It is notable in that it is the first settlement the HHS’s Office for Civil Rights (OCR) has reached with an organization affected by ransomware, under its HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.
Doctor’s Management Services (DMS), a Massachusetts medical management company that provides medical billing and payor credentialing, was attacked by the now-defunct GandCrab ransomware gang in April 2017, but the intrusion was not detected until late December the following year, after the group encrypted their files. The $100,000 settlement resolves a large breach reporting failure regarding a ransomware attack that affected the electronic protected health information of 206,695 individuals.
OCR’s investigation found evidence of potential failures by DMS to have in place an analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.
Increased Threat of Ransomware
Ransomware and hacking are the primary cyber-threats in health care. In the past four years, there has been a 239 percent increase in large breaches reported to OCR involving hacking and a 278 percent increase in ransomware, according to HHS. This trend continues in 2023, where hacking accounts for 77 percent of the large breaches reported to OCR. Additionally, the large breaches reported this year have affected over 88 million individuals, a 60 percent increase from last year.
“Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches.” said OCR Director, Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly review risks, records, and update policies. These practices should happen regularly across an enterprise to prevent future attacks.”
The initial unauthorized access to the network occurred on April 1, 2017; however, Doctors’ Management Services did not detect the intrusion until December 24, 2018, after ransomware was used to encrypt their files. In April 2019, OCR began its investigation.
Mandated Reforms to Comply with HIPAA
Under the terms of the settlement agreement, OCR will monitor Doctors’ Management Services for three years to ensure compliance with HIPAA. In addition, Doctors’ Management Services has agreed to pay $100,000 to OCR and to implement a corrective action plan, which identifies steps that Doctors’ Management Services will take to resolve potential violations of the HIPAA Privacy and Security Rules and protect the security of electronic protected health information, including:
- Review and update its Risk Analysis to identify the potential risks and vulnerabilities to Doctor’s Management Services data to protect the confidentiality, integrity, and availability of electronic protected health information.
- Update its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis.
- Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.
- Provide workforce training on HIPAA policies and procedures.
OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following best practices to mitigate or prevent cyber-threats:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Risk analysis and risk management should be integrated into business processes; conducted regularly and when new technologies and business operations are planned.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
- Encrypt ePHI to guard against unauthorized access to ePHI.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide training specific to organization and job responsibilities and on regular basis; reinforce workforce members’ critical role in protecting privacy and security.
HHS’s OCR says it “is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information.” Guidance about the Privacy Rule, Security Rule, and Breach Notification Rules can also be found on OCR’s website. 