Providence Medical Institute, the Southern California-based physician services arm of the seven-state Providence Health System, will pay a $240,000 civil penalty to resolve potential HIPAA violations stemming from a ransomware attack.
Why it matters
The U.S. Department of Health and Human Services Office for Civil Rights announced the penalty on October 3, following an investigation into a ransomware breach report and Providence Medical Institute's compliance with the HIPAA Security Rule.
OCR said that in 2018 the provider's IT systems were hit by a series of ransomware attacks that allegedly affected the electronic protected health information (ePHI) of approximately 85,000 people between February and March of that year. The investigation began after OCR received a breach report in April 2018.
The investigation revealed that a server containing ePHI had been encrypted with ransomware three times. OCR says it discovered two potential violations of the HIPAA Security Rule: the "failure to enter into business associate agreements and to have policies and procedures in place to allow only authorized persons or software programs to access ePHI."
The Security Rule establishes national standards for protecting electronic protected health information "created, received, used, or maintained" by HIPAA covered entities. Beyond these guardrails, appropriate administrative, physical, and technical safeguards are also required to ensure the confidentiality, integrity, and security of ePHI.
OCR Director Melanie Fontes Rainer said in a statement: "Failure to fully implement all of the requirements of the HIPAA Security Rule will result in HIPAA-covered companies and business partners being forced to sacrifice the privacy and security of patient health information. It leaves them vulnerable to cyberattacks."
In March, OCR proposed civil monetary penalties against Providence Medical Institute. Providence Medical Institute waived its right to a hearing and did not contest OCR's findings, and OCR said the investigation was resolved with a $240,000 fine.
The bigger trend
Ransomware has become perhaps the leading cybersecurity threat in the healthcare sector since its unwanted presence was first widely felt about a decade ago. BakerHostetler reported earlier this year that it was used in over 70% of network intrusions in 2023.
OCR notes that there has been a 264% increase in large-scale ransomware breaches reported to the agency since the Providence incident was reported in 2018.
HHS has repeatedly emphasized that the HIPAA Security Rule provides at least a baseline of protection against the onslaught of ransomware.
OCR urges health care providers, health plans, payment institutions, and their business associates to take the following mitigation steps:
Review vendor and contractor relationships to ensure business associate agreements are in place and address obligations for breaches/security incidents.
Integrate risk analysis and management into business processes and perform them regularly and when new technologies or business operations are planned.
Ensure that audit controls are in place to record and examine information system activity.
Conduct regular reviews of information system activities.
Implement multi-factor authentication to ensure only authorized users can access ePHI.
Encrypt ePHI to prevent unauthorized access.
Incorporate lessons learned from incidents into the overall security management process.
Provide regular training specific to your organization and job responsibilities. Reinforce employees' critical role in protecting privacy and security.
OCR has recently stepped up enforcement in cases where lax security controls contributed to ransomware incidents. The Providence case is the fifth such financial penalty to date. Others include a settlement earlier this year in which a Maryland behavioral health worker paid $40,000 after a ransomware attack compromised the ePHI of 14,000 people.
Some lawmakers say this is still not enough, and are frustrated by the constant flow of ransomware-related breaches.
For example, this summer Sen. Mark Warner (D-Va.) sent a letter to HHS Secretary Xavier Becerra and Deputy National Security Adviser Anne Neuberger calling for minimum cybersecurity requirements for the healthcare industry. The letter urged them to expedite the development and publication of such standards.
Last month, Warner and Sen. Ron Wyden (D-Ore.) introduced the Health Infrastructure Security and Accountability Act, a bill that includes "common sense reforms" aimed at thwarting destructive cyberattacks. The bill would mandate certain basic cybersecurity protocols, increase funding to help small and rural hospitals meet the new standards, and hold health care executives who lie about their organizations' cyber hygiene accountable. It also allows for severe penalties.
Meanwhile, HHS continues to provide numerous resources to help HIPAA covered entities mitigate ransomware and other cybersecurity threats.
On the record
"The healthcare sector needs to get serious about cybersecurity and HIPAA compliance," Fontes Rainer said of the Providence fine. "OCR remains committed to protecting patient privacy and ensuring the security of everyone's health information. On behalf of OCR, I urge all healthcare providers to remain vigilant and ensure that their systems remain secure. We urge you to take all precautions and measures to protect yourself from cyberattacks."
The HIMSS Healthcare Cybersecurity Forum is scheduled for October 31st to November 1st in Washington, DC. Check the details and register.
Mike Miliard is the Editor-in-Chief of Healthcare IT News
Email the author: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.