HIPAA fines and more…


A recent cybersecurity analysis reported that by mid-year 2020 we had already surpassed the total number of cyberattacks that occurred in the US in all of 2019. While an increase was expected, the pace far exceeded expectations. Not only has the volume of attacks increased, but their effectiveness has as well. The most recent example is the attack on the hospital system Universal Health Services (UHS), which manages over 400 hospitals in the US and the UK. Their network was hit with the common ransomware strain known as Ryuk, reverting them to paper and keeping their electronic systems offline for days. So far this year, over 53 healthcare organizations have been hit with cyberattacks, and there will be more. To read more about these attacks, here are two articles:

https://www.zdnet.com/article/uhs-hospital-network-hit-by-ransomware-attack/
https://www.nbcnews.com/tech/security/cleveland-area-hospital-goes-offline-after-apparent-cyberattack-n1241408?&web_view=true

On top of the threats we’re facing on the cyber front, OCR, the Office for Civil Rights, has been actively enforcing HIPAA violations. Five enforcement actions were handed down to organizations for failing to honor a patient’s right to access their records. With these fines, OCR Director Roger Severino made it clear that providers cannot choose what patient information they share, when they share it, or how they share it once the patient requests it. Ultimately this is good for all of us, but the transition is painful and fraught with security pitfalls. It’s critical that you have proper policies and procedures in place to meet this requirement. We can help. Here’s more information on these violations:

https://www.jdsupra.com/legalnews/office-for-civil-rights-settles-five-24792/

OCR has also taken action against a broad swath of Covered Entities and Business Associates. The actions, taken against a Business Associate, a health plan, and an orthopedic group, all stemmed from breaches caused by cyberattacks. The common theme for each entity was a delayed reaction, inadequate preparation, and a corrective action plan to be monitored by OCR. If this doesn’t sound like an experience you’d enjoy for the next couple of years, we can help. Here’s additional information on these violations:

https://www.natlawreview.com/article/ocr-imposes-fines-health-plan-business-associate-and-physician-group-related-to

Finally, here’s a surprise: Microsoft has some vulnerabilities! In practice, if your Windows operating system is out of date, or you aren’t actively ensuring your Windows devices have up-to-date patches, then they could be vulnerable to attacks through publicly known weaknesses. Patch management across all of your devices is a critical part of your cyber defenses. Not sure if you’re on top of it? Our network scan can detect vulnerabilities, both internal and external, that could become the vector of a cyberattack.

Click smart or not at all.

If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.

For more HIPAA information, download our ebook, The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires every Covered Entity and Business Associate to implement a security awareness and training program for all members of its workforce (including management). Have your team sign up for our weekly HIPAA Security Reminder to help stay compliant.