July 3, 2024 Did you know that ransomware attacks are becoming increasingly common in healthcare? Since 2018, there has been a whopping 264% increase in large ransomware breaches. The devastating impact of a ransomware breach on an organization is wide-reaching, regardless of its size, as seen with the Change Healthcare breach. It’s imperative to take the proper precautions to ensure that Protected Health Information (PHI) is secure against hacking attempts. At the center of the latest fine, Heritage Valley Health System (HVHS), which operates in Pennsylvania, Ohio, and West Virginia, fell victim to ransomware attacks. These attacks infected HVHS systems, affecting sensitive patient information. As the Office for Civil Rights (OCR) reviewed the major data breach, several pieces of required documentation, such as a Security Risk Analysis (SRA) and an emergency plan, were absent. This missing documentation has led to a $950,000 fine and three years of corrective monitoring. Let’s explore what you can do to prevent this nearly million-dollar mistake. Importance of an SRA The purpose of the SRA is to review your risks and vulnerabilities regarding the management of ePHI (electronic Protected Health Information). This comprehensive analysis notes the physical, technical, and administrative controls to protect your patient’s PHI. Your SRA is documented proof that your organization understands its weaknesses and is making strides to address them and better protect patient data. While the SRA is a very important document, it is frequently missed. From the last round of random HIPAA audits, which have resumed recently, only 83% of practices and Business Associates could produce a sufficient SRA. SRAs are vital for practice compliance, showcasing growth, and best practices in safeguarding patient data. Check out our recent blog post here to learn more about the SRA. Why do I need plans in place? When running a medical practice, it’s important to be prepared for any situation that could arise. That’s why policies and procedures are so important. If your practice faces a scenario that may compromise PHI, your team needs easy access to a plan for handling the situation calmly. By addressing potential challenges well in advance, your team will feel empowered and confident in their ability to respond. Moreover, as part of your preventive measures, it’s beneficial to designate specific roles and responsibilities for your staff. This ensures that everyone is aware of their duties in any given situation. Cybersecurity Measures Unfortunately, healthcare practices have become very common victims of ransomware attacks. To prepare your organization for this, follow best cybersecurity practices, such as encryption, reviewing access controls, and creating unique sign-ons for all employees. Healthcare organizations should prioritize technical safeguards like encryption, access controls, and multi-factor authentication. However, security goes beyond technology. Implement security awareness training for staff, establish a data breach response plan, and maintain regular backups. Regularly conduct risk assessments and evaluate the security practices of third-party vendors. It’s important to consider partnering with an IT company offering valuable expertise. They can recommend the right tools, update you on evolving threats, and monitor your systems for suspicious activity. This layered approach will strengthen your systems and prepare you for potential attacks. How Smart Software Can Help Fines for HIPAA non-compliance can be staggering, but there are alternatives to the manual tracking and paper binders you may be used to. Intelligent software systems are designed to save you time and headaches and ultimately protect your practice to avoid audits and fines. Software empowers your team to manage your program easily and enables a culture of compliance in the office. It streamlines commonly overlooked requirements such as the SRA with dynamically created documentation and develops comprehensive plans, policies, and procedures so you stay current with the latest requirements. Better yet, when using cloud-based software solutions, you get 24/7 secure access and real-time updates when compliance regulations change. Schedule an educational consultation today to learn more about how software solutions can protect your practice.
