OCR settles with DMS for ransomware breach
Photo: Ekaterina Bolovtsova/Pexels
Following an investigation into the breach of the protected health information of 206,695 individuals, the U.S. Health and Human Services and the Office of Civil Rights announced a settlement with Doctors’ Management Services – which provides medical billing, payor credentialing and other third-party healthcare services to several covered entities.
WHY IT MATTERS
Massachusetts-based DMS reported in April 2019 that an unauthorized third party gained access to its network on April 1, 2017, and was active in its system until it deployed ransomware on December 24, 2018.
According to OCR, the breach report filed with HHS stated that PHI was exposed when its network server was infected with GandCrab ransomware.
OCR's investigation of the incident under HIPAA Privacy, Security and Breach Notification Rules found evidence of potential failures, insufficient system monitoring to protect against a cyberattack and a lack of HIPAA policies and procedures to implement privacy requirements of the HIPAA.
The agency said as a business associate of covered entities, DMS did not have adequate measures in place to protect the confidentiality, integrity and availability of electronic PHI.
"DMS failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports," HHS said in a statement Tuesday.
Monitoring and numerous other cybersecurity best practices should be employed regularly across an enterprise to prevent future attacks, according to OCR Director Melanie Fontes Rainer.
The corrective action plan DMS agreed to identifies the steps it must take to protect ePHI and maintain compliance with HIPAA, and include:
- Review and update its risk analysis to identify the potential risks and vulnerabilities to data within 180 days of the plan's effective date.
- Update the company's enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the approved risk analysis within 90 days of the latter's approval.
- Review and revise written policies and procedures to comply with HIPAA within 60 days from the approval of the updated risk management plan.
- Provide each workforce member who has access to PHI with training on approved HIPAA policies and procedures within 60 days and then every 12 months.
DMS must provide annual reports on compliance with the three-year CAP.
THE LARGER TREND
"Over the past four years, there has been a 239% increase in large breaches reported to OCR involving hacking and a 278% increase in ransomware," according to HHS. Hacking has already increased 60% from last year, the agency added, and has affected more than 88 million individuals in 2023.
For several years, the cybersecurity practices of business associates have been known to cause healthcare data breaches.
GandCrab targeted older Windows PCs no longer supported by Microsoft with Server Message Block vulnerabilities.
SMB allowed Microsoft Windows computers to share files, serial ports and printers across a network on legacy systems. Using the National Security Agency EternalBlue exploit – the same hacking tools used in WannaCry and Petya – GandCrab spread through spam email, fake software cracking sites and malicious WordPress sites.
"If we are lazy about patching and upgrading our systems sector-wide, GandCrab will be (somewhat) problematic for the healthcare sector," said Lee Kim, HIMSS senior principal of cybersecurity and privacy.
"But, it’s not the 1990s anymore and many healthcare organizations are a bit more proactive with their cybersecurity programs,” she told Healthcare IT News in July 2018.
Third-party cybersecurity risks from business associates like DMS have required healthcare organizations to prioritize security in procurement, review every contract regularly, deploy identity- and access-management software throughout networks and systems, implement best practices for cyber hygiene, and much more.
ON THE RECORD
"Our settlement highlights how ransomware attacks are increasingly common and targeting the healthcare system," Rainer said in the announcement. "This leaves hospitals and their patients vulnerable to data and security breaches.
"In this ever-evolving space, it is critical that our healthcare system take steps to identify and address cybersecurity vulnerabilities, along with proactively and regularly review risks, records and update policies," she added.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.