A Bloody Mess – Ep 471 

August 16, 2024

By Donna Grindle

Navigating healthcare cybersecurity is like walking through a minefield—you never know which step could trigger the next explosion. In this episode, we’re diving headfirst into the bloody mess of ransomware attacks that have turned hospitals and blood banks into a logistical nightmare. Amidst the chaos, Health-ISAC and the American Hospital Association are urging special consideration for critical supply chain entities. It’s a wild ride through the chaos that one click can unleash on healthcare, and how the ripple effects can leave everyone scrambling to pick up the pieces.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Say What!?!

[02:36]

American Medical Response Notice of Final Determination

American Medical Response Notice of Proposed Determination

This is OCR’s 49th HIPAA Right of Access enforcement action, this time against American Medical Response (AMR) for failure to provide timely access. This one is a civil money penalty (CMP), not a settlement with a corrective action plan (CAP), which is what we normally see. That is why it is $115,200.

“HIPAA gives patients a right to timely access to their medical records,” said OCR Director Melanie Fontes Rainer. “OCR will continue to enforce this right through investigations, and when necessary, by imposing civil money penalties.”

This one goes way back. It looks like there was a touch of animosity involved. Not sure how this one got so bad, but here is what happened:

On October 31, 2018, the patient sent a request via fax to AMR asking that a copy of their medical records, including “all billing records pertaining to treatment rendered for 9/15/2015 injury date; Patient Balance Verification; all medical records pertaining to treatment rendered for 9/15/2015 injury date,” be sent to them in electronic format. They got confirmation the fax arrived at the required number for AMR.

On November 8, 2018, the patient mailed a copy of their October 31, 2018, access request to AMR’s Seattle, Washington office via certified mail to an address that AMR does not dispute belongs to AMR’s Seattle office. They received confirmation from the USPS that the access request was successfully delivered on November 13, 2018.

On January 24, 2019, they sent two follow-up access requests. One was sent to AMR’s Los Angeles office via certified mail and the other was sent to Centrex, AMR’s Business Associate (BA), via a fax number belonging to the BA. The patient received confirmation that their fax transmission was successful. Both AMR and their BA confirm they got the requests at that point.

On March 1, 2019, 121 days after the initial request, AMR sent the patient an invoice requiring payment before AMR would provide the requested records.

On March 18, 2019, the patient sent a follow-up letter that reiterated the multiple requests and asked for the records in electronic format within 7 days, or they were going to contact OCR.

On July 29, 2019, the complaint was filed with OCR. The patient obviously had a lot of details about the situation when they did it.

On October 9, 2019, OCR notified AMR and asked for copies of the patient access policies and procedures.

When OCR got the response explaining how AMR was managing these requests, it was a convoluted mess. You were supposed to submit requests to the Seattle office, as the patient did, then Seattle would send it to the LA office, which would then send it to Centrex for processing. Clearly that wasn’t working, but even when the patient sent the request directly to LA and to Centrex, that didn’t work either. Wow, the processes were a mess!

After that, AMR said “our bad” and “amended its internal procedures to streamline and better track access requests”. They finally sent the records to the patient on November 5, 2019, which was 370 days after the request. Over one year later.

Then, things get a bit weird according to the proposed determination. Clearly, this was a huge failure to meet their obligations for patient access. They confirmed it was their own procedures that failed to meet deadlines.

Then, 2020 happened……

  • August 3, 2021, OCR notified AMR of the results of OCR’s investigation and offered AMR an opportunity to resolve the matter informally.
  • August 9, 2021, AMR responded to OCR through counsel asking OCR to “reconsider its position.” But they didn’t provide any kind of counteroffer or engage in any negotiations with OCR. It seems like they meant OCR shouldn’t do anything at all?
  • April 15, 2022, OCR sent a Letter of Opportunity (LOO) that said, in effect, “we found you failed to comply with the Privacy Rule.” They asked AMR to submit written evidence of mitigating factors or affirmative defenses for them to consider in support of a waiver of a CMP.
  • May 16, 2022, AMR sent information back, but OCR determined that the information and arguments submitted by AMR did not support an affirmative defense.
    • AMR asserted that HIPAA’s affirmative defense bars any CMP, as a matter of law, because any violation was not due to willful neglect and was timely corrected.

OCR said AMR did not timely correct the violation in this matter. (The affirmative defense AMR relied on only applies when the violation is corrected within 30 days of when the entity knew, or by exercising reasonable diligence would have known, of it.) They pointed out that the patient sent a valid request twice to AMR’s own offices, and AMR still didn’t send the records to the patient until November 2019.

Looks like it has been going back and forth since then.

Here is how they got to the penalty amount:

The appropriate penalty tier for this violation from December 1, 2018, to February 28, 2019, is Reasonable Cause. The count starts December 1, 2018, the day after the 30-day deadline for acting on the October 31 request ran out, and runs through the day before AMR’s March 1 invoice:

Calendar Year 2018: 31 days from December 1, 2018, to December 31, 2018, at $1,280 per day (CMP of $39,680)

Calendar Year 2019: 59 days from January 1, 2019, to February 28, 2019, at $1,280 per day (CMP of $75,520)

Total CMP: $115,200

If you want to understand how they look at things this proposed determination letter includes a lot more details.

This is the 49th case in the Right of Access initiative. OCR also has plenty of information out on the security risk analysis (SRA) enforcement initiative that has started.

But, as we have to explain when people ask why OCR doesn’t just make them do these things: that is not an easy task with very few resources and constantly shrinking enforcement tools.

A Bloody Mess

[12:39]

Southeast hospitals impacted by cyberattack on OneBlood; AHA, Health-ISAC post updated advisory on cyberattacks against health care suppliers | AHA News

They keep finding ways to impact patient care. You can’t get blood and labs!

