Yolanda Sims, JD, MHA
Loss Prevention and Risk Management Advisor

Overview of Ransomware Attacks in Healthcare

In October, the U.S. Department of Health and Human Services (HHS) released a new video to raise awareness about ransomware trends in the healthcare industry. The guidance is timely given the Office of Civil Rights (OCR) has reported a 264% increase in large ransom breaches since 2018, leading to significant risks for HIPAA compliance.

The most recent OCR settlement published on September 26, 2024, involved Cascade Eye & Skin Centers, PC, a privately owned healthcare provider in the state of Washington, following a ransomware attack. The case highlights the need for strong cybersecurity protocols in the healthcare industry to protect sensitive patient information.

Cascade Eye & Skin Centers’ Ransomware Settlement

OCR’s investigation revealed 291,000 files containing electronic protected health information (e-PHI) were affected. OCR identified multiple potential violations of the HIPAA Security Rule, including:

• Lack of compliance risk analysis to determine the potential risks and vulnerabilities.

• Insufficient monitoring of its health information systems’ activities,
  leaving ePHI unprotected against a cyber-attack.
  

Under the terms of the settlement, Cascade agreed to:

• Pay a $250,000 fine

• Implement a two-year corrective action plan to take steps towards protecting and securing protected health information.

This case serves as a cautionary reminder that HIPAA-regulated entities must abide by obligations mandated by HIPAA rules, even in the wake of a ransomware attack.

OCR Recommendations & Resources for Healthcare Cybersecurity

The HHS video highlights best practices to help healthcare providers prevent, contain, and respond to ransomware attacks. Furthermore, OCR recommends these essential steps for healthcare providers, health plans, clearinghouses, and business associates:

• Review all business associate agreements with vendors to ensure security obligations are met.
• Conduct regular risk analysis and risk management for new technologies and business operations.
• Ensure audit controls are in place to record and examine information system activity.
• Implement regular review of information system activity.
• Implement multi-factor authentication to restrict access to ePHI.
• Encrypt ePHI to guard against unauthorized access to ePHI.
• Incorporate lessons learned from incidents into the overall security management process.
• Provide regular training specific to the organization and job responsibilities; reinforce workforce members’ critical role in protecting privacy and security.

KAMMCO Cybersecurity Tip: To further strengthen your organization’s approach to cyber risk management, access KAMMCO’s cybersecurity resources. Visit the Cyber Risk Management Resource page on the KAMMCO website to access the Breach Solutions Website resource. Should you need additional assistance, contact Yolanda Sims, Loss Prevention and Risk Management Advisor at ysims@kammco.com or 1-800-232-2259.

Closing Thoughts on Ransomeware Preparedness for Kansas Healthcare Providers

As the end of the year approaches, now is an excellent time to revisit your organization’s cybersecurity strategies to prevent and respond to cyber incidents. The HHS video on ransomware awareness provides valuable guidance on preparing for potential attacks and safeguarding patient information. Staying informed on OCR recommendations and investing in strong cybersecurity measures can help your organization remain HIPAA-compliant.

---

Health and Human Services. (2024, Sept. 26) HHS-Office of Civil Rights Settles Ransomware Cybersecurity Investigation Under HIPAA Security Rule. [Press Release]. Retrieved from https://www.hhs.gov/about/news/2024/09/26/hhs-office-civil-rights-settles-ransomware-cybersecurity-investigation-under-hipaa-security-rule-250-000.html