November 13, 2020
Several government agencies have reported that cybercrime directed at hospitals, healthcare providers, and medical devices is increasing. Healthcare records are more valuable to hackers than other types of data, and cybercrime groups have increased their focus on the healthcare sector.
Many ransomware attacks and data thefts begin with an email that appears legitimate but carries a malware attachment or a link to a malicious website. For example, the email may show a familiar display name while the sender's address differs by a character or two, or a link may closely resemble a trusted domain name.
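The two indicators described above, a familiar display name paired with a subtly altered sender address and a link whose host resembles a trusted domain, can be screened for automatically. The following is an added example written for this note, not code from the original alert or from any of the agencies it cites; the trusted domains, known contacts, homoglyph table and sample messages are all constructed, and the "registrable domain" helper deliberately simplifies by taking the last two labels rather than consulting a public-suffix list.

```python
# Added example (not from the original alert): flag the two phishing
# indicators the alert describes, a familiar display name sent from a
# subtly different address, and a link whose host resembles a trusted
# domain. All allow-list entries and samples below are constructed.
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-lists; a real deployment would load these from the
# organization's directory and vendor inventory.
TRUSTED_DOMAINS = {"example-hospital.org", "payroll-vendor.com"}
KNOWN_CONTACTS = {            # display name -> domain it should send from
    "Jane Doe": "example-hospital.org",
    "Payroll Team": "payroll-vendor.com",
}
# Character sequences commonly swapped for look-alikes (assumed, short list).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize(label: str) -> str:
    """Collapse homoglyph substitutions so 'hospita1' compares equal to 'hospital'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between two domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host (simplification: no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def check_host(host: str) -> list:
    """Return (kind, detail) findings for a host that is not on the allow-list."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return []
    findings = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host:                       # trusted name buried in a foreign host
            findings.append(("brand-embedded", f"{host} contains '{brand}' but registers as {reg}"))
        elif normalize(reg) == normalize(trusted):
            findings.append(("homoglyph", f"{reg} looks like {trusted}"))
        elif levenshtein(reg, trusted) <= 2:
            findings.append(("typosquat", f"{reg} is within 2 edits of {trusted}"))
    return findings


def check_sender(from_header: str) -> list:
    """Flag a known display name arriving from an unexpected domain, then check the domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    expected = KNOWN_CONTACTS.get(name)
    if expected and domain != expected:
        findings.append(("display-name-mismatch", f"'{name}' expected from {expected}, got {domain}"))
    return findings + check_host(domain)


def check_link(url: str) -> list:
    """Check the host of a link found in a message body."""
    return check_host(urlparse(url).hostname or "")


if __name__ == "__main__":
    # Constructed samples: one lookalike sender, one legitimate sender, one
    # link that hides a trusted name inside an unrelated host, one clean link.
    for header in ("Jane Doe <jane.doe@example-hospita1.org>",
                   "Payroll Team <payroll@payroll-vendor.com>"):
        print(header, "->", check_sender(header))
    for url in ("https://payroll-vendor.com.login-secure.net/reset",
                "https://example-hospital.org/portal"):
        print(url, "->", check_link(url))
```

The checks are deliberately conservative: a host is only examined when its registrable domain is not already trusted, and the three tests (embedded brand, homoglyph match, small edit distance) are ordered so each host yields at most one finding per trusted domain. In practice these results would feed a mail-gateway rule or a user-facing banner rather than an automatic block, since edit-distance matches produce some false positives.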
These attacks can expose patient and employee records, passwords, and sensitive health data. Since providers are legally and contractually required to secure data, breaches may result in lawsuits from affected patients or government enforcement actions for compliance violations. Providers may be subject to penalties if the U.S. Department of Health and Human Services, Office for Civil Rights determines that the provider did not take appropriate steps to secure patient data. The penalty amount depends on the level of culpability, but providers may face a fine of up to $1.5 million per violation. Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties, 84 Fed. Reg. 18151 (May 30, 2019).
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) recently issued a joint cybersecurity advisory recommending that healthcare organizations implement prevention and response measures without delay. The advisory recommends that providers take certain actions, including:
- Awareness and training for employees regarding ransomware and phishing scams;
- Establishing and training employees on a mitigation strategy if an attack does occur;
- Maintaining encrypted backups of data online using the 3-2-1 rule;
- Creating and implementing a cyber-incident response plan; and
- Planning for a situation where systems will be inaccessible for extended time periods.
The good news is that if providers take reasonable security measures, they may be able to lower their potential legal liability for these attacks. Providers may want to evaluate their awareness and prevention strategies, and consider investing time training their employees and vendors on the current threat and how to respond.
If a provider is ultimately targeted, agencies have recommended not to pay ransoms and to follow the legal requirements for reporting data breaches. WJN attorneys would be happy to assist you in providing training to your employees, evaluating your risk, advising on security best practices, and advising on harm mitigation and response after an attack.