Over the past year and a half, the healthcare industry has confronted a trifecta of troubles. As if tackling the COVID-19 pandemic weren’t enough, healthcare organizations have also faced a surge of ransomware attacks, evolving legal/regulatory and enforcement considerations, as well as novel, complex issues presented by pandemic- and technology-driven changes.
In light of the current cyber security environment, a better understanding of ransomware attacks, and preventative steps organizations can take, is critical for any health care entity. But first we look at the evolving regulatory and enforcement landscape.
Impact of Evolving Regulations
Telehealth. While fending off cyberthreats, especially ransomware, healthcare organizations also adapted almost overnight to the disruptions to care delivery associated with the pandemic through adoption of telehealth technology. This widespread and rapid reliance on telehealth as a modality of care required a drastic relaxation of the often antiquated Federal and State licensure and reimbursement regulations that have typically served as a barrier to telecare. Nearly all states used emergency rule-making to lift these regulatory restrictions and ensure reimbursement of services delivered via telehealth, revolutionizing the health care landscape and vastly accelerating the acceptance of telehealth, particularly given the lack of other care delivery options in the midst of the pandemic. The protracted nature of the pandemic has helped to cement telehealth as a seemingly permanent fixture in the health care delivery system, and both the Centers for Medicare & Medicaid Services (“CMS”) and many state legislatures have begun modernizing the telehealth regulatory regime from both a licensure and reimbursement standpoint to ensure that this access to care remains intact even after the pandemic ends.
Information Blocking. Ensuring patients’ right of access to their health information has been a significant focus for both the Office of Civil Rights (“OCR”) and the Office of the National Coordinator (“ONC”), as evidenced by the promulgation of the information blocking regulations under the 21st Century Cures Act, which became effective on April 5, 2021. These regulations continue to create a sea change in the healthcare industry, as they require providers to make categories of electronic health information readily available to patients without delay, often resulting in the provider and patient having simultaneous access to health information. They have the potential to be a significant disruptor in the way health data is used, disclosed, maintained, and commoditized. In some ways, however, the pandemic itself paved the path for information blocking compliance: providers often had little choice but to have health information, such as COVID-19 test results, delivered automatically to patients due to the sheer volume of tests and the reliance on remote care, which served as a precursor to the paradigm shift caused by information blocking and helped to normalize this level of access for both patients and the provider community. However, the current lack of enforcement mechanisms in the regulations for providers found to be in violation of information blocking regulations may have dampened the initial momentum of these compliance efforts. ONC has publicly stated on several occasions that efforts are well underway to define these enforcement mechanisms, which could be released by year-end.
Safe Harbor. Congress also codified incentives for the health care industry to invest in information security in order to mitigate OCR enforcement penalties through a HITECH amendment passed in January of 2021, which essentially created a “HIPAA Safe Harbor.” The amendment requires OCR to take into consideration whether an entity that is being investigated by the OCR had “recognized security practices” in place prior to the investigation as part of OCR’s determination regarding any fines, audit results, or other remedies that OCR may seek to impose following a security incident or breach. While this HITECH amendment does not provide entities with total immunity from HIPAA enforcement, it provides organizations with substantial incentives to establish or improve their cybersecurity programs, and a chance to mitigate financial penalties and other negative regulatory actions from the OCR that may result from a data breach or security incident. Examples of “recognized security practices” that would be deemed acceptable defenses under this law include the methodologies set forth in the NIST Act and the Cybersecurity Act of 2015. Healthcare organizations looking to build their HIPAA safe harbor defensibility should start by assessing whether their current cybersecurity program and processes fit the definition of “recognized security practices” as set forth in the HITECH amendment, and consider additional investments to further mature their information security posture as needed to enable them to rely on this safe harbor. To date, OCR has not publicly addressed whether an entity has utilized adoption of such recognized security practices as a defense in an OCR inquiry or investigation. However, in light of the continued threat of ransomware, the creation of the safe harbor will hopefully mitigate the insult of highly punitive OCR fines following the injury of a devastating ransomware attack.
Recent Developments in OCR Enforcement
As the HIPAA regulations celebrate the 25th anniversary of their initial enactment this year, recent developments provide some insight regarding current priorities of the OCR, which is tasked with enforcing HIPAA, as well as potential defense strategies in enforcement actions.
Patient Right of Access
Under HIPAA, patients have rights to a vast trove of health information about themselves maintained by or for covered entities, including medical records; billing and payment records; insurance information; clinical laboratory test results; and medical images. When a patient requests his or her records, the general rule is that a covered entity must provide access to the PHI requested without unreasonable delay, but no later than 30 calendar days from receiving the individual’s request.
In 2019, OCR announced its “Right of Access Initiative”, meant to focus on covered entities providing individuals with timely access to their medical records. Since then, OCR has embarked on a significant number of enforcement actions under its initiative. As of August 2021, there have been 20 right of access settlements, with dollar amounts as high as $200,000 and many others close to or over $100,000.
Notably, in a number of these settlements, OCR initially issued a technical assistance letter to the healthcare provider following a patient complaint and later issued a fine when the patient filed a second complaint after they still had not received the requested records. This highlights the importance of carefully reviewing technical assistance letters to ensure that any issues identified therein have been remediated.
In the latest settlement, OCR’s press statement noted that it took almost two years for the records in question to be released, and that they were released only after OCR initiated an investigation in response to a complaint. OCR stated that “it should not take a federal investigation before a HIPAA covered entity” provides access to requested medical records. “Covered entities owe it to their patients to provide timely access to medical records.” Accordingly, to avoid being a target of OCR’s initiative, covered entities should review their policies and procedures for providing records and ensure requests are handled in a timely fashion.
M.D. Anderson vs. HHS
OCR has issued some notoriously punitive monetary fines in recent years, including a number of multi-million-dollar settlements. However, OCR suffered a recent setback in its regulatory enforcement authority. In early 2021, there was a rare court decision related to civil monetary penalties issued by OCR following a data breach incident. While this decision may have limited application outside the 5th Circuit, it provides some potential guidance for defending against OCR enforcement actions.
The entire saga began with a stolen laptop (in 2012) and a lost thumb drive (in 2013) at M.D. Anderson Cancer Center. Both devices were unencrypted and together contained PHI for over 30,000 patients. The incidents led to HHS imposing a penalty of over $4 million against the provider. The penalty was based on the disclosure of PHI and also the failure to implement a mechanism to encrypt the devices.
After winding its way through two levels of administrative appeals unsuccessfully, M.D. Anderson petitioned the Fifth Circuit for review, arguing that the penalty was arbitrary and capricious. Significantly, in holding that the penalty violated the Administrative Procedure Act, the Fifth Circuit found that:
- The HIPAA regulations require only that a covered entity implement a “mechanism” for encryption, not that it provide a warrant that its mechanism is “bulletproof protection” for all systems containing PHI. M.D. Anderson had such a mechanism in place and thus satisfied the regulatory requirement, “even if the Government now wishes it had written a different [regulation].”
- Simply having devices stolen or lost is not an affirmative “disclosure” of PHI under HIPAA. “It defies reason to say an entity affirmatively acts to disclose information when someone steals it.”
- HHS did not penalize other covered entities that also lost unencrypted devices. There was no reasoned justification given by the government for imposing zero penalties on one covered entity and millions in penalties on another for similar circumstances. An agency must “treat like cases alike.”
Since many ransomware matters involve data theft, the holding in M.D. Anderson is instructive and may be useful in defending against an enforcement action arising from a ransomware incident and the “disclosure” of PHI, since the data is stolen in such an incident rather than affirmatively disclosed. It remains to be seen how OCR will take enforcement action going forward, since many reported incidents, ransomware and otherwise, are based on theft of data by hackers rather than on intentional disclosure by the provider.
The Scourge of Ransomware
Toward the end of 2019, the health care industry saw a growing wave of ransomware attacks. This trend continued through 2020 and to the present day at an alarming rate. While ransomware has been around for years, more recent attacks on consumer-facing companies and critical infrastructure, including healthcare organizations, have brought an increased awareness to the issue (as well as the panic buying of gas and meat in the wake of attacks on those industries).
Healthcare is by far one of (if not the) most targeted industries. A June 2021 Sophos report found that more than 1/3 of healthcare organizations were the victim of a ransomware attack in 2020 alone. At BakerHostetler, the healthcare industry represented 20% of the 1,250+ incidents we handled in 2020. There are various factors for why this might be the case. For example, the operational disruption and everything else that comes with an unplanned, forced downtime due to encrypted and inaccessible data—such as paper charting, missed grant deadlines, and (very) irritated patients—makes healthcare organizations more likely to make a ransom payment, as this may be the quickest option to decrypt data and return to serving their communities.
Another factor is the lack of IT resources and funding. Many healthcare organizations focus investments on patient care and clinical technology, leaving a limited budget for even basic IT enhancements. Additionally, healthcare organizations often continue to use legacy and end-of-life systems and applications, which are obviously more susceptible to compromise. Further, healthcare organizations require support from more third-party service providers than organizations in other industries, and these third parties typically require access to the network to perform the contracted-for services. Notably, it’s these service accounts, which are always afforded administrative privileges and not audited nearly enough, that are commonly leveraged by threat actors to gain access to an environment.
Also motivating cybercriminals is the amount and sensitivity of data that healthcare organizations maintain. It’s no longer a surprise when, in addition to encrypting data, a threat actor also steals sensitive patient information from the network they are attacking and threatens to publish it online. With this tactic, which took off in 2020 and is now the norm for nearly all ransomware matters we see, came much higher demands and, in turn, higher payments and longer downtime.
The following graphic from BakerHostetler’s 2021 Data Security Incident Response Report shows various statistics associated with the nearly 50 healthcare organizations we counseled through ransomware attacks in 2020.
In 2020, the highest initial ransom demand was $60 million from the threat actor group behind the Sodinokibi (aka REvil) ransomware variant; the largest ransom paid was just over $7 million to the threat actor group known as Conti; and the longest period of downtime was 8 weeks following a .WAITING ransomware attack.
The added data exfiltration component has also resulted in a significant increase in the number of ransomware attacks leading to patient and OCR notifications per HIPAA regulations. This is because, despite making a payment for the return and/or destruction of the acquired data, a healthcare entity cannot “undo” the fact that an unauthorized access and acquisition occurred. Additionally, the threat actors behind these attacks are extremely sophisticated and are regularly successful at stealing not just a few files but multiple terabytes of data. As a result, instead of spending the time and money to review each file purportedly acquired by a threat actor, a healthcare organization may be better off simply notifying their entire master patient index (“MPI”). With these large notification populations, however, have come increased scrutiny from both federal and state regulators as well as from patients, resulting in extensive regulatory investigations and class-action lawsuits.
What Can Health Care Entities Do? – Preparing and Planning for a Ransomware Attack
The most critical preventive steps include:
- Enabling multifactor authentication for all services and programs;
- Encrypting data at rest and leveraging an enterprise key management solution to enforce compliance;
- Deploying an endpoint threat detection and response tool (e.g., SentinelOne, Carbon Black) to detect the type of unauthorized activity that easily evades traditional antivirus programs;
- Maintaining both offline and offsite backups;
- Limiting the amount of access provided to IT and service accounts; and
- Auditing Active Directory to ensure accounts no longer in use (especially those with elevated privileges) are disabled and undergo a password reset.
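The last two items above (limiting service-account access and auditing Active Directory for unused privileged accounts) can be turned into a repeatable check. The following PowerShell is an added example, not code from the article or from BakerHostetler; it assumes the RSAT ActiveDirectory module, rights to read and modify the accounts, and a 90-day staleness window, and it leaves the write actions behind -WhatIf so the CSV report can be reviewed before anything is changed.

```powershell
# Added example (not from the article): find enabled members of privileged AD groups
# that have not logged on within $StaleDays, report them, then (after review) reset
# their password and disable them. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$StaleDays        = 90
$Cutoff           = (Get-Date).AddDays(-$StaleDays)
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Server Operators')

# Enabled user members of each privileged group; -Recursive so nested group
# membership (a common way service accounts inherit admin rights) is counted.
$Privileged = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser $_ -Properties LastLogonDate, Enabled, PasswordLastSet }
}

# Stale = enabled and either never logged on or no logon inside the window.
# Caveat: LastLogonDate is derived from the replicated lastLogonTimestamp, which can
# lag real logons by up to 14 days, so a 90-day window is safe; a 7-day one is not.
$Stale = $Privileged |
    Sort-Object -Property DistinguishedName -Unique |
    Where-Object { $_.Enabled -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff) }

# Report first so the list can be reviewed with the account owners.
$Stale |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, PasswordLastSet |
    Export-Csv -Path .\stale-privileged-accounts.csv -NoTypeInformation

foreach ($u in $Stale) {
    # Random 24-character password: the account is being retired, so nobody needs it.
    $NewPassword = ConvertTo-SecureString -AsPlainText -Force -String (
        -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ }))
    # Remove -WhatIf once the CSV has been reviewed to actually apply the changes.
    Set-ADAccountPassword -Identity $u -Reset -NewPassword $NewPassword -WhatIf
    Disable-ADAccount -Identity $u -WhatIf
}
```

Scheduling this as a monthly task and keeping the CSV gives an audit trail that supports the “recognized security practices” showing discussed under the HITECH safe harbor above.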
All of the above measures are increasingly (if not already) becoming industry standard. In light of the amendments to HITECH, the failure to implement these measures increases regulatory risk.
Today, organizations are cognizant of the risk ransomware presents, but unless they’ve already experienced such an event, it’s difficult to understand what to expect, and thus, what to prepare for. When it comes to preparing your organization for a ransomware attack, some important and less obvious considerations include:
- Creating a Ransomware Playbook. Unlike other security incidents, ransomware attacks often involve external communications with third parties during the initial response and investigation phases. This can include the media, regulators, patients, insurance partners, and more. Accordingly, it is now more critical than ever for organizations to have a single comprehensive ransomware playbook that defines everything from immediate action items to Day 1 steps to key stakeholders responsible for undertaking specific activities to external and internal reporting requirements.
- Practicing downtime procedures. It is critical to train workforce members on downtime procedures. This includes everything from patient communications to paper charting to post-downtime data entry and claims processing.
- Establishing processes for ambulatory diversion. Does your business continuity plan establish procedures for diverting critical care/ER patients during an emergency? This extends beyond establishing relationships and procedures with nearby hospitals to understanding how insurance may be impacted (if, for example, the hospital accepting the diversion is out of network).
- Preparing for early preservation issues. In the middle of responding to an incident and restoring operations, the last thing IT personnel are thinking about is a potential lawsuit down the road and the need to preserve encrypted evidence. Having blank drives available to retain copies of encrypted systems will help ensure relevant evidence is preserved for potential litigation without slowing down the restoration process.
- Better understanding what data is stored where. Organizations are usually stunned to learn about the amount of unencrypted PHI that is stored outside the EMR/EHR and ancillary programs, as well as how dated the information is. Consider where large pockets of PHI may be stored, such as backup files used during database migration projects or file exports from one application to another, which often save copies of the export locally. Such a review affords a number of benefits, including the opportunity to clean up as much data as possible and to identify where stricter access controls need to be implemented. Additionally, understanding what data is stored where can be of critical use during an incident, helping to focus the response and investigation efforts.
- Outlining a plan to help streamline notification. In the event of an incident requiring notification to thousands of individuals, how will you pull addresses to mail letters? What databases will be used? What identifiers are needed to verify patients? For your LGBTQ+ community, what steps can you take to ensure the letter is properly addressed to individuals using their preferred pronouns and correct names? When an organization is under a regulatory deadline, there is very little time to locate, validate, and finalize information for the mailing. Take time to consider the different methods needed to complete this task, and then determine how to make it more efficient without compromising quality control.
Eric Packel is a partner with BakerHostetler in Philadelphia, and a member of the firm’s Healthcare Privacy and Compliance team. He applies his analytical skills and knowledge of healthcare privacy compliance and HIPAA, as well as U.S. state laws and the GDPR, to assist clients in the evolving sector of data privacy. Eric has significant experience counseling corporations, large health systems, healthcare providers and other entities on compliance with applicable regulations, data breach notification laws, as well as assisting with data incidents and HIPAA compliance.
Vimala Devassy is a partner with BakerHostetler in Atlanta. Part of the firm’s national healthcare group and Co-Chair of the Healthcare Technology Team, her practice focuses on health care privacy and regulatory matters for healthcare industry clients. She has a wealth of experience in negotiating a broad spectrum of industry relevant contracts and complex transactions, advising clients on day-to-day regulatory and compliance matters, including health information laws, and helping clients navigate Federal and state privacy and security laws as they consider innovative new technologies, data use issues and business opportunities.
Courtney Litchfield is an associate with BakerHostetler in Chicago. Courtney is part of the firm’s Digital Assets and Data Management group, primarily working with the Healthcare Privacy and Compliance team. Her practice is devoted to healthcare privacy and data security, breach response, regulatory defense, and compliance with HIPAA.