Health Law Highlights

Health Care Groups Resist Cybersecurity Rules in Wake of Landmark Breach

From CyberScoop, by AJ Vicens and Elias Groll:

A devastating cyberattack on payment processor Change Healthcare has spurred discussions in Washington about urgent cybersecurity regulations for the healthcare sector. The Department of Health and Human Services (HHS) is developing mandatory rules, including updating the Health Insurance Portability and Accountability Act (HIPAA) with cybersecurity requirements.

These updates are meeting resistance from the healthcare industry, which argues that hospitals should not be punished when hackers succeed against them. President Biden’s budget proposal includes both funding for hospitals’ cybersecurity efforts and penalties for non-compliance. Despite this, the complexity of implementing such standards, especially for smaller health entities, and the current political climate suggest no significant changes will occur soon.

Healthcare Hit Hardest by Ransomware Last Year, FBI IC3 Report Shows

From Health IT Security, by Jill McKeon:

The Federal Bureau of Investigation’s 2023 Internet Crime Report reveals that the healthcare sector experienced the highest number of ransomware attacks among all critical infrastructure sectors last year.

The FBI’s Internet Crime Complaint Center (IC3) recorded an unprecedented 880,418 complaints, a 10% increase from the previous year, with financial losses exceeding $12.5 billion, a 22% increase. Among those, 1,193 ransomware complaints came from critical infrastructure organizations, including 249 from healthcare and 218 from critical manufacturing.

The report suggests that the high figures from the healthcare sector could be due to its readiness to report such incidents. The FBI has historically struggled to determine the actual number of ransomware victims, as many cases go unreported. The two most prevalent ransomware variants, LockBit and ALPHV/BlackCat, known for targeting healthcare, were responsible for 175 and 100 attacks respectively.

Ransomware was a significant concern across IC3’s complaint database, with over 2,800 complaints related to ransomware, an 18% increase from 2022. Financial losses from these attacks rose by 74% from $34.3 million to $59.6 million. The FBI noted emerging trends, including deploying multiple ransomware variants against the same victim and using data-destruction tactics to increase pressure on victims to negotiate.

Hey Doc, Be Careful on TikTok – Legal Pitfalls of Healthcare Providers in the Social Media Age

From Buckingham, Doolittle & Burroughs, LLC, by Monica Davis:

Impact of Social Media on Healthcare: Social media platforms have enabled physicians to expand their practices, increase marketing, discover new clients, and build their reputations. However, they also pose risks.

HIPAA Violations: The Health Insurance Portability and Accountability Act (HIPAA) ensures strict confidentiality in physician-patient relationships. Violations, such as disclosing Protected Health Information (PHI) without patient authorization, can lead to severe penalties, including lawsuits, fines, and loss of license.

Cyber-Security Risks: Social media can expose healthcare providers to cyber-security threats, including malware and hackers. The consequences are devastating if an attacker uses a compromised account to reach a patient’s private information. Strong authentication mechanisms and password-protected social media accounts help mitigate these risks.

Reputation Management: Social media can improve a physician’s reputation and client base, but it can also damage their image. Negative reviews and harassment can quickly tarnish a healthcare provider’s reputation, leading to potential legal action for defamation.

Malpractice and Thoughtful Use: The risk of malpractice increases when healthcare professionals give advice on social media, potentially exposing themselves to negligence allegations. To minimize risk and maximize benefits, healthcare facilities should implement social media risk management strategies, such as obtaining patient consent before posting identifying information, educating staff on HIPAA and privacy laws, and designating a social media manager.

Rise in Healthcare Data Breaches & the Impact for Healthcare Providers in 2024

From Bradley Arant Boult Cummings LLP, by Alexis Buese and Eric Setterlund:

The healthcare sector has seen a significant increase in cyber-threats, especially hacking and ransomware, with a 256% rise in hacking-related breaches and a 264% surge in ransomware incidents in the last five years. In 2023, these breaches affected over 134 million individuals, a 141% increase from the previous year.

