Categories
Health Law Highlights

Change Healthcare Ransomware Attack: 10 Lessons Learned

Summary of article from Guidepost Solutions LLC, by Todd Doss:

In February 2024, Change Healthcare fell victim to a ransomware attack due to vulnerabilities in its infrastructure, including outdated software and misconfigured settings. The attackers used sophisticated malware to access the network and breach sensitive data, including patient records, financial data, and administrative details. The incident underscores the importance of robust cybersecurity measures, such as regular data backups, software updates, strong passwords, network segmentation, and continuous employee education. Organizations are also advised to avoid paying ransoms and to stay informed about cybersecurity trends. Lastly, consulting with third-party cybersecurity experts can help assess vulnerabilities and strengthen an organization’s security posture.

Companies with Strong Cybersecurity Programs Deliver Higher Returns for Shareholders

Summary of article in The HIPAA Journal, by Steve Adler:

A study by Diligent Institute and Bitsight reveals that organizations with strong cybersecurity programs yield better financial performance and higher shareholder returns. The study, which analyzed data from 4,149 mid- to large-sized organizations, found that companies with advanced security ratings created almost four times more value for their shareholders than those with basic security ratings. The report also emphasized that cybersecurity is not just an IT problem, but an enterprise risk affecting the company’s performance and health. There was a correlation between board structure and security ratings, with companies having specialized risk or audit committees performing better. The presence of a cybersecurity expert on these committees significantly improved an organization’s security performance.

Healthcare Still Underprepared for Scope of Cyber Threats, Says Report

Summary of article from Healthcare IT News, by Andrea Fox:

A new report from Kroll reveals a discrepancy between healthcare organizations’ self-assessment of their cybersecurity maturity and the reality of their readiness. Despite healthcare being among the most breached sectors, many organizations in this industry believe their cybersecurity processes are “very mature”. The report also identified remote access as a key vulnerability, with ransomware groups increasingly gaining initial access through external remote services. Kroll warns of increased scrutiny and accountability for C-suite executives in overseeing cybersecurity defenses. The report concludes that healthcare organizations must close the ‘self-diagnosis gap’ and enhance their security measures to protect against cyber threats.

Change Healthcare Faces Another Ransomware Threat—and It Looks Credible

From Ars Technica, by Andy Greenberg and Matt Burgess:

Change Healthcare, a prominent healthcare company in the U.S., has been embroiled in a significant ransomware debacle, initially victimized by the group AlphV, which encrypted the company’s network and received a $22 million ransom payment. Now, a new ransomware group, RansomHub, claims to possess 4 terabytes of Change Healthcare’s stolen data and is demanding its own ransom. While the origins of RansomHub’s data are unclear, security analysts suggest that the threat may be legitimate. This situation highlights the risk of re-extortion in ransomware attacks and the untrustworthiness of cybercriminals, even after ransoms are paid. The ongoing attack has caused severe disruptions across U.S. medical practices, with 80% of clinicians reporting revenue loss and many facing potential bankruptcy.

Health Care Groups Resist Cybersecurity Rules in Wake of Landmark Breach

From CyberScoop, by AJ Vicens and Elias Groll:

A devastating cyberattack on payment processor Change Healthcare has spurred discussions in Washington about urgent cybersecurity regulations for the healthcare sector. Health and Human Services (HHS) is working on developing mandatory rules, including updating the Health Insurance Portability and Accountability Act with cybersecurity requirements.

These updates are meeting resistance from the healthcare industry, which argues that hospitals should not be punished for the success of hackers. President Biden’s budget proposal includes funding for hospitals’ cybersecurity efforts and penalties for non-compliance. Despite this, the complexity of implementing such standards, especially for smaller health entities, and the current political climate suggest no significant changes will occur soon.

Healthcare Hit Hardest by Ransomware Last Year, FBI IC3 Report Shows

From Health IT Security, by Jill McKeon:

The Federal Bureau of Investigation’s 2023 Internet Crime Report reveals that the healthcare sector experienced the highest number of ransomware attacks among all critical infrastructure sectors last year.

The FBI’s Internet Crime Complaint Center (IC3) recorded an unprecedented 880,418 complaints, marking a 10% increase from the previous year and financial losses exceeding $12.5 billion, a 22% increase. Of the total complaints, 1,193 were from critical infrastructure organizations, with 249 from healthcare and 218 from critical manufacturing.

The report suggests that the high figures from the healthcare sector could be due to its readiness to report such incidents. The FBI has historically struggled to determine the actual number of ransomware victims, as many cases go unreported. The two most prevalent ransomware variants, LockBit and ALPHV/BlackCat, known for targeting healthcare, were responsible for 175 and 100 attacks respectively.

Ransomware was a significant concern across IC3’s complaint database, with over 2,800 complaints related to ransomware, an 18% increase from 2022. Financial losses from these attacks rose by 74% from $34.3 million to $59.6 million. The FBI noted emerging trends, including deploying multiple ransomware variants against the same victim and using data-destruction tactics to increase pressure on victims to negotiate.