Change Healthcare Breach: What You Need to Do
May 31, 2024 Since February, the Change Healthcare ransomware attack has dominated headlines in the medical industry, cited as likely the most significant breach ever in the U.S. health system. To quickly recap, a group of malicious hackers infiltrated Change Healthcare’s systems in February. The hackers had access to the system for nine days before infecting systems with ransomware on the 21st. When it was realized Change Healthcare’s systems were compromised, its systems were immediately disconnected to mitigate risks. This attack not only jeopardized patients’ Protected Health Information (PHI) but also caused detrimental impact on the healthcare industry at large. Change Healthcare processes 15 billion healthcare transactions annually. With these systems down, healthcare providers continue to struggle with basic processes, like filling prescriptions and getting paid through insurance claims. The latest update on the Change Healthcare breach has reached Capitol Hill. Andrew Witty, CEO of UnitedHealth Group, the parent company of Change Healthcare, testified at two congressional hearings on May 1st. At these hearings, the cause of the breach was acknowledged: a lack of multi-factor authentication prompts when logging into internal systems. Additionally, while Witty confirmed that the exact scope of impacted patients is unknown, it is expected to be very severe. One-third of Americans could be affected by this cyberattack. Although Change Healthcare’s lack of security protocols caused the catastrophic breach, it is still your practice’s responsibility to notify impacted patients. What You Need to Do The Office for Civil Rights (OCR) is still investigating the magnitude of this cyberattack, but guidance has been released. First, Change Healthcare is notifying stakeholders impacted by the breach. This includes Covered Entities and Business Associates. Business Associates must notify Covered Entities if their business is affected, and the responsibility to inform patients ultimately falls on Covered Entities. The Breach Notification Rule under HIPAA details what information needs to be shared with patients, including suspected dates the data was breached, what PHI was involved, and the next steps. Once it’s known that this breach impacted your patients, it’s vital to notify affected individuals without unreasonable delay and to inform the HHS. The media must also be notified if five hundred or more patients were affected. After this significant cyber attack, reviewing your risks and vulnerabilities is crucial. If a vast organization processing up to $2 trillion in medical claims annually can be hacked, so can your practice. Ensure standard security protocols, like multi-factor authentication, are in place to mitigate the risk of breaches. When it comes to your HIPAA compliance programs, securing your data is critical. For example, Abyde’s cloud-based software features an intuitive Security Risk Analysis (SRA) and ongoing compliance review to quickly identify and address risks to keep your practice’s sensitive data safe. As this breach is still under investigation, Abyde will keep Covered Entities and Business Associates up-to-date on the latest developments. Visit the HHS FAQ page on the Change Healthcare breach here. To learn more about software solutions to ensure protected compliance for your practice, schedule an educational consultation here with a compliance expert.
UnitedHealth Group in the Hot Seat: All Eyes on the Change Healthcare Breach
May 1, 2024 Over the last several months, your friends at Abyde have kept you updated on the latest in the Change Healthcare Breach. Since February 21st, this breach has held the healthcare industry captive, likely the most significant healthcare data breach in the United States ever. Change Healthcare, nestled under the UnitedHealth Group umbrella, processes about 50% of U.S. medical claims, is still picking up the pieces. If you work in healthcare, you feel the sting of the attack. Almost all hospitals reported financial damages because of the attack. So, how did we get here? You’re getting answers, as CEO of UnitedHealth Group, Andrew Witty, is set to testify in front of two congressional panels today. Don’t worry, we’re not going in blind! While Witty might be on center stage today, a written testimony has already been released. Stay tuned because we’re decoding this testimony and answering your burning questions. Pack your bags! We’re taking a quick trip to the Capitol! Party Crashers This compliance catastrophe began on February 21st, with the BlackCat hacking group infecting Change Healthcare’s systems with ransomware. However, the team of malicious hackers had been plotting for over a week, being in Change Healthcare’s systems for nine days before the attack. How did they get in? It wasn’t a Mission Impossible stunt, avoiding lasers and jumping between buildings, but a simple case of compromised credentials. Using a stolen login, the black-hat hackers could log into a Change Healthcare application portal and remotely access desktops. This portal didn’t have a standard security protocol: multi-factor authentication. Multi-factor authentication (MFA), like a code sent to your phone before logging in, is a typical security standard for protecting sensitive data. Implementing technical safeguards, like MFA, falls under the HIPAA Security Rule. Mopping up the Mess While Change Healthcare is no stranger to hacking attempts – thwarting 450,000 intrusions a year – once the ransomware was identified, Change Healthcare sprung into action. According to Witty, the Change Healthcare team immediately severed connectivity with the data centers to avoid the spread of ransom. Change Healthcare started from the bottom up, rebuilding the foundation of its technology infrastructure, replacing thousands of laptops, implementing new credentials, and new servers with the help of Tech powerhouses like Amazon and Google. As of today, the ransomware only impacted Change Healthcare and none of UnitedHealth Group’s other organizations. Witty also admitted to meeting ransom demands, saying it was one of the toughest decisions he’s ever had to make. What’s Next? These uninvited party crashers have put the UnitedHealth Group in hot water. These congressional hearings are just the tip of the iceberg for the medical titan. Here at Abyde, we’re keeping a close eye on things, and you can bet we’ll keep you in the loop through our blogs and social media on the latest in these hearings. Want to stay on top of all things compliance? Follow us and watch for our This Week in Compliance series – it’s your one-stop shop for compliance info!
