Following an investigation into the breach of the protected health information of 206,695 individuals, the Office of Civil Rights has announced a settlement with Doctors’ Management Services – which provides third-party medical billing, payment information and other health care services to several covered entities.
WHY IT MATTERS
Massachusetts-based DMS reported in April 2019 that an unauthorized third party gained access to its network on April 1, 2017 and was active in its system until ransomware was deployed on December 24, 2018.
According to OCR, the breach report filed with US Health and Human Services noted that PHI was exposed when the network server was infected with GandCrab ransomware.
OCR’s investigation of the incident under the HIPAA Privacy, Security, and Breach Notification Rules found evidence of potential errors, insufficient system monitoring to protect against a cyberattack, and a lack of HIPAA policies and procedures implementing HIPAA’s privacy requirements.
The agency said DMS, as a business associate of the affected entities, did not have adequate measures in place to protect the confidentiality, integrity and availability of electronic PHI.
“DMS has failed to implement procedures to regularly review information system activity data, such as audit logs, access reports, and security incident tracking reports,” HHS said in a statement Tuesday.
Monitoring and many other cybersecurity best practices should occur regularly within an enterprise to prevent future attacks, said OCR Director Melanie Fontes Rainer.
The corrective action plan agreed to by DMS identifies the steps it must take to protect ePHI and maintain HIPAA compliance, including:
- Review and update the risk assessment to identify potential risks and vulnerabilities to data within 180 days of the plan effective date.
- Update the company’s enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the approved risk assessment within 90 days of its approval.
- Review and revise written policies and procedures to comply with HIPAA within 60 days of approval of the updated risk management plan.
- Provide training on approved HIPAA policies and procedures to each staff member with access to PHI within 60 days and every 12 months thereafter.
DMS must report annually on compliance with the three-year CAP.
THE BIG TREND
“Over the past four years, there has been a 239% increase in major breaches reported to OCR involving hacking and a 278% increase in ransomware,” HHS said. According to OCR, hacking has already increased by 60% compared to last year, affecting more than 88 million people by 2023.
It has been known for years that the cybersecurity practices of business partners cause healthcare data breaches.
GandCrab targeted older Windows PCs that are no longer supported by Microsoft with Server Message Block vulnerabilities.
SMB allowed Microsoft Windows computers to share files, serial ports, and printers over a network on older systems. Using the National Security Agency’s EternalBlue exploit (the same hacking tool used in WannaCry and Petya), GandCrab spread via spam email, fake software cracking sites, and malicious WordPress sites.
“If we are lazy about patching and upgrading our systems across the industry, GandCrab will be (somewhat) problematic for the healthcare industry,” said Lee Kim, senior director of cybersecurity and privacy at HIMSS.
“But it’s not the 1990s anymore and many healthcare organizations are being a little more proactive with their cybersecurity programs,” she told Healthcare IT News in July 2018.
Third-party cybersecurity risks from business partners like DMS have required healthcare organizations to prioritize security in procurement, regularly review every contract, implement identity and access management software across networks and systems, implement cyber hygiene best practices, and more.
ON THE RECORD
“Our settlement highlights how ransomware attacks are becoming more common and targeting the healthcare system,” Rainer said in the HHS announcement. “This makes hospitals and their patients vulnerable to data and security breaches.
“In this ever-evolving space, it is critical that our healthcare system takes steps to identify and address cybersecurity vulnerabilities, along with proactively and regularly assessing risk, data and updating policies,” she added.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.