In Its Second-Ever HIPAA Settlement on Ransomware, HHS Offers Best Practices for Avoiding Cyberattacks | Practical Law

In Its Second-Ever HIPAA Settlement on Ransomware, HHS Offers Best Practices for Avoiding Cyberattacks

by Practical Law Employee Benefits & Executive Compensation
Published on 26 Feb 2024 | USA (National/Federal)
The Department of Health and Human Services (HHS) has announced a settlement of potential Privacy and Security Rule violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement involved a Maryland-based provider of mental health services (and HIPAA covered entity (CE)). The provider must pay $40,000 to HHS and comply with a three-year corrective action plan (CAP) that HHS will monitor.
HHS has issued a settlement agreement with a Maryland-based provider of outpatient mental health services (and HIPAA covered entity (CE)) for potential violations of HIPAA's Privacy and Security Rules (see HIPAA Privacy, Security, and Breach Notification Toolkit) (Resolution Agreement (Feb. 21, 2024); see related press release). The provider offers services that include psychiatric evaluations, medication management, and psychotherapy.
Under the agreement, the provider must:
  • Pay $40,000 to HHS to resolve the action.
  • Comply with a three-year corrective action plan (CAP) that HHS will oversee.
The settlement is HHS's second-ever settlement agreement involving a ransomware attack (see Legal Update, HHS Reaches Its First HIPAA Settlement Agreement Involving a Ransomware Attack).

Ransomware Attack on Network Server

HHS began investigating the provider in December 2019 after receiving a breach notification from the provider indicating that its servers had been infected by ransomware that encrypted its data (see Practice Note, HIPAA Breach Notification Rules). The ransomware attack involved the protected health information (PHI) of more than 14,000 individuals. As background, ransomware is a form of malware (malicious software) that:
  • Blocks access to an entity's data (typically by encrypting the data with a key controlled by the hacker that launched the attack).
  • Requires payment of a ransom for access to be restored.
HHS's investigation revealed that the provider potentially violated HIPAA's Privacy and Security Rules by:

Corrective Action Plan Addresses Security Rule Standards

Besides the $40,000 payment, the provider must comply with a three-year CAP that includes requirements relating to risk analysis and management, HIPAA policies and procedures, and training. HHS will oversee the provider's progress in complying with the CAP.

Risk Analysis, Inventory, and Risk Management Plan

Regarding security management process requirements under HIPAA's Security Rule, the provider must perform a thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI in its possession. The risk analysis must cover all of the provider's rented or owned facilities. Before starting its risk analysis, the provider must develop a complete inventory of all electronic equipment, data systems, facilities, and applications that contain or store ePHI. This ePHI inventory must then be incorporated in the provider's risk analysis.
The provider also must create and adopt an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis. The risk management plan must contain a process and timeline for the provider's implementation, evaluation, and updating of its risk remediation activities.
The risk analysis and risk management plan are subject to HHS approval.

HIPAA Policies and Procedures Include Extensive Minimum Content Requirements

The CAP also requires the provider to develop (or update) its HIPAA policies and procedures. As revised, the policies and procedures must address—at a minimum—a lengthy set of issues under HIPAA's Privacy and Security Rules, including:
The above-referenced access control procedures must address, among other issues:
  • Access between systems (for example, network or portal segmentation).
  • Provisions that restrict access to ePHI to individuals and software programs that are granted access rights.
  • Enforcement of password management requirements (for example, password age, encryption, and decryption).

Policies and Procedures Must Be Distributed

The provider must submit its revised HIPAA policies and procedures to HHS for approval. Once the policies and procedures are approved, the provider must:
  • Finalize and adopt the approved policies and procedures.
  • Timely distribute them to all workforce members and business associates (BAs) with access to ePHI.
  • Obtain from each workforce member and BA a written or electronic certification stating that the workforce member or BA has read, understands, and will comply with the policies and procedures.
The provider's revised policies and procedures must be distributed to newly hired workforce members and new BAs who have access to PHI within 30 days of their start dates.
A workforce member or BA who has not provided this certification is not allowed to access the provider's PHI.