Change Healthcare Breach: What We Know Now
March 14, 2024 BREAKING NEWS! Your friends at Abyde are right back at you with an update on the Change Healthcare breach. Check out our first blog post on the breach here! Now, to quickly bring you up to speed, Change Healthcare, a division of United Healthcare, was impacted by a ransomware attack. This ransomware attack is like nothing we’ve ever seen, and being called the most significant attack on our healthcare system of all time. This ransomware attack was disastrous, taking Change Healthcare systems offline, and making it impossible for healthcare providers to check for insurance eligibility, see new patients, properly process prescriptions correctly, and much more. Now, it’s been several weeks since the initial attack, and we have the latest scoop for you. What’s going on now? Well, now here comes the fallout. While some of the systems have been able to get back online, like pharmacy functions, Change Healthcare is still not 100%. This has been detrimental to healthcare providers, and is costing them $100 million a day! Now, I know that’s gotta hurt. Now, the lawsuits are starting to roll in. Now, multiple class action lawsuits have been filed against Change Healthcare/United Healthcare due to its inadequate security systems and how it’s been handled. Unfortunately, in this attack, it’s highly likely Protected Health Information (PHI) is in the hands of criminals. In this ransomware attack, over six TB of stolen data was encrypted by the deceptive hackers. So, these lawsuits are just getting started. The government is also involved in this breach, investigating the causes and effects of the ransomware attack. The FBI has run into this group of hackers before and has taken some of their servers offline, causing many to think this attack was of vengeance. The Department of Health and Human Services also came together to discuss and address the impact of the cyber attack for more to come. As of yesterday, March 13, the Office of Civil Rights also released a statement of beginning their investigation of the attack. It’s safe to say this is far from over, and it’s been a tough month for United Healthcare. What should I do? To keep up with the news, we recommend you follow our news page, where we release the newest updates in compliance news and the best tips for your practice or business. To keep up with the Change Healthcare system updates, you can follow this page here. To keep your practice or business safe, and avoid this hot water that United Healthcare found itself in, it is essential for you to proactively protect your organization. This includes working with an IT company, employing firewalls, encryption, and of course, having compliance software like Abyde. Abyde is your one-stop shop when it comes to compliance management, allowing you to evaluate your risks and address them before it’s too late. Need documentation in order? Yeah, all in the software. Oh and – let me stop you right there, yes, we also dynamically generate our personalized policies and procedures, so don’t worry about writing them. And if you experience a breach? We’re here for you. We have an awesome team of compliance experts here to help you navigate any situation, so you’re not alone. Want to learn more about compliance? Reach out to us at info@abyde.com and schedule a compliance consultation here for Covered Entities, and here for Business Associates!
Yikes! My Files Are Kidnapped!: What is Ransomware?
