further workforce training. OCR will monitor Doctors’ Management Services for 3 years to ensure compliance with the HIPAA Rules and the CAP.
Ransomware is one of the biggest threats faced by the healthcare industry. OCR’s data indicates there has been a 278% increase in ransomware attacks in the past four years and a 239% increase in large data breaches. The latest data from NCC Group indicates healthcare experienced an 86% month-over-month increase in ransomware attacks in September and there are no signs of ransomware attacks decreasing. Most likely they will continue to increase.
“Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director, Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”
To counter ransomware and other cyberattacks, OCR recommends the following:
- Conduct reviews of relationships with vendors and contractors and ensure that business associate agreements are in place and cover breach/security incident obligations
- Ensure that risk analysis and risk management are integrated into business processes, and are conducted when new technologies and business operations are planned
- Implement audit controls to record and examine information system activity, and regularly review logs of system activity
- Implement multi-factor authentication
- Encrypt ePHI
- Incorporate lessons learned from incidents into the overall security management process
- Provide training specific to job responsibilities regularly and reinforce workforce members’ critical role in protecting privacy and security