06/14/2021

Cybersecurity and HIPAA: Government Issues New Warning and Guidance in Wake of Increased Threats

The U.S. Department of Health and Human Service’s Office for Civil Rights in Action (OCR) issued a warning that cybercriminals are attempting to exploit a critical vulnerability in VMware software. This alert originates from the Cybersecurity and Infrastructure Security Agency (CISA) and specifically concerns the VMware vCenter Server and VMware Cloud Foundation, which are part of the underlying infrastructure used in network management. To avoid cyber threats, CISA urges organizations using these systems to implement the necessary patches immediately, or, if organizations cannot immediately apply the update, to apply workarounds in the interim. Healthcare providers using VMware are especially encouraged to implement the patches immediately to ensure protected health information remains safe from cyberattacks, including ransomware.

Ransomware is a type of malicious software cybercriminals use, such as email phishing campaigns or encrypting the hard drive of infected computers, to make a user’s sensitive data or proprietary information inaccessible, with the purpose of extracting ransom from the user to restore access to the data. Since 2015, there has been a 300% increase in recorded ransomware attacks in the United States. The healthcare industry, which contains a wealth of valuable data, such as social security numbers and health insurance credentials, is one of the main targets of ransomware attacks. In fact, the number of healthcare data breaches recorded in 2020 increased by 25%, making it the third worst year in terms of the amount of breached healthcare records. The largest healthcare data breach in 2020 was a ransomware attack on the cloud service provider Blackbaud Inc., where more than 10 million records are known to have been compromised.

Previously, in an effort to reinforce how the healthcare industry should deal with ransomware attacks, the U.S. Department of Health and Human Services (HHS) released a factsheet, directing healthcare entities to the Health Insurance Portability and Accountability Act (HIPAA), which provides guidance and recommended compliance measures to help HIPAA-covered entities and business associates prevent ransomware. Namely, the HIPAA Security Rule requires implementation of security measures to prevent the introduction of ransomware. Covered entities can mitigate the risk of successful ransomware attacks by:

  1. Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;
  2. Implementing procedures to guard against and detect malicious software;
  3. Training users on malicious software protection so they detect malicious software and know how to report such detections;
  4. Limiting access to ePHI to only those persons or software programs requiring access;
  5. Maintaining an overall contingency plan that includes disaster recovery, emergency operations planning, and periodic testing of contingency plans to ensure organizational readiness;
  6. Understanding ransomware and identifying the particular strain of malware involved; and
  7. Implementing security incident responses.

After a “security incident,” HIPAA-covered entities must initiate reasonable and appropriate procedures, response, and reporting processes. Additional security incident guidance is available at Paul Cichonski et al., Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology, NIST SP 800-61 Rev. 2 (Aug. 2012).

On May 12, 2021, with cybersecurity attacks still prevalent and growing, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity, which seeks to (1) remove barriers to sharing threat information between government and the private sector; (2) modernize and implement stronger cybersecurity standards in the federal government; (3) improve software supply chain security; (4) establish a cybersecurity safety review board; (5) create a standard playbook for responding to cyber incidents; (6) improve detection of cybersecurity incidents on federal government networks; and (7) improve investigations and remediation capabilities.

In response to President Biden’s Executive Order, on June 2, 2021, Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, released a memo titled “What We Urge You to Do to Protect Against the Threat of Ransomware.” Neuberger’s memo provides the following U.S. Government’s recommended best practices to drive down the risk of ransomware attacks:

  1. Implement the best practices from the President’s Executive Order;
  2. Backup your data, system images, and configurations, regularly test them, and keep the backups offline;
  3. Update and patch systems promptly;
  4. Test your incident response plan;
  5. Check your security team’s work; and
  6. Segment your networks.

Healthcare organizations should evaluate their compliance with the HIPAA Security Rule and implement the aforementioned prevention and response actions to mitigate the risk and consequences of ransomware attacks. As a best practice, it is of utmost importance that providers using VMware systems implement the necessary patches promptly to prevent cybercriminals from exploiting the vulnerability in the unpatched system. An unpatched system may result in unauthorized access of sensitive patient information. Failure to prevent and remedy these attacks, effectively resulting in HIPAA violations, may result in severe penalties.

DISCLAIMER

Unless you are a current client of Holland & Hart LLP, please do not send any confidential information by email. If you are not a current client and send an email to an individual at Holland & Hart LLP, you acknowledge that we have no obligation to maintain the confidentiality of any information you submit to us, unless we have already agreed to represent you or we later agree to do so. Thus, we may represent a party adverse to you, even if the information you submit to us could be used against you in a matter, and even if you submitted it in a good faith effort to retain us.