
Poor Risk Analysis Costs Four Firms $1.7 Million in HIPAA Fines


HHS OCR Breach Investigators Identify Recurring Issues with Risk Analysis Failures

In a significant revelation, investigators from the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) have once again underscored the pressing issue of inadequate security risk analyses within the healthcare sector. Four healthcare entities have collectively incurred fines totaling $1.7 million due to their failure to adequately protect against ransomware attacks, leading to breaches of electronic protected health information (ePHI) compromising approximately 427,000 individuals.

The entities penalized include a medical imaging provider, a women’s healthcare group, a health plan, and a third-party insurance administrator. The investigation into these organizations revealed a troubling pattern of either conducting their risk assessments ineffectively or not at all, which ultimately resulted in serious security vulnerabilities. The breaches, attributed to ransomware attacks, exposed sensitive patient information such as names, birth dates, addresses, Social Security numbers, and medical details.

HHS OCR has consistently emphasized the necessity of thorough, timely, and meticulous risk assessments as mandated by the Health Insurance Portability and Accountability Act (HIPAA) security rule. Despite this, instances of weak security risk analyses are frequently noted in the context of HIPAA violations. Stakeholders advocate that these assessments should serve as proactive measures rather than mere bureaucratic exercises, especially given the escalating threat posed by ransomware within the healthcare sector.

Paula Stannard, the director of OCR, stated, “Hacking and ransomware are the most frequent types of large breaches reported to OCR.” She highlighted the importance of implementing the HIPAA security rule as a preventive measure, reiterating that compliance is not only a legal obligation but also essential for mitigating the detrimental impacts of cyberattacks.

Among the settlements announced by HHS OCR, Assured Imaging Affiliated Covered Entities, a provider of medical imaging services, faced a particularly severe penalty of $375,000. The organization experienced a ransomware attack in 2020, carried out by the PYSA ransomware gang, that affected nearly 245,000 individuals. HHS OCR identified that Assured Imaging had “never conducted a compliant risk analysis.”

Other entities facing sanctions included Regional Women’s Health Group, which operates under the Axia Women’s Health label, along with Star Group, L.P. Health Benefits Plan, and Consociate Health, which serves as a third-party administrator for employee-sponsored benefit programs. These organizations faced penalties ranging from $225,000 to $320,000, in conjunction with mandatory corrective action plans monitored by HHS OCR over a two-year timeframe.

The corrective action plans obligate the penalized entities to conduct and document comprehensive risk assessments addressing security vulnerabilities related to all ePHI systems. They must also implement necessary security measures to rectify the deficiencies identified in these assessments.

Challenges in Security Risk Analysis

The recurrent failures in the execution of effective security risk analyses call for a closer look at the common pitfalls encountered by HIPAA-regulated entities. One notable issue is the failure to conduct any risk analysis at all, or, when assessments are performed, the lack of proper documentation or follow-through on remediation actions. Organizations also commonly confuse a compliance gap assessment with a substantive risk analysis. Keith Fricke, a principal consultant at tw-Security, clarified, “OCR will not recognize a gap assessment as a risk analysis.”

A robust HIPAA risk analysis must thoroughly encompass all systems that store, process, or transmit ePHI, an aspect frequently overlooked in basic gap assessments. Additionally, risks that are carried over from year to year without resolution can result in heightened financial penalties, especially if breaches occur due to known vulnerabilities.

Despite the availability of a complimentary security risk analysis tool provided by HHS OCR—designed to walk users through the assessment process—many organizations struggle with conducting thorough analyses due to limited resources or lack of expertise. For smaller healthcare entities, budget constraints often impede their ability to perform required security assessments adequately.

Fricke noted that organizations are aware of their obligations but may neglect them, which can lead to findings of willful neglect. The cost of hiring external assessors varies significantly with the organization’s size and the complexity of its IT landscape.

Stakeholders emphasize that identifying risks is critical to safeguarding patient data. Kerry McConnell, also from tw-Security, urged organizations to maintain a detailed inventory of all ePHI systems, assess each against potential threats, and document existing controls and vulnerabilities. He encourages starting small, seeking help when necessary, and dropping a complacent mindset toward compliance.

Frequent failures in conducting risk analyses underscore the need for the proposed update to the HIPAA Security Rule, which would spell out in more detail what a risk analysis must entail. However, HHS OCR has yet to clarify how it intends to move forward with these proposals, which were introduced in the final days of the Biden administration.

In summary, as the healthcare sector continues to face escalating cyber threats, the importance of effective risk management and compliance with HIPAA requirements cannot be overstated. The current fines serve not just as penalties but as pivotal reminders for healthcare entities about the critical importance of safeguarding ePHI through diligent risk assessment practices.
