The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) imposed a $240,000 civil monetary penalty against Providence Medical Institute in connection with a ransomware attack that revealed vulnerabilities in the Institute’s systems and potential HIPAA violations.

The Institute was the victim of a series of ransomware attacks in 2018 that compromised the protected health information (PHI) of over 85,000 individuals. The Institute reported the breach to OCR, as required by HIPAA, which triggered an investigation. OCR found several potential violations of HIPAA, including that the Institute failed to maintain business associate agreements with its contractors and failed to implement policies and procedures to limit access to PHI to only authorized persons. The Institute did not contest OCR’s findings.

In its press release, OCR emphasized that ransomware is the primary cyber-threat in the healthcare industry and that healthcare entities should stay alert and take appropriate precautions to protect their systems. OCR Director Melanie Fontes Rainer explained, “Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information.”

OCR recommends that healthcare entities and their business associates take the following steps to mitigate and prevent cyber-threats:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes, conducting them regularly and whenever new technologies and business operations are planned.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing electronic PHI.
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to the organization and to job responsibilities, on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

Sign up to receive Rivkin Rounds at www.RivkinRounds.com.