The US Department of Health and Human Services’s (HHS) Office for Civil Rights (OCR) has recently come to a settlement with Doctors’ Management Services, a medical management company based in Massachusetts. The settlement amounts to $100,000 and pertains to a ransomware attack that the company endured in 2018.
One of the key factors in this case was the delay in detecting the cyber attack. The breach report filed by Doctors’ Management Services with HHS stated that approximately 206,695 individuals were affected when their network server was infected with GandCrab ransomware. The initial unauthorized access to the network occurred on April 1, 2017; however, the intrusion was not discovered until December 24, 2018, after ransomware was used to encrypt their files. OCR began its investigation in April 2019.
During the OCR’s investigation, evidence was found indicating potential failures by Doctors’ Management Services to have an analysis in place to determine the risks and vulnerabilities to electronic protected health information. Other findings included inadequate monitoring of health information systems’ activity to protect against cyber attacks and a lack of policies and procedures to implement the requirements of the HIPAA Security Rule.
Ransomware attacks on hospitals and healthcare organizations have become a significant threat to public health and safety. Jan Lovmand, CTO at BullWall, expressed concern over the disruptions caused by these attacks, which can lead to postponed surgeries and treatments, putting patients’ lives at risk. In addition to the immediate risks to patient care, these attacks also compromise the security of sensitive patient information. Lovmand emphasized that the impact of these attacks can be devastating, leaving hospitals struggling to recover their data and regain control of their systems.
The healthcare sector’s heavy reliance on technology makes it an attractive target for cybercriminals. Hospitals and healthcare organizations manage critical patient records and rely on technology to operate effectively. However, their limited resources for investing in cybersecurity measures can make them vulnerable to attacks. In light of the continued threat of ransomware, Lovmand stressed the importance of investing in measures to contain these attacks, avoiding the need for complete shutdowns of IT systems and healthcare services.
Dave Ratner, CEO at HYAS, highlighted the value of data that healthcare providers hold as a motivating factor for attacks. Healthcare organizations are increasingly targeted due to the valuable information they possess. Ratner emphasized the need for organizations to regularly review risks, update policies, and assume that they will be breached. Having the necessary visibility to detect and respond to breaches is essential in ensuring resilience against cyber attacks.
The settlement between HHS OCR and Doctors’ Management Services serves as a reminder of the importance of implementing robust security measures in the healthcare sector. Cyber attacks not only disrupt healthcare services but also compromise patient data security. It is crucial for healthcare organizations to invest in cybersecurity measures to protect patient information and ensure the continuity of essential medical services.