December 27, 2024
OCR Settles HIPAA Security Rule Enforcement Action with Heritage Valley Health System Stemming from Ransomware Attack – Business Cyber Risk


On July 2, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with Heritage Valley Health System (Heritage Valley), a healthcare provider operating in Pennsylvania, Ohio, and West Virginia. This is the OCR’s third ransomware settlement and is based on allegations of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule following a ransomware attack. With ransomware continuing to decimate the healthcare sector, it is crucial for organizations to prioritize cybersecurity to protect patient data and ensure continuity of care.

Ransomware and hacking continue to be among the most common types of cyberattacks in the healthcare sector. Since 2018, there has been a staggering 264% increase in large breaches reported to the OCR involving ransomware attacks. This alarming trend highlights the urgent need for healthcare entities to implement the necessary measures to safeguard patients' protected health information.

In the case of Heritage Valley, OCR’s investigation revealed multiple potential violations, including the failure to conduct a compliant risk analysis, implement a contingency plan to respond to emergencies like ransomware attacks, and restrict access to authorized users.

Settlement and Corrective Action Plan
To resolve the potential violations, Heritage Valley has agreed to pay a settlement of $950,000 and implement a three-year corrective action plan monitored by the OCR. The plan includes conducting an accurate risk analysis, implementing a risk management plan, reviewing and revising policies and procedures to comply with HIPAA Rules, and providing comprehensive training to the workforce on HIPAA policies and procedures.

Recommended Proactive Measures to Prevent Cyber Threats
OCR recommends several proactive steps that healthcare providers, health plans, clearinghouses, and business associates covered by HIPAA can take to mitigate or prevent cyber threats. These steps include the following:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes; conduct them regularly and whenever new technologies and business operations are planned.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing electronic protected health information (ePHI).
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to the organization and job responsibilities, and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

To learn more about the resolution agreement and corrective action plan, visit: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hvhs-ra-cap/index.html

See also: Health System to Pay $950,000 to Resolve HHS Privacy Violations
