Health Care Cybersecurity Continues To Be Relevant

Bruce D. Armon, Brenda Glaser Abrams

October was National Cybersecurity Month. As part of its ongoing focus on HIPAA Security Rule awareness and compliance, the Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”) published its HIPAA Security Rule Incident Procedures newsletter (the “Newsletter”) to inform and “educate stakeholders on cybersecurity awareness and how best to protect the privacy and security of confidential data.” The Newsletter noted that cybersecurity incidents and data breaches are increasing across all industries, including health care. In 2020, HHS OCR received notice of 663 breaches of unsecured PHI affecting 500 or more individuals. In 2021, that number increased to 714. Moreover, the Newsletter noted that 74 percent of the breaches reported to the agency involved hacking or IT incidents. HHS OCR accurately notes that a “timely response to a cybersecurity incident is one of the best ways to prevent, mitigate and recover from cyberattacks.”

 

What You Need to Know:

  • Consider forming a security incident response team, organized and trained to respond when a security incident occurs, that would, among other things, establish relationships and lines of staffing and identify internal and external key contacts.
  • Focus on mitigating the harmful effects of a security incident, documenting the security incident, and understanding the covered entity’s breach reporting obligations.  
  • Remember that a timely response to a cybersecurity incident will help prevent, mitigate, and recover from cyberattacks.

 

A recent example of such a breach occurred in October when CommonSpirit Health, the nation’s second-largest nonprofit hospital chain with 142 hospitals, experienced a debilitating security incident. The incident, which was later confirmed to be a ransomware attack, disabled the health system for several weeks and forced CommonSpirit to take certain IT systems, including electronic health records, offline. Medical operations were disrupted in twenty-one states.

To combat and be adequately prepared for the rise in health care cyberattacks, the Newsletter suggests that entities consider forming a security incident response team that is organized and trained to respond when a security incident occurs. HHS OCR recommends several areas to consider if creating a security incident team, including structure and staffing, establishing relationships and lines of staffing, identifying internal and external key contacts, and determining the services the incident team should provide. 

The Newsletter highlights the processes involved in identifying and responding to security incidents, mitigating the harmful effects of a security incident, documenting the security incident (which is very important), and understanding the covered entity’s breach reporting obligations. 

Finally, the Newsletter provides a summary of a recent incident affecting the Oklahoma State University – Center for Health Sciences, in which a hacker gained unauthorized access to a web server that contained electronic PHI, and of the resulting two-year OCR corrective action plan and $875,000 settlement.

A few days following the release of the Newsletter, Sen. Mark Warner (D-VA) — a co-founder of the Senate Cybersecurity Caucus — released a policy document focused on cybersecurity efforts in the health care sector. The document is titled “Cybersecurity is Patient Safety, Policy Options in the Health Care Sector” and offers several policy recommendations for the federal government. Like the Newsletter, Senator Warner’s document notes that the health care sector has been increasingly prone to cybersecurity attacks, causing leaks of sensitive personal information, delays in treatment, and increases in mortality rates.

 

The document notes, “When it comes to cyberattacks affecting patient care, the question is no longer a matter of if or when, but how often and how catastrophic the consequences.” Senator Warner’s document notes that more than 45 million people were affected by health care cybersecurity attacks in 2021.  

 

Senator Warner’s document suggests improving federal leadership related to health care cybersecurity, including designating an HHS point person responsible for cybersecurity. The document includes an illustrative chart of “The Health Care Cybersecurity Ecosystem,” which identifies the various federal agencies with oversight on these important issues. Senator Warner’s report suggests creating financial incentives and specific requirements for health care systems to combat cyber threats. With respect to the Federal Anti-Kickback Statute and the Stark Law, the report states, “… these laws should be clear and should not prevent stakeholders in legitimate partnerships from working together on cybersecurity improvements that would protect the health care system collectively and not introduce financial risk in the Medicare program.” Senator Warner’s document also suggests several policy solutions to help address the frequency of cyberattacks, including having the Centers for Medicare and Medicaid Services direct facilities to consider cyberattacks in the same category as other hazardous emergencies and to develop specific preparedness procedures.

Senator Warner is seeking feedback from interested parties prior to December 1, 2022. Comments should be provided to cyber@warner.senate.gov.

 

Health care cybersecurity remains a very important issue for HIPAA-covered entities and their business associates. Committing adequate resources and maintaining vigilance are important and necessary steps to protect patient data.  

 

Saul Ewing LLP attorneys regularly assist covered entities and business associates with HIPAA compliance and state-based privacy laws, and help organizations respond to breach situations.

 

One last civic request. Tuesday, November 8, is Election Day. Please vote via mail or drop box (if permitted where you live) or in person. Foreign cyber threats and adversaries would probably like nothing more than to disrupt our democratic ideals.