The HHS Office for Civil Rights (OCR) recommends proactive measures to mitigate these threats, including scrutinizing vendor and business associate relationships, conducting regular risk assessments, establishing robust audit controls, and adopting multi-factor authentication.

OCR’s two Congressional Reports on HIPAA compliance and enforcement highlight the need for healthcare systems to address potential HIPAA compliance issues before breaches occur. The reports identify common weaknesses and suggest areas for improvement tied to specific HIPAA Security Rule standards, including the security management process standard, the audit controls standard, and the response and reporting requirements.

Despite the sophistication of some cyber-attacks, the majority of incidents could be prevented or significantly lessened if healthcare entities adhered to the HIPAA Security Rule. This includes safeguarding against the most prevalent attack methods: phishing emails, exploitation of known, unpatched vulnerabilities, and weak authentication. Once inside, attackers typically encrypt or steal electronic Protected Health Information (ePHI) for ransom or for later malicious use.

Cyberattack Shuts Down Pharmacies Across the US

From Brew Healthcare, by Quinn Sental:

Change Healthcare, a prominent health tech firm owned by UnitedHealth Group, suffered a cyberattack, disrupting patient payments and prescription processing across the US. The company, part of Optum, handles 15 billion healthcare transactions annually.

The cyberattack first surfaced as disruptions in the company’s applications, was later described as “enterprise-wide connectivity issues”, and was eventually confirmed as a cybersecurity incident. In response, Change Healthcare disconnected its systems to contain the spread.

The incident has affected pharmacies nationwide, preventing them from processing prescription orders. Some pharmacies could accept prescriptions but were unable to process them through patients’ insurance.

Change Healthcare said the disruption is expected to last at least a day and is specific to their systems, with all other UnitedHealth Group systems remaining operational.

Researchers Observe Increase in Emerging Ransomware Groups Targeting Healthcare

From HealthIT Security, by Jill McKeon:

  • The healthcare sector experienced significant data breaches in 2023, with over 540 organizations reporting such incidents, largely due to ransomware attacks. Healthcare was the third-most targeted industry, following manufacturing and technology.
  • The GuidePoint Research and Intelligence Team (GRIT) identified 63 distinct ransomware groups responsible for these attacks, with established groups such as LockBit, Alphv, and Clop causing the majority of breaches. GRIT classifies a group as established once it has operated for at least nine months with well-defined tactics.
  • Both established and emerging ransomware groups have increasingly targeted healthcare organizations. Despite traditionally being considered ‘off-limits’ due to potential negative press and law enforcement attention, the number of attacks on healthcare organizations rose in 2023.
  • Emerging groups, defined as those in operation for less than three months, have been particularly problematic for the healthcare sector. One such group, Rhysida, has been aggressive in its attacks despite its relative newness, using tactics like phishing to compromise victims.
  • GRIT predicts that ransomware attacks will continue to escalate in 2024, with the most prolific groups leading advancements in techniques and strategies. The report emphasizes the importance of industry best practices in threat intelligence, information sharing, and public-private partnerships to combat this growing threat.

HHS Releases Voluntary Cybersecurity Performance Goals to Beef Up Healthcare’s Digital Defenses

From Fierce Healthcare, by Dave Mulio:

  • The Department of Health and Human Services (HHS) has published voluntary cybersecurity performance goals for healthcare organizations, aiming to enhance industry-wide cybersecurity. The goals are hosted on a new website launched by the department to centralize cybersecurity resources from various government groups.
  • The goals are divided into two categories: “Essential Goals” and “Enhanced Goals”, reflecting cybersecurity frameworks, best practices, and strategies developed by the healthcare industry. They address common attack vectors against U.S. hospitals, as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.
  • The voluntary goals cover initial protection, response, and mitigation of residual risk. They provide a prioritization roadmap for layers of protection across various points of weakness, aiming to prevent potential breaches.