Halloween HIPAA Headline The Pulse

On Halloween 2023, the Office for Civil Rights (OCR) dropped news of what could be seen as a treat for OCR but a trick for the impacted entity. The announcement was the most recent settlement of a HIPAA matter, and it was another ransomware-based incident. As always, it is helpful to summarize the situation and then see what lessons might be drawn from the circumstances.

The settlement was between OCR and Doctors' Management Services (DMS). DMS is a business associate, as it provides practice management support and solutions for medical practices. OCR initiated its investigation into DMS after DMS voluntarily submitted a compliant data breach notice on April 22, 2019. In its notice to OCR, DMS stated that its network first suffered an intrusion on April 1, 2017. However, in what should be a warning to other companies, DMS did not detect the intrusion until December 24, 2018. Interestingly, the data breach notice specified the particular ransomware variant that caused the issue, though that detail may simply have been taken from the pop-up notice that appeared after encryption. Some initial questions: where were the security operations? Were networks being scanned, or were other activities undertaken to assess activity on the network? Going over a year and a half between initial intrusion and detection is a recipe for a big problem.

Leaving aside the commentary for the moment, DMS revealed that the intrusion was detected on December 24, 2018 only because ransomware was deployed that encrypted DMS files. As already suggested, there is no explanation as to why it took encryption of files for DMS to discover the intrusion into its systems. The bare minimum facts suggest a significant breakdown in security operations, to the extent that processes or tools were in place to find such a problem at all.

With the factual background set, OCR investigated the incident. The investigation found that records for over 200,000 patients were impacted. OCR also, as is its common practice, detailed a number of findings that it asserted demonstrated actions inconsistent with expectations under HIPAA. The findings were:

The gist of OCR's findings was an overall approach to compliance that did not set DMS up for success. Implicit in the findings was that too many gaps were allowed to exist, which made it hard to satisfy compliance obligations. All of the findings and activity resulted in a $100,000 settlement payment.

Building on the commentary already started when describing the facts, the biggest issue in this latest HIPAA settlement is an apparent fundamental misalignment of operations with obligations under HIPAA. While a finding of inadequate risk analysis is quite common and appears in almost every HIPAA settlement, the third finding is the biggest one. That finding implies that DMS did not have sufficient policies and procedures to drive compliance across all areas of the Security Rule.

Admittedly, the policies and procedures required by HIPAA can become just an exercise in drafting paper, but that process is an important one for level-setting actions within an organization. In an organization where security efforts are humming along, the procedures called for by HIPAA can affirm what is already occurring or, often, surface opportunities for refinement. The Security Rule does not by itself create a complete program for securing data and systems in the current environment, but it does create the framework on which to build one.

Further, writing the policies and procedures required by HIPAA should be viewed as table stakes for operating in the healthcare industry. Despite the somewhat valid argument that writing all of the policies can be a headache, again, that process offers an opportunity for introspection and review of operations. Every time policies are initially drafted or reviewed, it is a chance to assess what is working, what could be refined, and what is not working. Those results should then inform how an ever-evolving compliance and security stance can be changed and made stronger. Avoiding the process altogether cannot happen.

The other key takeaway is that systems have to be monitored. Even though the conduct in the settlement is from a few years ago, letting an intruder wander through systems for over a year and a half is highly problematic. That suggests data were continually exposed, and not just data from a single point in time were subject to the violation of privacy. Further, only finding the intrusion because ransomware was finally deployed makes it worse. The timing of the ransomware deployment suggests that the attacker extracted a lot of value from the data and then took the final step to see if it could get another payday out of the situation.

Active monitoring and assessment of systems and networks should be able to find a problem more quickly than having it thrown in an organization's face. Attackers are constantly updating and changing tactics, making it probably near impossible to stop every attack, but being able to cut off the impact as quickly as possible is definitely something that needs to occur. The response to a breach or security incident can be a key factor in determining whether the problem becomes just a blip on the radar or an event that becomes a major inflection point for the organization. The clear preference should be the blip. Setting the stage for that outcome calls for a robust security process that is in constant operation.

No organization seeks to become the next target for a HIPAA settlement with OCR. However, certain steps can be taken to help avoid that outcome or to make an OCR investigation proceed more smoothly. The obvious steps are increasing awareness and understanding of the requirements imposed by HIPAA, building those compliance obligations into the fabric of an organization, and then taking serious, ongoing steps to fulfill and go beyond those requirements. It has become a bit of a trope, but security can never rest because the threats certainly do not. It is a tough environment, but not one that needs to be fatalistic.

Matt is General Counsel for Carium, a telehealth platform company. Matt is responsible for all legal functions in the company and helps to ensure that operations meet the requirements of applicable healthcare laws and regulations. Matt works to find creative solutions when needed and keeps an eye on the complications that can come up from working in the healthcare industry. Prior to joining Carium, Matt practiced for over a dozen years at a midsize law firm, where Matt advised clients across the healthcare spectrum on healthcare laws and regulations as well as general business matters.
2023 The Pulse