Inventory of Business Associate Agreements

The CAP also requires the provider to review all of its vendors and third-party service providers to identify BAs. The provider must then provide HHS:
  • A comprehensive accounting of the BAs that includes the BAs' names, a description of the services, the dates the BAs began providing services, and a description of how the BAs handle or interact with the provider's PHI.

Training

Regarding training, the CAP requires the provider to:
  • Furnish its existing HIPAA training materials (for both the provider's workforce members and its BAs that have access to PHI) to HHS for review.
  • Revise its training materials for any changes required by HHS.
  • Timely provide training (and annual retraining) to existing workforce members—and new workforce members and BAs who have access to PHI (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials).
  • Obtain a certification, in written or electronic form and reflecting the training date, from each workforce member stating that the individual received the training.
  • Annually review and, if necessary, update its training materials.

Reportable Events and Other CAP Requirements

A section of the CAP addressing reportable events requires the provider to promptly investigate and report any information it receives about workforce members' or BAs' noncompliance with the provider's HIPAA policies and procedures (as revised). The provider also must inform HHS of the sanctions it imposes on workforce members who do not comply with the policies and procedures.
The provider must satisfy additional requirements under the CAP, including submission of annual reports for the CAP's duration. The CAP also requires the provider to document its compliance with the CAP for six years.

Best Practices for Preventing or Mitigating Cyber-Threats

In announcing this second-ever, ransomware-focused settlement, HHS identified several best practices that CEs and BAs should adopt to prevent or mitigate cyber-threats. These best practices include:
  • Reviewing all vendor and contractor relationships to ensure BA agreements are in place as appropriate—and that the agreements address breach/security incident obligations.
  • Integrating risk analysis and risk management procedures into business processes and ensuring that they are performed regularly (especially when new technologies and business operations are planned).
  • Adopting audit controls to record and analyze information system activity.
  • Implementing periodic reviews of information system activity.
  • Using multi-factor authentication (MFA) so that only authorized users can access PHI.
  • Encrypting PHI to prevent unauthorized access.
  • Incorporating lessons from prior incidents into the CE's or BA's broader security management process.
  • Regularly providing training specific to organization and job responsibilities.
  • Emphasizing the role of workforce members in protecting privacy and security.

Practical Impact

HHS's best practices on cyber-threats are especially timely in light of last month's cyberattack against a division of a major US health insurer that has disrupted hospitals' and pharmacies' ability to process claims and receive payments (the Change Healthcare cyberattack). The attack has resulted in potentially significant cash flow issues for affected providers. According to an HHS press release (Mar. 5, 2024), HHS is engaged with the insurer in assessing the attack's consequences and the effectiveness of the insurer's response efforts.
In another development, HHS—in coordination with the National Institute of Standards and Technology (NIST)—recently issued an updated HIPAA Security Rule Guide that includes core Security Rule requirements and related sample questions to help CEs and BAs comply with HIPAA. For example, regarding the Security Rule standards for password management (one of the standards at issue in this ransomware enforcement action), the updated guide includes the following questions about how CEs and BAs can assess their compliance:
  • Are workforce members aware that login attempts can be monitored?
  • For workforce members of a CE or BA who monitor login attempts, do the individuals know where (and to whom) any identified discrepancies should be reported?
  • Do workforce members know how to choose passwords of appropriate strength, protect their passwords, and change passwords that have been compromised (or are suspected of having been compromised)?
  • Has the CE or BA implemented policies to prohibit workforce members from sharing passwords with others?
  • Do workforce members understand the importance of timely applying system patches to guard against malicious software, which may exploit vulnerabilities (see Practice Note, HIPAA Security Rule: Overview and Administrative Safeguards: Ransomware and the Security Management Process Standard: Cybersecurity Defense)?