Recent HHS Settlement Underscores the Importance Compliance Plays in Cybersecurity

The following is a guest article by Dotty Bollinger, JD, Healthcare Compliance Consultant, Compliancy Group

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a settlement with Doctors’ Management Services after the healthcare vendor succumbed to a ransomware attack. The settlement, announced in a press release on the HHS site, resulted in a $100,000 fine, two years of OCR monitoring, and the requirement to adopt a corrective action plan.

“Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly reviewing risks, records, and updating policies. These practices should happen regularly across an enterprise to prevent future attacks.”

According to the HHS, there has been a 239% increase in hacking incidents reported and a 278% increase in ransomware attacks. In 2023 so far, the breaches reported have affected 88 million patients, already a 60% increase compared to last year.

The Repercussions for Lack of Compliance

This recent HHS settlement, and others, should serve as a stark reminder of how a lack of compliance can negatively affect patients, your reputation, and your wallet. Healthcare organizations that have a track record for compliance failures often suffer from long-term backlash.

In extreme cases, a healthcare breach can bankrupt a business, as was the case with the American Medical Collection Agency (AMCA). In 2018, AMCA suffered a breach affecting 21 million patients. The breach led to an investigation by the Attorneys General of Indiana, Texas, Connecticut, and New York. A lawsuit was then filed by 41 states and AMCA was ordered to pay a $21 million penalty, which ultimately led them to file for bankruptcy.

In a statement released at the time of the settlement, Connecticut Attorney General William Tong urged businesses to take note: “AMCA is a cautionary tale: When a company does not adequately invest in information security, the costs associated with a data breach can lead to bankruptcy – destroying the business and leaving affected individuals in harm’s way.”

In another settlement, announced in 2017, 21st Century Oncology, Inc. (21CO) faced a $2.3 million OCR fine resulting from a remote attack that affected 2.2 million patients, and had to file for bankruptcy as well. In a press release issued at the time of the settlement, then-OCR Director Roger Severino stated, “People need to trust that their private health information will remain exactly that: private. It’s not just my hope that covered entities will learn from this example and proactively find and address their security risks, it’s what the law requires.”

How Compliance Supports Your Security Posture

Regulatory compliance requirements facilitate cybersecurity in several ways.

  • Security risk assessments identify weaknesses and vulnerabilities in data protections
  • Administrative, physical, and technical safeguards protect sensitive information
  • Policies, procedures, and training reinforce how patient information should be handled and protected
  • Business associate agreements ensure healthcare vendors handle information securely
  • Swift incident tracking, reporting, and response limit the severity of incidents

OCR Advice for Improved Cybersecurity

To mitigate the risk of cyberattacks, OCR recommends that healthcare organizations:

  • Ensure business associate agreements are in place as appropriate and address breach/security incident obligations
  • Integrate risk analysis and risk management into business processes
  • Ensure audit controls are in place to record and examine information system activity
  • Implement regular review of information system activity
  • Utilize multi-factor authentication to ensure only authorized users are accessing electronic protected health information (ePHI)
  • Encrypt ePHI to guard against unauthorized access to ePHI
  • Incorporate lessons learned from incidents into the overall security management process
  • Provide training specific to the organization and job responsibilities on a regular basis; reinforce workforce members’ critical role in protecting privacy and security

About Compliancy Group

Solve healthcare compliance challenges quickly and confidently with Compliancy Group’s simplified software. Whether you need HIPAA, OSHA, SOC 2, or all three, your compliance program is fully customizable. Remove the complexities and stress of compliance, increase patient loyalty and the profitability of your business, and reduce risk. Endorsed by top medical associations, clients can be confident in their compliance program.