
The number of ransomware attacks impacting critical services and compromising personal information continues to rise, and attackers are demanding higher and higher ransoms. Today, we discuss this pressing issue, the implications of ransomware attacks, the ethical considerations of paying ransoms, and the urgent need for preventative measures.
In this episode:
Ban Ransomware Payments? – Ep 441
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
The HIPAA Privacy and Security Boot Camp: a 3.5-day in-person event, April 9, 10, 11 and 12, 2024. PriSecBootCamp.com
HIPAA Say What!?!
[06:41] A new settlement to start off the year. HHS OCR announced that a resolution agreement was reached with Optum Medical Care of New Jersey, P.C. (formerly known as Riverside Pediatric Group, P.C. d/b/a Riverside Medical Group) over patient access to medical records. The group is a large private multi-specialty physician group with approximately 150 locations serving patients throughout New Jersey and Southern Connecticut. The case goes back to the fall of 2021, when 6 complaints were filed within a short period of time. On October 5, October 18, October 22, November 1, November 17 and November 18, 2021, OCR received a new individual complaint about not getting records.
The investigation found that in each case they were violating the timely access rules. It isn’t clear exactly what happened, but it involved their Care Coordination Center’s email account and also 4 physical locations.
The resolution amount is $160,000, plus a corrective action plan (CAP) that runs for only a year, so they must have made some changes already. At least, that was the case in previous resolutions with shorter-than-normal CAPs. Although it is just one year, it also includes reporting every 90 days:
Here are the specific reports required:
- Within ninety (90) calendar days of HHS’s approval of the Policies and Procedures required by Section V.A.1, and every ninety (90) days thereafter while under the Term of this CAP, OMCNJ shall submit to HHS a report which includes a monthly count of all requests for access to PHI received by OMCNJ via all submission modalities except via its business associate, Ciox. The report shall also include:
  - the date the request was received,
  - the date OMCNJ provided written notice that OMCNJ is extending the thirty (30)-day time period for OMCNJ to respond to the request (if applicable),
  - the date the request was fulfilled, the format requested, the format provided,
  - the number of pages (if provided in paper format), fee charged (if any), excluding postage,
  - and, if records were emailed to the requestor, whether OMCNJ either
    - confirmed the requestor’s receipt of the emailed records, or
    - has no indication that its email(s) to the requestor were not received.
- If OMCNJ denied any request for access, in whole or in part, OMCNJ shall submit to HHS all documentation consistent with 45 C.F.R. § 164.524(d).
It may be worth it for CEs to create similar reports and review them internally on a regular basis. I would strongly consider it.
Ban Ransomware Ransom Payments?
[16:17] The State of Ransomware in the U.S.: Report and Statistics 2023
Emsisoft Malware Labs published this report just after the New Year. They gathered details from different published sources, which means we get a huge rabbit hole to go down checking all the details.
Emsisoft’s report goes right for the core of a discussion we hear many times: don’t allow organizations to pay any ransom and the bad guys will have no choice but to move on. They pointed out that the average payment in 2018 was $5K, but by 2023 it was up 29,900% to $1.5m. It is not getting better out there. That money goes to funding investment in new approaches and methods of attack. They aren’t the only ones bringing this up. The Path to Banning Ransomware Payments was published in Dec by the Center for Cybersecurity Policy and Law.
The first thing they hit you with is a quote from an article in Stat News’ First Opinion: We tried to quantify how harmful hospital ransomware attacks are for patients. Here’s what we found.
The referenced article opens by discussing a CT hospital that dealt with a ransomware attack in August. The researchers pointed out that what we know usually happens actually did happen. They diverted ambulances, canceled elective surgeries, lost access to their tools like the EHR and x-rays and scans, and had to go back to paper. They also pointed out that it took almost 6 weeks to get all services back up and running. This was a big ransomware attack that hit 16 hospitals and other healthcare facilities all at the same time; the attackers were asking for 1.3 million dollars from one medical holdings company. So this made the authors question how this impacts patient care. They did the research and published a paper on it.
Hacked to Pieces? The Effects of Ransomware Attacks on Hospitals and Patients
It is an interesting read, with several really good points. Along with their quote on Medicare death estimates, they also say this:
We have discussed before that the broad impact of an attack isn’t just on that organization but also on the entire surrounding area that has to handle things being rerouted to them. They have no idea it is coming either, so they get overwhelmed quickly. Yes, we have learned about that impact recently, but their point is very interesting. If we ask how many hospitals were hit by ransomware, you hear numbers like less than 5%. That doesn’t sound good, but it is not as bad as you would expect. Change that perspective to address the broad blast radius of that attack and you get to a whole new consideration: 25% of all hospital markets have been impacted by a ransomware attack.
Still more disturbing is the acknowledgement that the criminals will continue to become more aggressive. We discussed the case before where they reported a victim for not reporting the attack as they are required to. This is by far the worst one I have seen. I sincerely hope it doesn’t become the new standard like data exfiltration has become. They threatened to SWAT the patients in the data stolen from a cancer center.
[28:32] Which brings us to the question of how you do this. The Center for Cybersecurity Policy and Law’s proposal for getting started on banning payments was to include more regulations on what kind of cybersecurity protections must be in place. It includes other things too, but regulations are what we are about around here. That brings us back to what we have been talking about since HHS published their cybersecurity strategy. States are also acting, and NY just proposed a new set of cybersecurity requirements designed “to supplement existing HIPAA security and privacy requirements” (New York proposes cybersecurity regulations for hospitals | Nixon Peabody LLP). The proposed rules have a lot of the things we talk about all of the time. But the one that will be the most concerning is the one that requires a hospital CISO (hospitals would also be required to have one) to report a cybersecurity incident within 2 hours to the state health department. If you are in NY, the comment period is still open until Feb 5. If approved, we have 1 year to comply with the requirements, except the 2 hour reporting requirement would take effect immediately.
[35:44] This year is shaping up to be one loaded with all kinds of security requirements. Especially because of this Report: Attackers Move Lightning Fast to Capitalize on Vulnerabilities. The hackers are getting more money to invest in getting better and faster because they are making a lot of money. What’s on the horizon for 2024? Well, AI is bringing all kinds of great new features, but also new challenges. HHS is talking about making changes to the HIPAA Security Rule, the first time ever since its initial release. States are coming up with their own new security requirements. NIST is set to release its Cybersecurity Framework 2.0, most likely this year, and it will now include governance. And more….
We can’t just coast our way through cybersecurity or just do the minimum to protect our networks, data and patients. There are a lot of resources out already to help you improve your cybersecurity posture, and more are coming soon. But we can’t assume or rely on IT solving this problem alone. We have to realize that everybody is on the cybersecurity team and everybody must play their part to help prevent becoming a victim!
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.