The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced the second settlement in four months resulting from a ransomware attack on a healthcare business. Maryland-based Green Ridge Behavioral Health agreed to pay $10,000 and implement a corrective action plan after an investigation revealed potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
The settlement comes as ransomware has emerged as a significant threat to healthcare organizations and regulators are prioritizing enforcement of cybersecurity standards. This is highlighted by the October 2023 announcement of a $100,000 settlement related to a ransomware attack on a medical billing company, and by OCR's recent investigation into the cyberattack on Change Healthcare, a medical billing clearinghouse.
Background
Green Ridge is a behavioral health clinic that provides psychiatric evaluations, medication management, and psychotherapy. In February 2019, Green Ridge notified OCR that its network servers had been infected with ransomware, leaving patient health records and company files encrypted. OCR launched an investigation into Green Ridge's HIPAA compliance and found evidence that Green Ridge had failed to conduct a proper risk analysis, implement appropriate security measures, or adequately monitor its IT systems to protect against cyberattacks.
In addition to the fine and the implementation of a corrective action plan, Green Ridge agreed to have its plan monitored by OCR for three years. Corrective actions identified in the settlement announcement include:
- “Conduct a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.
- Design a risk management plan to address and mitigate security risks and vulnerabilities found in the risk analysis.
- Review and, as necessary, develop or revise written policies and procedures to comply with HIPAA regulations.
- Provide employee training on HIPAA policies and procedures.
- Where applicable, conduct an audit of all third-party agreements to ensure that appropriate business associate agreements are in place; and
- Report to OCR any employee who fails to comply with HIPAA policies and procedures.”
The settlement highlights the increased focus on cybersecurity and HIPAA compliance in the wake of ransomware attacks. OCR Director Melanie Fontes Rainer explained in the press release announcing the Green Ridge settlement:
Ransomware has grown as one of the most common cyberattacks, leaving patients extremely vulnerable. These attacks cause distress to patients who do not have access to their medical records and may be unable to make accurate decisions about their health and well-being. Healthcare providers must understand the seriousness of these attacks and take steps to ensure that their patients' protected health information is not exposed to cyberattacks such as ransomware.
The White House also acknowledges the seriousness of this threat and is working with HHS to consider possible legislation and mandatory cybersecurity standards for health care providers.
In December 2023, HHS released a concept paper detailing the department's current and planned steps to improve cyber resiliency in the healthcare sector. The paper outlines voluntary security goals for providers, financial support and incentives for hospitals to improve their cybersecurity, and plans to strengthen accountability through new enforceable cybersecurity standards. On the paper's release, Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger said the administration is “establishing strong cybersecurity standards for healthcare organizations and working with Congress to provide financial support” for hospitals, and is “ramping up resources to improve cyber resiliency across the healthcare sector.”
In light of this evolving situation, healthcare providers should be vigilant in strengthening their cybersecurity programs. Staying informed about the latest threats, implementing robust data security protocols, and developing a comprehensive incident response plan are all important steps. Taking proactive steps can protect patients and potentially avoid fines under stricter regulations.
Key Points
- Growing attention to ransomware: This is the second settlement focused on a ransomware breach in the healthcare sector, highlighting HHS's growing concern.
- HIPAA compliance is critical: This settlement highlights the importance of implementing and maintaining a robust HIPAA compliance program, including conducting regular risk analyses, ensuring safeguards are in place to protect patient data, and training staff on HIPAA policies.
- Enforcement action for non-compliance: HHS actively investigates and enforces HIPAA violations. Providers found to be non-compliant may face financial penalties and corrective action plans.
Recommendations
- Review your HIPAA compliance program to ensure it addresses current security threats such as ransomware.
- Review all vendor and contractor relationships to ensure appropriate business associate agreements are in place and that they address breach and security incident obligations.
- Perform a thorough risk assessment to identify vulnerabilities in your IT systems.
- Implement appropriate safeguards to protect patient data, such as encryption and multi-factor authentication.
- Ensure that audit controls are in place to record and examine information system activity.
- Regularly monitor your system for suspicious activity.
- Train your staff on HIPAA policies and procedures, including how to identify and report potential violations.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended to be, and should not be construed as, legal advice. This memorandum is considered advertising under applicable state law.