HIPAA and Cybersecurity Round-Up: November 2020

Warnings from government agencies and experts, coupled with recent HHS-OCR settlements, place HIPAA and cybersecurity compliance at the top of one’s “to do” list.

Despite the 2020 Election, the second-half of October presented the healthcare industry with alerts and financial penalties that should not be ignored. It’s not new that healthcare (and hospitals) in particular are “target rich” environments for cybercriminals. According to The Hill, “[h]ospitals and health care institutions preparing for a fall wave of coronavirus cases are bracing for more cyberattacks after hackers seeking to take advantage of the pandemic launched several successful attacks this year that severely disrupted patient services.” What is even more concerning is the possible end result of the cyberattacks—patient deaths. “There are hundreds of cases we have now seen where we can draw a direct line between the cyberattack and deaths.” This is because if the protected health information (PHI) is not available or if the integrity of the data has been altered, then there is a highly probable chance of a clinical error, which results in a patient harm, including death.

On October 28, 2020, the Cybersecurity & Infrastructure Security Agency (CISA), released Alert (AA20-302A) – Ransomware Activity Targeting Healthcare and Public Health Sector. This joint advisory was authored by CISA, the FBI and HHS. Two findings to highlight are:

• CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
• These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.

By deploying these newer forms of ransomware, cybercriminals are more nimble, which leads to increased ease, speed, and profitability of the victims. This means that regardless of the size of the covered entity or business associate, the IT person needs to stay abreast of new forms of attacks, training, and software patches/updates. And, as a reminder, both individuals and organizations should be cautious before paying a ransomware demand, as it may cause additional legal woes in the form of an illegal act – running afoul of Office of Foreign Asset Control (OFAC) regulations.

The final part of the “HIPAA Round Up” focuses on two HHS OCR settlements. The October 28, 2020 settlement with Aetna is notable for three reasons: (1) the $1 million amount; (2) the settlement involved three separate incidents affecting significantly more than 500 individuals; and (3) in addition to the impermissible disclosures, Aetna failed to implement the requisite technical, administrative, and physical safeguards.

The October 30, 2020 settlement with the City of New Haven, CT is noteworthy for the following reasons: (1) a former employee continued to have access, even after being terminated; (2) the employee not only returned after being terminated, but returned to the work site and downloaded PHI onto a USB drive; and (3) New Haven recklessly disregarded its technical, physical, and administrative safeguards. Not conducting an enterprise-wide risk analysis annually was a fundamental item, which was overlooked.

The bottom line is that HIPAA and cybersecurity compliance are not going away. The harm to patients, legal liability, and financial costs are quite real. In sum, it is incumbent upon every person who creates, receives, maintains, and/or transmits PHI to do so in a prudent way – regardless of the size of the organization and whether he/she is at home or at work.

_{About the Author}

_{Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.}