Ransomware Inevitable, Lack of Readiness Not

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure

On September 26, 2024, the Office for Civil Rights announced another settlement stemming from a ransomware attack. The settlement is just the latest one imposed by OCR stemming from a cyberattack. It may feel like rubbing salt in a wound, but the details behind the settlement (at least the minimum ones available) provide a little bit more insight.

The Settlement Details

The settlement involved Cascade Eye and Skin Centers, P.C. (Cascade). As indicated by OCR, OCR received information on May 26, 2017 that Cascade had experienced a ransomware attack in March of 2017. The settlement does not state how OCR received the information. Did Cascade voluntarily report the ransomware attack? Did a news article reveal the issue? Did some individual drop a dime about the issue? Knowing how OCR learned about the attack would help in understanding what happened after OCR learned of it.

The other point worth noting is that Cascade’s settlement stems from a ransomware attack in 2017. While the pace of attacks had been picking up at that time, ransomware was not yet the roughly daily occurrence it has unfortunately become. Remember, the number of ransomware and other cyberattacks increased significantly following the advent of the COVID-19 pandemic. Did this one stand out because attacks were not quite as frequent in 2017?

Moving beyond those questions, OCR pointed out two specific alleged deficiencies in Cascade’s implementation of HIPAA requirements. The instances of non-compliance identified by OCR were: (i) failing to conduct the required risk analysis and (ii) not regularly reviewing system activity records. Both of those alleged failings fed into not being prepared for and not more quickly mitigating the effects of the ransomware attack.

The end result for Cascade from the attack was a settlement payment of $250,000 after what seems to be a 7-year-long investigation and resolution process. What happened during that period of time in the interactions between OCR and Cascade? Was there some lack of cooperation that played into the settlement? The answers to those questions won’t be known unless either Cascade or OCR (really unlikely) wants to get into any more of the details.

What to Take Away

As so often, the biggest takeaway from the settlement is that every organization must regularly conduct its risk analysis. The missing risk analysis is one of the most consistently identified non-compliance findings in the numerous HIPAA settlements that OCR has now reached. Hopefully, this reminder is not necessary, but a risk analysis is a fundamental piece of complying with the HIPAA Security Rule. Without it, it is arguably very difficult to fully implement all of the required and addressable elements laid out in the Security Rule. How can organization-specific policies and procedures be developed and implemented if the actual issues that the organization faces aren’t known? To OCR (and arguably under the HIPAA regulations), compliance cannot occur without that risk analysis.

To the extent a healthcare organization has never conducted a risk analysis or hasn’t done one in some time, run to do it right now. Since the risk analysis is really the first part of the Security Rule, it has to be done, or OCR will just find an easy target to hang a settlement on when a reportable issue inevitably arises. Tools are available to enable the risk analysis to be conducted. That can include resources to help an organization do the analysis internally or to have an outsider come in and, hopefully, get beyond unintentional blind spots.

The second alleged failing noted in the settlement is also important when it comes to assessing a cyberattack. Monitoring system and network activity is a key component of being able to detect when a problem may exist. If a system is subject to thorough monitoring, likely both automated and manual, then the likelihood of detecting suspicious activity earlier increases. If suspicious activity is detected, then appropriate measures can be taken to cut off the issue if the suspicion is borne out to be a real problem.

Conversely, if a system is not monitored (as allegedly occurred with Cascade), then an intrusion can continue for a longer period of time and compromise more information. That is problematic in many ways, not just from a HIPAA viewpoint.

Since network monitoring is essential, appropriate tools must be utilized and warnings must not be ignored. Both of those, along with other actions, call for a serious investment of time, resources, and money. While it may be difficult to ascertain the return on those investments, it should be clear that protecting privacy and security is the return in and of itself. If an organization cannot prevent others from taking patient data, then the impact will be felt for years to come.

What’s Next?

Determining what further actions OCR will take from all of the cyberattacks that have been reported is probably a fruitless exercise in guesswork. OCR will go its own way and leave the industry to grasp at straws as to why one organization faced a settlement and another did not. That won’t stop speculation. Leaving aside the speculating, it is still important to note the areas of non-compliance that OCR identifies in every settlement and use them as a reminder to check one’s own compliance program and plan to make sure no element is missed.

This article was originally published on The Pulse blog and is republished here with permission.