It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor. The cost of that missing agreement? $31,000. Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment. The price of those failures? $2.5 million!
Kate Stewart is an Associate in the firm’s Boston office. Kate’s practice involves a variety of regulatory and transactional matters for healthcare providers, including hospitals, physician groups, clinical laboratories, retail health clinics, and pharmacies. Kate counsels health care clients on HIPAA compliance, telemedicine practice, licensure and scope of practice issues, clinical trial compliance, physician contracting and the federal Physician Payments Sunshine Act.
While your business may indeed be a “victim” when hit by a phishing attack, your enterprise can also be responsible for violations of law associated with the incident. Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA). Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.
In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR. That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR. Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures.
The MCPN settlement underscores the importance of risk analyses and workforce training in avoiding phishing scams. Additionally, it is crucial that entities regulated by HIPAA conduct an enterprise-wide HIPAA risk analysis, update that analysis to address new threats, and implement policies and training based on identified risks. Failure to comply with these essential HIPAA requirements can turn a relatively routine breach investigation into a $400,000 settlement.
A copy of the MCPN resolution agreement and corrective action plan is available here. OCR’s press release on the settlement is available here. General Security Rule guidance from OCR is available here.
The FBI has issued new guidance specifically applicable to medical and dental facilities regarding the cybersecurity risk of File Transfer Protocol (“FTP”) servers operating in “anonymous” mode. FTP servers are routinely used to transfer information between network hosts. As further described in the guidance, an FTP server can be configured to permit anonymous users (who log in with a common user name such as “anonymous” and no password) to gain access to the information stored on the server, which might include sensitive information about patients. In addition to potentially directly compromising the security of the stored information, a hacker could use the FTP server in anonymous mode to launch a cyber attack on the entity.
The FBI provides the following specific guidance, which Covered Entities and Business Associates should heed:
The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI [Protected Health Information] or PII [Personally Identifiable Information] is not stored on the server.
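The check the FBI describes can be scripted so IT staff can run it against an inventory of the organization’s own FTP servers. The following is an added example written for this post (not FBI or Mintz code) using Python’s standard `ftplib`; the localhost stub server is constructed purely so the example runs offline, and the hosts and contact address are placeholders.

```python
import ftplib
import socket
import threading

def anonymous_login_allowed(host, port=21, timeout=5):
    """True if host:port accepts an anonymous FTP login, False if it refuses the
    login, None if no FTP service could be reached (closed, filtered, timed out)."""
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            # Conventional anonymous credentials; the "password" is a constructed contact address.
            ftp.login("anonymous", "ftp-audit@example.invalid")
            return True
    except ftplib.error_perm:        # 530 "Login incorrect" or similar: anonymous refused
        return False
    except (OSError, EOFError):      # connection refused, timeout, or server closed early
        return None

def audit_hosts(targets):
    """Run the check over an inventory of (host, port) pairs belonging to your own
    network and return only the servers that need attention: anonymous mode enabled."""
    return [(h, p) for h, p in targets if anonymous_login_allowed(h, p) is True]

def start_stub_ftp(allow_anonymous):
    """Constructed for offline demonstration only: a minimal localhost FTP stub that
    answers USER/PASS/QUIT with the reply codes a real server uses. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rw", encoding="ascii", newline="") as io:
            io.write("220 stub FTP ready\r\n"); io.flush()
            for line in io:
                cmd = line.strip().upper()
                if cmd.startswith("USER"):
                    io.write("331 Password required\r\n")
                elif cmd.startswith("PASS"):
                    io.write("230 Login OK\r\n" if allow_anonymous else "530 Login incorrect\r\n")
                elif cmd.startswith("QUIT"):
                    io.write("221 Goodbye\r\n"); io.flush()
                    break
                else:
                    io.write("502 Not implemented\r\n")
                io.flush()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    open_port, closed_port = start_stub_ftp(True), start_stub_ftp(False)
    print(audit_hosts([("127.0.0.1", open_port), ("127.0.0.1", closed_port)]))
```

A `True` result for a production host means anonymous mode is enabled and the server must be confirmed to hold no PHI or PII, as the FBI guidance states; a `None` result only means no FTP service answered and is not proof the host is safe.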
Coupled with recent advice from FBI Director James B. Comey on ransomware, which we blogged about here, this latest guidance from the FBI demonstrates the seriousness of the potential cybersecurity threats facing healthcare entities.
The HHS Office for Civil Rights (“OCR”) officially launched the long-awaited (and dreaded) Phase 2 of the HIPAA Audits Program on March 21st. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails (check your spam filter!) from OCR that will begin the audit process.
Why Audits? Why Now?
The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits only examined Covered Entities, and the results were generally disappointing. Only 11% of the entities audited had no findings or observations, and many findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2.
We have seen many variations of ransomware attacks on the increase lately. Cryptolocker and Cryptowall are the two most prevalent threats, but a Forbes article about the HPMC attack revealed that HPMC was victimized by a variant called “Locky,” which, according to the Forbes article, is infecting about 90,000 machines a day.
Details of the HPMC Incident
On February 2, 2016, three days before the HPMC attack, the Department of Health & Human Services Office for Civil Rights (“OCR”) announced the launch of its new Cyber-Awareness Initiative. That announcement included information on ransomware attacks and prevention strategies. Suggested prevention strategies from OCR included:
- Backing up data onto segmented networks or external devices and making sure backups are current. That protects you from data loss of any kind, whether caused by ransomware, flood, fire, loss, etc. If your system is adequately backed up, you may not need to pay ransom to get your data unlocked.
- Don’t be the low-hanging fruit: Ensuring software patches and anti-virus are current and updated will certainly help. Many attacks rely on exploiting security bugs that already have available fixes.
- Installing pop-up blockers and ad-blocking software.
- Implementing browser filters and smart email practices.
Most of these prevention strategies are HIPAA security and overall general business security measures that ought to be in place for companies across the board. As OCR and the FBI (see below) both indicate, smart email practices and training the workforce on them are key elements to preventing phishing scams. If you are a HIPAA-covered entity, you should be checking in with Mintz’s Health Law & Policy Matters blog on a regular basis.
FBI on Ransomware
One of the big questions arising out of the HPMC and other ransomware cases is: do we pay? If your business is about to grind to a halt, you likely have no choice. However, the incident should first be reported to the FBI and discussed with forensics and legal experts who have experience with ransomware in particular. The FBI’s Ransomware information page provides some tips. Ransomware attacks should be part of your incident response plan and the “what do we do” should be discussed at the highest levels of the company.
When in Doubt, Don’t Be a Click Monkey!
Before clicking on a link in an email or opening an attachment, consider contextual clues in the email. The following types of messages should be considered suspicious:
- A shipping confirmation that does not appear to be related to a package you have actually sent or expect to receive.
- A message about a sensitive topic (e.g., taxes, bank accounts, other websites with log-in information) that has multiple parties in the To: or cc: line.
- A bank with whom you do not do business asking you to reset your password.
- A message with an attachment but no text in the body.
All businesses in any sector need to take notice of the HPMC attack and take steps to ensure that they are not the next hostages in a ransomware scheme.