March 7, 2024 Ransomware. Even the name sounds ominous! With the Change Healthcare ransomware attack, you might have heard a lot about ransomware in the news lately. While the effects of the attack are wreaking havoc on the healthcare system, you might be wondering what this notorious ransomware is all about. Well, you’ve come to the right place! We’re here to educate you on ransomware and how your practice or organization can be prepared for this cybercrime. What is it, exactly? Ransomware is a form of malware, or malicious software, that encrypts the files of a victim and requires a ransom to access files again. This is a very common way hackers infiltrate healthcare systems and over 4,000 ransomware attacks occur a day! If you’re confused about how ransomware works, here’s a simple example: Dan the Doctor was having an alright day, and then he got an email that went to his practice that he thought would turn it into the best day of his life! The email said he won 20 million dollars! All he had to do was click the link in the email to receive it. He clicked it as soon as possible, already dreaming of spending the rest of his life on the beaches of Hawaii. Spoiler alert: his day was going to get a lot worse. As he clicked the link, ransomware began its sinister magic: encrypting patients’ protected health information (PHI). He couldn’t believe what he did, putting his patients and his practice in jeopardy. Then, to get access to these files again, he had to pay thousands of dollars, or these files would be put online, putting his innocent patients even more at risk. His dreams of Hawaii turned into a very hurt wallet and his patients at risk. While you might think that could never happen to you: email scams, or phishing, are the most common way ransomware attacks are sent. Our simple example is just a story, but it happens often in the healthcare field. For example, the most recent major cybercrime is the ongoing Change Healthcare ransomware attack, in which they paid 22 million dollars in ransom! The OCR is also beginning to fine practices and organizations that do not take the proper precautions against ransomware attacks. The first ransomware attack fine was announced in October, costing the Business Associate (BA) $100,000 in HIPAA fines. What do I do? Now, while ransomware attacks have become extremely prevalent, with a 278% increase in ransomware breaches reported to the OCR, there are precautions you can take. Working with an IT company is key for your practice or business, with prevention being the first line of defense. This includes things like encrypting your files, keeping all software up-to-date, having firewalls, antivirus and more. Additionally, working with a compliance program like Abyde also lowers your risk. By identifying your vulnerabilities and enacting the right protocols, ransomware stands no match! For instance, password updating, proper data handling, access controls, and training, are all different barriers that help your practice or business. Also, if your practice is infected by ransomware, do not pay the ransom, get the infected device offline and off the network, report the breach to the OCR, and get IT experts to investigate the attack. To learn more about how your practice can stay compliant and secure against ransomware attacks, email us at info@abyde.com and schedule consultations for Covered Entities here, and Business Associates here.
The OCR Cracks Down on Cyber Attack Breaches: Second Ransomware Attack Settled in Four Months
February 22, 2024 Well, the Office of Civil Rights (OCR) did it again. In the past four months, two ransomware cyber attack cases have been settled, resulting in hefty fines, yikes! While the first ruling affected a Business Associate with a major fine, this breach impacted a Covered Entity. In February 2019, Green Ridge Behavioral Health in Maryland filed a breach report that all of their files on patients were encrypted with ransomware, resulting in over 14,000 patients’ data being compromised. That’s a lot of people! As the name suggests, ransomware is a cybercrime where data is held for ransom. Users are unable to access data/files till the ransom is paid. It is a malicious crime that is extremely prevalent in healthcare, with a 264% increase over the past five years in large breaches reported to the OCR. In their investigation, the OCR found potential violations of the HIPAA Privacy and Security Rules from before and right up until the breach. In their variety of violations, some other major misses included: As a result, Green Ridge Behavioral Health was fined $40,000 and will now be monitored by the OCR for the next three years. That’s a long time and a lot of money for a practice that could have avoided this situation with the right compliance solution. That’s where Abyde steps in. Cyber attacks are unfortunately common in healthcare, accounting for 79% of the large breaches reported to OCR. We’ve now seen a pattern of the OCR ruling on ransomware cases, cracking down on practices and organizations that are not prepared for a cyber attack. The OCR is not messing around, and these fines are a clear example. Thankfully, with Abyde, we make the journey to compliance simple. The Abyde software resolves many of the reasons why practices and organizations get fined. You can complete our intuitive Security Risk Analysis in minutes, being able to see what your practice needs to do to be compliant in a flash. Abyde also has engaging training, with interactive activities and videos, all with entertaining themes, to keep the user interested (yes, you read that right). We also have a portal that allows you to easily manage all of your agreements with Business Associates, digitally signing and storing them in the software. What’s the cherry on top? We will remind you when these agreements are close to expiring, being your compliance crew so you can focus on running your practice. We have a variety of resources for practices of any size to use, like dynamically generated policies and procedures, allowing you to finally ditch the dusty HIPAA binder, HIPAA logs, our team of friendly compliance experts is always a call (or message!) away, and much more. Why wait for a compliance disaster? Email us at info@abyde.com and schedule a demo of our revolutionary software here.