Hey Doc, Be Careful on TikTok – Legal Pitfalls of Healthcare Providers in the Social Media Age

From Buckingham, Doolittle & Burroughs, LLC, by Monica Davis:

Impact of Social Media on Healthcare: Social media platforms have enabled physicians to expand their practices, increase marketing, discover new clients, and build their reputations. However, they also pose risks.

HIPAA Violations: The Health Insurance Portability and Accountability Act (HIPAA) ensures strict confidentiality in physician-patient relationships. Violations, such as disclosing Protected Health Information (PHI) without patient authorization, can lead to severe penalties, including lawsuits, fines, and loss of license.

Cyber-Security Risks: Social media can expose healthcare providers to cyber-security threats, including viruses and hackers. The potential consequences are devastating if a hacker gains access to a patient’s private information. Strong authentication mechanisms and password-protected social media can help mitigate these risks.

Reputation Management: Social media can improve a physician’s reputation and client base, but it can also damage their image. Negative reviews and harassment can quickly tarnish a healthcare provider’s reputation, leading to potential legal action for defamation.

Malpractice and Thoughtful Use: The risk of malpractice increases when healthcare professionals give advice on social media, potentially exposing themselves to negligence allegations. To minimize risk and maximize benefits, healthcare facilities should implement social media risk management strategies, such as obtaining patient consent before posting identifying information, educating staff on HIPAA and privacy laws, and designating a social media manager.

Rise in Healthcare Data Breaches & the Impact for Healthcare Providers in 2024

From Bradley Arant Boult Cummings LLP, by Alexis Buese and Eric Setterlund:

The healthcare sector has seen a significant increase in cyber-threats, especially hacking and ransomware, with a 256% rise in hacking-related breaches and a 264% surge in ransomware incidents in the last five years. In 2023, these breaches affected over 134 million individuals, a 141% increase from the previous year.

The OCR recommends proactive measures to mitigate these threats, including securing partnerships with vendors, conducting regular risk assessments, establishing robust audit controls, and adopting multi-factor authentication.

The OCR’s two Congressional Reports on HIPAA compliance and enforcement highlight the need for healthcare systems to address potential HIPAA compliance issues before breaches occur. The reports reveal common vulnerabilities and suggest areas for improvement tied to specific HIPAA Security Rule standards, including the security management process standard, audit controls standard, and response and reporting requirements.

Despite the sophistication of some cyber-attacks, the majority of incidents could be prevented or significantly lessened if healthcare entities adhered to the HIPAA Security Rule. This includes safeguarding against prevalent attack methods like phishing emails, exploiting existing vulnerabilities, and using weak authentication measures. In case of a successful breach, attackers often encrypt or steal electronic Protected Health Information (ePHI) for ransom or future malicious activities.

Cyberattack Shuts Down Pharmacies Across the US

From Brew Healthcare, by Quinn Sental:

Change Healthcare, a prominent health tech firm owned by UnitedHealth Group, suffered a cyberattack, disrupting patient payments and prescription processing across the US. The company, part of Optum, handles 15 billion healthcare transactions annually.

The cyberattack was first noticed as disruptions in the company’s applications, later identified as “enterprise-wide connectivity issues”, and eventually confirmed as a cybersecurity issue. In response, Change Healthcare disconnected its systems to prevent further spread.

The incident has affected pharmacies nationwide, preventing them from processing prescription orders. Some pharmacies could accept prescriptions but were unable to process them through patients’ insurance.

Change Healthcare said the disruption is expected to last at least a day and is specific to their systems, with all other UnitedHealth Group systems remaining operational.

Researchers Observe Increase in Emerging Ransomware Groups Targeting Healthcare

From HealthIT Security, by Jill McKeon:

  • The healthcare sector experienced significant data breaches in 2023, with over 540 organizations reporting such incidents, largely due to ransomware attacks. Healthcare was the third-most targeted industry, following manufacturing and technology.
  • The GuidePoint Research and Intelligence Team (GRIT) identified 63 distinct ransomware groups responsible for these attacks, with established groups like LockBit, Alphv, and Clop causing the majority of breaches. These groups have operated for at least nine months and have well-defined tactics.
  • Both established and emerging ransomware groups have increasingly targeted healthcare organizations. Despite traditionally being considered ‘off-limits’ due to potential negative press and law enforcement attention, the number of attacks on healthcare organizations rose in 2023.
  • Emerging groups, defined as those in operation for less than three months, have been particularly problematic for the healthcare sector. One such group, Rhysida, has been aggressive in its attacks despite its relative newness, using tactics like phishing to compromise victims.
  • GRIT predicts that ransomware attacks will continue to escalate in 2024, with the most prolific groups leading advancements in techniques and strategies. The report emphasizes the importance of industry best practices in threat intelligence, information sharing, and public-private partnerships to combat this growing threat.