Recent HIPAA Settlement Highlights the Threat of Ransomware Attacks in the Healthcare Industry

November 28, 2023
Learn about the recent HIPAA settlement highlighting the growing threat of ransomware attacks in healthcare, why HIPAA compliance matters, and how Accountable can help.


The recent settlement announced by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) over a ransomware attack on Doctors’ Management Services highlights the growing threat of ransomware to the healthcare industry.

Background on the Recent HIPAA Settlement

The settlement involved Doctors’ Management Services, a Massachusetts medical management company that provides services including medical billing and payor credentialing, and that is therefore subject to the HIPAA Privacy, Security, and Breach Notification Rules governing how protected health information must be safeguarded. The incident affected the electronic protected health information (ePHI) of 206,695 individuals and was resolved with a $100,000 settlement. It is the first settlement OCR has reached in an investigation arising from a ransomware attack.

Ransomware and its Impact on Healthcare

Ransomware is a type of malware that denies access to a victim’s data, usually by encrypting it with a key known only to the attacker. The data is held hostage until a ransom is paid, and in healthcare the denial of access can also disrupt patient care. This type of attack is having a steadily increasing impact on the healthcare sector.

Increase in Ransomware Attacks in the Healthcare Industry

Over the past four years, there has been a 239% increase in large breaches reported to OCR involving hacking and a 278% increase in ransomware. In 2023 alone, hacking accounted for 77% of the large breaches reported to OCR.

OCR's Efforts to Improve Data Security

OCR Director Melanie Fontes Rainer highlighted the importance of identifying and addressing cybersecurity vulnerabilities on a regular basis. She stressed the need for healthcare systems to proactively review their risks and records and to update their policies in order to prevent future attacks.

Details of the Doctors' Management Services Case

On April 22, 2019, Doctors’ Management Services filed a breach report with HHS stating that approximately 206,695 individuals were affected when its network server was infected with GandCrab ransomware. The initial unauthorized access to the network occurred on April 1, 2017, but Doctors’ Management Services did not detect the intrusion until December 24, 2018, when the ransomware was used to encrypt its files. That is roughly twenty months during which an intruder had access to the network before the encryption made the compromise visible.

OCR's Investigation Findings

OCR’s investigation found evidence of potential failures by Doctors’ Management Services to conduct a risk analysis identifying the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included insufficient monitoring of activity on its health information systems, which is what allowed the intrusion to go unnoticed for so long, and a lack of policies and procedures to implement the requirements of the HIPAA Security Rule.

Terms of the Settlement Agreement

Under the terms of the settlement agreement, Doctors’ Management Services agreed to pay $100,000 to OCR and to implement a corrective action plan, and OCR will monitor the company for three years to ensure compliance with HIPAA.

Recommendations to Mitigate Cyber-Threats

OCR recommends that health care providers, health plans, clearinghouses, and business associates review all vendor and contractor relationships; conduct regular risk analysis and risk management; ensure audit controls are in place; implement regular review of information system activity; use multi-factor authentication; encrypt ePHI; incorporate lessons learned from incidents into the overall security management process; and provide training specific to the organization and to each person’s job responsibilities.
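The “regular review of information system activity” recommendation above, and the finding that monitoring was insufficient to notice a twenty-month intrusion, are the two points a practitioner most wants made concrete. The following Python is an added example, not code from the page, from OCR, or from Doctors’ Management Services. It runs a simple burst detector over a constructed file-server audit log: a ransomware encryptor modifies and renames far more files per minute than any human user, so counting modifying events per account in a sliding window surfaces it. The log format, host and user names, paths, the 60-second window and the 50-event threshold are all assumptions chosen for illustration.

```python
"""Burst detection over a constructed file-activity audit log.

Added example: not code from the page, from OCR or from Doctors' Management
Services. The log format, host and user names, paths, window and threshold
are assumptions chosen for illustration and must be tuned per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that change data on disk; reads alone do not indicate encryption.
MODIFYING = {"write", "rename", "delete"}


def _constructed_log() -> str:
    """Build a constructed sample log (not real data).

    The first lines are ordinary daytime billing activity. The rest are a
    single service account writing and renaming forty files to a new
    extension within twenty seconds, the pattern an encryptor produces.
    """
    lines = [
        "2018-12-23T09:15:02 host=fs01 user=jdoe action=read path=/claims/2018/c1001.pdf",
        "2018-12-23T09:15:40 host=fs01 user=jdoe action=write path=/claims/2018/c1001.pdf",
        "2018-12-23T09:20:11 host=fs01 user=asmith action=read path=/claims/2018/c1002.pdf",
        "2018-12-23T11:02:55 host=fs01 user=jdoe action=write path=/claims/2018/c1003.pdf",
    ]
    base = datetime(2018, 12, 24, 2, 14, 1)  # constructed timestamp
    for i in range(40):
        ts = (base + timedelta(seconds=i // 2)).isoformat(timespec="seconds")
        path = f"/claims/2018/c{1000 + i}.pdf.xyz"  # '.xyz' is a made-up extension
        lines.append(f"{ts} host=fs01 user=svc_scan action=write path={path}")
        lines.append(f"{ts} host=fs01 user=svc_scan action=rename path={path}")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_line(line: str) -> dict:
    """Parse one 'TIMESTAMP key=value key=value ...' line into a dict."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_bursts(log_text: str,
                  window: timedelta = timedelta(seconds=60),
                  threshold: int = 50) -> dict:
    """Return one alert per (host, user) whose modifying file events reach
    `threshold` inside any span of length `window`.

    Each alert records when the burst started, how many events fell in the
    window at its peak, and the file extensions involved, which is what an
    analyst needs to tell a backup job from an encryptor.
    """
    recent = defaultdict(deque)  # (host, user) -> events still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event.get("action") not in MODIFYING:
            continue
        key = (event["host"], event["user"])
        queue = recent[key]
        queue.append(event)
        # Drop events that have aged out of the sliding window.
        while queue and event["ts"] - queue[0]["ts"] > window:
            queue.popleft()
        if len(queue) >= threshold:
            exts = sorted({e["path"].rsplit(".", 1)[-1]
                           for e in queue if "." in e["path"]})
            alert = alerts.setdefault(key, {"first_seen": queue[0]["ts"],
                                            "events": 0, "extensions": exts})
            alert["events"] = max(alert["events"], len(queue))
            alert["extensions"] = exts
    return alerts


if __name__ == "__main__":
    for (host, user), alert in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host} {user}: {alert['events']} modifying events "
              f"since {alert['first_seen']}, extensions {alert['extensions']}")
```

Backup jobs, antivirus scanners and bulk document migrations produce the same shape of burst, so in practice the accounts running those jobs are allowlisted and the threshold is set from a baseline of each environment’s normal activity. The point of the example is not the specific numbers but that the review is continuous and automated; a log nobody reads would not have shortened the twenty-month gap in the case above.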

OCR's Guidance and Support for Data Privacy and Security

OCR regularly provides guidance and information to the health care industry to support data privacy and security. In October, which is Cybersecurity Awareness Month, OCR did the following to support improved cybersecurity.

In conclusion, healthcare organizations must identify and address cybersecurity vulnerabilities, review their risks regularly, and update their policies to prevent future attacks. Accountable is committed to helping medical-related businesses mitigate cyber-threats and maintain HIPAA compliance.


Expert compliance support, on-demand

Accountable Compliance Success Managers are dedicated to making sure your company is fully compliant as we guide you step-by-step through the process of achieving HIPAA compliance.