By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
The Office for Civil Rights is stepping up its attention to cyberattacks impacting healthcare organizations. After years of attacks impacting operations and the privacy of patient information, OCR is now flexing its HIPAA enforcement muscles on that front. First OCR entered into a settlement because of a ransomware attack and now there is a new settlement stemming from a phishing incident.
The Background and the Settlement
What happened in the most recent instance? As usual, OCR offers a bare minimum of detail about the situation giving rise to the settlement. The available facts note that Lafourche Medical Group (LMG) notified OCR of a data breach impacting the patient information under its control on May 28, 2021. LMG revealed that it learned about an individual gaining access to an email account of an LMG owner through a phishing attack. LMG could only determine that protected health information was present in the email account, but not the specific portion of its patient population whose information was present. Given the inability to suss out the specifics, LMG notified all of its patients about the phishing incident.
Over half a year after receiving notification of the breach, OCR initiated an investigation into the incident on January 13, 2022. Arguably that setup is intentionally a little sensationalist because OCR is often overwhelmed by the number of breaches being reported and any incident should create an expectation that an investigation will follow. OCR reported in the resolution agreement that its investigation found two primary issues of non-compliance.
Specifically, OCR stated that LMG never conducted a risk analysis as required by the Security Rule prior to the phishing attack in 2021. Second, LMG never implemented a process to review records of system activity, which could enable LMG to spot and respond to suspicious activity that would be the sign of a system compromise.
What did this one incident cost LMG? $480,000. That is a pretty big figure for what appears on the surface to be a relatively run of the mill phishing incident. It is very possible that any number of similar incidents could be found just by googling “healthcare,” “phishing,” and “data breach.” Why the big dollar settlement and why in this instance? As always, those questions won’t be answered, but also as is usually the case, there are some important lessons to take from the settlement.
OCR is Serious About Cybersecurity
It should go without saying at this point that all organizations should be focused on improving and solidifying cybersecurity. OCR is certainly focusing on the issue and setting a higher bar for what it expects of organizations. Reports and guidance about cybersecurity are produced by different agencies in HHS and the government more broadly on a pretty steady basis. OCR’s announcement about the LMG settlement includes the following examples of available materials:
- An instance of OCR’s quarterly email series with guidance on how to defend against cyberattacks;
- A recent webinar on ways that the Security Rule can prepare an organization to defend against a cyberattack; and
- A one pager specifically about email phishing attacks.
The thrust of all the materials is to provide education and guidance that focuses on preparing for the inevitable cyberattack. OCR does not want to be in a position of chasing organizations after an attack. Instead, OCR would clearly prefer that organizations take proactive steps ahead of time that decrease the likelihood of an attack occurring. Given that backdrop, organizations should take advantage of the information and materials distributed by OCR and other agencies. The information is often informative and designed to increase awareness of current top priority threats or provide suggestions on how to strengthen defenses. It is clearly a design to promote privacy and security, not find a means of assessing a punitive punishment.
With all of those materials available, it is also no surprise that OCR is getting more active in pursuing resolution agreements with organization following a cyberattack. The threats and fallout have been well publicized at this point in time with headlines coming on at least a daily basis. If carrots aren’t working, then the sticks will follow, especially when dealing with the government.
Time to Train and Educate
What is an organization to do in the face of all of these headwinds? Take time to train and educate all members of the workforce. No individual in an organization is immune or insulated from having to worry about the issues of phishing or any other cybersecurity problem. In case the summary of the LMG resolution didn’t grab attention deeply, one of the key points is that an owner was victimized by the phishing attack. Other examples in the headlines can be a person from anywhere in the hierarchy of an organization. Everyone will get suspicious emails and should not freely click on links or following actions in the email.
How can desired actions be promoted? Provide examples and constant reminders about what constitutes a suspicious email and how to respond. Be critical of almost every message and take a breath or two before acting on the contents of a message. Not rushing into an action called for in a message can save a lot of headaches down the road. It is also important to look at the fine details. It can be easy to look past an extra letter or other marker in an email that would show it to be less than honest. By regularly putting that information in front of individuals, the lesson can sink in more and become a consistent habit.
In addition to the regular reminders, phishing should be a component of annual training, if it hasn’t been included already. The annual training is the minimum that HIPAA looks for on the training front and provides an opportunity to potentially get a little bit more in depth since it ostensibly is longer and sets the base for a solid year of understanding.
Regardless of the approach taken, it is necessary at a baseline to focus on the effort of training and educating. It is a relatively easy step to take that can readily set an organization up for success. Overlooking is just missing a way to get a solid win and also provide evidence of the organization taking appropriate measures in the event of an incident.
Do the Basics
The other issue from the LMG settlement is the unfortunately usual finding that the required risk analysis did not occur. If a risk analysis is skipped or skimped on, how does an organization know what the risks are? The truth is that it doesn’t know the answer to that question. Since lack of a risk analysis is included in almost every HIPAA resolution announced by OCR, one would think that it should be a top priority.
The risk analysis can take some time and attention, but it also sets an organization up for good security practices. Taking a step back and regularly reviewing not only where sensitive information is located, but the threats to it as well can help a security program evolve and adapt to changing circumstances. Doesn’t that sound like a positive?
If previous resolutions weren’t a wake up call, heed the callout now. The size of the settlement with LMG suggests that the complete absence of a risk analysis was an important factor in the seemingly large settlement.
This article was originally published on The Pulse blog and is republished here with permission.