American Hospital Association and Health-ISAC Joint Threat Bulletin –

The recent ransomware attacks on OneBlood, Synnovis, and Octapharma by Russian cybercrime ransomware gangs resulted in a massive disruption to patient care. The outcomes of these attacks highlight the need to incorporate mission-critical and life-critical third-party suppliers into enterprise risk management and emergency management plans to maintain resiliency and redundancy in the modern digitally connected healthcare ecosystem.

Attack #1: On July 30, 2024, Florida-based blood supplier, OneBlood, experienced a software outage that is impacting their ability to ship blood products to hospitals in the region. The outage, caused by a ransomware attack, has forced the organization to resort to manual labeling of blood samples.

There are so many blood samples in the OneBlood inventory that taking the time to manually process them is causing major shipping delays. The resulting blood shortage is so severe that the Florida Hospital Association (FHA) has recommended that affected hospitals begin to activate critical blood shortage protocols.

Attack #2: On June 3, 2024, the pathology provider Synnovis was attacked by the QiLin ransomware gang resulting in multiple London hospitals being unable to provide healthcare services. The disruption caused numerous hospitals to reschedule appointments and postpone operations.

According to the United Kingdom’s National Health Service (NHS), the attack delayed more than 800 planned operations, and 700 outpatient appointments needed to be rescheduled. The attack caused thousands of O-negative and O-positive blood donations to be destroyed because of a lack of connectivity to electronic health records (EHR), making it too difficult to rapidly identify a patient’s blood type.

Attack #3: On April 15, 2024, the BlackSuit ransomware gang attacked blood plasma provider Octapharma through a vulnerable VMware system, resulting in the closure of over 190 plasma donation centers in 35 U.S. states. According to the BlackSuit cybercriminals, the group was able to steal sensitive donor information as well as donor-protected health information (PHI) during the attack. It is speculated that BlackSuit is a rebrand of the ransomware gang Royal. The attack also closed facilities that manufactured plasma, delaying the transfer of life-saving plasma to hospitals across the U.S. and EU. The U.S. Octapharma centers accounted for nearly 75% of the supply of plasma used in Octapharma therapies. Because of this, the shutdown of the U.S.-based supply of plasma likely caused a major disruption to patient care in both the U.S. and the EU.

Health-ISAC and the AHA recommend that special consideration be given to critical supply chain entities. These elements can be identified through three criteria:

  • being essential to the healthcare mission,
  • having catastrophic consequences if they fail, and
  • the lack of suitable alternatives.
The following specific recommendations are provided to assist healthcare organizations in preparing for the impact of the loss of mission- and life-critical third parties and supply chains:

  • Develop and implement a multi-disciplinary Third-Party Risk Management (TPRM) governance committee and program in which each represented function identifies, on an ongoing basis, those third parties and supply chain which are life-critical, mission critical and business-critical for each function. Assess strategic and technical risk for each.
  • Develop continuity procedures for each to sustain a loss of those critical services and supplies for 30 days or longer. These should be developed with the objective of sustaining business operations and continuing safe, quality care.
  • Thoroughly document, test and update continuity plans and downtime procedures for each, at least annually.
  • Risk prioritize and stratify identified entities on an enterprise level and include other criteria such as:
    • Storage or access to sensitive data
    • Network access – privileged access
    • Foreign operations and subcontractor risk
    • Technical cybersecurity posture currently and ongoing monitoring
    • Consider aggregate risk from the third parties for multiple services provided
    • Develop customized risk-based cybersecurity requirements for each
    • Develop customized risk-based cyber insurance requirements for each
    • Breach notification and responsibility requirements
    • All risk-based requirements should be contractual and included in business associate agreements and third-party contracts

It doesn’t look like it will be getting better soon.

[27:54]

Record-Breaking $75 Million Ransom Paid To Dark Angels Gang

The Zscaler ThreatLabz researchers stated they had tracked an increase in ransomware attacks of 18% year-on-year, with healthcare, manufacturing and technology being the hardest hit by the cybercrime gangs. Manufacturing saw more than twice as many attacks as the other two industry groups put together.

When it comes to geographical targeting, the U.S. attracts almost half of all ransomware attacks, with the U.K. right behind. Year-on-year, the U.S. has seen an astonishing 93% rise in the number of ransomware attacks, the researchers said.

National Public Data Breach Exposes 2.9 Billion Sensitive Records Of U.S. Citizens – Dataconomy

The national public data breach involved National Public Data, a background check and person verification company based in Coral Springs, Florida. This company provides API data lookups to other organizations, acting as a low-key data broker. The breach was alarming not only due to the sheer volume of records but also because of the depth of information included.

The leaked data was verified to be authentic, with details such as first names, last names, addresses, address histories spanning three decades, Social Security numbers, and familial relationships.

For those who ask why someone isn’t doing something.

[44:06]

FBI Flies 65-Strong Cyber Action Team Across Globe To Fight Hackers

Meet the Cyber Action Team — FBI

IT Hero!

[46:20]

How a cheap barcode scanner helped fix CrowdStrike’d Windows PCs in a flash

Just like a single crack can shatter an entire windshield, one overlooked vulnerability can bring a healthcare system to its knees. It’s clear that ransomware isn’t just a digital headache—it’s a full-blown crisis with real-world consequences, from blood shortages to delayed surgeries. The message is loud and clear: when it comes to protecting critical supply chains, especially in healthcare, there’s no room for complacency. One click can create chaos, but with the right precautions, we can keep things from turning into a bloody mess.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.

HelpMeWithHIPAA.com Is A Collaborative Project

Created & Sponsored By: