Is your organization a business associate? You could be subject to enforcement action if you fail to protect health information within your control from ransomware attacks.  

In October, for the first time, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a settlement agreement with a Health Insurance Portability and Accountability Act (HIPAA) business associate that was the victim of a ransomware attack. The business associate paid $100,000 to resolve allegations that it had failed to sufficiently protect the privacy and security of health information within its control.

Doctors’ Management Services (DMS), a medical practice management company that provides services such as medical billing and payor credentialing, acts as a business associate to several covered entities. On April 22, 2019, DMS informed HHS that DMS’s network server had been infected with GandCrab ransomware, affecting the electronic protected health information (e-PHI) of approximately 200,000 individuals. Although the initial intrusion occurred on April 1, 2017, DMS apparently did not detect the intrusion until December of the following year, when the ransomware was used to encrypt DMS’s files.

OCR’s investigation found evidence that DMS had failed to appropriately monitor its health information systems’ activity (for example, through audit logs, access reports and security incident tracking reports) and had failed to implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule.

Under the settlement agreement, DMS agreed to pay $100,000 and to submit to a Corrective Action Plan under which DMS must update its Risk Analysis regarding the potential risks to the confidentiality, integrity and availability of e-PHI held by DMS, and provide documentation supporting a review of its current security measures and the level of risk to its e-PHI associated with network segmentation, network infrastructure, vulnerability scanning, logging and alerts and patch management. DMS must also provide workforce HIPAA training (among other things). OCR will monitor DMS for three years to ensure compliance.

In a press release announcing the settlement, OCR stated that in the past four years, there has been a 239% increase in large hacking-related breaches reported to OCR, and a 278% increase in ransomware. This settlement underscores that ignorance is no excuse; ransomware and hacking are a critical concern in health care, and entities subject to HIPAA have an affirmative obligation to understand and defend protected health information (PHI) against such cyber threats. Failure to do so may expose your organization to enforcement action – even when it is the victim, not the perpetrator, of a ransomware attack.

Best practices to mitigate or prevent cyber threats include (1) actively and regularly identifying and addressing your system’s cybersecurity vulnerabilities and (2) reviewing vendor and contractor relationships to ensure business associate agreements are in place (where appropriate) and that those agreements address breach/security incident obligations.