OCR fines Providence $240,000 in ransomware case
Providence Medical Institute, a Southern California-based physician services division of the seven-state Providence health system, will pay a $240,000 civil monetary penalty to settle potential HIPAA violations after a ransomware attack.
WHY IT MATTERS
The U.S. Department of Health and Human Services' Office for Civil Rights announced the penalty on October 3, following an investigation, prompted by a ransomware breach report, into Providence Medical Institute's compliance with the HIPAA Security Rule.
OCR launched the probe after receiving an April 2018 breach report indicating that the provider's IT systems had been hit by a series of ransomware attacks that allegedly affected the electronic protected health information of some 85,000 individuals between February and March of that year.
The investigation found that servers containing ePHI were encrypted with ransomware three times. OCR says it uncovered two potential violations of the HIPAA Security Rule – including "failure to have a business associate agreement in place and failure to implement policies and procedures to allow only authorized persons or software programs access to ePHI."
The Security Rule sets national standards to protect electronic protected health information that is "created, received, used, or maintained by" a HIPAA covered entity. Beyond those guardrails, it also requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of ePHI.
"Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information," said OCR Director Melanie Fontes Rainer, in a statement.
This past March, OCR issued a proposal that it would impose a civil money penalty on Providence Medical Institute – which waived its right to a hearing and did not contest OCR’s findings. The penalty of $240,000 resolves the investigation, says OCR.
THE LARGER TREND
Since it first made its unwelcome presence felt on a wide scale about a decade ago, ransomware has become perhaps the primary cybersecurity threat in healthcare. A BakerHostetler report from earlier this year found that it was used in more than 70% of network intrusions in 2023.
Indeed, OCR notes that there has been a whopping 264% increase in large ransomware-based breaches reported to OCR since the Providence case was reported in 2018.
HHS has been emphasizing and reemphasizing the importance of the HIPAA Security Rule in helping offer at least a baseline defense against the ransomware onslaught.
It's calling on providers, health plans, clearinghouses and their business associates to take mitigation steps, such as:
- Reviewing vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Integrating risk analysis and risk management into business processes, conducted regularly and whenever new technologies and business operations are planned.
- Ensuring audit controls are in place to record and examine information system activity.
- Implementing regular review of information system activity.
- Deploying multifactor authentication to ensure only authorized users are accessing ePHI.
- Encrypting ePHI to guard against unauthorized access.
- Incorporating lessons learned from incidents into the overall security management process.
- Providing training specific to the organization and job responsibilities on a regular basis, and reinforcing workforce members' critical role in protecting privacy and security.
And recently, OCR has been stepping up its enforcement after incidents where ransomware infections have been found to result from lax security controls. The Providence case was the fifth such monetary penalty so far. Others include a settlement earlier this year in which a behavioral health practice in Maryland paid $40,000 after a ransomware attack compromised the ePHI of 14,000 people.
Some lawmakers say that's still not enough, and are getting impatient with the steady drumbeat of ransom-based breaches.
This summer, for example, U.S. Sen. Mark Warner, D-Va., wrote to HHS Secretary Xavier Becerra and Deputy National Security Advisor Anne Neuberger, asking them to expedite the development and publication of mandatory minimum cybersecurity standards for the healthcare industry.
This past month, Warner, along with Sen. Ron Wyden, D-Ore., introduced the Health Infrastructure Security and Accountability Act, a bill with "commonsense reforms" aimed at stemming disruptive cyberattacks. The legislation would mandate certain basic cybersecurity protocols while increasing funding to help small and rural hospitals meet the new standards – and also allow for stiff penalties for healthcare executives who lie about their organizations' cyber hygiene.
Meanwhile, HHS continues to offer many resources to help HIPAA covered entities mitigate ransomware and other cybersecurity threats.
ON THE RECORD
"The health care sector needs to get serious about cybersecurity and complying with HIPAA," said Fontes Rainer about the Providence penalty. "OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all health care entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks."
The HIMSS Healthcare Cybersecurity Forum is scheduled to take place October 31-November 1 in Washington, D.C.
Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.