Recent Report Underscores Hospitals and Healthcare Providers Remain Attractive Ransomware Targets
In October 2020, Frier Levitt described how the Cybersecurity and Infrastructure Security Agency (“CISA”) and the FBI announced an “increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” Since that time, substantial ransomware attacks have affected the Colonial Pipeline and meatpacker JBS USA, Inc.
Recently, a Wall Street Journal article addressed how cyberattacks have affected the healthcare industry. According to the report, since 2018, one ransomware group alone has targeted over 235 hospitals and inpatient facilities. Similarly, a recent New York Times article describes how numerous hospitals in Ireland and New Zealand, and a health system in California, have all faced ransomware attacks and, as a result, suffered from sustained system outages. Moreover, a Becker’s Hospital Review article notes that a Florida health system has had to revert to using paper records, after the health system disconnected certain computers as a result of unusual network activity that was first identified in May.
In healthcare, ransomware attacks have proven to be highly disruptive events for a variety of healthcare providers who are, at times, reliant on technology to render and/or document care. Of note, without access to computer systems, providers have had to delay providing care, and a major regional hospital even had to temporarily divert incoming ambulances while responding to an attack.
Given the continued risk that cyberattacks pose, healthcare providers must take steps to prepare for such an attack and implement measures to prevent likely threats. Specifically, the Health Insurance Portability and Accountability Act (“HIPAA”) requires covered entities and their business associates to conduct regular risk analyses and implement safeguards accordingly. A risk analysis is intended to cause the organization to document its comprehensive practices, evaluate areas of risk, and to proactively protect against identified vulnerabilities. Risk analyses must be conducted on a regular basis, including when internal protocols change or are updated, to account for novel risks and to reevaluate the reasonableness of existing safeguards.
An analysis, however, is not enough. Pursuant to HIPAA, entities must maintain comprehensive disaster contingency plans detailing how they will continue to operate in the event of an attack or disaster. An effective response plan must have clear reporting structures to enable efficient responses to security incidents.
As underscored by the FBI’s announcement from last year, and reiterated by recent news reports, healthcare providers and their business associates are attractive targets for a variety of cyber criminals. These organizations must act accordingly to protect their systems and data, prevent these attacks, and ensure their adherence with HIPAA. Moreover, in light of the recent cyberattacks that have disrupted the operations of a variety of entities, healthcare providers should adopt plans setting forth how the provider will continue operating and rendering care in the event a ransomware attack causes or necessitates a sustained system outage.
How Frier Levitt Can Help
From small medical practices, to large hospitals and online-only telehealth platforms, Frier Levitt has advised various clients in developing compliant HIPAA policies and procedures, including disaster recovery plans that enumerate the steps to be taken in the event of a natural or man-made disasters such as cyberattacks. Contact us for assistance with proactive HIPAA compliance plans and risk analyses, and response coordination when addressing violations or cyberattacks.