
OCR just announced its first ransomware settlement, emphasizing the importance of proactive cybersecurity measures and the implications for business associates. Ransomware threats are increasingly common, evolve rapidly, and continue to target the healthcare industry, which is why healthcare organizations and their business associates must prioritize cybersecurity.
In this episode:
First OCR Ransomware Settlement – Ep 432
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
HIPAA Briefs
[03:16] Do BAs have to worry about the Breach Notification Rule? Yes. BAs do not always get to just notify their clients of a data breach and walk away. As a matter of fact, when you go to report a breach on the OCR breach portal, it asks if you are a BA reporting it or a CE. Also, many times if a BA caused a data breach, the CE will have the BA report it because they don’t want their name attached to something you caused. And sometimes there is language in the BAA that states that if the BA causes a data breach, then they will be responsible for the notifications to all parties necessary.
BAs need to understand and have policies regarding the Breach Notification Rule so that they know what could be expected of them when it comes to documenting their evaluations of potential breaches. Also, they need to understand what work and costs could be incurred if they are responsible for reporting and notifying patients, OCR and/or the media of a data breach.
First OCR Ransomware Settlement
[05:38] HHS’ Office for Civil Rights Settles Ransomware Cyber-Attack Investigation
Doctors’ Management Services, Inc. Resolution Agreement and Corrective Action Plan | HHS.gov
Doctors’ Management Services is a BA headquartered in MA. They have the honor of being the first published settlement after a ransomware attack on their network. Here’s what we learned in that settlement agreement and announcement.
First, the press release gives us the message OCR is trying to send with this case. This press release was different from usual ones. They are normally short and sweet. This one has the normal stuff, but then a lot of other information about CSAM and OCR Ransomware guidance. The amount of the settlement is $100k but the CAP is 3 years.
Here is the quote from OCR Director Melanie Fontes Rainer:
On April 22, 2019, OCR opened an investigation based on a breach report from DMS, a practice management company that acts as a business associate to several covered entities. The report stated that approximately 206,695 individuals were affected when the DMS network server was infected with GandCrab ransomware. The initial unauthorized access to the network occurred on April 1, 2017; however, DMS did not detect the intrusion until December 24, 2018, after ransomware was used to encrypt their files.
[20:01] The three-year CAP shows, as usual, you must start at the risk analysis. The first part of the CAP is security management: Prior to updating the Risk Analysis, DMS shall develop a complete inventory of all of its facilities, electronic equipment, data systems, and applications that contain or store ePHI that will then be incorporated into its Risk Analysis. DMS shall provide documentation supporting a review of current security measures and level of risk to its ePHI associated with the following: network segmentation; network infrastructure; vulnerability scanning; logging and alerts; and patch management.
For those who think all the BA should worry about is the security rule:
DMS shall review and revise, if necessary, its written policies and procedures to comply with the Federal standards that govern the security standards for the protection of electronic protected health information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). DMS’ updated policies and procedures shall specifically address the Minimum Content set forth in Section V.D.1.
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Risk analysis and risk management should be integrated into business processes; conducted regularly and when new technologies and business operations are planned.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
- Encrypt ePHI to guard against unauthorized access to ePHI.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide training specific to organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.
HC3 Analysis: 8Base Ransomware
HC3 Analysis: NoEscape Ransomware
HC3 Analysis: AI-Augmented Phishing and the Threat to the Health Sector
[40:16] A sample of Ransomware protection recommendations from HICP include:
- Enable multi-factor authentication (MFA) — Deploy multi-factor authentication (MFA) before enabling access to your email system. MFA can prevent hackers who have obtained a legitimate user’s credentials from accessing your system. Make sure that MFA is in place for web access and your local client access. It’s popular to want to use IMAP or POP3 protocols, but these might not support MFA and can leave a back door open to your email mailboxes. (1.S.A)
- Phishing awareness training — Train your employees how to report suspicious messages. These should be reported to the person responsible for maintaining your IT system. That individual or service provider can then advise the employee regarding disposition of the suspicious message (1.S.A,1.S.B) For additional practices check out our “How To” covering cyber workforce training.
- Secure your email system — Configure your email system to tag messages that are sent from outside of your organization as “EXTERNAL”. Consider implementing a tag that advises the user to be cautious when opening such emails, for example, “Stop. Read. Think. This is an External Email.” (1.S.A)
- User management — It is recommended to have a robust Identity and access management (IAM) program that encompasses the processes, people, technologies, and practices relating to granting, revoking, and managing user access. Given the complexities associated with healthcare environments, IAM models are critical for limiting the security vulnerabilities that can expose organizations. A common phrase used to describe these programs is “enabling the right individuals to access the right resources at the right time.” (3.M.A)
- Ensure your endpoints are patched — Patching (i.e., regularly updating) systems removes vulnerabilities that can be exploited by attackers. Each patch modifies a software application, mitigating a vulnerability that has been exposed. Configure endpoints to patch automatically and ensure third-party applications are patched as soon as possible. Automatically update and distribute patches to third-party applications that are known to be vulnerable, such as internet browsers (e.g., Adobe Flash, Acrobat Reader, Java). (7.S.A)(2.M.A) For additional practices check out our “How To” on patching for Small & Medium organizations.
- Restrict inbound Internet access — Limit the amount of connectivity to only those services needed to be exposed to the Internet, and ensure all remote access systems have MFA enabled such as VPNs, VDI and so forth. Organizations should deploy firewall capabilities in the following areas: on wide area network (WAN) pipes to the internet and perimeter, across data centers, in building distribution switches, in front of partner WAN/VPN connections, and over wireless networks (6.M.A).
- Establish data back-up — It is equally important to have a backup strategy in the event of cybersecurity incidents. There will be events that cause an asset, or multiple assets, to be thoroughly compromised. During these events, routine backups can be the only way to ensure proper execution of the recovery phase of your IR process. Fully decommissioning affected assets and restoring them to a time before the compromise occurred is the best method to neutralize the compromise. (4.M.D)
- Establish an incident response process — Create a large-scale cybersecurity incident response plan in coordination with your emergency management and business continuity teams. This large-scale response is designed to allow for the continuity of operations of the business during a cyber-attack. (8.M.B)
HHS/OCR Ransomware Fact Sheet (2016)
FACT SHEET: Ransomware and HIPAA
405(d) Have You Heard – Ransomware
https://405d.hhs.gov/Documents/HYH-Ransomware-R.pdf
405(d) Prepare, React, Recover – Ransomware
https://405d.hhs.gov/Documents/405d-PrepareReactRecover-Ransomware.pdf
In the face of increasing ransomware threats, it is important to be proactive, rather than reactive, when it comes to cybersecurity. Healthcare organizations and their business associates must remain vigilant, proactive, and adaptive in their approach to cybersecurity measures. The first OCR ransomware settlement serves as a pivotal reminder of the stakes involved and why healthcare organizations must implement robust cybersecurity measures and training to fortify their defenses and uphold the trust and well-being of the patients they serve.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.


